binutils: CVE-2017-7299

Source: git://sourceware.org/git/binutils-gdb.git MR: 74257 Type: Security Fix Disposition: Backport from 'embedded-binutils-master' ChangeID: b55df05e3d3fd21bd30edaea124135892747b1ee Description: Linking non-ELF file broken by PR20908 fix PR ld/20968 PR ld/20908 * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move reloc counting code later after ELF flavour test. PR lf/20908 * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries when following indirect links. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 020863d45d39a336723300138777583afb0b12c7) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-20 14:27:21 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: 67d5e33d4f02c5c784338f736900df72129d1258 (patch)
tree: 09ae8ca7a098cb58a1f89d1c9adb7fe77049cd48 /meta/recipes-devtools
parent: b5e7f898506df7bbff861f1ba1b78c695906e3a6 (diff)
download: poky-67d5e33d4f02c5c784338f736900df72129d1258.tar.gz
3 files changed, 169 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 35e26fc0dd..1e55be69f7 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -76,6 +76,8 @@ SRC_URI = "\
     file://CVE-2017-8394_1.patch \
     file://CVE-2017-8394.patch \
     file://CVE-2017-8398.patch \
+     file://CVE-2017-7299_1.patch \
+     file://CVE-2017-7299_2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
new file mode 100644
index 0000000000..50a48bc549
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
@@ -0,0 +1,47 @@
+commit d7f399a8de4c55eb841db6493597a587fac002de
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Fri Dec 2 17:46:26 2016 +0000
+    Fix seg-fault in linker when passed a corrupt binary input file.
+    
+        PR lf/20908
+        * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+        when following indirect links.
+Upstream-Status: Backport
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c      2017-09-20 14:15:26.337333504 +0530
+++ git/bfd/elflink.c   2017-09-20 14:20:19.000000000 +0530
+@@ -11201,6 +11201,12 @@
+              asection *sec;
+ 
+              sec = p->u.indirect.section;
+             /* See PR 20908 for a reproducer.  */
+             if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+               {
+                 _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+                 goto error_return;
+               }
+              esdi = elf_section_data (sec);
+ 
+              /* Mark all sections which are to be included in the
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-20 14:20:19.000000000 +0530
+++ git/bfd/ChangeLog   2017-09-20 14:23:48.743556932 +0530
+@@ -192,6 +192,10 @@
+ 
+ 2016-12-02  Nick Clifton  <nickc@redhat.com>
+ 
+       PR lf/20908
+       * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+       when following indirect links.
+
+        PR ld/20909
+        * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
+        for an illegal string offset.
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
new file mode 100644
index 0000000000..7691b122ce
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
@@ -0,0 +1,120 @@
+commit a961cdd5f139d3c3e09170db52bd8df7dafae13f
+Author: Alan Modra <amodra@gmail.com>
+Date:   Thu Dec 15 21:29:44 2016 +1030
+    Linking non-ELF file broken by PR20908 fix
+    
+        PR ld/20968
+        PR ld/20908
+        * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
+        reloc counting code later after ELF flavour test.
+Upstream-Status: Backport
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c      2017-09-20 14:15:28.133343092 +0530
+++ git/bfd/elflink.c   2017-09-20 14:15:28.189343391 +0530
+@@ -11201,13 +11201,6 @@
+              asection *sec;
+ 
+              sec = p->u.indirect.section;
+-             /* See PR 20908 for a reproducer.  */
+-             if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+-               {
+-                 _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+-                 goto error_return;
+-               }
+-             esdi = elf_section_data (sec);
+ 
+              /* Mark all sections which are to be included in the
+                 link.  This will normally be every section.  We need
+@@ -11218,37 +11211,18 @@
+              if (sec->flags & SEC_MERGE)
+                merged = TRUE;
+ 
+-             if (esdo->this_hdr.sh_type == SHT_REL
+-                 || esdo->this_hdr.sh_type == SHT_RELA)
+-               /* Some backends use reloc_count in relocation sections
+-                  to count particular types of relocs.  Of course,
+-                  reloc sections themselves can't have relocations.  */
+-               reloc_count = 0;
+-             else if (emit_relocs)
+-               {
+-                 reloc_count = sec->reloc_count;
+-                 if (bed->elf_backend_count_additional_relocs)
+-                   {
+-                     int c;
+-                     c = (*bed->elf_backend_count_additional_relocs) (sec);
+-                     additional_reloc_count += c;
+-                   }
+-               }
+-             else if (bed->elf_backend_count_relocs)
+-               reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+-
+              if (sec->rawsize > max_contents_size)
+                max_contents_size = sec->rawsize;
+              if (sec->size > max_contents_size)
+                max_contents_size = sec->size;
+ 
+-             /* We are interested in just local symbols, not all
+-                symbols.  */
+              if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour
+                  && (sec->owner->flags & DYNAMIC) == 0)
+                {
+                  size_t sym_count;
+ 
+                 /* We are interested in just local symbols, not all
+                    symbols.  */
+                  if (elf_bad_symtab (sec->owner))
+                    sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size
+                                 / bed->s->sizeof_sym);
+@@ -11262,6 +11236,27 @@
+                      && elf_symtab_shndx_list (sec->owner) != NULL)
+                    max_sym_shndx_count = sym_count;
+ 
+                 if (esdo->this_hdr.sh_type == SHT_REL
+                     || esdo->this_hdr.sh_type == SHT_RELA)
+                   /* Some backends use reloc_count in relocation sections
+                      to count particular types of relocs.  Of course,
+                      reloc sections themselves can't have relocations.  */
+                   ;
+                 else if (emit_relocs)
+                   {
+                     reloc_count = sec->reloc_count;
+                     if (bed->elf_backend_count_additional_relocs)
+                       {
+                         int c;
+                         c = (*bed->elf_backend_count_additional_relocs) (sec);
+                         additional_reloc_count += c;
+                       }
+                   }
+                 else if (bed->elf_backend_count_relocs)
+                   reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+
+                 esdi = elf_section_data (sec);
+
+                  if ((sec->flags & SEC_RELOC) != 0)
+                    {
+                      size_t ext_size = 0;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-20 14:15:28.013342453 +0530
+++ git/bfd/ChangeLog   2017-09-20 14:19:06.990419395 +0530
+@@ -156,6 +156,13 @@
+        (bfd_elf_final_link): Only initialize the extended symbol index
+        section if there are extended symbol tables to list.
+ 
+2016-12-15  Alan Modra  <amodra@gmail.com>
+
+       PR ld/20968
+       PR ld/20908
+        * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
+       reloc counting code later after ELF flavour test.
+
+  2016-12-06  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/20931
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-20 14:27:21 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	67d5e33d4f02c5c784338f736900df72129d1258 (patch)
tree	09ae8ca7a098cb58a1f89d1c9adb7fe77049cd48 /meta/recipes-devtools
parent	b5e7f898506df7bbff861f1ba1b78c695906e3a6 (diff)
download	poky-67d5e33d4f02c5c784338f736900df72129d1258.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 35e26fc0dd..1e55be69f7 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -76,6 +76,8 @@ SRC_URI = "\
76	file://CVE-2017-8394_1.patch \	76	file://CVE-2017-8394_1.patch \
77	file://CVE-2017-8394.patch \	77	file://CVE-2017-8394.patch \
78	file://CVE-2017-8398.patch \	78	file://CVE-2017-8398.patch \
		79	file://CVE-2017-7299_1.patch \
		80	file://CVE-2017-7299_2.patch \
79	"	81	"
80	S = "${WORKDIR}/git"	82	S = "${WORKDIR}/git"
81		83


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch new file mode 100644 index 0000000000..50a48bc549 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
@@ -0,0 +1,47 @@
		1	commit d7f399a8de4c55eb841db6493597a587fac002de
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Fri Dec 2 17:46:26 2016 +0000
		4
		5	Fix seg-fault in linker when passed a corrupt binary input file.
		6
		7	PR lf/20908
		8	* elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
		9	when following indirect links.
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2017-7299
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16	Index: git/bfd/elflink.c
		17	===================================================================
		18	--- git.orig/bfd/elflink.c 2017-09-20 14:15:26.337333504 +0530
		19	+++ git/bfd/elflink.c 2017-09-20 14:20:19.000000000 +0530
		20	@@ -11201,6 +11201,12 @@
		21	asection *sec;
		22
		23	sec = p->u.indirect.section;
		24	+ /* See PR 20908 for a reproducer. */
		25	+ if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
		26	+ {
		27	+ _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
		28	+ goto error_return;
		29	+ }
		30	esdi = elf_section_data (sec);
		31
		32	/* Mark all sections which are to be included in the
		33	Index: git/bfd/ChangeLog
		34	===================================================================
		35	--- git.orig/bfd/ChangeLog 2017-09-20 14:20:19.000000000 +0530
		36	+++ git/bfd/ChangeLog 2017-09-20 14:23:48.743556932 +0530
		37	@@ -192,6 +192,10 @@
		38
		39	2016-12-02 Nick Clifton <nickc@redhat.com>
		40
		41	+ PR lf/20908
		42	+ * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
		43	+ when following indirect links.
		44	+
		45	PR ld/20909
		46	* aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
		47	for an illegal string offset.


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch new file mode 100644 index 0000000000..7691b122ce --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
@@ -0,0 +1,120 @@
		1	commit a961cdd5f139d3c3e09170db52bd8df7dafae13f
		2	Author: Alan Modra <amodra@gmail.com>
		3	Date: Thu Dec 15 21:29:44 2016 +1030
		4
		5	Linking non-ELF file broken by PR20908 fix
		6
		7	PR ld/20968
		8	PR ld/20908
		9	* elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move
		10	reloc counting code later after ELF flavour test.
		11
		12	Upstream-Status: Backport
		13
		14	CVE: CVE-2017-7299
		15	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		16
		17	Index: git/bfd/elflink.c
		18	===================================================================
		19	--- git.orig/bfd/elflink.c 2017-09-20 14:15:28.133343092 +0530
		20	+++ git/bfd/elflink.c 2017-09-20 14:15:28.189343391 +0530
		21	@@ -11201,13 +11201,6 @@
		22	asection *sec;
		23
		24	sec = p->u.indirect.section;
		25	- /* See PR 20908 for a reproducer. */
		26	- if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
		27	- {
		28	- _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
		29	- goto error_return;
		30	- }
		31	- esdi = elf_section_data (sec);
		32
		33	/* Mark all sections which are to be included in the
		34	link. This will normally be every section. We need
		35	@@ -11218,37 +11211,18 @@
		36	if (sec->flags & SEC_MERGE)
		37	merged = TRUE;
		38
		39	- if (esdo->this_hdr.sh_type == SHT_REL
		40	- \|\| esdo->this_hdr.sh_type == SHT_RELA)
		41	- /* Some backends use reloc_count in relocation sections
		42	- to count particular types of relocs. Of course,
		43	- reloc sections themselves can't have relocations. */
		44	- reloc_count = 0;
		45	- else if (emit_relocs)
		46	- {
		47	- reloc_count = sec->reloc_count;
		48	- if (bed->elf_backend_count_additional_relocs)
		49	- {
		50	- int c;
		51	- c = (*bed->elf_backend_count_additional_relocs) (sec);
		52	- additional_reloc_count += c;
		53	- }
		54	- }
		55	- else if (bed->elf_backend_count_relocs)
		56	- reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
		57	-
		58	if (sec->rawsize > max_contents_size)
		59	max_contents_size = sec->rawsize;
		60	if (sec->size > max_contents_size)
		61	max_contents_size = sec->size;
		62
		63	- /* We are interested in just local symbols, not all
		64	- symbols. */
		65	if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour
		66	&& (sec->owner->flags & DYNAMIC) == 0)
		67	{
		68	size_t sym_count;
		69
		70	+ /* We are interested in just local symbols, not all
		71	+ symbols. */
		72	if (elf_bad_symtab (sec->owner))
		73	sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size
		74	/ bed->s->sizeof_sym);
		75	@@ -11262,6 +11236,27 @@
		76	&& elf_symtab_shndx_list (sec->owner) != NULL)
		77	max_sym_shndx_count = sym_count;
		78
		79	+ if (esdo->this_hdr.sh_type == SHT_REL
		80	+ \|\| esdo->this_hdr.sh_type == SHT_RELA)
		81	+ /* Some backends use reloc_count in relocation sections
		82	+ to count particular types of relocs. Of course,
		83	+ reloc sections themselves can't have relocations. */
		84	+ ;
		85	+ else if (emit_relocs)
		86	+ {
		87	+ reloc_count = sec->reloc_count;
		88	+ if (bed->elf_backend_count_additional_relocs)
		89	+ {
		90	+ int c;
		91	+ c = (*bed->elf_backend_count_additional_relocs) (sec);
		92	+ additional_reloc_count += c;
		93	+ }
		94	+ }
		95	+ else if (bed->elf_backend_count_relocs)
		96	+ reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
		97	+
		98	+ esdi = elf_section_data (sec);
		99	+
		100	if ((sec->flags & SEC_RELOC) != 0)
		101	{
		102	size_t ext_size = 0;
		103	Index: git/bfd/ChangeLog
		104	===================================================================
		105	--- git.orig/bfd/ChangeLog 2017-09-20 14:15:28.013342453 +0530
		106	+++ git/bfd/ChangeLog 2017-09-20 14:19:06.990419395 +0530
		107	@@ -156,6 +156,13 @@
		108	(bfd_elf_final_link): Only initialize the extended symbol index
		109	section if there are extended symbol tables to list.
		110
		111	+2016-12-15 Alan Modra <amodra@gmail.com>
		112	+
		113	+ PR ld/20968
		114	+ PR ld/20908
		115	+ * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move
		116	+ reloc counting code later after ELF flavour test.
		117	+
		118	2016-12-06 Nick Clifton <nickc@redhat.com>
		119
		120	PR binutils/20931