binutils: CVE-2017-8393

Source: git://sourceware.org/git/binutils-gdb.git MR: 74179 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: 976156cd25454143883090ca42010c38c6d6af0f Description: PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA. This patch fixes an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. I'm also modifying the interface for elf_backend_get_reloc_section, so any backend function just needs to handle name mapping. Affects: <= 2.29 Author: Alan Modra <amodra@gmail.com> (From OE-Core rev: 24124406a2a1657b80ba2933bef40ccf798c8097) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-04 18:26:31 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: a36d21557b756e5e0b063f001841fd5afd2c706c (patch)
tree: 6d080b60f9b164c54d0947ee70c906456778e504 /meta/recipes-devtools
parent: 951aea1f7bb7a3394429918b4322ea72af568151 (diff)
download: poky-a36d21557b756e5e0b063f001841fd5afd2c706c.tar.gz
2 files changed, 202 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index d1ad198c57..447de53946 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -67,6 +67,7 @@ SRC_URI = "\
     file://CVE-2017-7302.patch \
     file://CVE-2017-7303.patch \
     file://CVE-2017-7304.patch \
+     file://CVE-2017-8393.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
new file mode 100644
index 0000000000..96fe9e34bd
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
@@ -0,0 +1,201 @@
+commit bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
+Author: Alan Modra <amodra@gmail.com>
+Date:   Sun Apr 23 11:03:34 2017 +0930
+    PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA.
+    
+    This patch fixes an assumption made by code that runs for objcopy and
+    strip, that SHT_REL/SHR_RELA sections are always named starting with a
+    .rel/.rela prefix.  I'm also modifying the interface for
+    elf_backend_get_reloc_section, so any backend function just needs to
+    handle name mapping.
+    
+        PR 21412
+        * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
+        parameters and comment.
+        (_bfd_elf_get_reloc_section): Delete.
+        (_bfd_elf_plt_get_reloc_section): Declare.
+        * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
+        New functions.  Don't blindly skip over assumed .rel/.rela prefix.
+        Extracted from..
+        (_bfd_elf_get_reloc_section): ..here.  Delete.
+        (assign_section_numbers): Call elf_get_reloc_section.
+        * elf64-ppc.c (elf_backend_get_reloc_section): Define.
+        * elfxx-target.h (elf_backend_get_reloc_section): Update.
+Upstream-Status: Backport
+CVE: CVE-2017-8393
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/elf-bfd.h
+===================================================================
+--- git.orig/bfd/elf-bfd.h      2017-09-04 17:43:22.156623008 +0530
+++ git/bfd/elf-bfd.h   2017-09-04 17:43:33.836716941 +0530
+@@ -1298,8 +1298,10 @@
+   bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec,
+                                       bfd_vma *code_off);
+ 
+-  /* Return the section which RELOC_SEC applies to.  */
+-  asection *(*get_reloc_section) (asection *reloc_sec);
+  /* Given NAME, the name of a relocation section stripped of its
+     .rel/.rela prefix, return the section in ABFD to which the
+     relocations apply.  */
+  asection *(*get_reloc_section) (bfd *abfd, const char *name);
+ 
+   /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
+      has a type >= SHT_LOOS.  Returns TRUE if the fields were initialised,
+@@ -2358,7 +2360,7 @@
+ extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *,
+                                                  bfd_vma *);
+ 
+-extern asection *_bfd_elf_get_reloc_section (asection *);
+extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *);
+ 
+ extern int bfd_elf_get_default_section_type (flagword);
+ 
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c  2017-09-04 17:43:33.780716491 +0530
+++ git/bfd/elf.c       2017-09-04 17:43:33.836716941 +0530
+@@ -3493,17 +3493,39 @@
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+ }
+ 
+-/* Return the section which RELOC_SEC applies to.  */
+/* Given NAME, the name of a relocation section stripped of its
+   .rel/.rela prefix, return the section in ABFD to which the
+   relocations apply.  */
+ 
+ asection *
+-_bfd_elf_get_reloc_section (asection *reloc_sec)
+_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name)
+{
+  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+     section likely apply to .got.plt or .got section.  */
+  if (get_elf_backend_data (abfd)->want_got_plt
+      && strcmp (name, ".plt") == 0)
+    {
+      asection *sec;
+
+      name = ".got.plt";
+      sec = bfd_get_section_by_name (abfd, name);
+      if (sec != NULL)
+       return sec;
+      name = ".got";
+    }
+
+  return bfd_get_section_by_name (abfd, name);
+}
+
+/* Return the section to which RELOC_SEC applies.  */
+
+static asection *
+elf_get_reloc_section (asection *reloc_sec)
+ {
+   const char *name;
+   unsigned int type;
+   bfd *abfd;
+-
+-  if (reloc_sec == NULL)
+-    return NULL;
+  const struct elf_backend_data *bed;
+ 
+   type = elf_section_data (reloc_sec)->this_hdr.sh_type;
+   if (type != SHT_REL && type != SHT_RELA)
+@@ -3511,28 +3533,15 @@
+ 
+   /* We look up the section the relocs apply to by name.  */
+   name = reloc_sec->name;
+-  if (type == SHT_REL)
+-    name += 4;
+-  else
+-    name += 5;
+  if (strncmp (name, ".rel", 4) != 0)
+    return NULL;
+  name += 4;
+  if (type == SHT_RELA && *name++ != 'a')
+    return NULL;
+ 
+-  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+-     section apply to .got.plt section.  */
+   abfd = reloc_sec->owner;
+-  if (get_elf_backend_data (abfd)->want_got_plt
+-      && strcmp (name, ".plt") == 0)
+-    {
+-      /* .got.plt is a linker created input section.  It may be mapped
+-        to some other output section.  Try two likely sections.  */
+-      name = ".got.plt";
+-      reloc_sec = bfd_get_section_by_name (abfd, name);
+-      if (reloc_sec != NULL)
+-       return reloc_sec;
+-      name = ".got";
+-    }
+-
+-  reloc_sec = bfd_get_section_by_name (abfd, name);
+-  return reloc_sec;
+  bed = get_elf_backend_data (abfd);
+  return bed->get_reloc_section (abfd, name);
+ }
+ 
+ /* Assign all ELF section numbers.  The dummy first section is handled here
+@@ -3790,7 +3799,7 @@
+          if (s != NULL)
+            d->this_hdr.sh_link = elf_section_data (s)->this_idx;
+ 
+-         s = get_elf_backend_data (abfd)->get_reloc_section (sec);
+         s = elf_get_reloc_section (sec);
+          if (s != NULL)
+            {
+              d->this_hdr.sh_info = elf_section_data (s)->this_idx;
+Index: git/bfd/elfxx-target.h
+===================================================================
+--- git.orig/bfd/elfxx-target.h 2017-09-04 17:43:22.216623490 +0530
+++ git/bfd/elfxx-target.h      2017-09-04 17:43:33.836716941 +0530
+@@ -686,7 +686,7 @@
+ #endif
+ 
+ #ifndef elf_backend_get_reloc_section
+-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
+#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
+ #endif
+ 
+ #ifndef elf_backend_copy_special_section_fields
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-04 17:43:33.780716491 +0530
+++ git/bfd/ChangeLog   2017-09-04 17:45:58.349944078 +0530
+@@ -82,6 +82,21 @@
+  
+        * readelf.c (process_mips_specific): Remove null GOT data check.
+ 
+2017-04-23  Alan Modra  <amodra@gmail.com>
+ 
+       PR 21412
+       * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
+       parameters and comment.
+       (_bfd_elf_get_reloc_section): Delete.
+       (_bfd_elf_plt_get_reloc_section): Declare.
+       * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
+       New functions.  Don't blindly skip over assumed .rel/.rela prefix.
+       Extracted from..
+       (_bfd_elf_get_reloc_section): ..here.  Delete.
+       (assign_section_numbers): Call elf_get_reloc_section.
+       * elf64-ppc.c (elf_backend_get_reloc_section): Define.
+       * elfxx-target.h (elf_backend_get_reloc_section): Update.
+
+ 2017-04-13  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21379
+Index: git/bfd/elf64-ppc.c
+===================================================================
+--- git.orig/bfd/elf64-ppc.c    2017-09-04 17:43:22.200623362 +0530
+++ git/bfd/elf64-ppc.c 2017-09-04 17:47:04.458511122 +0530
+@@ -117,6 +117,7 @@
+ #define elf_backend_link_output_symbol_hook   ppc64_elf_output_symbol_hook
+ #define elf_backend_special_sections         ppc64_elf_special_sections
+ #define elf_backend_merge_symbol_attribute    ppc64_elf_merge_symbol_attribute
+#define elf_backend_get_reloc_section        bfd_get_section_by_name
+ 
+ /* The name of the dynamic interpreter.  This is put in the .interp
+    section.  */
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-04 18:26:31 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	a36d21557b756e5e0b063f001841fd5afd2c706c (patch)
tree	6d080b60f9b164c54d0947ee70c906456778e504 /meta/recipes-devtools
parent	951aea1f7bb7a3394429918b4322ea72af568151 (diff)
download	poky-a36d21557b756e5e0b063f001841fd5afd2c706c.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index d1ad198c57..447de53946 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -67,6 +67,7 @@ SRC_URI = "\
67	file://CVE-2017-7302.patch \	67	file://CVE-2017-7302.patch \
68	file://CVE-2017-7303.patch \	68	file://CVE-2017-7303.patch \
69	file://CVE-2017-7304.patch \	69	file://CVE-2017-7304.patch \
		70	file://CVE-2017-8393.patch \
70	"	71	"
71	S = "${WORKDIR}/git"	72	S = "${WORKDIR}/git"
72		73


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch new file mode 100644 index 0000000000..96fe9e34bd --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
@@ -0,0 +1,201 @@
		1	commit bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
		2	Author: Alan Modra <amodra@gmail.com>
		3	Date: Sun Apr 23 11:03:34 2017 +0930
		4
		5	PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA.
		6
		7	This patch fixes an assumption made by code that runs for objcopy and
		8	strip, that SHT_REL/SHR_RELA sections are always named starting with a
		9	.rel/.rela prefix. I'm also modifying the interface for
		10	elf_backend_get_reloc_section, so any backend function just needs to
		11	handle name mapping.
		12
		13	PR 21412
		14	* elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
		15	parameters and comment.
		16	(_bfd_elf_get_reloc_section): Delete.
		17	(_bfd_elf_plt_get_reloc_section): Declare.
		18	* elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
		19	New functions. Don't blindly skip over assumed .rel/.rela prefix.
		20	Extracted from..
		21	(_bfd_elf_get_reloc_section): ..here. Delete.
		22	(assign_section_numbers): Call elf_get_reloc_section.
		23	* elf64-ppc.c (elf_backend_get_reloc_section): Define.
		24	* elfxx-target.h (elf_backend_get_reloc_section): Update.
		25
		26	Upstream-Status: Backport
		27
		28	CVE: CVE-2017-8393
		29	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		30
		31	Index: git/bfd/elf-bfd.h
		32	===================================================================
		33	--- git.orig/bfd/elf-bfd.h 2017-09-04 17:43:22.156623008 +0530
		34	+++ git/bfd/elf-bfd.h 2017-09-04 17:43:33.836716941 +0530
		35	@@ -1298,8 +1298,10 @@
		36	bfd_size_type (maybe_function_sym) (const asymbol sym, asection *sec,
		37	bfd_vma *code_off);
		38
		39	- /* Return the section which RELOC_SEC applies to. */
		40	- asection (get_reloc_section) (asection *reloc_sec);
		41	+ /* Given NAME, the name of a relocation section stripped of its
		42	+ .rel/.rela prefix, return the section in ABFD to which the
		43	+ relocations apply. */
		44	+ asection (get_reloc_section) (bfd abfd, const char name);
		45
		46	/* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
		47	has a type >= SHT_LOOS. Returns TRUE if the fields were initialised,
		48	@@ -2358,7 +2360,7 @@
		49	extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol , asection ,
		50	bfd_vma *);
		51
		52	-extern asection _bfd_elf_get_reloc_section (asection );
		53	+extern asection _bfd_elf_plt_get_reloc_section (bfd , const char *);
		54
		55	extern int bfd_elf_get_default_section_type (flagword);
		56
		57	Index: git/bfd/elf.c
		58	===================================================================
		59	--- git.orig/bfd/elf.c 2017-09-04 17:43:33.780716491 +0530
		60	+++ git/bfd/elf.c 2017-09-04 17:43:33.836716941 +0530
		61	@@ -3493,17 +3493,39 @@
		62	H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
		63	}
		64
		65	-/* Return the section which RELOC_SEC applies to. */
		66	+/* Given NAME, the name of a relocation section stripped of its
		67	+ .rel/.rela prefix, return the section in ABFD to which the
		68	+ relocations apply. */
		69
		70	asection *
		71	-_bfd_elf_get_reloc_section (asection *reloc_sec)
		72	+_bfd_elf_plt_get_reloc_section (bfd abfd, const char name)
		73	+{
		74	+ /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
		75	+ section likely apply to .got.plt or .got section. */
		76	+ if (get_elf_backend_data (abfd)->want_got_plt
		77	+ && strcmp (name, ".plt") == 0)
		78	+ {
		79	+ asection *sec;
		80	+
		81	+ name = ".got.plt";
		82	+ sec = bfd_get_section_by_name (abfd, name);
		83	+ if (sec != NULL)
		84	+ return sec;
		85	+ name = ".got";
		86	+ }
		87	+
		88	+ return bfd_get_section_by_name (abfd, name);
		89	+}
		90	+
		91	+/* Return the section to which RELOC_SEC applies. */
		92	+
		93	+static asection *
		94	+elf_get_reloc_section (asection *reloc_sec)
		95	{
		96	const char *name;
		97	unsigned int type;
		98	bfd *abfd;
		99	-
		100	- if (reloc_sec == NULL)
		101	- return NULL;
		102	+ const struct elf_backend_data *bed;
		103
		104	type = elf_section_data (reloc_sec)->this_hdr.sh_type;
		105	if (type != SHT_REL && type != SHT_RELA)
		106	@@ -3511,28 +3533,15 @@
		107
		108	/* We look up the section the relocs apply to by name. */
		109	name = reloc_sec->name;
		110	- if (type == SHT_REL)
		111	- name += 4;
		112	- else
		113	- name += 5;
		114	+ if (strncmp (name, ".rel", 4) != 0)
		115	+ return NULL;
		116	+ name += 4;
		117	+ if (type == SHT_RELA && *name++ != 'a')
		118	+ return NULL;
		119
		120	- /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
		121	- section apply to .got.plt section. */
		122	abfd = reloc_sec->owner;
		123	- if (get_elf_backend_data (abfd)->want_got_plt
		124	- && strcmp (name, ".plt") == 0)
		125	- {
		126	- /* .got.plt is a linker created input section. It may be mapped
		127	- to some other output section. Try two likely sections. */
		128	- name = ".got.plt";
		129	- reloc_sec = bfd_get_section_by_name (abfd, name);
		130	- if (reloc_sec != NULL)
		131	- return reloc_sec;
		132	- name = ".got";
		133	- }
		134	-
		135	- reloc_sec = bfd_get_section_by_name (abfd, name);
		136	- return reloc_sec;
		137	+ bed = get_elf_backend_data (abfd);
		138	+ return bed->get_reloc_section (abfd, name);
		139	}
		140
		141	/* Assign all ELF section numbers. The dummy first section is handled here
		142	@@ -3790,7 +3799,7 @@
		143	if (s != NULL)
		144	d->this_hdr.sh_link = elf_section_data (s)->this_idx;
		145
		146	- s = get_elf_backend_data (abfd)->get_reloc_section (sec);
		147	+ s = elf_get_reloc_section (sec);
		148	if (s != NULL)
		149	{
		150	d->this_hdr.sh_info = elf_section_data (s)->this_idx;
		151	Index: git/bfd/elfxx-target.h
		152	===================================================================
		153	--- git.orig/bfd/elfxx-target.h 2017-09-04 17:43:22.216623490 +0530
		154	+++ git/bfd/elfxx-target.h 2017-09-04 17:43:33.836716941 +0530
		155	@@ -686,7 +686,7 @@
		156	#endif
		157
		158	#ifndef elf_backend_get_reloc_section
		159	-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
		160	+#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
		161	#endif
		162
		163	#ifndef elf_backend_copy_special_section_fields
		164	Index: git/bfd/ChangeLog
		165	===================================================================
		166	--- git.orig/bfd/ChangeLog 2017-09-04 17:43:33.780716491 +0530
		167	+++ git/bfd/ChangeLog 2017-09-04 17:45:58.349944078 +0530
		168	@@ -82,6 +82,21 @@
		169
		170	* readelf.c (process_mips_specific): Remove null GOT data check.
		171
		172	+2017-04-23 Alan Modra <amodra@gmail.com>
		173	+
		174	+ PR 21412
		175	+ * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
		176	+ parameters and comment.
		177	+ (_bfd_elf_get_reloc_section): Delete.
		178	+ (_bfd_elf_plt_get_reloc_section): Declare.
		179	+ * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
		180	+ New functions. Don't blindly skip over assumed .rel/.rela prefix.
		181	+ Extracted from..
		182	+ (_bfd_elf_get_reloc_section): ..here. Delete.
		183	+ (assign_section_numbers): Call elf_get_reloc_section.
		184	+ * elf64-ppc.c (elf_backend_get_reloc_section): Define.
		185	+ * elfxx-target.h (elf_backend_get_reloc_section): Update.
		186	+
		187	2017-04-13 Nick Clifton <nickc@redhat.com>
		188
		189	PR binutils/21379
		190	Index: git/bfd/elf64-ppc.c
		191	===================================================================
		192	--- git.orig/bfd/elf64-ppc.c 2017-09-04 17:43:22.200623362 +0530
		193	+++ git/bfd/elf64-ppc.c 2017-09-04 17:47:04.458511122 +0530
		194	@@ -117,6 +117,7 @@
		195	#define elf_backend_link_output_symbol_hook ppc64_elf_output_symbol_hook
		196	#define elf_backend_special_sections ppc64_elf_special_sections
		197	#define elf_backend_merge_symbol_attribute ppc64_elf_merge_symbol_attribute
		198	+#define elf_backend_get_reloc_section bfd_get_section_by_name
		199
		200	/* The name of the dynamic interpreter. This is put in the .interp
		201	section. */