diff options
author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2017-04-11 00:00:24 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-11 18:10:18 +0100 |
commit | ca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch) | |
tree | 09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools | |
parent | 40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff) | |
download | poky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz |
binutils: Fix CVE-2017-6965 and CVE-2017-6966
Backport upstream commit to address vulnerabilities:
CVE: CVE-2017-6965
[BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137
Fix readelf writing to illegal addresses whilst processing corrupt input
files containing symbol-difference relocations.
PR binutils/21137
* readelf.c (target_specific_reloc_handling): Add end parameter.
Check for buffer overflow before writing relocated values.
(apply_relocations): Pass end to target_specific_reloc_handling.
CVE: CVE-2017-6966
[BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139
Fix read-after-free error in readelf when processing multiple, relocated
sections in an MSP430 binary.
PR binutils/21139
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
(From OE-Core rev: 8c52a530ba2beb438aa47956bcec3777a1eafe5f)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
3 files changed, 367 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 76b81b04ca..7585da1ca9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc | |||
@@ -35,6 +35,8 @@ SRC_URI = "\ | |||
35 | file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \ | 35 | file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \ |
36 | file://0015-sync-with-OE-libtool-changes.patch \ | 36 | file://0015-sync-with-OE-libtool-changes.patch \ |
37 | file://0016-Detect-64-bit-MIPS-targets.patch \ | 37 | file://0016-Detect-64-bit-MIPS-targets.patch \ |
38 | file://CVE-2017-6965.patch \ | ||
39 | file://CVE-2017-6966.patch \ | ||
38 | " | 40 | " |
39 | S = "${WORKDIR}/git" | 41 | S = "${WORKDIR}/git" |
40 | 42 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch new file mode 100644 index 0000000000..1334c9444d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Mon, 13 Feb 2017 13:08:32 +0000 | ||
4 | Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst | ||
5 | processing corrupt input files containing symbol-difference relocations. | ||
6 | |||
7 | PR binutils/21137 | ||
8 | * readelf.c (target_specific_reloc_handling): Add end parameter. | ||
9 | Check for buffer overflow before writing relocated values. | ||
10 | (apply_relocations): Pass end to target_specific_reloc_handling. | ||
11 | |||
12 | (cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493) | ||
13 | Upstream-Status: Backport [master] | ||
14 | CVE: CVE-2017-6965 | ||
15 | |||
16 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
17 | --- | ||
18 | binutils/ChangeLog | 7 +++++++ | ||
19 | binutils/readelf.c | 30 +++++++++++++++++++++++++----- | ||
20 | 2 files changed, 32 insertions(+), 5 deletions(-) | ||
21 | |||
22 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog | ||
23 | index f21867f98c..e789a3b99b 100644 | ||
24 | --- a/binutils/ChangeLog | ||
25 | +++ b/binutils/ChangeLog | ||
26 | @@ -1,3 +1,10 @@ | ||
27 | +2017-02-13 Nick Clifton <nickc@redhat.com> | ||
28 | + | ||
29 | + PR binutils/21137 | ||
30 | + * readelf.c (target_specific_reloc_handling): Add end parameter. | ||
31 | + Check for buffer overflow before writing relocated values. | ||
32 | + (apply_relocations): Pass end to target_specific_reloc_handling. | ||
33 | + | ||
34 | 2017-03-02 Tristan Gingold <gingold@adacore.com> | ||
35 | |||
36 | * configure: Regenerate. | ||
37 | diff --git a/binutils/readelf.c b/binutils/readelf.c | ||
38 | index b5f577f5a1..8cdaae3b8c 100644 | ||
39 | --- a/binutils/readelf.c | ||
40 | +++ b/binutils/readelf.c | ||
41 | @@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) | ||
42 | static bfd_boolean | ||
43 | target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
44 | unsigned char * start, | ||
45 | + unsigned char * end, | ||
46 | Elf_Internal_Sym * symtab) | ||
47 | { | ||
48 | unsigned int reloc_type = get_reloc_type (reloc->r_info); | ||
49 | @@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
50 | handle_sym_diff: | ||
51 | if (saved_sym != NULL) | ||
52 | { | ||
53 | + int reloc_size = reloc_type == 1 ? 4 : 2; | ||
54 | bfd_vma value; | ||
55 | |||
56 | value = reloc->r_addend | ||
57 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
58 | - saved_sym->st_value); | ||
59 | |||
60 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); | ||
61 | + if (start + reloc->r_offset + reloc_size >= end) | ||
62 | + /* PR 21137 */ | ||
63 | + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
64 | + start + reloc->r_offset + reloc_size, end); | ||
65 | + else | ||
66 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
67 | |||
68 | saved_sym = NULL; | ||
69 | return TRUE; | ||
70 | @@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
71 | case 2: /* R_MN10300_16 */ | ||
72 | if (saved_sym != NULL) | ||
73 | { | ||
74 | + int reloc_size = reloc_type == 1 ? 4 : 2; | ||
75 | bfd_vma value; | ||
76 | |||
77 | value = reloc->r_addend | ||
78 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
79 | - saved_sym->st_value); | ||
80 | |||
81 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); | ||
82 | + if (start + reloc->r_offset + reloc_size >= end) | ||
83 | + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
84 | + start + reloc->r_offset + reloc_size, end); | ||
85 | + else | ||
86 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
87 | |||
88 | saved_sym = NULL; | ||
89 | return TRUE; | ||
90 | @@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
91 | break; | ||
92 | |||
93 | case 0x41: /* R_RL78_ABS32. */ | ||
94 | - byte_put (start + reloc->r_offset, value, 4); | ||
95 | + if (start + reloc->r_offset + 4 >= end) | ||
96 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
97 | + start + reloc->r_offset + 2, end); | ||
98 | + else | ||
99 | + byte_put (start + reloc->r_offset, value, 4); | ||
100 | value = 0; | ||
101 | return TRUE; | ||
102 | |||
103 | case 0x43: /* R_RL78_ABS16. */ | ||
104 | - byte_put (start + reloc->r_offset, value, 2); | ||
105 | + if (start + reloc->r_offset + 2 >= end) | ||
106 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
107 | + start + reloc->r_offset + 2, end); | ||
108 | + else | ||
109 | + byte_put (start + reloc->r_offset, value, 2); | ||
110 | value = 0; | ||
111 | return TRUE; | ||
112 | |||
113 | @@ -12325,7 +12345,7 @@ apply_relocations (void * file, | ||
114 | |||
115 | reloc_type = get_reloc_type (rp->r_info); | ||
116 | |||
117 | - if (target_specific_reloc_handling (rp, start, symtab)) | ||
118 | + if (target_specific_reloc_handling (rp, start, end, symtab)) | ||
119 | continue; | ||
120 | else if (is_none_reloc (reloc_type)) | ||
121 | continue; | ||
122 | -- | ||
123 | 2.11.0 | ||
124 | |||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch new file mode 100644 index 0000000000..dd58df5fbf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch | |||
@@ -0,0 +1,241 @@ | |||
1 | From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Mon, 13 Feb 2017 14:03:22 +0000 | ||
4 | Subject: [PATCH] Fix read-after-free error in readelf when processing | ||
5 | multiple, relocated sections in an MSP430 binary. | ||
6 | |||
7 | PR binutils/21139 | ||
8 | * readelf.c (target_specific_reloc_handling): Add num_syms | ||
9 | parameter. Check for symbol table overflow before accessing | ||
10 | symbol value. If reloc pointer is NULL, discard all saved state. | ||
11 | (apply_relocations): Pass num_syms to target_specific_reloc_handling. | ||
12 | Call target_specific_reloc_handling with a NULL reloc pointer | ||
13 | after processing all of the relocs. | ||
14 | |||
15 | (cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9) | ||
16 | Upstream-Status: Backport [master] | ||
17 | CVE: CVE-2017-6966 | ||
18 | |||
19 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
20 | --- | ||
21 | binutils/ChangeLog | 10 +++++ | ||
22 | binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------ | ||
23 | 2 files changed, 94 insertions(+), 25 deletions(-) | ||
24 | |||
25 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog | ||
26 | index e789a3b99b..bd63c8a0d8 100644 | ||
27 | --- a/binutils/ChangeLog | ||
28 | +++ b/binutils/ChangeLog | ||
29 | @@ -1,5 +1,15 @@ | ||
30 | 2017-02-13 Nick Clifton <nickc@redhat.com> | ||
31 | |||
32 | + PR binutils/21139 | ||
33 | + * readelf.c (target_specific_reloc_handling): Add num_syms | ||
34 | + parameter. Check for symbol table overflow before accessing | ||
35 | + symbol value. If reloc pointer is NULL, discard all saved state. | ||
36 | + (apply_relocations): Pass num_syms to target_specific_reloc_handling. | ||
37 | + Call target_specific_reloc_handling with a NULL reloc pointer | ||
38 | + after processing all of the relocs. | ||
39 | + | ||
40 | +2017-02-13 Nick Clifton <nickc@redhat.com> | ||
41 | + | ||
42 | PR binutils/21137 | ||
43 | * readelf.c (target_specific_reloc_handling): Add end parameter. | ||
44 | Check for buffer overflow before writing relocated values. | ||
45 | diff --git a/binutils/readelf.c b/binutils/readelf.c | ||
46 | index 8cdaae3b8c..7c158c6342 100644 | ||
47 | --- a/binutils/readelf.c | ||
48 | +++ b/binutils/readelf.c | ||
49 | @@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) | ||
50 | |||
51 | /* Check to see if the given reloc needs to be handled in a target specific | ||
52 | manner. If so then process the reloc and return TRUE otherwise return | ||
53 | - FALSE. */ | ||
54 | + FALSE. | ||
55 | + | ||
56 | + If called with reloc == NULL, then this is a signal that reloc processing | ||
57 | + for the current section has finished, and any saved state should be | ||
58 | + discarded. */ | ||
59 | |||
60 | static bfd_boolean | ||
61 | target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
62 | unsigned char * start, | ||
63 | unsigned char * end, | ||
64 | - Elf_Internal_Sym * symtab) | ||
65 | + Elf_Internal_Sym * symtab, | ||
66 | + unsigned long num_syms) | ||
67 | { | ||
68 | - unsigned int reloc_type = get_reloc_type (reloc->r_info); | ||
69 | + unsigned int reloc_type = 0; | ||
70 | + unsigned long sym_index = 0; | ||
71 | + | ||
72 | + if (reloc) | ||
73 | + { | ||
74 | + reloc_type = get_reloc_type (reloc->r_info); | ||
75 | + sym_index = get_reloc_symindex (reloc->r_info); | ||
76 | + } | ||
77 | |||
78 | switch (elf_header.e_machine) | ||
79 | { | ||
80 | @@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
81 | { | ||
82 | static Elf_Internal_Sym * saved_sym = NULL; | ||
83 | |||
84 | + if (reloc == NULL) | ||
85 | + { | ||
86 | + saved_sym = NULL; | ||
87 | + return TRUE; | ||
88 | + } | ||
89 | + | ||
90 | switch (reloc_type) | ||
91 | { | ||
92 | case 10: /* R_MSP430_SYM_DIFF */ | ||
93 | @@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
94 | break; | ||
95 | /* Fall through. */ | ||
96 | case 21: /* R_MSP430X_SYM_DIFF */ | ||
97 | - saved_sym = symtab + get_reloc_symindex (reloc->r_info); | ||
98 | + /* PR 21139. */ | ||
99 | + if (sym_index >= num_syms) | ||
100 | + error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"), | ||
101 | + sym_index); | ||
102 | + else | ||
103 | + saved_sym = symtab + sym_index; | ||
104 | return TRUE; | ||
105 | |||
106 | case 1: /* R_MSP430_32 or R_MSP430_ABS32 */ | ||
107 | @@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
108 | int reloc_size = reloc_type == 1 ? 4 : 2; | ||
109 | bfd_vma value; | ||
110 | |||
111 | - value = reloc->r_addend | ||
112 | - + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
113 | - - saved_sym->st_value); | ||
114 | - | ||
115 | - if (start + reloc->r_offset + reloc_size >= end) | ||
116 | - /* PR 21137 */ | ||
117 | - error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
118 | - start + reloc->r_offset + reloc_size, end); | ||
119 | + if (sym_index >= num_syms) | ||
120 | + error (_("MSP430 reloc contains invalid symbol index %lu\n"), | ||
121 | + sym_index); | ||
122 | else | ||
123 | - byte_put (start + reloc->r_offset, value, reloc_size); | ||
124 | + { | ||
125 | + value = reloc->r_addend + (symtab[sym_index].st_value | ||
126 | + - saved_sym->st_value); | ||
127 | + | ||
128 | + if (start + reloc->r_offset + reloc_size >= end) | ||
129 | + /* PR 21137 */ | ||
130 | + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
131 | + start + reloc->r_offset + reloc_size, end); | ||
132 | + else | ||
133 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
134 | + } | ||
135 | |||
136 | saved_sym = NULL; | ||
137 | return TRUE; | ||
138 | @@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
139 | { | ||
140 | static Elf_Internal_Sym * saved_sym = NULL; | ||
141 | |||
142 | + if (reloc == NULL) | ||
143 | + { | ||
144 | + saved_sym = NULL; | ||
145 | + return TRUE; | ||
146 | + } | ||
147 | + | ||
148 | switch (reloc_type) | ||
149 | { | ||
150 | case 34: /* R_MN10300_ALIGN */ | ||
151 | return TRUE; | ||
152 | case 33: /* R_MN10300_SYM_DIFF */ | ||
153 | - saved_sym = symtab + get_reloc_symindex (reloc->r_info); | ||
154 | + if (sym_index >= num_syms) | ||
155 | + error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"), | ||
156 | + sym_index); | ||
157 | + else | ||
158 | + saved_sym = symtab + sym_index; | ||
159 | return TRUE; | ||
160 | + | ||
161 | case 1: /* R_MN10300_32 */ | ||
162 | case 2: /* R_MN10300_16 */ | ||
163 | if (saved_sym != NULL) | ||
164 | @@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
165 | int reloc_size = reloc_type == 1 ? 4 : 2; | ||
166 | bfd_vma value; | ||
167 | |||
168 | - value = reloc->r_addend | ||
169 | - + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
170 | - - saved_sym->st_value); | ||
171 | - | ||
172 | - if (start + reloc->r_offset + reloc_size >= end) | ||
173 | - error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
174 | - start + reloc->r_offset + reloc_size, end); | ||
175 | + if (sym_index >= num_syms) | ||
176 | + error (_("MN10300 reloc contains invalid symbol index %lu\n"), | ||
177 | + sym_index); | ||
178 | else | ||
179 | - byte_put (start + reloc->r_offset, value, reloc_size); | ||
180 | + { | ||
181 | + value = reloc->r_addend + (symtab[sym_index].st_value | ||
182 | + - saved_sym->st_value); | ||
183 | + | ||
184 | + if (start + reloc->r_offset + reloc_size >= end) | ||
185 | + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
186 | + start + reloc->r_offset + reloc_size, end); | ||
187 | + else | ||
188 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
189 | + } | ||
190 | |||
191 | saved_sym = NULL; | ||
192 | return TRUE; | ||
193 | @@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
194 | static bfd_vma saved_sym2 = 0; | ||
195 | static bfd_vma value; | ||
196 | |||
197 | + if (reloc == NULL) | ||
198 | + { | ||
199 | + saved_sym1 = saved_sym2 = 0; | ||
200 | + return TRUE; | ||
201 | + } | ||
202 | + | ||
203 | switch (reloc_type) | ||
204 | { | ||
205 | case 0x80: /* R_RL78_SYM. */ | ||
206 | saved_sym1 = saved_sym2; | ||
207 | - saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value; | ||
208 | - saved_sym2 += reloc->r_addend; | ||
209 | + if (sym_index >= num_syms) | ||
210 | + error (_("RL78_SYM reloc contains invalid symbol index %lu\n"), | ||
211 | + sym_index); | ||
212 | + else | ||
213 | + { | ||
214 | + saved_sym2 = symtab[sym_index].st_value; | ||
215 | + saved_sym2 += reloc->r_addend; | ||
216 | + } | ||
217 | return TRUE; | ||
218 | |||
219 | case 0x83: /* R_RL78_OPsub. */ | ||
220 | @@ -12345,7 +12401,7 @@ apply_relocations (void * file, | ||
221 | |||
222 | reloc_type = get_reloc_type (rp->r_info); | ||
223 | |||
224 | - if (target_specific_reloc_handling (rp, start, end, symtab)) | ||
225 | + if (target_specific_reloc_handling (rp, start, end, symtab, num_syms)) | ||
226 | continue; | ||
227 | else if (is_none_reloc (reloc_type)) | ||
228 | continue; | ||
229 | @@ -12441,6 +12497,9 @@ apply_relocations (void * file, | ||
230 | } | ||
231 | |||
232 | free (symtab); | ||
233 | + /* Let the target specific reloc processing code know that | ||
234 | + we have finished with these relocs. */ | ||
235 | + target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0); | ||
236 | |||
237 | if (relocs_return) | ||
238 | { | ||
239 | -- | ||
240 | 2.11.0 | ||
241 | |||