summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorYuanjie Huang <yuanjie.huang@windriver.com>2017-04-11 00:00:24 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-04-11 18:10:18 +0100
commitca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch)
tree09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools
parent40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff)
downloadpoky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz
binutils: Fix CVE-2017-6965 and CVE-2017-6966
Backport upstream commit to address vulnerabilities: CVE: CVE-2017-6965 [BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137 Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations. PR binutils/21137 * readelf.c (target_specific_reloc_handling): Add end parameter. Check for buffer overflow before writing relocated values. (apply_relocations): Pass end to target_specific_reloc_handling. CVE: CVE-2017-6966 [BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139 Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary. PR binutils/21139 * readelf.c (target_specific_reloc_handling): Add num_syms parameter. Check for symbol table overflow before accessing symbol value. If reloc pointer is NULL, discard all saved state. (apply_relocations): Pass num_syms to target_specific_reloc_handling. Call target_specific_reloc_handling with a NULL reloc pointer after processing all of the relocs. (From OE-Core rev: 8c52a530ba2beb438aa47956bcec3777a1eafe5f) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.28.inc2
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch124
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch241
3 files changed, 367 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 76b81b04ca..7585da1ca9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -35,6 +35,8 @@ SRC_URI = "\
35 file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \ 35 file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
36 file://0015-sync-with-OE-libtool-changes.patch \ 36 file://0015-sync-with-OE-libtool-changes.patch \
37 file://0016-Detect-64-bit-MIPS-targets.patch \ 37 file://0016-Detect-64-bit-MIPS-targets.patch \
38 file://CVE-2017-6965.patch \
39 file://CVE-2017-6966.patch \
38" 40"
39S = "${WORKDIR}/git" 41S = "${WORKDIR}/git"
40 42
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
new file mode 100644
index 0000000000..1334c9444d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,124 @@
1From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Mon, 13 Feb 2017 13:08:32 +0000
4Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
5 processing corrupt input files containing symbol-difference relocations.
6
7 PR binutils/21137
8 * readelf.c (target_specific_reloc_handling): Add end parameter.
9 Check for buffer overflow before writing relocated values.
10 (apply_relocations): Pass end to target_specific_reloc_handling.
11
12(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
13Upstream-Status: Backport [master]
14CVE: CVE-2017-6965
15
16Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
17---
18 binutils/ChangeLog | 7 +++++++
19 binutils/readelf.c | 30 +++++++++++++++++++++++++-----
20 2 files changed, 32 insertions(+), 5 deletions(-)
21
22diff --git a/binutils/ChangeLog b/binutils/ChangeLog
23index f21867f98c..e789a3b99b 100644
24--- a/binutils/ChangeLog
25+++ b/binutils/ChangeLog
26@@ -1,3 +1,10 @@
27+2017-02-13 Nick Clifton <nickc@redhat.com>
28+
29+ PR binutils/21137
30+ * readelf.c (target_specific_reloc_handling): Add end parameter.
31+ Check for buffer overflow before writing relocated values.
32+ (apply_relocations): Pass end to target_specific_reloc_handling.
33+
34 2017-03-02 Tristan Gingold <gingold@adacore.com>
35
36 * configure: Regenerate.
37diff --git a/binutils/readelf.c b/binutils/readelf.c
38index b5f577f5a1..8cdaae3b8c 100644
39--- a/binutils/readelf.c
40+++ b/binutils/readelf.c
41@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
42 static bfd_boolean
43 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
44 unsigned char * start,
45+ unsigned char * end,
46 Elf_Internal_Sym * symtab)
47 {
48 unsigned int reloc_type = get_reloc_type (reloc->r_info);
49@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
50 handle_sym_diff:
51 if (saved_sym != NULL)
52 {
53+ int reloc_size = reloc_type == 1 ? 4 : 2;
54 bfd_vma value;
55
56 value = reloc->r_addend
57 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
58 - saved_sym->st_value);
59
60- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
61+ if (start + reloc->r_offset + reloc_size >= end)
62+ /* PR 21137 */
63+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
64+ start + reloc->r_offset + reloc_size, end);
65+ else
66+ byte_put (start + reloc->r_offset, value, reloc_size);
67
68 saved_sym = NULL;
69 return TRUE;
70@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
71 case 2: /* R_MN10300_16 */
72 if (saved_sym != NULL)
73 {
74+ int reloc_size = reloc_type == 1 ? 4 : 2;
75 bfd_vma value;
76
77 value = reloc->r_addend
78 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
79 - saved_sym->st_value);
80
81- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
82+ if (start + reloc->r_offset + reloc_size >= end)
83+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
84+ start + reloc->r_offset + reloc_size, end);
85+ else
86+ byte_put (start + reloc->r_offset, value, reloc_size);
87
88 saved_sym = NULL;
89 return TRUE;
90@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
91 break;
92
93 case 0x41: /* R_RL78_ABS32. */
94- byte_put (start + reloc->r_offset, value, 4);
95+ if (start + reloc->r_offset + 4 >= end)
96+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
97+ start + reloc->r_offset + 2, end);
98+ else
99+ byte_put (start + reloc->r_offset, value, 4);
100 value = 0;
101 return TRUE;
102
103 case 0x43: /* R_RL78_ABS16. */
104- byte_put (start + reloc->r_offset, value, 2);
105+ if (start + reloc->r_offset + 2 >= end)
106+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
107+ start + reloc->r_offset + 2, end);
108+ else
109+ byte_put (start + reloc->r_offset, value, 2);
110 value = 0;
111 return TRUE;
112
113@@ -12325,7 +12345,7 @@ apply_relocations (void * file,
114
115 reloc_type = get_reloc_type (rp->r_info);
116
117- if (target_specific_reloc_handling (rp, start, symtab))
118+ if (target_specific_reloc_handling (rp, start, end, symtab))
119 continue;
120 else if (is_none_reloc (reloc_type))
121 continue;
122--
1232.11.0
124
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
new file mode 100644
index 0000000000..dd58df5fbf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,241 @@
1From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Mon, 13 Feb 2017 14:03:22 +0000
4Subject: [PATCH] Fix read-after-free error in readelf when processing
5 multiple, relocated sections in an MSP430 binary.
6
7 PR binutils/21139
8 * readelf.c (target_specific_reloc_handling): Add num_syms
9 parameter. Check for symbol table overflow before accessing
10 symbol value. If reloc pointer is NULL, discard all saved state.
11 (apply_relocations): Pass num_syms to target_specific_reloc_handling.
12 Call target_specific_reloc_handling with a NULL reloc pointer
13 after processing all of the relocs.
14
15(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
16Upstream-Status: Backport [master]
17CVE: CVE-2017-6966
18
19Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
20---
21 binutils/ChangeLog | 10 +++++
22 binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
23 2 files changed, 94 insertions(+), 25 deletions(-)
24
25diff --git a/binutils/ChangeLog b/binutils/ChangeLog
26index e789a3b99b..bd63c8a0d8 100644
27--- a/binutils/ChangeLog
28+++ b/binutils/ChangeLog
29@@ -1,5 +1,15 @@
30 2017-02-13 Nick Clifton <nickc@redhat.com>
31
32+ PR binutils/21139
33+ * readelf.c (target_specific_reloc_handling): Add num_syms
34+ parameter. Check for symbol table overflow before accessing
35+ symbol value. If reloc pointer is NULL, discard all saved state.
36+ (apply_relocations): Pass num_syms to target_specific_reloc_handling.
37+ Call target_specific_reloc_handling with a NULL reloc pointer
38+ after processing all of the relocs.
39+
40+2017-02-13 Nick Clifton <nickc@redhat.com>
41+
42 PR binutils/21137
43 * readelf.c (target_specific_reloc_handling): Add end parameter.
44 Check for buffer overflow before writing relocated values.
45diff --git a/binutils/readelf.c b/binutils/readelf.c
46index 8cdaae3b8c..7c158c6342 100644
47--- a/binutils/readelf.c
48+++ b/binutils/readelf.c
49@@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
50
51 /* Check to see if the given reloc needs to be handled in a target specific
52 manner. If so then process the reloc and return TRUE otherwise return
53- FALSE. */
54+ FALSE.
55+
56+ If called with reloc == NULL, then this is a signal that reloc processing
57+ for the current section has finished, and any saved state should be
58+ discarded. */
59
60 static bfd_boolean
61 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
62 unsigned char * start,
63 unsigned char * end,
64- Elf_Internal_Sym * symtab)
65+ Elf_Internal_Sym * symtab,
66+ unsigned long num_syms)
67 {
68- unsigned int reloc_type = get_reloc_type (reloc->r_info);
69+ unsigned int reloc_type = 0;
70+ unsigned long sym_index = 0;
71+
72+ if (reloc)
73+ {
74+ reloc_type = get_reloc_type (reloc->r_info);
75+ sym_index = get_reloc_symindex (reloc->r_info);
76+ }
77
78 switch (elf_header.e_machine)
79 {
80@@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
81 {
82 static Elf_Internal_Sym * saved_sym = NULL;
83
84+ if (reloc == NULL)
85+ {
86+ saved_sym = NULL;
87+ return TRUE;
88+ }
89+
90 switch (reloc_type)
91 {
92 case 10: /* R_MSP430_SYM_DIFF */
93@@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
94 break;
95 /* Fall through. */
96 case 21: /* R_MSP430X_SYM_DIFF */
97- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
98+ /* PR 21139. */
99+ if (sym_index >= num_syms)
100+ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
101+ sym_index);
102+ else
103+ saved_sym = symtab + sym_index;
104 return TRUE;
105
106 case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
107@@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
108 int reloc_size = reloc_type == 1 ? 4 : 2;
109 bfd_vma value;
110
111- value = reloc->r_addend
112- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
113- - saved_sym->st_value);
114-
115- if (start + reloc->r_offset + reloc_size >= end)
116- /* PR 21137 */
117- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
118- start + reloc->r_offset + reloc_size, end);
119+ if (sym_index >= num_syms)
120+ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
121+ sym_index);
122 else
123- byte_put (start + reloc->r_offset, value, reloc_size);
124+ {
125+ value = reloc->r_addend + (symtab[sym_index].st_value
126+ - saved_sym->st_value);
127+
128+ if (start + reloc->r_offset + reloc_size >= end)
129+ /* PR 21137 */
130+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
131+ start + reloc->r_offset + reloc_size, end);
132+ else
133+ byte_put (start + reloc->r_offset, value, reloc_size);
134+ }
135
136 saved_sym = NULL;
137 return TRUE;
138@@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
139 {
140 static Elf_Internal_Sym * saved_sym = NULL;
141
142+ if (reloc == NULL)
143+ {
144+ saved_sym = NULL;
145+ return TRUE;
146+ }
147+
148 switch (reloc_type)
149 {
150 case 34: /* R_MN10300_ALIGN */
151 return TRUE;
152 case 33: /* R_MN10300_SYM_DIFF */
153- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
154+ if (sym_index >= num_syms)
155+ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
156+ sym_index);
157+ else
158+ saved_sym = symtab + sym_index;
159 return TRUE;
160+
161 case 1: /* R_MN10300_32 */
162 case 2: /* R_MN10300_16 */
163 if (saved_sym != NULL)
164@@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
165 int reloc_size = reloc_type == 1 ? 4 : 2;
166 bfd_vma value;
167
168- value = reloc->r_addend
169- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
170- - saved_sym->st_value);
171-
172- if (start + reloc->r_offset + reloc_size >= end)
173- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
174- start + reloc->r_offset + reloc_size, end);
175+ if (sym_index >= num_syms)
176+ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
177+ sym_index);
178 else
179- byte_put (start + reloc->r_offset, value, reloc_size);
180+ {
181+ value = reloc->r_addend + (symtab[sym_index].st_value
182+ - saved_sym->st_value);
183+
184+ if (start + reloc->r_offset + reloc_size >= end)
185+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
186+ start + reloc->r_offset + reloc_size, end);
187+ else
188+ byte_put (start + reloc->r_offset, value, reloc_size);
189+ }
190
191 saved_sym = NULL;
192 return TRUE;
193@@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
194 static bfd_vma saved_sym2 = 0;
195 static bfd_vma value;
196
197+ if (reloc == NULL)
198+ {
199+ saved_sym1 = saved_sym2 = 0;
200+ return TRUE;
201+ }
202+
203 switch (reloc_type)
204 {
205 case 0x80: /* R_RL78_SYM. */
206 saved_sym1 = saved_sym2;
207- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
208- saved_sym2 += reloc->r_addend;
209+ if (sym_index >= num_syms)
210+ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
211+ sym_index);
212+ else
213+ {
214+ saved_sym2 = symtab[sym_index].st_value;
215+ saved_sym2 += reloc->r_addend;
216+ }
217 return TRUE;
218
219 case 0x83: /* R_RL78_OPsub. */
220@@ -12345,7 +12401,7 @@ apply_relocations (void * file,
221
222 reloc_type = get_reloc_type (rp->r_info);
223
224- if (target_specific_reloc_handling (rp, start, end, symtab))
225+ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
226 continue;
227 else if (is_none_reloc (reloc_type))
228 continue;
229@@ -12441,6 +12497,9 @@ apply_relocations (void * file,
230 }
231
232 free (symtab);
233+ /* Let the target specific reloc processing code know that
234+ we have finished with these relocs. */
235+ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
236
237 if (relocs_return)
238 {
239--
2402.11.0
241