binutils: Fix CVE-2017-6965 and CVE-2017-6966

Backport upstream commit to address vulnerabilities: CVE: CVE-2017-6965 [BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137 Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations. PR binutils/21137 * readelf.c (target_specific_reloc_handling): Add end parameter. Check for buffer overflow before writing relocated values. (apply_relocations): Pass end to target_specific_reloc_handling. CVE: CVE-2017-6966 [BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139 Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary. PR binutils/21139 * readelf.c (target_specific_reloc_handling): Add num_syms parameter. Check for symbol table overflow before accessing symbol value. If reloc pointer is NULL, discard all saved state. (apply_relocations): Pass num_syms to target_specific_reloc_handling. Call target_specific_reloc_handling with a NULL reloc pointer after processing all of the relocs. (From OE-Core rev: 477afc5634698d6c5cdb6d7705a31d859495695d) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yuanjie Huang <Yuanjie.Huang@windriver.com> 2017-04-10 18:58:34 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-05-18 13:07:33 +0100
commit: 1693b28967b35044e818f0b23627b5778a58045c (patch)
tree: 39173d087e5e472e69e82bfaa7b490d50d2c91ef /meta
parent: 5476c5d9d8fc278faeff2fd8a33cf5582636a943 (diff)
download: poky-1693b28967b35044e818f0b23627b5778a58045c.tar.gz
3 files changed, 369 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index a7cdb6f1d4..f98fef9e02 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -39,6 +39,8 @@ SRC_URI = "\
     file://0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch \
     file://0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch \
     file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
+     file://CVE-2017-6965.patch \
+     file://CVE-2017-6966.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
new file mode 100644
index 0000000000..85f7f98fe0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,127 @@
+From 6f898c17b1d6f6a29a05ca6de31f0fc8f52cfbfe Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 13:08:32 +0000
+Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
+ processing corrupt input files containing symbol-difference relocations.
+        PR binutils/21137
+        * readelf.c (target_specific_reloc_handling): Add end parameter.
+        Check for buffer overflow before writing relocated values.
+        (apply_relocations): Pass end to target_specific_reloc_handling.
+(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6965
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/readelf.c | 30 +++++++++++++++++++++++++-----
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 995de87dc3..154b797a29 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -5,6 +5,13 @@
+        Check for buffer overflow before writing relocated values.
+        (apply_relocations): Pass end to target_specific_reloc_handling.
+ 
+2017-02-13  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21137
+       * readelf.c (target_specific_reloc_handling): Add end parameter.
+       Check for buffer overflow before writing relocated values.
+       (apply_relocations): Pass end to target_specific_reloc_handling.
+
+ 2016-08-03  Tristan Gingold  <gingold@adacore.com>
+ 
+        * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..220671f76f 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -11345,6 +11345,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                                unsigned char *     start,
+                               unsigned char *     end,
+                                Elf_Internal_Sym *  symtab)
+ {
+   unsigned int reloc_type = get_reloc_type (reloc->r_info);
+@@ -11384,13 +11385,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+          handle_sym_diff:
+            if (saved_sym != NULL)
+              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+                value = reloc->r_addend
+                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+                     - saved_sym->st_value);
+ 
+-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 /* PR 21137 */
+                 error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11421,13 +11428,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+          case 2: /* R_MN10300_16 */
+            if (saved_sym != NULL)
+              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+                value = reloc->r_addend
+                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+                     - saved_sym->st_value);
+ 
+-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11462,12 +11474,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+            break;
+ 
+          case 0x41: /* R_RL78_ABS32.  */
+-           byte_put (start + reloc->r_offset, value, 4);
+           if (start + reloc->r_offset + 4 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 4);
+            value = 0;
+            return TRUE;
+ 
+          case 0x43: /* R_RL78_ABS16.  */
+-           byte_put (start + reloc->r_offset, value, 2);
+           if (start + reloc->r_offset + 2 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 2);
+            value = 0;
+            return TRUE;
+ 
+@@ -12074,7 +12094,7 @@ apply_relocations (void *                     file,
+ 
+          reloc_type = get_reloc_type (rp->r_info);
+ 
+-         if (target_specific_reloc_handling (rp, start, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab))
+            continue;
+          else if (is_none_reloc (reloc_type))
+            continue;
+-- 
+2.11.0
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
new file mode 100644
index 0000000000..5e364ef69c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,240 @@
+From 310e2cdc0a46ef62602097f5c21c393571e76df4 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 14:03:22 +0000
+Subject: [PATCH 2/2] Fix read-after-free error in readelf when processing
+ multiple, relocated sections in an MSP430 binary.
+        PR binutils/21139
+        * readelf.c (target_specific_reloc_handling): Add num_syms
+        parameter.  Check for symbol table overflow before accessing
+        symbol value.  If reloc pointer is NULL, discard all saved state.
+        (apply_relocations): Pass num_syms to target_specific_reloc_handling.
+        Call target_specific_reloc_handling with a NULL reloc pointer
+        after processing all of the relocs.
+(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6966
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  10 +++++
+ binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 94 insertions(+), 25 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 154b797a29..aef0a51f19 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,5 +1,15 @@
+ 2017-02-13  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21139
+       * readelf.c (target_specific_reloc_handling): Add num_syms
+       parameter.  Check for symbol table overflow before accessing
+       symbol value.  If reloc pointer is NULL, discard all saved state.
+       (apply_relocations): Pass num_syms to target_specific_reloc_handling.
+       Call target_specific_reloc_handling with a NULL reloc pointer
+       after processing all of the relocs.
+
+2017-02-13  Nick Clifton  <nickc@redhat.com>
+
+        PR binutils/21137
+        * readelf.c (target_specific_reloc_handling): Add end parameter.
+        Check for buffer overflow before writing relocated values.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 220671f76f..2b6cef1638 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -11340,15 +11340,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ 
+ /* Check to see if the given reloc needs to be handled in a target specific
+    manner.  If so then process the reloc and return TRUE otherwise return
+-   FALSE.  */
+   FALSE.
+
+   If called with reloc == NULL, then this is a signal that reloc processing
+   for the current section has finished, and any saved state should be
+   discarded.  */
+ 
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                                unsigned char *     start,
+                                unsigned char *     end,
+-                               Elf_Internal_Sym *  symtab)
+                               Elf_Internal_Sym *  symtab,
+                               unsigned long       num_syms)
+ {
+-  unsigned int reloc_type = get_reloc_type (reloc->r_info);
+  unsigned int reloc_type = 0;
+  unsigned long sym_index = 0;
+
+  if (reloc)
+    {
+      reloc_type = get_reloc_type (reloc->r_info);
+      sym_index = get_reloc_symindex (reloc->r_info);
+    }
+ 
+   switch (elf_header.e_machine)
+     {
+@@ -11357,13 +11369,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+       {
+        static Elf_Internal_Sym * saved_sym = NULL;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 10: /* R_MSP430_SYM_DIFF */
+            if (uses_msp430x_relocs ())
+              break;
+          case 21: /* R_MSP430X_SYM_DIFF */
+-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           /* PR 21139.  */
+           if (sym_index >= num_syms)
+             error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
+            return TRUE;
+ 
+          case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
+@@ -11388,16 +11411,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+-               value = reloc->r_addend
+-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+-                    - saved_sym->st_value);
+-
+-               if (start + reloc->r_offset + reloc_size >= end)
+-                 /* PR 21137 */
+-                 error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MSP430 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
+                else
+-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     /* PR 21137 */
+                     error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11417,13 +11445,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+       {
+        static Elf_Internal_Sym * saved_sym = NULL;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 34: /* R_MN10300_ALIGN */
+            return TRUE;
+          case 33: /* R_MN10300_SYM_DIFF */
+-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           if (sym_index >= num_syms)
+             error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
+            return TRUE;
+
+          case 1: /* R_MN10300_32 */
+          case 2: /* R_MN10300_16 */
+            if (saved_sym != NULL)
+@@ -11431,15 +11470,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+-               value = reloc->r_addend
+-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+-                    - saved_sym->st_value);
+-
+-               if (start + reloc->r_offset + reloc_size >= end)
+-                 error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MN10300 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
+                else
+-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11459,12 +11503,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+        static bfd_vma saved_sym2 = 0;
+        static bfd_vma value;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym1 = saved_sym2 = 0;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 0x80: /* R_RL78_SYM.  */
+            saved_sym1 = saved_sym2;
+-           saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
+-           saved_sym2 += reloc->r_addend;
+           if (sym_index >= num_syms)
+             error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             {
+               saved_sym2 = symtab[sym_index].st_value;
+               saved_sym2 += reloc->r_addend;
+             }
+            return TRUE;
+ 
+          case 0x83: /* R_RL78_OPsub.  */
+@@ -12094,7 +12150,7 @@ apply_relocations (void *                     file,
+ 
+          reloc_type = get_reloc_type (rp->r_info);
+ 
+-         if (target_specific_reloc_handling (rp, start, end, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
+            continue;
+          else if (is_none_reloc (reloc_type))
+            continue;
+@@ -12190,6 +12246,9 @@ apply_relocations (void *                     file,
+        }
+ 
+       free (symtab);
+      /* Let the target specific reloc processing code know that
+        we have finished with these relocs.  */
+      target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
+ 
+       if (relocs_return)
+        {
+-- 
+2.11.0
author	Yuanjie Huang <Yuanjie.Huang@windriver.com>	2017-04-10 18:58:34 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-05-18 13:07:33 +0100
commit	1693b28967b35044e818f0b23627b5778a58045c (patch)
tree	39173d087e5e472e69e82bfaa7b490d50d2c91ef /meta
parent	5476c5d9d8fc278faeff2fd8a33cf5582636a943 (diff)
download	poky-1693b28967b35044e818f0b23627b5778a58045c.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index a7cdb6f1d4..f98fef9e02 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -39,6 +39,8 @@ SRC_URI = "\
39	file://0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch \	39	file://0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch \
40	file://0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch \	40	file://0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch \
41	file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \	41	file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
		42	file://CVE-2017-6965.patch \
		43	file://CVE-2017-6966.patch \
42	"	44	"
43	S = "${WORKDIR}/git"	45	S = "${WORKDIR}/git"
44		46


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch new file mode 100644 index 0000000000..85f7f98fe0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,127 @@
		1	From 6f898c17b1d6f6a29a05ca6de31f0fc8f52cfbfe Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 13 Feb 2017 13:08:32 +0000
		4	Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
		5	processing corrupt input files containing symbol-difference relocations.
		6
		7	PR binutils/21137
		8	* readelf.c (target_specific_reloc_handling): Add end parameter.
		9	Check for buffer overflow before writing relocated values.
		10	(apply_relocations): Pass end to target_specific_reloc_handling.
		11
		12	(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
		13	Upstream-Status: Backport [master]
		14	CVE: CVE-2017-6965
		15
		16	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		17	---
		18	binutils/ChangeLog \| 7 +++++++
		19	binutils/readelf.c \| 30 +++++++++++++++++++++++++-----
		20	2 files changed, 32 insertions(+), 5 deletions(-)
		21
		22	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		23	index 995de87dc3..154b797a29 100644
		24	--- a/binutils/ChangeLog
		25	+++ b/binutils/ChangeLog
		26	@@ -5,6 +5,13 @@
		27	Check for buffer overflow before writing relocated values.
		28	(apply_relocations): Pass end to target_specific_reloc_handling.
		29
		30	+2017-02-13 Nick Clifton <nickc@redhat.com>
		31	+
		32	+ PR binutils/21137
		33	+ * readelf.c (target_specific_reloc_handling): Add end parameter.
		34	+ Check for buffer overflow before writing relocated values.
		35	+ (apply_relocations): Pass end to target_specific_reloc_handling.
		36	+
		37	2016-08-03 Tristan Gingold <gingold@adacore.com>
		38
		39	* configure: Regenerate.
		40	diff --git a/binutils/readelf.c b/binutils/readelf.c
		41	index d31558c3b4..220671f76f 100644
		42	--- a/binutils/readelf.c
		43	+++ b/binutils/readelf.c
		44	@@ -11345,6 +11345,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
		45	static bfd_boolean
		46	target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		47	unsigned char * start,
		48	+ unsigned char * end,
		49	Elf_Internal_Sym * symtab)
		50	{
		51	unsigned int reloc_type = get_reloc_type (reloc->r_info);
		52	@@ -11384,13 +11385,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		53	handle_sym_diff:
		54	if (saved_sym != NULL)
		55	{
		56	+ int reloc_size = reloc_type == 1 ? 4 : 2;
		57	bfd_vma value;
		58
		59	value = reloc->r_addend
		60	+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
		61	- saved_sym->st_value);
		62
		63	- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
		64	+ if (start + reloc->r_offset + reloc_size >= end)
		65	+ /* PR 21137 */
		66	+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		67	+ start + reloc->r_offset + reloc_size, end);
		68	+ else
		69	+ byte_put (start + reloc->r_offset, value, reloc_size);
		70
		71	saved_sym = NULL;
		72	return TRUE;
		73	@@ -11421,13 +11428,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		74	case 2: /* R_MN10300_16 */
		75	if (saved_sym != NULL)
		76	{
		77	+ int reloc_size = reloc_type == 1 ? 4 : 2;
		78	bfd_vma value;
		79
		80	value = reloc->r_addend
		81	+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
		82	- saved_sym->st_value);
		83
		84	- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
		85	+ if (start + reloc->r_offset + reloc_size >= end)
		86	+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		87	+ start + reloc->r_offset + reloc_size, end);
		88	+ else
		89	+ byte_put (start + reloc->r_offset, value, reloc_size);
		90
		91	saved_sym = NULL;
		92	return TRUE;
		93	@@ -11462,12 +11474,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		94	break;
		95
		96	case 0x41: /* R_RL78_ABS32. */
		97	- byte_put (start + reloc->r_offset, value, 4);
		98	+ if (start + reloc->r_offset + 4 >= end)
		99	+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
		100	+ start + reloc->r_offset + 2, end);
		101	+ else
		102	+ byte_put (start + reloc->r_offset, value, 4);
		103	value = 0;
		104	return TRUE;
		105
		106	case 0x43: /* R_RL78_ABS16. */
		107	- byte_put (start + reloc->r_offset, value, 2);
		108	+ if (start + reloc->r_offset + 2 >= end)
		109	+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
		110	+ start + reloc->r_offset + 2, end);
		111	+ else
		112	+ byte_put (start + reloc->r_offset, value, 2);
		113	value = 0;
		114	return TRUE;
		115
		116	@@ -12074,7 +12094,7 @@ apply_relocations (void * file,
		117
		118	reloc_type = get_reloc_type (rp->r_info);
		119
		120	- if (target_specific_reloc_handling (rp, start, symtab))
		121	+ if (target_specific_reloc_handling (rp, start, end, symtab))
		122	continue;
		123	else if (is_none_reloc (reloc_type))
		124	continue;
		125	--
		126	2.11.0
		127


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch new file mode 100644 index 0000000000..5e364ef69c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,240 @@
		1	From 310e2cdc0a46ef62602097f5c21c393571e76df4 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 13 Feb 2017 14:03:22 +0000
		4	Subject: [PATCH 2/2] Fix read-after-free error in readelf when processing
		5	multiple, relocated sections in an MSP430 binary.
		6
		7	PR binutils/21139
		8	* readelf.c (target_specific_reloc_handling): Add num_syms
		9	parameter. Check for symbol table overflow before accessing
		10	symbol value. If reloc pointer is NULL, discard all saved state.
		11	(apply_relocations): Pass num_syms to target_specific_reloc_handling.
		12	Call target_specific_reloc_handling with a NULL reloc pointer
		13	after processing all of the relocs.
		14
		15	(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
		16	Upstream-Status: Backport [master]
		17	CVE: CVE-2017-6966
		18
		19	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		20	---
		21	binutils/ChangeLog \| 10 +++++
		22	binutils/readelf.c \| 109 +++++++++++++++++++++++++++++++++++++++++------------
		23	2 files changed, 94 insertions(+), 25 deletions(-)
		24
		25	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		26	index 154b797a29..aef0a51f19 100644
		27	--- a/binutils/ChangeLog
		28	+++ b/binutils/ChangeLog
		29	@@ -1,5 +1,15 @@
		30	2017-02-13 Nick Clifton <nickc@redhat.com>
		31
		32	+ PR binutils/21139
		33	+ * readelf.c (target_specific_reloc_handling): Add num_syms
		34	+ parameter. Check for symbol table overflow before accessing
		35	+ symbol value. If reloc pointer is NULL, discard all saved state.
		36	+ (apply_relocations): Pass num_syms to target_specific_reloc_handling.
		37	+ Call target_specific_reloc_handling with a NULL reloc pointer
		38	+ after processing all of the relocs.
		39	+
		40	+2017-02-13 Nick Clifton <nickc@redhat.com>
		41	+
		42	PR binutils/21137
		43	* readelf.c (target_specific_reloc_handling): Add end parameter.
		44	Check for buffer overflow before writing relocated values.
		45	diff --git a/binutils/readelf.c b/binutils/readelf.c
		46	index 220671f76f..2b6cef1638 100644
		47	--- a/binutils/readelf.c
		48	+++ b/binutils/readelf.c
		49	@@ -11340,15 +11340,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
		50
		51	/* Check to see if the given reloc needs to be handled in a target specific
		52	manner. If so then process the reloc and return TRUE otherwise return
		53	- FALSE. */
		54	+ FALSE.
		55	+
		56	+ If called with reloc == NULL, then this is a signal that reloc processing
		57	+ for the current section has finished, and any saved state should be
		58	+ discarded. */
		59
		60	static bfd_boolean
		61	target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		62	unsigned char * start,
		63	unsigned char * end,
		64	- Elf_Internal_Sym * symtab)
		65	+ Elf_Internal_Sym * symtab,
		66	+ unsigned long num_syms)
		67	{
		68	- unsigned int reloc_type = get_reloc_type (reloc->r_info);
		69	+ unsigned int reloc_type = 0;
		70	+ unsigned long sym_index = 0;
		71	+
		72	+ if (reloc)
		73	+ {
		74	+ reloc_type = get_reloc_type (reloc->r_info);
		75	+ sym_index = get_reloc_symindex (reloc->r_info);
		76	+ }
		77
		78	switch (elf_header.e_machine)
		79	{
		80	@@ -11357,13 +11369,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		81	{
		82	static Elf_Internal_Sym * saved_sym = NULL;
		83
		84	+ if (reloc == NULL)
		85	+ {
		86	+ saved_sym = NULL;
		87	+ return TRUE;
		88	+ }
		89	+
		90	switch (reloc_type)
		91	{
		92	case 10: /* R_MSP430_SYM_DIFF */
		93	if (uses_msp430x_relocs ())
		94	break;
		95	case 21: /* R_MSP430X_SYM_DIFF */
		96	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
		97	+ /* PR 21139. */
		98	+ if (sym_index >= num_syms)
		99	+ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
		100	+ sym_index);
		101	+ else
		102	+ saved_sym = symtab + sym_index;
		103	return TRUE;
		104
		105	case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
		106	@@ -11388,16 +11411,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		107	int reloc_size = reloc_type == 1 ? 4 : 2;
		108	bfd_vma value;
		109
		110	- value = reloc->r_addend
		111	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
		112	- - saved_sym->st_value);
		113	-
		114	- if (start + reloc->r_offset + reloc_size >= end)
		115	- /* PR 21137 */
		116	- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		117	- start + reloc->r_offset + reloc_size, end);
		118	+ if (sym_index >= num_syms)
		119	+ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
		120	+ sym_index);
		121	else
		122	- byte_put (start + reloc->r_offset, value, reloc_size);
		123	+ {
		124	+ value = reloc->r_addend + (symtab[sym_index].st_value
		125	+ - saved_sym->st_value);
		126	+
		127	+ if (start + reloc->r_offset + reloc_size >= end)
		128	+ /* PR 21137 */
		129	+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		130	+ start + reloc->r_offset + reloc_size, end);
		131	+ else
		132	+ byte_put (start + reloc->r_offset, value, reloc_size);
		133	+ }
		134
		135	saved_sym = NULL;
		136	return TRUE;
		137	@@ -11417,13 +11445,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		138	{
		139	static Elf_Internal_Sym * saved_sym = NULL;
		140
		141	+ if (reloc == NULL)
		142	+ {
		143	+ saved_sym = NULL;
		144	+ return TRUE;
		145	+ }
		146	+
		147	switch (reloc_type)
		148	{
		149	case 34: /* R_MN10300_ALIGN */
		150	return TRUE;
		151	case 33: /* R_MN10300_SYM_DIFF */
		152	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
		153	+ if (sym_index >= num_syms)
		154	+ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
		155	+ sym_index);
		156	+ else
		157	+ saved_sym = symtab + sym_index;
		158	return TRUE;
		159	+
		160	case 1: /* R_MN10300_32 */
		161	case 2: /* R_MN10300_16 */
		162	if (saved_sym != NULL)
		163	@@ -11431,15 +11470,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		164	int reloc_size = reloc_type == 1 ? 4 : 2;
		165	bfd_vma value;
		166
		167	- value = reloc->r_addend
		168	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
		169	- - saved_sym->st_value);
		170	-
		171	- if (start + reloc->r_offset + reloc_size >= end)
		172	- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		173	- start + reloc->r_offset + reloc_size, end);
		174	+ if (sym_index >= num_syms)
		175	+ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
		176	+ sym_index);
		177	else
		178	- byte_put (start + reloc->r_offset, value, reloc_size);
		179	+ {
		180	+ value = reloc->r_addend + (symtab[sym_index].st_value
		181	+ - saved_sym->st_value);
		182	+
		183	+ if (start + reloc->r_offset + reloc_size >= end)
		184	+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		185	+ start + reloc->r_offset + reloc_size, end);
		186	+ else
		187	+ byte_put (start + reloc->r_offset, value, reloc_size);
		188	+ }
		189
		190	saved_sym = NULL;
		191	return TRUE;
		192	@@ -11459,12 +11503,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		193	static bfd_vma saved_sym2 = 0;
		194	static bfd_vma value;
		195
		196	+ if (reloc == NULL)
		197	+ {
		198	+ saved_sym1 = saved_sym2 = 0;
		199	+ return TRUE;
		200	+ }
		201	+
		202	switch (reloc_type)
		203	{
		204	case 0x80: /* R_RL78_SYM. */
		205	saved_sym1 = saved_sym2;
		206	- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
		207	- saved_sym2 += reloc->r_addend;
		208	+ if (sym_index >= num_syms)
		209	+ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
		210	+ sym_index);
		211	+ else
		212	+ {
		213	+ saved_sym2 = symtab[sym_index].st_value;
		214	+ saved_sym2 += reloc->r_addend;
		215	+ }
		216	return TRUE;
		217
		218	case 0x83: /* R_RL78_OPsub. */
		219	@@ -12094,7 +12150,7 @@ apply_relocations (void * file,
		220
		221	reloc_type = get_reloc_type (rp->r_info);
		222
		223	- if (target_specific_reloc_handling (rp, start, end, symtab))
		224	+ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
		225	continue;
		226	else if (is_none_reloc (reloc_type))
		227	continue;
		228	@@ -12190,6 +12246,9 @@ apply_relocations (void * file,
		229	}
		230
		231	free (symtab);
		232	+ /* Let the target specific reloc processing code know that
		233	+ we have finished with these relocs. */
		234	+ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
		235
		236	if (relocs_return)
		237	{
		238	--
		239	2.11.0
		240