binutils: fix CVE-2017-7209 in readelf

CVE: CVE-2017-7209 [BZ 21135] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21135 PR binutils/21135: Fix invalid read of section contents whilst processing a corrupt binary. (From OE-Core rev: fd7a91e2a6db1fb806c57c137f72efcffbf1f26b) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yuanjie Huang <Yuanjie.Huang@windriver.com> 2017-05-31 01:37:58 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-29 16:50:52 +0100
commit: 5d6e240db6b0448e77248f7f110449bce9d97667 (patch)
tree: c3ce49763ae89efeeed3574985265b238cbcf4f4 /meta
parent: c7e48934c9560a507c7899a77bf02941ef52aec7 (diff)
download: poky-5d6e240db6b0448e77248f7f110449bce9d97667.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index d32ce25dd5..5dca05e898 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
     file://CVE-2017-6966.patch \
     file://CVE-2017-6969.patch \
     file://CVE-2017-6969_2.patch \
+     file://CVE-2017-7209.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
new file mode 100644
index 0000000000..336d72cfe0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
@@ -0,0 +1,63 @@
+From 6e5e9d96b5bd7dc3147db9917d6a7a20682915cc Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 15:04:37 +0000
+Subject: Fix invalid read of section contents whilst processing a corrupt
+ binary.
+        PR binutils/21135
+        * readelf.c (dump_section_as_bytes): Handle the case where
+        uncompress_section_contents returns false.
+CVE: CVE-2017-7209
+Upstream-Status: Backport[master]
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 16 ++++++++++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 55d2f8ba40..c4d8e60eca 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
+2017-02-13  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21135
+       * readelf.c (dump_section_as_bytes): Handle the case where
+       uncompress_section_contents returns false.
+
+ 2017-02-20  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21156
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 7f7365dbc5..bc4e92fa81 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -12473,10 +12473,18 @@ dump_section_as_bytes (Elf_Internal_Shdr * section,
+          new_size -= 12;
+        }
+ 
+-      if (uncompressed_size
+-         && uncompress_section_contents (& start, uncompressed_size,
+-                                         & new_size))
+-       section_size = new_size;
+      if (uncompressed_size)
+       {
+         if (uncompress_section_contents (& start, uncompressed_size,
+                                          & new_size))
+           section_size = new_size;
+         else
+           {
+             error (_("Unable to decompress section %s\n"),
+                    printable_section_name (section));
+             return;
+           }
+       }
+     }
+ 
+   if (relocate)
+-- 
+2.11.0
author	Yuanjie Huang <Yuanjie.Huang@windriver.com>	2017-05-31 01:37:58 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-29 16:50:52 +0100
commit	5d6e240db6b0448e77248f7f110449bce9d97667 (patch)
tree	c3ce49763ae89efeeed3574985265b238cbcf4f4 /meta
parent	c7e48934c9560a507c7899a77bf02941ef52aec7 (diff)
download	poky-5d6e240db6b0448e77248f7f110449bce9d97667.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index d32ce25dd5..5dca05e898 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
43	file://CVE-2017-6966.patch \	43	file://CVE-2017-6966.patch \
44	file://CVE-2017-6969.patch \	44	file://CVE-2017-6969.patch \
45	file://CVE-2017-6969_2.patch \	45	file://CVE-2017-6969_2.patch \
		46	file://CVE-2017-7209.patch \
46	"	47	"
47	S = "${WORKDIR}/git"	48	S = "${WORKDIR}/git"
48		49


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch new file mode 100644 index 0000000000..336d72cfe0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
@@ -0,0 +1,63 @@
		1	From 6e5e9d96b5bd7dc3147db9917d6a7a20682915cc Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 13 Feb 2017 15:04:37 +0000
		4	Subject: Fix invalid read of section contents whilst processing a corrupt
		5	binary.
		6
		7	PR binutils/21135
		8	* readelf.c (dump_section_as_bytes): Handle the case where
		9	uncompress_section_contents returns false.
		10
		11	CVE: CVE-2017-7209
		12	Upstream-Status: Backport[master]
		13
		14	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		15	---
		16	binutils/ChangeLog \| 6 ++++++
		17	binutils/readelf.c \| 16 ++++++++++++----
		18	2 files changed, 18 insertions(+), 4 deletions(-)
		19
		20	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		21	index 55d2f8ba40..c4d8e60eca 100644
		22	--- a/binutils/ChangeLog
		23	+++ b/binutils/ChangeLog
		24	@@ -1,3 +1,9 @@
		25	+2017-02-13 Nick Clifton <nickc@redhat.com>
		26	+
		27	+ PR binutils/21135
		28	+ * readelf.c (dump_section_as_bytes): Handle the case where
		29	+ uncompress_section_contents returns false.
		30	+
		31	2017-02-20 Nick Clifton <nickc@redhat.com>
		32
		33	PR binutils/21156
		34	diff --git a/binutils/readelf.c b/binutils/readelf.c
		35	index 7f7365dbc5..bc4e92fa81 100644
		36	--- a/binutils/readelf.c
		37	+++ b/binutils/readelf.c
		38	@@ -12473,10 +12473,18 @@ dump_section_as_bytes (Elf_Internal_Shdr * section,
		39	new_size -= 12;
		40	}
		41
		42	- if (uncompressed_size
		43	- && uncompress_section_contents (& start, uncompressed_size,
		44	- & new_size))
		45	- section_size = new_size;
		46	+ if (uncompressed_size)
		47	+ {
		48	+ if (uncompress_section_contents (& start, uncompressed_size,
		49	+ & new_size))
		50	+ section_size = new_size;
		51	+ else
		52	+ {
		53	+ error (_("Unable to decompress section %s\n"),
		54	+ printable_section_name (section));
		55	+ return;
		56	+ }
		57	+ }
		58	}
		59
		60	if (relocate)
		61	--
		62	2.11.0
		63