5 files changed, 342 insertions, 0 deletions
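--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -48,6 +48,10 @@ SRC_URI = "\
 file://CVE-2018-18607.patch \
 file://CVE-2019-14444.patch \
 file://CVE-2019-12972.patch \
+file://CVE-2018-20623.patch \
+file://CVE-2018-20651.patch \
+file://CVE-2018-20671.patch \
+file://CVE-2018-1000876.patch \
 "
 S = "${WORKDIR}/git"
 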
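--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+PR 23994
+* aoutx.h: Include limits.h.
+(get_reloc_upper_bound): Detect long overflow and return a file
+too big error if it occurs.
+* elf.c: Include limits.h.
+(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+a file too big error if it occurs.
+(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+bfd/elf.c | 32 ++++++++++++++++++++++++--------
+2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+#define KEEPIT udata.i
+
+#include "sysdep.h"
++#include <limits.h>
+#include "bfd.h"
+#include "safe-ctype.h"
+#include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+long
+NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+{
++ bfd_size_type count;
++
+if (bfd_get_format (abfd) != bfd_object)
+{
+bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+}
+
+if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+}
+
+long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+/* For sparc64-cross-sparc32. */
+#define _SYSCALL32
+#include "sysdep.h"
++#include <limits.h>
+#include "bfd.h"
+#include "bfdlink.h"
+#include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+long
+_bfd_elf_get_symtab_upper_bound (bfd *abfd)
+{
+- long symcount;
++ bfd_size_type symcount;
+long symtab_size;
+Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+
+symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+symtab_size = (symcount + 1) * (sizeof (asymbol *));
+if (symcount > 0)
+symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+long
+_bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+{
+- long symcount;
++ bfd_size_type symcount;
+long symtab_size;
+Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+}
+
+symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+symtab_size = (symcount + 1) * (sizeof (asymbol *));
+if (symcount > 0)
+symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+long
+_bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+{
+- long ret;
++ bfd_size_type count;
+asection *s;
+
+if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+return -1;
+}
+
+- ret = sizeof (arelent *);
++ count = 1;
+for (s = abfd->sections; s != NULL; s = s->next)
+if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+|| elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+}
+
+/* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+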
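Review bot: In `_bfd_elf_get_dynamic_reloc_upper_bound` the new loop adds `s->size / sh_entsize` to `count` first and only then compares `count` with `LONG_MAX / sizeof (arelent *)`. Because `count` is now an unsigned `bfd_size_type`, a large enough quotient could wrap the sum back under the limit before the test runs. A zero `sh_entsize` would also divide by zero unless it is rejected before this point, which the hunk does not show. Testing the quotient against the remaining headroom before adding, and refusing a zero entry size, covers both cases. The function starts outside the hunk, so the sketch below covers only the loop body and the return.

```c
  /* … unchanged: for loop over abfd->sections and the SHT_REL/SHT_RELA test … */
      {
	bfd_size_type entsize = elf_section_data (s)->this_hdr.sh_entsize;
	bfd_size_type n;

	/* A malformed section header can carry sh_entsize == 0.  */
	if (entsize == 0)
	  {
	    bfd_set_error (bfd_error_bad_value);
	    return -1;
	  }
	n = s->size / entsize;
	/* Test before adding so COUNT cannot wrap past the limit.  */
	if (n > LONG_MAX / sizeof (arelent *) - count)
	  {
	    bfd_set_error (bfd_error_file_too_big);
	    return -1;
	  }
	count += n;
      }
  return count * sizeof (arelent *);
```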
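--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+error messages about malformed archives.
+
+PR 14049
+* readelf.c (process_archive): Use arch.file_name in error
+messages until the qualified name is available.
+
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+binutils/readelf.c | 13 ++++++++-----
+1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+/* Read the next archive header. */
+if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+{
+- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+return FALSE;
+}
+got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+{
+if (got == 0)
+break;
+- error (_("%s: failed to read archive header\n"), filedata->file_name);
++ /* PR 24049 - we cannot use filedata->file_name as this will
++ have already been freed. */
++ error (_("%s: failed to read archive header\n"), arch.file_name);
++
+ret = FALSE;
+break;
+}
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+name = get_archive_member_name (&arch, &nested_arch);
+if (name == NULL)
+{
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ret = FALSE;
+break;
+}
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+qualified_name = make_qualified_name (&arch, &nested_arch, name);
+if (qualified_name == NULL)
+{
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ret = FALSE;
+break;
+}
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+if (nested_arch.file == NULL)
+{
+error (_("%s: contains corrupt thin archive: %s\n"),
+- filedata->file_name, name);
++ qualified_name, name);
+ret = FALSE;
+break;
+}
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+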
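Review bot: The seek-failure branch in the first `process_archive` hunk still exits with `return FALSE;`, while every other error branch touched by this patch uses `ret = FALSE; break;`. If the code after the loop releases the archive state (it lies outside the hunks, so this is inferred), the early return skips that cleanup; `ret = FALSE; break;` would keep the paths consistent. Separately, the patch header cites `PR 14049` while the added comment says `PR 24049`; one of the two looks like a typo and is worth reconciling so the fix can be traced to its bug report.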
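--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+elf_link_add_object_symbols
+
+PR 24041
+* elflink.c (elf_link_add_object_symbols): Don't segfault on
+crafted ET_DYN with no program headers.
+
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+bfd/elflink.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+all sections contained fully therein. This makes relro
+shared library sections appear as they will at run-time. */
+phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+- while (--phdr >= elf_tdata (abfd)->phdr)
++ while (phdr-- > elf_tdata (abfd)->phdr)
+if (phdr->p_type == PT_GNU_RELRO)
+{
+for (s = abfd->sections; s != NULL; s = s->next)
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+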
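Review bot: The rewritten loop condition `while (phdr-- > elf_tdata (abfd)->phdr)` has no comment saying why the post-decrement form matters, so it is easy to "simplify" back to the old one. I would add above it `/* Compare before decrementing: with no program headers PHDR already equals the array base and must not be dereferenced. */`. The last decrement still steps one element below the base when the loop exits. An index-based loop such as `for (i = elf_elfheader (abfd)->e_phnum; i-- > 0;)` would avoid forming that pointer at all. The enclosing function begins and ends outside the hunk.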
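--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+corrupt binaries using a 32-bit binutil.
+
+PR 24005
+* objdump.c (load_specific_debug_section): Check for integer
+overflow before attempting to allocate contents.
+
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+binutils/objdump.c | 13 ++++++++++---
+1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+section->reloc_info = NULL;
+section->num_relocs = 0;
+section->address = bfd_get_section_vma (abfd, sec);
++ section->user_data = sec;
+section->size = bfd_get_section_size (sec);
+amt = section->size + 1;
++ if (amt == 0 || amt > bfd_get_file_size (abfd))
++ {
++ section->start = NULL;
++ free_debug_section (debug);
++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
++ section->name, (unsigned long long) section->size);
++ return FALSE;
++ }
+section->start = contents = malloc (amt);
+- section->user_data = sec;
+- if (amt == 0
+- || section->start == NULL
++ if (section->start == NULL
+|| !bfd_get_full_section_contents (abfd, sec, &contents))
+{
+free_debug_section (debug);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+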
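Review bot: The new guard `amt > bfd_get_file_size (abfd)` in `load_specific_debug_section` treats the on-disk file size as a hard upper bound for a section. That fits the corrupt-size case the patch targets, but it would also reject a section whose reported size legitimately exceeds the file (for example a compressed debug section, if `bfd_get_section_size` reports the uncompressed size). It would reject every section if `bfd_get_file_size` can return 0 for a size it cannot determine. Neither behaviour is visible here, so both should be checked against the BFD in this tree. If the bound stays, a comment such as `/* Reject sizes that wrap to 0 or exceed the file; a corrupt header must not drive malloc. */` would document the intent. The function body continues outside the hunk.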