summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.31.inc2
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch144
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch65
3 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 76add0fe4b..27a643d765 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
41 file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \ 41 file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \
42 file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \ 42 file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \
43 file://0021-PLT-information-was-still-being-generated-when-symbo.patch \ 43 file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
44 file://CVE-2018-17358.patch \
45 file://CVE-2018-17360.patch \
44" 46"
45S = "${WORKDIR}/git" 47S = "${WORKDIR}/git"
46 48
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
new file mode 100644
index 0000000000..813509160f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
1From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 20 Sep 2018 15:29:17 +0930
4Subject: [PATCH] Bug 23686, two segment faults in nm
5
6Fixes the bugs exposed by the testcases in the PR, plus two more bugs
7I noticed when looking at _bfd_stab_section_find_nearest_line.
8
9 PR 23686
10 * dwarf2.c (read_section): Error when attempting to malloc
11 "(bfd_size_type) -1".
12 * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
13 function_name. Bounds check reloc address. Formatting. Ensure
14 .stabstr zero terminated.
15CVE: CVE-2018-17358 and CVE-2018-17359
16Upstream-Status: Backport
17Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
18---
19 bfd/ChangeLog | 9 +++++++++
20 bfd/dwarf2.c | 9 ++++++++-
21 bfd/syms.c | 22 ++++++++++++++++------
22 3 files changed, 33 insertions(+), 7 deletions(-)
23
24diff --git a/bfd/ChangeLog b/bfd/ChangeLog
25index 04c0c2a..fef5479 100644
26--- a/bfd/ChangeLog
27+++ b/bfd/ChangeLog
28@@ -1,3 +1,12 @@
29+2018-09-20 Alan Modra <amodra@gmail.com>
30+
31+ PR 23686
32+ * dwarf2.c (read_section): Error when attempting to malloc
33+ "(bfd_size_type) -1".
34+ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
35+ function_name. Bounds check reloc address. Formatting. Ensure
36+ .stabstr zero terminated.
37+
38 2018-08-12 H.J. Lu <hongjiu.lu@intel.com>
39
40 PR ld/23428
41diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
42index 3b28855..77a7368 100644
43--- a/bfd/dwarf2.c
44+++ b/bfd/dwarf2.c
45@@ -527,6 +527,7 @@ read_section (bfd * abfd,
46 asection *msec;
47 const char *section_name = sec->uncompressed_name;
48 bfd_byte *contents = *section_buffer;
49+ bfd_size_type amt;
50
51 /* The section may have already been read. */
52 if (contents == NULL)
53@@ -549,7 +550,13 @@ read_section (bfd * abfd,
54 *section_size = msec->rawsize ? msec->rawsize : msec->size;
55 /* Paranoia - alloc one extra so that we can make sure a string
56 section is NUL terminated. */
57- contents = (bfd_byte *) bfd_malloc (*section_size + 1);
58+ amt = *section_size + 1;
59+ if (amt == 0)
60+ {
61+ bfd_set_error (bfd_error_no_memory);
62+ return FALSE;
63+ }
64+ contents = (bfd_byte *) bfd_malloc (amt);
65 if (contents == NULL)
66 return FALSE;
67 if (syms
68diff --git a/bfd/syms.c b/bfd/syms.c
69index 187071f..e09640a 100644
70--- a/bfd/syms.c
71+++ b/bfd/syms.c
72@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
73 0, strsize))
74 return FALSE;
75
76+ /* Stab strings ought to be nul terminated. Ensure the last one
77+ is, to prevent running off the end of the buffer. */
78+ info->strs[strsize - 1] = 0;
79+
80 /* If this is a relocatable object file, we have to relocate
81 the entries in .stab. This should always be simple 32 bit
82 relocations against symbols defined in this object file, so
83@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
84 || r->howto->bitsize != 32
85 || r->howto->pc_relative
86 || r->howto->bitpos != 0
87- || r->howto->dst_mask != 0xffffffff)
88+ || r->howto->dst_mask != 0xffffffff
89+ || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
90 {
91 _bfd_error_handler
92 (_("unsupported .stab relocation"));
93@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
94 {
95 nul_fun = stab;
96 nul_str = str;
97- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
98+ if (file_name >= (char *) info->strs + strsize
99+ || file_name < (char *) str)
100 file_name = NULL;
101 if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
102 && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
103@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
104 directory_name = file_name;
105 file_name = ((char *) str
106 + bfd_get_32 (abfd, stab + STRDXOFF));
107- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
108+ if (file_name >= (char *) info->strs + strsize
109+ || file_name < (char *) str)
110 file_name = NULL;
111 }
112 }
113@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
114 file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
115 /* PR 17512: file: 0c680a1f. */
116 /* PR 17512: file: 5da8aec4. */
117- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
118+ if (file_name >= (char *) info->strs + strsize
119+ || file_name < (char *) str)
120 file_name = NULL;
121 break;
122
123@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
124 function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
125 if (function_name == (char *) str)
126 continue;
127- if (function_name >= (char *) info->strs + strsize)
128+ if (function_name >= (char *) info->strs + strsize
129+ || function_name < (char *) str)
130 function_name = NULL;
131
132 nul_fun = NULL;
133@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
134 if (val <= offset)
135 {
136 file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
137- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
138+ if (file_name >= (char *) info->strs + strsize
139+ || file_name < (char *) str)
140 file_name = NULL;
141 *pline = 0;
142 }
143--
1442.9.3
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
new file mode 100644
index 0000000000..cef10a7546
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
@@ -0,0 +1,65 @@
1From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 20 Sep 2018 18:23:17 +0930
4Subject: [PATCH] PR23685, buffer overflow
5
6 PR 23685
7 * peXXigen.c (pe_print_edata): Correct export address table
8 overflow checks. Check dataoff against section size too.
9
10CVE: CVE-2018-17360
11Upstream-Status: Backport
12Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
13---
14 bfd/ChangeLog | 6 ++++++
15 bfd/peXXigen.c | 11 ++++++-----
16 2 files changed, 12 insertions(+), 5 deletions(-)
17
18diff --git a/bfd/ChangeLog b/bfd/ChangeLog
19index fef5479..81b9e56 100644
20--- a/bfd/ChangeLog
21+++ b/bfd/ChangeLog
22@@ -1,5 +1,11 @@
23 2018-09-20 Alan Modra <amodra@gmail.com>
24
25+ PR 23685
26+ * peXXigen.c (pe_print_edata): Correct export address table
27+ overflow checks. Check dataoff against section size too.
28+
29+2018-09-20 Alan Modra <amodra@gmail.com>
30+
31 PR 23686
32 * dwarf2.c (read_section): Error when attempting to malloc
33 "(bfd_size_type) -1".
34diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
35index 598f2ca..1645ef4 100644
36--- a/bfd/peXXigen.c
37+++ b/bfd/peXXigen.c
38@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
39
40 dataoff = addr - section->vma;
41 datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
42- if (datasize > section->size - dataoff)
43+ if (dataoff > section->size
44+ || datasize > section->size - dataoff)
45 {
46 fprintf (file,
47 _("\nThere is an export table in %s, but it does not fit into that section\n"),
48@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
49 edt.base);
50
51 /* PR 17512: Handle corrupt PE binaries. */
52- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
53+ /* PR 17512 file: 140-165018-0.004. */
54+ if (edt.eat_addr - adj >= datasize
55 /* PR 17512: file: 092b1829 */
56- || (edt.num_functions * 4) < edt.num_functions
57- /* PR 17512 file: 140-165018-0.004. */
58- || data + edt.eat_addr - adj < data)
59+ || (edt.num_functions + 1) * 4 < edt.num_functions
60+ || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
61 fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
62 (long) edt.eat_addr,
63 (long) edt.num_functions);
64--
652.9.3