diff options
3 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index a117323282..eefb2e7031 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc | |||
@@ -47,6 +47,8 @@ SRC_URI = "\ | |||
47 | file://CVE-2017-7210.patch \ | 47 | file://CVE-2017-7210.patch \ |
48 | file://CVE-2017-7614.patch \ | 48 | file://CVE-2017-7614.patch \ |
49 | file://CVE-2017-9038.patch \ | 49 | file://CVE-2017-9038.patch \ |
50 | file://CVE-2017-9039.patch \ | ||
51 | file://CVE-2017-9039_1.patch \ | ||
50 | " | 52 | " |
51 | S = "${WORKDIR}/git" | 53 | S = "${WORKDIR}/git" |
52 | 54 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch new file mode 100644 index 0000000000..41f2b6e316 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From 75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Mon, 3 Apr 2017 11:13:21 +0100 | ||
4 | Subject: [PATCH] Fix runtime seg-fault in readelf when parsing a corrupt MIPS | ||
5 | binary. | ||
6 | |||
7 | PR binutils/21344 | ||
8 | * readelf.c (process_mips_specific): Check for an out of range GOT | ||
9 | entry before reading the module pointer. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2017-9039 supporting patch | ||
13 | VER: <= 2.28 | ||
14 | Signed-off-by: Armin kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | binutils/ChangeLog | 6 ++++++ | ||
18 | binutils/readelf.c | 26 ++++++++++++++++++-------- | ||
19 | 2 files changed, 24 insertions(+), 8 deletions(-) | ||
20 | |||
21 | Index: git/binutils/readelf.c | ||
22 | =================================================================== | ||
23 | --- git.orig/binutils/readelf.c | ||
24 | +++ git/binutils/readelf.c | ||
25 | @@ -14987,14 +14987,24 @@ process_mips_specific (FILE * file) | ||
26 | printf (_(" Lazy resolver\n")); | ||
27 | if (ent == (bfd_vma) -1) | ||
28 | goto got_print_fail; | ||
29 | - if (data | ||
30 | - && (byte_get (data + ent - pltgot, addr_size) | ||
31 | - >> (addr_size * 8 - 1)) != 0) | ||
32 | + | ||
33 | + if (data) | ||
34 | { | ||
35 | - ent = print_mips_got_entry (data, pltgot, ent, data_end); | ||
36 | - printf (_(" Module pointer (GNU extension)\n")); | ||
37 | - if (ent == (bfd_vma) -1) | ||
38 | - goto got_print_fail; | ||
39 | + /* PR 21344 */ | ||
40 | + if (data + ent - pltgot > data_end - addr_size) | ||
41 | + { | ||
42 | + error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent); | ||
43 | + goto got_print_fail; | ||
44 | + } | ||
45 | + | ||
46 | + if (byte_get (data + ent - pltgot, addr_size) | ||
47 | + >> (addr_size * 8 - 1) != 0) | ||
48 | + { | ||
49 | + ent = print_mips_got_entry (data, pltgot, ent, data_end); | ||
50 | + printf (_(" Module pointer (GNU extension)\n")); | ||
51 | + if (ent == (bfd_vma) -1) | ||
52 | + goto got_print_fail; | ||
53 | + } | ||
54 | } | ||
55 | printf ("\n"); | ||
56 | |||
57 | Index: git/bfd/ChangeLog | ||
58 | =================================================================== | ||
59 | --- git.orig/bfd/ChangeLog | ||
60 | +++ git/bfd/ChangeLog | ||
61 | @@ -1,5 +1,11 @@ | ||
62 | 2017-04-03 Nick Clifton <nickc@redhat.com> | ||
63 | |||
64 | + PR binutils/21344 | ||
65 | + * readelf.c (process_mips_specific): Check for an out of range GOT | ||
66 | + entry before reading the module pointer. | ||
67 | + | ||
68 | +2017-04-03 Nick Clifton <nickc@redhat.com> | ||
69 | + | ||
70 | PR binutils/21343 | ||
71 | * readelf.c (get_unwind_section_word): Fix snafu checking for | ||
72 | invalid word offsets in ARM unwind information. | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch new file mode 100644 index 0000000000..ee827ee3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Mon, 3 Apr 2017 12:14:06 +0100 | ||
4 | Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a | ||
5 | binary with an excessive number of program headers. | ||
6 | |||
7 | PR binutils/21345 | ||
8 | * readelf.c (get_program_headers): Check for there being too many | ||
9 | program headers before attempting to allocate space for them. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2017-9039 | ||
13 | VER: <= 2.28 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | binutils/ChangeLog | 6 ++++++ | ||
18 | binutils/readelf.c | 17 ++++++++++++++--- | ||
19 | 2 files changed, 20 insertions(+), 3 deletions(-) | ||
20 | |||
21 | Index: git/binutils/readelf.c | ||
22 | =================================================================== | ||
23 | --- git.orig/binutils/readelf.c | ||
24 | +++ git/binutils/readelf.c | ||
25 | @@ -4705,9 +4705,19 @@ get_program_headers (FILE * file) | ||
26 | if (program_headers != NULL) | ||
27 | return 1; | ||
28 | |||
29 | - phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, | ||
30 | - sizeof (Elf_Internal_Phdr)); | ||
31 | + /* Be kind to memory checkers by looking for | ||
32 | + e_phnum values which we know must be invalid. */ | ||
33 | + if (elf_header.e_phnum | ||
34 | + * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) | ||
35 | + >= current_file_size) | ||
36 | + { | ||
37 | + error (_("Too many program headers - %#x - the file is not that big\n"), | ||
38 | + elf_header.e_phnum); | ||
39 | + return FALSE; | ||
40 | + } | ||
41 | |||
42 | + phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, | ||
43 | + sizeof (Elf_Internal_Phdr)); | ||
44 | if (phdrs == NULL) | ||
45 | { | ||
46 | error (_("Out of memory reading %u program headers\n"), | ||
47 | @@ -14993,7 +15003,8 @@ process_mips_specific (FILE * file) | ||
48 | /* PR 21344 */ | ||
49 | if (data + ent - pltgot > data_end - addr_size) | ||
50 | { | ||
51 | - error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent); | ||
52 | + error (_("Invalid got entry - %#lx - overflows GOT table\n"), | ||
53 | + (long) ent); | ||
54 | goto got_print_fail; | ||
55 | } | ||
56 | |||