Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch | 375 |
1 files changed, 375 insertions, 0 deletions
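diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
new file mode 100644
index 0000000000..503f655b61
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
@@ -0,0 +1,375 @@
+commit ca4cf9b9c622a5695e01f7f5815a7382a31fcf51
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jul 24 13:49:22 2017 +0100
+
+Fix address violation errors parsing corrupt binary files.
+
+PR 21813
+binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+string whilst concatenating symbol names.
+
+bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
+of the relocs to the canonicalize_one_reloc routine.
+* mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
+for the _bfd_mach_o_canonicalize_one_reloc field.
+* mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
+res_base parameter. Use to check for corrupt pair relocs.
+* mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
+Likewise.
+* mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
+Likewise.
+* mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
+Likewise.
+
+* vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
+enough data in the record before attempting to parse it.
+(_bfd_vms_slurp_eeom): Likewise.
+
+(_bfd_vms_slurp_egsd): Check for an invalid section index.
+(image_set_ptr): Likewise.
+(alpha_vms_slurp_relocs): Likewise.
+
+(alpha_vms_object_p): Check for a truncated record.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/mach-o-aarch64.c
+===================================================================
+--- git.orig/bfd/mach-o-aarch64.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-aarch64.c 2017-08-31 19:18:02.620442777 +0530
+@@ -147,9 +147,11 @@
+};
+
+static bfd_boolean
+-bfd_mach_o_arm64_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_arm64_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base ATTRIBUTE_UNUSED)
+{
+bfd_mach_o_reloc_info reloc;
+
+Index: git/bfd/mach-o-i386.c
+===================================================================
+--- git.orig/bfd/mach-o-i386.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-i386.c 2017-08-31 19:18:02.620442777 +0530
+@@ -112,9 +112,11 @@
+};
+
+static bfd_boolean
+-bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_i386_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base)
+{
+bfd_mach_o_reloc_info reloc;
+
+@@ -126,6 +128,9 @@
+switch (reloc.r_type)
+{
+case BFD_MACH_O_GENERIC_RELOC_PAIR:
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
++ if (res == res_base)
++ return FALSE;
+if (reloc.r_length == 2)
+{
+res->howto = &i386_howto_table[7];
+@@ -391,9 +396,9 @@
+{ NULL, NULL }
+};
+
+-#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
+-#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
++#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
++#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
++#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
+
+#define bfd_mach_o_tgt_seg_table mach_o_i386_segsec_names_xlat
+#define bfd_mach_o_section_type_valid_for_tgt NULL
+Index: git/bfd/mach-o-x86-64.c
+===================================================================
+--- git.orig/bfd/mach-o-x86-64.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-x86-64.c 2017-08-31 19:18:02.620442777 +0530
+@@ -120,9 +120,11 @@
+};
+
+static bfd_boolean
+-bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_x86_64_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base ATTRIBUTE_UNUSED)
+{
+bfd_mach_o_reloc_info reloc;
+
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c 2017-08-31 19:18:02.440441869 +0530
++++ git/bfd/mach-o.c 2017-08-31 19:18:02.620442777 +0530
+@@ -1496,7 +1496,7 @@
+for (i = 0; i < count; i++)
+{
+if (!(*bed->_bfd_mach_o_canonicalize_one_reloc)(abfd, &native_relocs[i],
+- &res[i], syms))
++ &res[i], syms, res))
+goto err;
+}
+free (native_relocs);
+Index: git/bfd/mach-o.h
+===================================================================
+--- git.orig/bfd/mach-o.h 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o.h 2017-08-31 19:18:02.620442777 +0530
+@@ -746,7 +746,7 @@
+enum bfd_architecture arch;
+bfd_vma page_size;
+bfd_boolean (*_bfd_mach_o_canonicalize_one_reloc)
+- (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **);
++ (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **, arelent *);
+bfd_boolean (*_bfd_mach_o_swap_reloc_out)(arelent *, bfd_mach_o_reloc_info *);
+bfd_boolean (*_bfd_mach_o_print_thread)(bfd *, bfd_mach_o_thread_flavour *,
+void *, char *);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-31 19:18:02.564442494 +0530
++++ git/bfd/ChangeLog 2017-08-31 19:18:02.620442777 +0530
+@@ -11,6 +11,30 @@
+of end pointer.
+(evax_bfd_print_emh): Check for invalid string lengths.
+
++ 2017-07-24 Nick Clifton <nickc@redhat.com>
++
++ PR 21813
++ * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
++ of the relocs to the canonicalize_one_reloc routine.
++ * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
++ for the _bfd_mach_o_canonicalize_one_reloc field.
++ * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
++ res_base parameter. Use to check for corrupt pair relocs.
++ * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
++ Likewise.
++ * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
++ Likewise.
++ * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
++ Likewise.
++
++ * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
++ enough data in the record before attempting to parse it.
++ (_bfd_vms_slurp_eeom): Likewise.
++
++ (_bfd_vms_slurp_egsd): Check for an invalid section index.
++ (image_set_ptr): Likewise.
++ (alpha_vms_slurp_relocs): Likewise.
++
+2017-07-19 Nick Clifton <nickc@redhat.com>
+
+PR 21786
+Index: git/bfd/mach-o-arm.c
+===================================================================
+--- git.orig/bfd/mach-o-arm.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-arm.c 2017-08-31 19:18:02.620442777 +0530
+@@ -30,7 +30,7 @@
+#define bfd_mach_o_mkobject bfd_mach_o_arm_mkobject
+
+#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_arm_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out NULL
++#define bfd_mach_o_swap_reloc_out NULL
+#define bfd_mach_o_bfd_reloc_type_lookup bfd_mach_o_arm_bfd_reloc_type_lookup
+#define bfd_mach_o_bfd_reloc_name_lookup bfd_mach_o_arm_bfd_reloc_name_lookup
+
+@@ -147,9 +147,11 @@
+};
+
+static bfd_boolean
+-bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_arm_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base)
+{
+bfd_mach_o_reloc_info reloc;
+
+@@ -161,6 +163,9 @@
+switch (reloc.r_type)
+{
+case BFD_MACH_O_ARM_RELOC_PAIR:
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
++ if (res == res_base)
++ return FALSE;
+if (reloc.r_length == 2)
+{
+res->howto = &arm_howto_table[7];
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-31 19:18:02.556442454 +0530
++++ git/bfd/vms-alpha.c 2017-08-31 19:20:56.233322607 +0530
+@@ -473,6 +473,14 @@
+
+vms_debug2 ((8, "_bfd_vms_slurp_eihd\n"));
+
++ /* PR 21813: Check for an undersized record. */
++ if (PRIV (recrd.buf_size) < sizeof (* eihd))
++ {
++ _bfd_error_handler (_("Corrupt EIHD record - size is too small"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+size = bfd_getl32 (eihd->size);
+imgtype = bfd_getl32 (eihd->imgtype);
+
+@@ -1255,19 +1263,39 @@
+if (old_flags & EGSY__V_DEF)
+{
+struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
++ long psindx;
+
+entry->value = bfd_getl64 (esdf->value);
+if (PRIV (sections) == NULL)
+return FALSE;
+- entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
++
++ psindx = bfd_getl32 (esdf->psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->section = PRIV (sections)[psindx];
+
+if (old_flags & EGSY__V_NORM)
+{
+PRIV (norm_sym_count)++;
+
+entry->code_value = bfd_getl64 (esdf->code_address);
+- entry->code_section =
+- PRIV (sections)[bfd_getl32 (esdf->ca_psindx)];
++ psindx = bfd_getl32 (esdf->ca_psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->code_section = PRIV (sections)[psindx];
++
+}
+}
+}
+@@ -1294,9 +1322,20 @@
+
+if (old_flags & EGSY__V_REL)
+{
++ long psindx;
++
+if (PRIV (sections) == NULL)
+return FALSE;
+- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
++ psindx = bfd_getl32 (egst->psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->section = PRIV (sections)[psindx];
+}
+else
+entry->section = bfd_abs_section_ptr;
+@@ -1387,6 +1426,10 @@
+
+if (PRIV (sections) == NULL)
+return;
++
++ if (sect < 0 || sect >= (int) PRIV (section_count))
++ return;
++
+sec = PRIV (sections)[sect];
+
+if (info)
+@@ -2360,6 +2403,14 @@
+
+vms_debug2 ((2, "EEOM\n"));
+
++ /* PR 21813: Check for an undersized record. */
++ if (PRIV (recrd.buf_size) < sizeof (* eeom))
++ {
++ _bfd_error_handler (_("Corrupt EEOM record - size is too small"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps);
+PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod);
+if (PRIV (eom_data).eom_w_comcod > 1)
+@@ -2540,6 +2591,10 @@
+PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
+}
+
++ /* PR 21813: Check for a truncated record. */
++ if (PRIV (recrd.rec_size < test_len))
++ goto error_ret;
++
+/* Read the remaining record. */
+remaining = PRIV (recrd.rec_size) - test_len;
+to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
+@@ -5074,7 +5129,7 @@
+}
+else if (cur_psidx >= 0)
+{
+- if (PRIV (sections) == NULL)
++ if (PRIV (sections) == NULL || cur_psidx >= (int) PRIV (section_count))
+return FALSE;
+reloc->sym_ptr_ptr =
+PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-08-31 19:18:01.816438718 +0530
++++ git/binutils/ChangeLog 2017-08-31 19:18:02.624442798 +0530
+@@ -1,3 +1,9 @@
++2017-07-24 Nick Clifton <nickc@redhat.com>
++
++ PR 21813
++ * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
++ string whilst concatenating symbol names.
++
+2017-02-14 Nick Clifton <nickc@redhat.com>
+
+PR binutils/21157
+Index: git/binutils/rddbg.c
+===================================================================
+--- git.orig/binutils/rddbg.c 2017-08-31 19:17:51.596387126 +0530
++++ git/binutils/rddbg.c 2017-08-31 19:18:02.624442798 +0530
+@@ -300,7 +300,8 @@
+
+s = i.name;
+f = NULL;
+- while (s[strlen (s) - 1] == '\\'
++ while (strlen (s) > 0
++ && s[strlen (s) - 1] == '\\'
+&& ps + 1 < symend)
+{
+char *sc, *n;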
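Review bot: In the vms-alpha.c truncated-record check (patch line 333) the comparison sits inside the macro argument, `if (PRIV (recrd.rec_size < test_len))`, while every other use in this patch closes the macro first (`PRIV (recrd.buf_size) < sizeof (* eihd)`, `PRIV (recrd.rec_size) - test_len`). Whether it still compares the field with test_len depends on how PRIV expands, which is not visible here; `if (PRIV (recrd.rec_size) < test_len)` states the bounds check unambiguously, or, if the line is kept for fidelity to the upstream commit, a comment should say so. Two smaller gaps in the same file, in functions whose bodies start and end outside these hunks: the new range check at patch line 307 returns silently with no `_bfd_error_handler` call, and the `cur_psidx >= (int) PRIV (section_count)` check at patch line 344 returns FALSE without `bfd_set_error (bfd_error_bad_value)`, so corrupt input is rejected there but not reported the way the EGSD checks report it. The mach-o-aarch64.c and mach-o-x86-64.c functions take `res_base ATTRIBUTE_UNUSED` and add no check, although the ChangeLog says "Likewise" for them; it is worth confirming that those backends have no pair-style reloc that reads the preceding entry.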