Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | 109 |
1 files changed, 0 insertions, 109 deletions
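--- a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001
-From: Nick Clifton <nickc@redhat.com>
-Date: Mon, 13 Feb 2017 13:08:32 +0000
-Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
-processing corrupt input files containing symbol-difference relocations.
-
-PR binutils/21137
-* readelf.c (target_specific_reloc_handling): Add end parameter.
-Check for buffer overflow before writing relocated values.
-(apply_relocations): Pass end to target_specific_reloc_handling.
-
-(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
-Upstream-Status: Backport [master]
-CVE: CVE-2017-6965
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
----
-binutils/ChangeLog | 7 +++++++
-binutils/readelf.c | 30 +++++++++++++++++++++++++-----
-2 files changed, 32 insertions(+), 5 deletions(-)
-
-diff --git a/binutils/readelf.c b/binutils/readelf.c
-index b5f577f5a1..8cdaae3b8c 100644
---- a/binutils/readelf.c
-+++ b/binutils/readelf.c
-@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
-static bfd_boolean
-target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-unsigned char * start,
-+ unsigned char * end,
-Elf_Internal_Sym * symtab)
-{
-unsigned int reloc_type = get_reloc_type (reloc->r_info);
-@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-handle_sym_diff:
-if (saved_sym != NULL)
-{
-+ int reloc_size = reloc_type == 1 ? 4 : 2;
-bfd_vma value;
-
-value = reloc->r_addend
-+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
-- saved_sym->st_value);
-
-- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
-+ if (start + reloc->r_offset + reloc_size >= end)
-+ /* PR 21137 */
-+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
-+ start + reloc->r_offset + reloc_size, end);
-+ else
-+ byte_put (start + reloc->r_offset, value, reloc_size);
-
-saved_sym = NULL;
-return TRUE;
-@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-case 2: /* R_MN10300_16 */
-if (saved_sym != NULL)
-{
-+ int reloc_size = reloc_type == 1 ? 4 : 2;
-bfd_vma value;
-
-value = reloc->r_addend
-+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
-- saved_sym->st_value);
-
-- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
-+ if (start + reloc->r_offset + reloc_size >= end)
-+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
-+ start + reloc->r_offset + reloc_size, end);
-+ else
-+ byte_put (start + reloc->r_offset, value, reloc_size);
-
-saved_sym = NULL;
-return TRUE;
-@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-break;
-
-case 0x41: /* R_RL78_ABS32. */
-- byte_put (start + reloc->r_offset, value, 4);
-+ if (start + reloc->r_offset + 4 >= end)
-+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
-+ start + reloc->r_offset + 2, end);
-+ else
-+ byte_put (start + reloc->r_offset, value, 4);
-value = 0;
-return TRUE;
-
-case 0x43: /* R_RL78_ABS16. */
-- byte_put (start + reloc->r_offset, value, 2);
-+ if (start + reloc->r_offset + 2 >= end)
-+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
-+ start + reloc->r_offset + 2, end);
-+ else
-+ byte_put (start + reloc->r_offset, value, 2);
-value = 0;
-return TRUE;
-
-@@ -12325,7 +12345,7 @@ apply_relocations (void * file,
-
-reloc_type = get_reloc_type (rp->r_info);
-
-- if (target_specific_reloc_handling (rp, start, symtab))
-+ if (target_specific_reloc_handling (rp, start, end, symtab))
-continue;
-else if (is_none_reloc (reloc_type))
-continue;
---
-2.11.0
-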