1 files changed, 0 insertions, 221 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
deleted file mode 100644
index 206e493b6e..0000000000
--- a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001
-From: Nick Clifton <nickc@redhat.com>
-Date: Mon, 13 Feb 2017 14:03:22 +0000
-Subject: [PATCH] Fix read-after-free error in readelf when processing
- multiple, relocated sections in an MSP430 binary.
-        PR binutils/21139
-        * readelf.c (target_specific_reloc_handling): Add num_syms
-        parameter.  Check for symbol table overflow before accessing
-        symbol value.  If reloc pointer is NULL, discard all saved state.
-        (apply_relocations): Pass num_syms to target_specific_reloc_handling.
-        Call target_specific_reloc_handling with a NULL reloc pointer
-        after processing all of the relocs.
-(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
-Upstream-Status: Backport [master]
-CVE: CVE-2017-6966
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
---
- binutils/ChangeLog |  10 +++++
- binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
- 2 files changed, 94 insertions(+), 25 deletions(-)
-diff --git a/binutils/readelf.c b/binutils/readelf.c
-index 8cdaae3b8c..7c158c6342 100644
--- a/binutils/readelf.c
-+++ b/binutils/readelf.c
-@@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
- 
- /* Check to see if the given reloc needs to be handled in a target specific
-    manner.  If so then process the reloc and return TRUE otherwise return
-   FALSE.  */
-+   FALSE.
-+
-+   If called with reloc == NULL, then this is a signal that reloc processing
-+   for the current section has finished, and any saved state should be
-+   discarded.  */
- 
- static bfd_boolean
- target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-                                unsigned char *     start,
-                                unsigned char *     end,
-                               Elf_Internal_Sym *  symtab)
-+                               Elf_Internal_Sym *  symtab,
-+                               unsigned long       num_syms)
- {
-  unsigned int reloc_type = get_reloc_type (reloc->r_info);
-+  unsigned int reloc_type = 0;
-+  unsigned long sym_index = 0;
-+
-+  if (reloc)
-+    {
-+      reloc_type = get_reloc_type (reloc->r_info);
-+      sym_index = get_reloc_symindex (reloc->r_info);
-+    }
- 
-   switch (elf_header.e_machine)
-     {
-@@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-       {
-        static Elf_Internal_Sym * saved_sym = NULL;
- 
-+       if (reloc == NULL)
-+         {
-+           saved_sym = NULL;
-+           return TRUE;
-+         }
-+
-        switch (reloc_type)
-          {
-          case 10: /* R_MSP430_SYM_DIFF */
-@@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-              break;
-            /* Fall through.  */
-          case 21: /* R_MSP430X_SYM_DIFF */
-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
-+           /* PR 21139.  */
-+           if (sym_index >= num_syms)
-+             error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
-+                    sym_index);
-+           else
-+             saved_sym = symtab + sym_index;
-            return TRUE;
- 
-          case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
-@@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-                int reloc_size = reloc_type == 1 ? 4 : 2;
-                bfd_vma value;
- 
-               value = reloc->r_addend
-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
-                    - saved_sym->st_value);
-
-               if (start + reloc->r_offset + reloc_size >= end)
-                 /* PR 21137 */
-                 error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
-                        start + reloc->r_offset + reloc_size, end);
-+               if (sym_index >= num_syms)
-+                 error (_("MSP430 reloc contains invalid symbol index %lu\n"),
-+                        sym_index);
-                else
-                 byte_put (start + reloc->r_offset, value, reloc_size);
-+                 {
-+                   value = reloc->r_addend + (symtab[sym_index].st_value
-+                                              - saved_sym->st_value);
-+
-+                   if (start + reloc->r_offset + reloc_size >= end)
-+                     /* PR 21137 */
-+                     error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
-+                            start + reloc->r_offset + reloc_size, end);
-+                   else
-+                     byte_put (start + reloc->r_offset, value, reloc_size);
-+                 }
- 
-                saved_sym = NULL;
-                return TRUE;
-@@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-       {
-        static Elf_Internal_Sym * saved_sym = NULL;
- 
-+       if (reloc == NULL)
-+         {
-+           saved_sym = NULL;
-+           return TRUE;
-+         }
-+
-        switch (reloc_type)
-          {
-          case 34: /* R_MN10300_ALIGN */
-            return TRUE;
-          case 33: /* R_MN10300_SYM_DIFF */
-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
-+           if (sym_index >= num_syms)
-+             error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
-+                    sym_index);
-+           else
-+             saved_sym = symtab + sym_index;
-            return TRUE;
-+
-          case 1: /* R_MN10300_32 */
-          case 2: /* R_MN10300_16 */
-            if (saved_sym != NULL)
-@@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-                int reloc_size = reloc_type == 1 ? 4 : 2;
-                bfd_vma value;
- 
-               value = reloc->r_addend
-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
-                    - saved_sym->st_value);
-
-               if (start + reloc->r_offset + reloc_size >= end)
-                 error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
-                        start + reloc->r_offset + reloc_size, end);
-+               if (sym_index >= num_syms)
-+                 error (_("MN10300 reloc contains invalid symbol index %lu\n"),
-+                        sym_index);
-                else
-                 byte_put (start + reloc->r_offset, value, reloc_size);
-+                 {
-+                   value = reloc->r_addend + (symtab[sym_index].st_value
-+                                              - saved_sym->st_value);
-+
-+                   if (start + reloc->r_offset + reloc_size >= end)
-+                     error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
-+                            start + reloc->r_offset + reloc_size, end);
-+                   else
-+                     byte_put (start + reloc->r_offset, value, reloc_size);
-+                 }
- 
-                saved_sym = NULL;
-                return TRUE;
-@@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
-        static bfd_vma saved_sym2 = 0;
-        static bfd_vma value;
- 
-+       if (reloc == NULL)
-+         {
-+           saved_sym1 = saved_sym2 = 0;
-+           return TRUE;
-+         }
-+
-        switch (reloc_type)
-          {
-          case 0x80: /* R_RL78_SYM.  */
-            saved_sym1 = saved_sym2;
-           saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
-           saved_sym2 += reloc->r_addend;
-+           if (sym_index >= num_syms)
-+             error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
-+                    sym_index);
-+           else
-+             {
-+               saved_sym2 = symtab[sym_index].st_value;
-+               saved_sym2 += reloc->r_addend;
-+             }
-            return TRUE;
- 
-          case 0x83: /* R_RL78_OPsub.  */
-@@ -12345,7 +12401,7 @@ apply_relocations (void *                     file,
- 
-          reloc_type = get_reloc_type (rp->r_info);
- 
-         if (target_specific_reloc_handling (rp, start, end, symtab))
-+         if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
-            continue;
-          else if (is_none_reloc (reloc_type))
-            continue;
-@@ -12441,6 +12497,9 @@ apply_relocations (void *                     file,
-        }
- 
-       free (symtab);
-+      /* Let the target specific reloc processing code know that
-+        we have finished with these relocs.  */
-+      target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
- 
-       if (relocs_return)
-        {
-- 
-2.11.0

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch deleted file mode 100644 index 206e493b6e..0000000000 --- a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch +++ /dev/null
@@ -1,221 +0,0 @@
1	From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001
2	From: Nick Clifton <nickc@redhat.com>
3	Date: Mon, 13 Feb 2017 14:03:22 +0000
4	Subject: [PATCH] Fix read-after-free error in readelf when processing
5	multiple, relocated sections in an MSP430 binary.
6
7	PR binutils/21139
8	* readelf.c (target_specific_reloc_handling): Add num_syms
9	parameter. Check for symbol table overflow before accessing
10	symbol value. If reloc pointer is NULL, discard all saved state.
11	(apply_relocations): Pass num_syms to target_specific_reloc_handling.
12	Call target_specific_reloc_handling with a NULL reloc pointer
13	after processing all of the relocs.
14
15	(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
16	Upstream-Status: Backport [master]
17	CVE: CVE-2017-6966
18
19	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
20	---
21	binutils/ChangeLog \| 10 +++++
22	binutils/readelf.c \| 109 +++++++++++++++++++++++++++++++++++++++++------------
23	2 files changed, 94 insertions(+), 25 deletions(-)
24
25	diff --git a/binutils/readelf.c b/binutils/readelf.c
26	index 8cdaae3b8c..7c158c6342 100644
27	--- a/binutils/readelf.c
28	+++ b/binutils/readelf.c
29	@@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
30
31	/* Check to see if the given reloc needs to be handled in a target specific
32	manner. If so then process the reloc and return TRUE otherwise return
33	- FALSE. */
34	+ FALSE.
35	+
36	+ If called with reloc == NULL, then this is a signal that reloc processing
37	+ for the current section has finished, and any saved state should be
38	+ discarded. */
39
40	static bfd_boolean
41	target_specific_reloc_handling (Elf_Internal_Rela * reloc,
42	unsigned char * start,
43	unsigned char * end,
44	- Elf_Internal_Sym * symtab)
45	+ Elf_Internal_Sym * symtab,
46	+ unsigned long num_syms)
47	{
48	- unsigned int reloc_type = get_reloc_type (reloc->r_info);
49	+ unsigned int reloc_type = 0;
50	+ unsigned long sym_index = 0;
51	+
52	+ if (reloc)
53	+ {
54	+ reloc_type = get_reloc_type (reloc->r_info);
55	+ sym_index = get_reloc_symindex (reloc->r_info);
56	+ }
57
58	switch (elf_header.e_machine)
59	{
60	@@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
61	{
62	static Elf_Internal_Sym * saved_sym = NULL;
63
64	+ if (reloc == NULL)
65	+ {
66	+ saved_sym = NULL;
67	+ return TRUE;
68	+ }
69	+
70	switch (reloc_type)
71	{
72	case 10: /* R_MSP430_SYM_DIFF */
73	@@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
74	break;
75	/* Fall through. */
76	case 21: /* R_MSP430X_SYM_DIFF */
77	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
78	+ /* PR 21139. */
79	+ if (sym_index >= num_syms)
80	+ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
81	+ sym_index);
82	+ else
83	+ saved_sym = symtab + sym_index;
84	return TRUE;
85
86	case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
87	@@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
88	int reloc_size = reloc_type == 1 ? 4 : 2;
89	bfd_vma value;
90
91	- value = reloc->r_addend
92	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
93	- - saved_sym->st_value);
94	-
95	- if (start + reloc->r_offset + reloc_size >= end)
96	- /* PR 21137 */
97	- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
98	- start + reloc->r_offset + reloc_size, end);
99	+ if (sym_index >= num_syms)
100	+ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
101	+ sym_index);
102	else
103	- byte_put (start + reloc->r_offset, value, reloc_size);
104	+ {
105	+ value = reloc->r_addend + (symtab[sym_index].st_value
106	+ - saved_sym->st_value);
107	+
108	+ if (start + reloc->r_offset + reloc_size >= end)
109	+ /* PR 21137 */
110	+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
111	+ start + reloc->r_offset + reloc_size, end);
112	+ else
113	+ byte_put (start + reloc->r_offset, value, reloc_size);
114	+ }
115
116	saved_sym = NULL;
117	return TRUE;
118	@@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
119	{
120	static Elf_Internal_Sym * saved_sym = NULL;
121
122	+ if (reloc == NULL)
123	+ {
124	+ saved_sym = NULL;
125	+ return TRUE;
126	+ }
127	+
128	switch (reloc_type)
129	{
130	case 34: /* R_MN10300_ALIGN */
131	return TRUE;
132	case 33: /* R_MN10300_SYM_DIFF */
133	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
134	+ if (sym_index >= num_syms)
135	+ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
136	+ sym_index);
137	+ else
138	+ saved_sym = symtab + sym_index;
139	return TRUE;
140	+
141	case 1: /* R_MN10300_32 */
142	case 2: /* R_MN10300_16 */
143	if (saved_sym != NULL)
144	@@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
145	int reloc_size = reloc_type == 1 ? 4 : 2;
146	bfd_vma value;
147
148	- value = reloc->r_addend
149	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
150	- - saved_sym->st_value);
151	-
152	- if (start + reloc->r_offset + reloc_size >= end)
153	- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
154	- start + reloc->r_offset + reloc_size, end);
155	+ if (sym_index >= num_syms)
156	+ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
157	+ sym_index);
158	else
159	- byte_put (start + reloc->r_offset, value, reloc_size);
160	+ {
161	+ value = reloc->r_addend + (symtab[sym_index].st_value
162	+ - saved_sym->st_value);
163	+
164	+ if (start + reloc->r_offset + reloc_size >= end)
165	+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
166	+ start + reloc->r_offset + reloc_size, end);
167	+ else
168	+ byte_put (start + reloc->r_offset, value, reloc_size);
169	+ }
170
171	saved_sym = NULL;
172	return TRUE;
173	@@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
174	static bfd_vma saved_sym2 = 0;
175	static bfd_vma value;
176
177	+ if (reloc == NULL)
178	+ {
179	+ saved_sym1 = saved_sym2 = 0;
180	+ return TRUE;
181	+ }
182	+
183	switch (reloc_type)
184	{
185	case 0x80: /* R_RL78_SYM. */
186	saved_sym1 = saved_sym2;
187	- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
188	- saved_sym2 += reloc->r_addend;
189	+ if (sym_index >= num_syms)
190	+ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
191	+ sym_index);
192	+ else
193	+ {
194	+ saved_sym2 = symtab[sym_index].st_value;
195	+ saved_sym2 += reloc->r_addend;
196	+ }
197	return TRUE;
198
199	case 0x83: /* R_RL78_OPsub. */
200	@@ -12345,7 +12401,7 @@ apply_relocations (void * file,
201
202	reloc_type = get_reloc_type (rp->r_info);
203
204	- if (target_specific_reloc_handling (rp, start, end, symtab))
205	+ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
206	continue;
207	else if (is_none_reloc (reloc_type))
208	continue;
209	@@ -12441,6 +12497,9 @@ apply_relocations (void * file,
210	}
211
212	free (symtab);
213	+ /* Let the target specific reloc processing code know that
214	+ we have finished with these relocs. */
215	+ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
216
217	if (relocs_return)
218	{
219	--
220	2.11.0
221