Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch | 168 |
1 files changed, 168 insertions, 0 deletions
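diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000000..774670fb0e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,168 @@
+From cfd14a500e0485374596234de4db10e88ebc7618 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 26 Jun 2017 15:25:08 +0100
+Subject: [PATCH] Fix address violations when atempting to parse fuzzed
+binaries.
+
+PR binutils/21665
+bfd * opncls.c (get_build_id): Check that the section is beig enough
+to contain the whole note.
+* compress.c (bfd_get_full_section_contents): Check for and reject
+a section whoes size is greater than the size of the entire file.
+* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+contain a notes section.
+
+binutils* objdump.c (disassemble_section): Skip any section that is bigger
+than the entire file.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+bfd/ChangeLog | 10 ++++++++++
+bfd/compress.c | 6 ++++++
+bfd/elf32-v850.c | 4 +++-
+bfd/opncls.c | 18 ++++++++++++++++--
+binutils/ChangeLog | 6 ++++++
+binutils/objdump.c | 4 ++--
+6 files changed, 43 insertions(+), 5 deletions(-)
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
++++ git/bfd/compress.c
+@@ -239,6 +239,12 @@ bfd_get_full_section_contents (bfd *abfd
+*ptr = NULL;
+return TRUE;
+}
++ else if (bfd_get_file_size (abfd) > 0
++ && sz > (bfd_size_type) bfd_get_file_size (abfd))
++ {
++ *ptr = NULL;
++ return FALSE;
++ }
+
+switch (sec->compress_status)
+{
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c
++++ git/bfd/elf32-v850.c
+@@ -2450,7 +2450,9 @@ v850_elf_copy_notes (bfd *ibfd, bfd *obf
+BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+
+if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
++ /* If the output is being stripped then it is possible for
++ the notes section to disappear. In this case do nothing. */
++ return;
+
+/* Copy/overwrite notes from the input to the output. */
+memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
++++ git/bfd/opncls.c
+@@ -1776,6 +1776,7 @@ get_build_id (bfd *abfd)
+Elf_External_Note *enote;
+bfd_byte *contents;
+asection *sect;
++ bfd_size_type size;
+
+BFD_ASSERT (abfd);
+
+@@ -1790,8 +1791,9 @@ get_build_id (bfd *abfd)
+return NULL;
+}
+
++ size = bfd_get_section_size (sect);
+/* FIXME: Should we support smaller build-id notes ? */
+- if (bfd_get_section_size (sect) < 0x24)
++ if (size < 0x24)
+{
+bfd_set_error (bfd_error_invalid_operation);
+return NULL;
+@@ -1804,6 +1806,17 @@ get_build_id (bfd *abfd)
+return NULL;
+}
+
++ /* FIXME: Paranoia - allow for compressed build-id sections.
++ Maybe we should complain if this size is different from
++ the one obtained above... */
++ size = bfd_get_section_size (sect);
++ if (size < sizeof (Elf_External_Note))
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ free (contents);
++ return NULL;
++ }
++
+enote = (Elf_External_Note *) contents;
+inote.type = H_GET_32 (abfd, enote->type);
+inote.namesz = H_GET_32 (abfd, enote->namesz);
+@@ -1815,7 +1828,8 @@ get_build_id (bfd *abfd)
+if (inote.descsz == 0
+|| inote.type != NT_GNU_BUILD_ID
+|| inote.namesz != 4 /* sizeof "GNU" */
+- || strcmp (inote.namedata, "GNU") != 0)
++ || strncmp (inote.namedata, "GNU", 4) != 0
++ || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
+{
+free (contents);
+bfd_set_error (bfd_error_invalid_operation);
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
+return;
+
+datasize = bfd_get_section_size (section);
+- if (datasize == 0)
++ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+return;
+
+if (start_address == (bfd_vma) -1
+@@ -2912,7 +2912,7 @@ dump_target_specific (bfd *abfd)
+static void
+dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+{
+- bfd_byte *data = 0;
++ bfd_byte *data = NULL;
+bfd_size_type datasize;
+bfd_vma addr_offset;
+bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,14 @@
+2017-06-26 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21665
++ * opncls.c (get_build_id): Check that the section is beig enough
++ to contain the whole note.
++ * compress.c (bfd_get_full_section_contents): Check for and reject
++ a section whoes size is greater than the size of the entire file.
++ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
++ contain a notes section.
++
++2017-06-26 Nick Clifton <nickc@redhat.com>
+
+PR binutils/21670
+* tekhex.c (getvalue): Check for the source pointer exceeding the
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21665
++ * objdump.c (disassemble_section): Skip any section that is bigger
++ than the entire file.
++
+2017-04-03 Nick Clifton <nickc@redhat.com>
+
+PR binutils/21345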
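Review bot: The new length test in the last get_build_id hunk of bfd/opncls.c, `size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz)`, adds the file-controlled `descsz` before comparing, so the sum can wrap if that field's host type is 32 bits wide (its declaration is outside the hunk), and a descsz close to 0xffffffff would then pass the check it is meant to fail. Because `inote.namesz != 4` is already rejected earlier in the same condition, the bound can be written without any addition: `|| size < 16 || inote.descsz > size - 16`. The `size < 16` term is needed first, since after the second `size = bfd_get_section_size (sect)` the visible checks only guarantee `sizeof (Elf_External_Note)` bytes. get_build_id's body continues outside these hunks, so how `descsz` is used after this test should be confirmed against the full function.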