binutils: Security fix CVE-2017-8393

Affects: <= 2.28 (From OE-Core rev: e96c9ab000c8693788b7a233bd7061d43cbe24d7) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2017-11-26 12:08:36 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-12-11 22:02:58 +0000
commit: 6da272440da118f656f432a800491e0ef3b46466 (patch)
tree: 0721b3b5b892d97d6342d95dc9594242ae584858
parent: 34a2b675f4c95c8112cb60cc2c88ca247e03d083 (diff)
download: poky-6da272440da118f656f432a800491e0ef3b46466.tar.gz
2 files changed, 206 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 6ae091c289..53299fa013 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -45,6 +45,7 @@ SRC_URI = "\
     file://CVE-2017-7210.patch \
     file://CVE-2017-7223.patch \
     file://CVE-2017-7614.patch \
+     file://CVE-2017-8393.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
new file mode 100644
index 0000000000..8500a03b13
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
@@ -0,0 +1,205 @@
+From bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 23 Apr 2017 11:03:34 +0930
+Subject: [PATCH] PR 21412, get_reloc_section assumes .rel/.rela name for
+ SHT_REL/RELA.
+This patch fixes an assumption made by code that runs for objcopy and
+strip, that SHT_REL/SHR_RELA sections are always named starting with a
+.rel/.rela prefix.  I'm also modifying the interface for
+elf_backend_get_reloc_section, so any backend function just needs to
+handle name mapping.
+        PR 21412
+        * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
+        parameters and comment.
+        (_bfd_elf_get_reloc_section): Delete.
+        (_bfd_elf_plt_get_reloc_section): Declare.
+        * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
+        New functions.  Don't blindly skip over assumed .rel/.rela prefix.
+        Extracted from..
+        (_bfd_elf_get_reloc_section): ..here.  Delete.
+        (assign_section_numbers): Call elf_get_reloc_section.
+        * elf64-ppc.c (elf_backend_get_reloc_section): Define.
+        * elfxx-target.h (elf_backend_get_reloc_section): Update.
+Upstream-Status: Backport
+CVE: CVE-2017-8393
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog      | 15 ++++++++++++++
+ bfd/elf-bfd.h      |  8 ++++---
+ bfd/elf.c          | 61 +++++++++++++++++++++++++++++++-----------------------
+ bfd/elf64-ppc.c    |  1 +
+ bfd/elfxx-target.h |  2 +-
+ 5 files changed, 57 insertions(+), 30 deletions(-)
+Index: git/bfd/elf-bfd.h
+===================================================================
+--- git.orig/bfd/elf-bfd.h
+++ git/bfd/elf-bfd.h
+@@ -1322,8 +1322,10 @@ struct elf_backend_data
+   bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec,
+                                       bfd_vma *code_off);
+ 
+-  /* Return the section which RELOC_SEC applies to.  */
+-  asection *(*get_reloc_section) (asection *reloc_sec);
+  /* Given NAME, the name of a relocation section stripped of its
+     .rel/.rela prefix, return the section in ABFD to which the
+     relocations apply.  */
+  asection *(*get_reloc_section) (bfd *abfd, const char *name);
+ 
+   /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
+      has a type >= SHT_LOOS.  Returns TRUE if the fields were initialised,
+@@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_
+ extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *,
+                                                  bfd_vma *);
+ 
+-extern asection *_bfd_elf_get_reloc_section (asection *);
+extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *);
+ 
+ extern int bfd_elf_get_default_section_type (flagword);
+ 
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
+++ git/bfd/elf.c
+@@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, a
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+ }
+ 
+-/* Return the section which RELOC_SEC applies to.  */
+/* Given NAME, the name of a relocation section stripped of its
+   .rel/.rela prefix, return the section in ABFD to which the
+   relocations apply.  */
+ 
+ asection *
+-_bfd_elf_get_reloc_section (asection *reloc_sec)
+_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name)
+{
+  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+     section likely apply to .got.plt or .got section.  */
+  if (get_elf_backend_data (abfd)->want_got_plt
+      && strcmp (name, ".plt") == 0)
+    {
+      asection *sec;
+
+      name = ".got.plt";
+      sec = bfd_get_section_by_name (abfd, name);
+      if (sec != NULL)
+       return sec;
+      name = ".got";
+    }
+
+  return bfd_get_section_by_name (abfd, name);
+}
+
+/* Return the section to which RELOC_SEC applies.  */
+
+static asection *
+elf_get_reloc_section (asection *reloc_sec)
+ {
+   const char *name;
+   unsigned int type;
+   bfd *abfd;
+-
+-  if (reloc_sec == NULL)
+-    return NULL;
+  const struct elf_backend_data *bed;
+ 
+   type = elf_section_data (reloc_sec)->this_hdr.sh_type;
+   if (type != SHT_REL && type != SHT_RELA)
+@@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *re
+ 
+   /* We look up the section the relocs apply to by name.  */
+   name = reloc_sec->name;
+-  if (type == SHT_REL)
+-    name += 4;
+-  else
+-    name += 5;
+  if (strncmp (name, ".rel", 4) != 0)
+    return NULL;
+  name += 4;
+  if (type == SHT_RELA && *name++ != 'a')
+    return NULL;
+ 
+-  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+-     section apply to .got.plt section.  */
+   abfd = reloc_sec->owner;
+-  if (get_elf_backend_data (abfd)->want_got_plt
+-      && strcmp (name, ".plt") == 0)
+-    {
+-      /* .got.plt is a linker created input section.  It may be mapped
+-        to some other output section.  Try two likely sections.  */
+-      name = ".got.plt";
+-      reloc_sec = bfd_get_section_by_name (abfd, name);
+-      if (reloc_sec != NULL)
+-       return reloc_sec;
+-      name = ".got";
+-    }
+-
+-  reloc_sec = bfd_get_section_by_name (abfd, name);
+-  return reloc_sec;
+  bed = get_elf_backend_data (abfd);
+  return bed->get_reloc_section (abfd, name);
+ }
+ 
+ /* Assign all ELF section numbers.  The dummy first section is handled here
+@@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struc
+          if (s != NULL)
+            d->this_hdr.sh_link = elf_section_data (s)->this_idx;
+ 
+-         s = get_elf_backend_data (abfd)->get_reloc_section (sec);
+         s = elf_get_reloc_section (sec);
+          if (s != NULL)
+            {
+              d->this_hdr.sh_info = elf_section_data (s)->this_idx;
+Index: git/bfd/elf64-ppc.c
+===================================================================
+--- git.orig/bfd/elf64-ppc.c
+++ git/bfd/elf64-ppc.c
+@@ -121,6 +121,7 @@ static bfd_vma opd_entry_value
+ #define elf_backend_special_sections         ppc64_elf_special_sections
+ #define elf_backend_merge_symbol_attribute    ppc64_elf_merge_symbol_attribute
+ #define elf_backend_merge_symbol             ppc64_elf_merge_symbol
+#define elf_backend_get_reloc_section        bfd_get_section_by_name
+ 
+ /* The name of the dynamic interpreter.  This is put in the .interp
+    section.  */
+Index: git/bfd/elfxx-target.h
+===================================================================
+--- git.orig/bfd/elfxx-target.h
+++ git/bfd/elfxx-target.h
+@@ -706,7 +706,7 @@
+ #endif
+ 
+ #ifndef elf_backend_get_reloc_section
+-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
+#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
+ #endif
+ 
+ #ifndef elf_backend_copy_special_section_fields
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,18 @@
+2017-04-23  Alan Modra  <amodra@gmail.com>
+ 
+       PR 21412
+       * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
+       parameters and comment.
+       (_bfd_elf_get_reloc_section): Delete.
+       (_bfd_elf_plt_get_reloc_section): Declare.
+       * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
+       New functions.  Don't blindly skip over assumed .rel/.rela prefix.
+       Extracted from..
+       (_bfd_elf_get_reloc_section): ..here.  Delete.
+       (assign_section_numbers): Call elf_get_reloc_section.
+       * elf64-ppc.c (elf_backend_get_reloc_section): Define.
+       * elfxx-target.h (elf_backend_get_reloc_section): Update.
+
+ 2017-04-04  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21342
author	Armin Kuster <akuster808@gmail.com>	2017-11-26 12:08:36 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-12-11 22:02:58 +0000
commit	6da272440da118f656f432a800491e0ef3b46466 (patch)
tree	0721b3b5b892d97d6342d95dc9594242ae584858
parent	34a2b675f4c95c8112cb60cc2c88ca247e03d083 (diff)
download	poky-6da272440da118f656f432a800491e0ef3b46466.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 6ae091c289..53299fa013 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -45,6 +45,7 @@ SRC_URI = "\
45	file://CVE-2017-7210.patch \	45	file://CVE-2017-7210.patch \
46	file://CVE-2017-7223.patch \	46	file://CVE-2017-7223.patch \
47	file://CVE-2017-7614.patch \	47	file://CVE-2017-7614.patch \
		48	file://CVE-2017-8393.patch \
48	"	49	"
49	S = "${WORKDIR}/git"	50	S = "${WORKDIR}/git"
50		51


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch new file mode 100644 index 0000000000..8500a03b13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
@@ -0,0 +1,205 @@
		1	From bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sun, 23 Apr 2017 11:03:34 +0930
		4	Subject: [PATCH] PR 21412, get_reloc_section assumes .rel/.rela name for
		5	SHT_REL/RELA.
		6
		7	This patch fixes an assumption made by code that runs for objcopy and
		8	strip, that SHT_REL/SHR_RELA sections are always named starting with a
		9	.rel/.rela prefix. I'm also modifying the interface for
		10	elf_backend_get_reloc_section, so any backend function just needs to
		11	handle name mapping.
		12
		13	PR 21412
		14	* elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
		15	parameters and comment.
		16	(_bfd_elf_get_reloc_section): Delete.
		17	(_bfd_elf_plt_get_reloc_section): Declare.
		18	* elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
		19	New functions. Don't blindly skip over assumed .rel/.rela prefix.
		20	Extracted from..
		21	(_bfd_elf_get_reloc_section): ..here. Delete.
		22	(assign_section_numbers): Call elf_get_reloc_section.
		23	* elf64-ppc.c (elf_backend_get_reloc_section): Define.
		24	* elfxx-target.h (elf_backend_get_reloc_section): Update.
		25
		26	Upstream-Status: Backport
		27	CVE: CVE-2017-8393
		28	Signed-off-by: Armin Kuster <akuster@mvista.com>
		29
		30	---
		31	bfd/ChangeLog \| 15 ++++++++++++++
		32	bfd/elf-bfd.h \| 8 ++++---
		33	bfd/elf.c \| 61 +++++++++++++++++++++++++++++++-----------------------
		34	bfd/elf64-ppc.c \| 1 +
		35	bfd/elfxx-target.h \| 2 +-
		36	5 files changed, 57 insertions(+), 30 deletions(-)
		37
		38	Index: git/bfd/elf-bfd.h
		39	===================================================================
		40	--- git.orig/bfd/elf-bfd.h
		41	+++ git/bfd/elf-bfd.h
		42	@@ -1322,8 +1322,10 @@ struct elf_backend_data
		43	bfd_size_type (maybe_function_sym) (const asymbol sym, asection *sec,
		44	bfd_vma *code_off);
		45
		46	- /* Return the section which RELOC_SEC applies to. */
		47	- asection (get_reloc_section) (asection *reloc_sec);
		48	+ /* Given NAME, the name of a relocation section stripped of its
		49	+ .rel/.rela prefix, return the section in ABFD to which the
		50	+ relocations apply. */
		51	+ asection (get_reloc_section) (bfd abfd, const char name);
		52
		53	/* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
		54	has a type >= SHT_LOOS. Returns TRUE if the fields were initialised,
		55	@@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_
		56	extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol , asection ,
		57	bfd_vma *);
		58
		59	-extern asection _bfd_elf_get_reloc_section (asection );
		60	+extern asection _bfd_elf_plt_get_reloc_section (bfd , const char *);
		61
		62	extern int bfd_elf_get_default_section_type (flagword);
		63
		64	Index: git/bfd/elf.c
		65	===================================================================
		66	--- git.orig/bfd/elf.c
		67	+++ git/bfd/elf.c
		68	@@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, a
		69	H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
		70	}
		71
		72	-/* Return the section which RELOC_SEC applies to. */
		73	+/* Given NAME, the name of a relocation section stripped of its
		74	+ .rel/.rela prefix, return the section in ABFD to which the
		75	+ relocations apply. */
		76
		77	asection *
		78	-_bfd_elf_get_reloc_section (asection *reloc_sec)
		79	+_bfd_elf_plt_get_reloc_section (bfd abfd, const char name)
		80	+{
		81	+ /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
		82	+ section likely apply to .got.plt or .got section. */
		83	+ if (get_elf_backend_data (abfd)->want_got_plt
		84	+ && strcmp (name, ".plt") == 0)
		85	+ {
		86	+ asection *sec;
		87	+
		88	+ name = ".got.plt";
		89	+ sec = bfd_get_section_by_name (abfd, name);
		90	+ if (sec != NULL)
		91	+ return sec;
		92	+ name = ".got";
		93	+ }
		94	+
		95	+ return bfd_get_section_by_name (abfd, name);
		96	+}
		97	+
		98	+/* Return the section to which RELOC_SEC applies. */
		99	+
		100	+static asection *
		101	+elf_get_reloc_section (asection *reloc_sec)
		102	{
		103	const char *name;
		104	unsigned int type;
		105	bfd *abfd;
		106	-
		107	- if (reloc_sec == NULL)
		108	- return NULL;
		109	+ const struct elf_backend_data *bed;
		110
		111	type = elf_section_data (reloc_sec)->this_hdr.sh_type;
		112	if (type != SHT_REL && type != SHT_RELA)
		113	@@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *re
		114
		115	/* We look up the section the relocs apply to by name. */
		116	name = reloc_sec->name;
		117	- if (type == SHT_REL)
		118	- name += 4;
		119	- else
		120	- name += 5;
		121	+ if (strncmp (name, ".rel", 4) != 0)
		122	+ return NULL;
		123	+ name += 4;
		124	+ if (type == SHT_RELA && *name++ != 'a')
		125	+ return NULL;
		126
		127	- /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
		128	- section apply to .got.plt section. */
		129	abfd = reloc_sec->owner;
		130	- if (get_elf_backend_data (abfd)->want_got_plt
		131	- && strcmp (name, ".plt") == 0)
		132	- {
		133	- /* .got.plt is a linker created input section. It may be mapped
		134	- to some other output section. Try two likely sections. */
		135	- name = ".got.plt";
		136	- reloc_sec = bfd_get_section_by_name (abfd, name);
		137	- if (reloc_sec != NULL)
		138	- return reloc_sec;
		139	- name = ".got";
		140	- }
		141	-
		142	- reloc_sec = bfd_get_section_by_name (abfd, name);
		143	- return reloc_sec;
		144	+ bed = get_elf_backend_data (abfd);
		145	+ return bed->get_reloc_section (abfd, name);
		146	}
		147
		148	/* Assign all ELF section numbers. The dummy first section is handled here
		149	@@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struc
		150	if (s != NULL)
		151	d->this_hdr.sh_link = elf_section_data (s)->this_idx;
		152
		153	- s = get_elf_backend_data (abfd)->get_reloc_section (sec);
		154	+ s = elf_get_reloc_section (sec);
		155	if (s != NULL)
		156	{
		157	d->this_hdr.sh_info = elf_section_data (s)->this_idx;
		158	Index: git/bfd/elf64-ppc.c
		159	===================================================================
		160	--- git.orig/bfd/elf64-ppc.c
		161	+++ git/bfd/elf64-ppc.c
		162	@@ -121,6 +121,7 @@ static bfd_vma opd_entry_value
		163	#define elf_backend_special_sections ppc64_elf_special_sections
		164	#define elf_backend_merge_symbol_attribute ppc64_elf_merge_symbol_attribute
		165	#define elf_backend_merge_symbol ppc64_elf_merge_symbol
		166	+#define elf_backend_get_reloc_section bfd_get_section_by_name
		167
		168	/* The name of the dynamic interpreter. This is put in the .interp
		169	section. */
		170	Index: git/bfd/elfxx-target.h
		171	===================================================================
		172	--- git.orig/bfd/elfxx-target.h
		173	+++ git/bfd/elfxx-target.h
		174	@@ -706,7 +706,7 @@
		175	#endif
		176
		177	#ifndef elf_backend_get_reloc_section
		178	-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
		179	+#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
		180	#endif
		181
		182	#ifndef elf_backend_copy_special_section_fields
		183	Index: git/bfd/ChangeLog
		184	===================================================================
		185	--- git.orig/bfd/ChangeLog
		186	+++ git/bfd/ChangeLog
		187	@@ -1,3 +1,18 @@
		188	+2017-04-23 Alan Modra <amodra@gmail.com>
		189	+
		190	+ PR 21412
		191	+ * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
		192	+ parameters and comment.
		193	+ (_bfd_elf_get_reloc_section): Delete.
		194	+ (_bfd_elf_plt_get_reloc_section): Declare.
		195	+ * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
		196	+ New functions. Don't blindly skip over assumed .rel/.rela prefix.
		197	+ Extracted from..
		198	+ (_bfd_elf_get_reloc_section): ..here. Delete.
		199	+ (assign_section_numbers): Call elf_get_reloc_section.
		200	+ * elf64-ppc.c (elf_backend_get_reloc_section): Define.
		201	+ * elfxx-target.h (elf_backend_get_reloc_section): Update.
		202	+
		203	2017-04-04 Nick Clifton <nickc@redhat.com>
		204
		205	PR binutils/21342