binutils: fix CVE-2017-6969 in readelf

CVE: CVE-2017-6969 [BZ 21156] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21156 PR binutils/21156: Fix illegal memory accesses in readelf when ing a corrupt binary. PR binutils/21156: Fix another memory access error in readelf when parsing a corrupt binary. (From OE-Core rev: 565d4b9432c898e4483f392a91f4b4aaebb4b184) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yuanjie Huang <Yuanjie.Huang@windriver.com> 2017-05-31 01:37:57 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-29 16:50:52 +0100
commit: c7e48934c9560a507c7899a77bf02941ef52aec7 (patch)
tree: 6677867188fc6ab50aa5d2a300107b1e77f8d6bf /meta/recipes-devtools/binutils
parent: 6131129c0ad6d2f679a7580c6ccbfd0989ea4f6a (diff)
download: poky-c7e48934c9560a507c7899a77bf02941ef52aec7.tar.gz
3 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index f98fef9e02..d32ce25dd5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
     file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
     file://CVE-2017-6965.patch \
     file://CVE-2017-6966.patch \
+     file://CVE-2017-6969.patch \
+     file://CVE-2017-6969_2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
new file mode 100644
index 0000000000..3d036c4cf6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
@@ -0,0 +1,56 @@
+From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:45 +0000
+Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
+        PR binutils/21156
+        * readelf.c (find_section_in_set): Test for invalid section
+        indicies.
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index a70bdb7a7b..dbf8eb079e 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
+2017-02-17  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21156
+       * readelf.c (find_section_in_set): Test for invalid section
+       indicies.
+
+ 2016-08-03  Tristan Gingold  <gingold@adacore.com>
+ 
+        * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..7f7365dbc5 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
+   if (set != NULL)
+     {
+       while ((i = *set++) > 0)
+-       if (streq (SECTION_NAME (section_headers + i), name))
+-         return section_headers + i;
+       {
+         /* See PR 21156 for a reproducer.  */
+         if (i >= elf_header.e_shnum)
+           continue; /* FIXME: Should we issue an error message ?  */
+
+         if (streq (SECTION_NAME (section_headers + i), name))
+           return section_headers + i;
+       }
+     }
+ 
+   return find_section (name);
+-- 
+2.11.0
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
new file mode 100644
index 0000000000..491c7086ee
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
@@ -0,0 +1,122 @@
+From 59fcd64fe65a89fb0acaf5463840310701189375 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 20 Feb 2017 14:40:39 +0000
+Subject: Fix another memory access error in readelf when parsing a corrupt
+ binary.
+        PR binutils/21156
+        * dwarf.c (cu_tu_indexes_read): Move into...
+        (load_cu_tu_indexes): ... here.  Change the variable into
+        tri-state.  Change the function into boolean, returning
+        false if the indicies could not be loaded.
+        (find_cu_tu_set): Return NULL if the indicies could not be
+        loaded.
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 10 ++++++++++
+ binutils/dwarf.c   | 34 ++++++++++++++++++++--------------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index dbf8eb079e..55d2f8ba40 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,13 @@
+2017-02-20  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21156
+       * dwarf.c (cu_tu_indexes_read): Move into...
+       (load_cu_tu_indexes): ... here.  Change the variable into
+       tri-state.  Change the function into boolean, returning
+       false if the indicies could not be loaded.
+       (find_cu_tu_set): Return NULL if the indicies could not be
+       loaded.
+
+ 2017-02-17  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21156
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 282e069958..a23267feb6 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -76,7 +76,6 @@ int dwarf_check = 0;
+    as a zero-terminated list of section indexes comprising one set of debug
+    sections from a .dwo file.  */
+ 
+-static int cu_tu_indexes_read = 0;
+ static unsigned int *shndx_pool = NULL;
+ static unsigned int shndx_pool_size = 0;
+ static unsigned int shndx_pool_used = 0;
+@@ -99,7 +98,7 @@ static int tu_count = 0;
+ static struct cu_tu_set *cu_sets = NULL;
+ static struct cu_tu_set *tu_sets = NULL;
+ 
+-static void load_cu_tu_indexes (void *file);
+static bfd_boolean load_cu_tu_indexes (void *);
+ 
+ /* Values for do_debug_lines.  */
+ #define FLAG_DEBUG_LINES_RAW    1
+@@ -2713,7 +2712,7 @@ load_debug_info (void * file)
+     return num_debug_info_entries;
+ 
+   /* If this is a DWARF package file, load the CU and TU indexes.  */
+-  load_cu_tu_indexes (file);
+  (void) load_cu_tu_indexes (file);
+ 
+   if (load_debug_section (info, file)
+       && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
+@@ -7302,21 +7301,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+    section sets that we can use to associate a .debug_info.dwo section
+    with its associated .debug_abbrev.dwo section in a .dwp file.  */
+ 
+-static void
+static bfd_boolean
+ load_cu_tu_indexes (void *file)
+ {
+  static int cu_tu_indexes_read = -1; /* Tri-state variable.  */
+
+   /* If we have already loaded (or tried to load) the CU and TU indexes
+      then do not bother to repeat the task.  */
+-  if (cu_tu_indexes_read)
+-    return;
+-
+-  if (load_debug_section (dwp_cu_index, file))
+-    process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
+-
+-  if (load_debug_section (dwp_tu_index, file))
+-    process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
+  if (cu_tu_indexes_read == -1)
+    {
+      cu_tu_indexes_read = TRUE;
+  
+      if (load_debug_section (dwp_cu_index, file))
+       if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
+         cu_tu_indexes_read = FALSE;
+
+      if (load_debug_section (dwp_tu_index, file))
+       if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
+         cu_tu_indexes_read = FALSE;
+    }
+ 
+-  cu_tu_indexes_read = 1;
+  return (bfd_boolean) cu_tu_indexes_read;
+ }
+ 
+ /* Find the set of sections that includes section SHNDX.  */
+@@ -7326,7 +7331,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
+ {
+   unsigned int i;
+ 
+-  load_cu_tu_indexes (file);
+  if (! load_cu_tu_indexes (file))
+    return NULL;
+ 
+   /* Find SHNDX in the shndx pool.  */
+   for (i = 0; i < shndx_pool_used; i++)
+-- 
+2.11.0
author	Yuanjie Huang <Yuanjie.Huang@windriver.com>	2017-05-31 01:37:57 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-29 16:50:52 +0100
commit	c7e48934c9560a507c7899a77bf02941ef52aec7 (patch)
tree	6677867188fc6ab50aa5d2a300107b1e77f8d6bf /meta/recipes-devtools/binutils
parent	6131129c0ad6d2f679a7580c6ccbfd0989ea4f6a (diff)
download	poky-c7e48934c9560a507c7899a77bf02941ef52aec7.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index f98fef9e02..d32ce25dd5 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
41	file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \	41	file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
42	file://CVE-2017-6965.patch \	42	file://CVE-2017-6965.patch \
43	file://CVE-2017-6966.patch \	43	file://CVE-2017-6966.patch \
		44	file://CVE-2017-6969.patch \
		45	file://CVE-2017-6969_2.patch \
44	"	46	"
45	S = "${WORKDIR}/git"	47	S = "${WORKDIR}/git"
46		48


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch new file mode 100644 index 0000000000..3d036c4cf6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
@@ -0,0 +1,56 @@
		1	From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Fri, 17 Feb 2017 15:59:45 +0000
		4	Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
		5
		6	PR binutils/21156
		7	* readelf.c (find_section_in_set): Test for invalid section
		8	indicies.
		9
		10	CVE: CVE-2017-6969
		11	Upstream-Status: Backport [master]
		12
		13	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		14	---
		15	binutils/ChangeLog \| 6 ++++++
		16	binutils/readelf.c \| 10 ++++++++--
		17	2 files changed, 14 insertions(+), 2 deletions(-)
		18
		19	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		20	index a70bdb7a7b..dbf8eb079e 100644
		21	--- a/binutils/ChangeLog
		22	+++ b/binutils/ChangeLog
		23	@@ -1,3 +1,9 @@
		24	+2017-02-17 Nick Clifton <nickc@redhat.com>
		25	+
		26	+ PR binutils/21156
		27	+ * readelf.c (find_section_in_set): Test for invalid section
		28	+ indicies.
		29	+
		30	2016-08-03 Tristan Gingold <gingold@adacore.com>
		31
		32	* configure: Regenerate.
		33	diff --git a/binutils/readelf.c b/binutils/readelf.c
		34	index d31558c3b4..7f7365dbc5 100644
		35	--- a/binutils/readelf.c
		36	+++ b/binutils/readelf.c
		37	@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
		38	if (set != NULL)
		39	{
		40	while ((i = *set++) > 0)
		41	- if (streq (SECTION_NAME (section_headers + i), name))
		42	- return section_headers + i;
		43	+ {
		44	+ /* See PR 21156 for a reproducer. */
		45	+ if (i >= elf_header.e_shnum)
		46	+ continue; /* FIXME: Should we issue an error message ? */
		47	+
		48	+ if (streq (SECTION_NAME (section_headers + i), name))
		49	+ return section_headers + i;
		50	+ }
		51	}
		52
		53	return find_section (name);
		54	--
		55	2.11.0
		56


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch new file mode 100644 index 0000000000..491c7086ee --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
@@ -0,0 +1,122 @@
		1	From 59fcd64fe65a89fb0acaf5463840310701189375 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 20 Feb 2017 14:40:39 +0000
		4	Subject: Fix another memory access error in readelf when parsing a corrupt
		5	binary.
		6
		7	PR binutils/21156
		8	* dwarf.c (cu_tu_indexes_read): Move into...
		9	(load_cu_tu_indexes): ... here. Change the variable into
		10	tri-state. Change the function into boolean, returning
		11	false if the indicies could not be loaded.
		12	(find_cu_tu_set): Return NULL if the indicies could not be
		13	loaded.
		14
		15	CVE: CVE-2017-6969
		16	Upstream-Status: Backport [master]
		17
		18	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		19	---
		20	binutils/ChangeLog \| 10 ++++++++++
		21	binutils/dwarf.c \| 34 ++++++++++++++++++++--------------
		22	2 files changed, 30 insertions(+), 14 deletions(-)
		23
		24	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		25	index dbf8eb079e..55d2f8ba40 100644
		26	--- a/binutils/ChangeLog
		27	+++ b/binutils/ChangeLog
		28	@@ -1,3 +1,13 @@
		29	+2017-02-20 Nick Clifton <nickc@redhat.com>
		30	+
		31	+ PR binutils/21156
		32	+ * dwarf.c (cu_tu_indexes_read): Move into...
		33	+ (load_cu_tu_indexes): ... here. Change the variable into
		34	+ tri-state. Change the function into boolean, returning
		35	+ false if the indicies could not be loaded.
		36	+ (find_cu_tu_set): Return NULL if the indicies could not be
		37	+ loaded.
		38	+
		39	2017-02-17 Nick Clifton <nickc@redhat.com>
		40
		41	PR binutils/21156
		42	diff --git a/binutils/dwarf.c b/binutils/dwarf.c
		43	index 282e069958..a23267feb6 100644
		44	--- a/binutils/dwarf.c
		45	+++ b/binutils/dwarf.c
		46	@@ -76,7 +76,6 @@ int dwarf_check = 0;
		47	as a zero-terminated list of section indexes comprising one set of debug
		48	sections from a .dwo file. */
		49
		50	-static int cu_tu_indexes_read = 0;
		51	static unsigned int *shndx_pool = NULL;
		52	static unsigned int shndx_pool_size = 0;
		53	static unsigned int shndx_pool_used = 0;
		54	@@ -99,7 +98,7 @@ static int tu_count = 0;
		55	static struct cu_tu_set *cu_sets = NULL;
		56	static struct cu_tu_set *tu_sets = NULL;
		57
		58	-static void load_cu_tu_indexes (void *file);
		59	+static bfd_boolean load_cu_tu_indexes (void *);
		60
		61	/* Values for do_debug_lines. */
		62	#define FLAG_DEBUG_LINES_RAW 1
		63	@@ -2713,7 +2712,7 @@ load_debug_info (void * file)
		64	return num_debug_info_entries;
		65
		66	/* If this is a DWARF package file, load the CU and TU indexes. */
		67	- load_cu_tu_indexes (file);
		68	+ (void) load_cu_tu_indexes (file);
		69
		70	if (load_debug_section (info, file)
		71	&& process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
		72	@@ -7302,21 +7301,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
		73	section sets that we can use to associate a .debug_info.dwo section
		74	with its associated .debug_abbrev.dwo section in a .dwp file. */
		75
		76	-static void
		77	+static bfd_boolean
		78	load_cu_tu_indexes (void *file)
		79	{
		80	+ static int cu_tu_indexes_read = -1; /* Tri-state variable. */
		81	+
		82	/* If we have already loaded (or tried to load) the CU and TU indexes
		83	then do not bother to repeat the task. */
		84	- if (cu_tu_indexes_read)
		85	- return;
		86	-
		87	- if (load_debug_section (dwp_cu_index, file))
		88	- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
		89	-
		90	- if (load_debug_section (dwp_tu_index, file))
		91	- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
		92	+ if (cu_tu_indexes_read == -1)
		93	+ {
		94	+ cu_tu_indexes_read = TRUE;
		95	+
		96	+ if (load_debug_section (dwp_cu_index, file))
		97	+ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
		98	+ cu_tu_indexes_read = FALSE;
		99	+
		100	+ if (load_debug_section (dwp_tu_index, file))
		101	+ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
		102	+ cu_tu_indexes_read = FALSE;
		103	+ }
		104
		105	- cu_tu_indexes_read = 1;
		106	+ return (bfd_boolean) cu_tu_indexes_read;
		107	}
		108
		109	/* Find the set of sections that includes section SHNDX. */
		110	@@ -7326,7 +7331,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
		111	{
		112	unsigned int i;
		113
		114	- load_cu_tu_indexes (file);
		115	+ if (! load_cu_tu_indexes (file))
		116	+ return NULL;
		117
		118	/* Find SHNDX in the shndx pool. */
		119	for (i = 0; i < shndx_pool_used; i++)
		120	--
		121	2.11.0
		122