diff options
| author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2018-11-05 22:43:41 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-11-09 15:27:34 +0000 |
| commit | b9feb4e46b8a45910ba7002a431b137454f05909 (patch) | |
| tree | 848704e39a8476b03fb3a6515462b0c835ca3248 /meta | |
| parent | 0814e48a0812a739ac59b76a4592465b718b5030 (diff) | |
| download | poky-b9feb4e46b8a45910ba7002a431b137454f05909.tar.gz | |
binutils: fix four CVE issues
Backport the CVE patches from the binutils upstream.
(From OE-Core rev: 84bb9c0514ecbd7c31935c22062b18b4aaefbef1)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
5 files changed, 506 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 27a643d765..0c9d4cef21 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc | |||
| @@ -43,6 +43,10 @@ SRC_URI = "\ | |||
| 43 | file://0021-PLT-information-was-still-being-generated-when-symbo.patch \ | 43 | file://0021-PLT-information-was-still-being-generated-when-symbo.patch \ |
| 44 | file://CVE-2018-17358.patch \ | 44 | file://CVE-2018-17358.patch \ |
| 45 | file://CVE-2018-17360.patch \ | 45 | file://CVE-2018-17360.patch \ |
| 46 | file://CVE-2018-18309.patch \ | ||
| 47 | file://CVE-2018-18605.patch \ | ||
| 48 | file://CVE-2018-18606.patch \ | ||
| 49 | file://CVE-2018-18607.patch \ | ||
| 46 | " | 50 | " |
| 47 | S = "${WORKDIR}/git" | 51 | S = "${WORKDIR}/git" |
| 48 | 52 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch new file mode 100644 index 0000000000..b240a3f994 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch | |||
| @@ -0,0 +1,308 @@ | |||
| 1 | From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Modra <amodra@gmail.com> | ||
| 3 | Date: Sat, 13 Oct 2018 22:03:02 +1030 | ||
| 4 | Subject: [PATCH] _bfd_clear_contents bounds checking | ||
| 5 | |||
| 6 | This PR shows a fuzzed binary triggering a segfault via a bad | ||
| 7 | relocation in .debug_line. It turns out that unlike normal | ||
| 8 | relocations applied to a section, the linker applies those with | ||
| 9 | symbols from discarded sections via _bfd_clear_contents without | ||
| 10 | checking that the relocation is within the section bounds. The same | ||
| 11 | thing now happens when reading debug sections since commit | ||
| 12 | a4cd947aca23, the PR23425 fix. | ||
| 13 | |||
| 14 | PR 23770 | ||
| 15 | PR 23425 | ||
| 16 | * reloc.c (_bfd_clear_contents): Replace "location" param with | ||
| 17 | "buf" and "off". Bounds check "off". Return status. | ||
| 18 | * cofflink.c (_bfd_coff_generic_relocate_section): Update | ||
| 19 | _bfd_clear_contents call. | ||
| 20 | * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. | ||
| 21 | * elf32-arc.c (elf_arc_relocate_section): Likewise. | ||
| 22 | * elf32-i386.c (elf_i386_relocate_section): Likewise. | ||
| 23 | * elf32-metag.c (metag_final_link_relocate): Likewise. | ||
| 24 | * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. | ||
| 25 | * elf32-ppc.c (ppc_elf_relocate_section): Likewise. | ||
| 26 | * elf32-visium.c (visium_elf_relocate_section): Likewise. | ||
| 27 | * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. | ||
| 28 | * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. | ||
| 29 | * libbfd-in.h (_bfd_clear_contents): Update prototype. | ||
| 30 | * libbfd.h: Regenerate. | ||
| 31 | |||
| 32 | Upstream-Status: Backport | ||
| 33 | CVE: CVE-2018-18605 | ||
| 34 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
| 35 | --- | ||
| 36 | bfd/ChangeLog | 20 ++++++++++++++++++++ | ||
| 37 | bfd/cofflink.c | 2 +- | ||
| 38 | bfd/elf-bfd.h | 2 +- | ||
| 39 | bfd/elf32-arc.c | 2 +- | ||
| 40 | bfd/elf32-i386.c | 2 +- | ||
| 41 | bfd/elf32-metag.c | 2 +- | ||
| 42 | bfd/elf32-nds32.c | 8 ++++---- | ||
| 43 | bfd/elf32-ppc.c | 2 +- | ||
| 44 | bfd/elf32-visium.c | 2 +- | ||
| 45 | bfd/elf64-ppc.c | 2 +- | ||
| 46 | bfd/elf64-x86-64.c | 2 +- | ||
| 47 | bfd/libbfd-in.h | 4 ++-- | ||
| 48 | bfd/libbfd.h | 4 ++-- | ||
| 49 | bfd/reloc.c | 19 +++++++++++++------ | ||
| 50 | 14 files changed, 50 insertions(+), 23 deletions(-) | ||
| 51 | |||
| 52 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
| 53 | index 68c1ff665b..e9696ee314 100644 | ||
| 54 | --- a/bfd/ChangeLog | ||
| 55 | +++ b/bfd/ChangeLog | ||
| 56 | @@ -1,3 +1,23 @@ | ||
| 57 | +2018-10-13 Alan Modra <amodra@gmail.com> | ||
| 58 | + | ||
| 59 | + PR 23770 | ||
| 60 | + PR 23425 | ||
| 61 | + * reloc.c (_bfd_clear_contents): Replace "location" param with | ||
| 62 | + "buf" and "off". Bounds check "off". Return status. | ||
| 63 | + * cofflink.c (_bfd_coff_generic_relocate_section): Update | ||
| 64 | + _bfd_clear_contents call. | ||
| 65 | + * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. | ||
| 66 | + * elf32-arc.c (elf_arc_relocate_section): Likewise. | ||
| 67 | + * elf32-i386.c (elf_i386_relocate_section): Likewise. | ||
| 68 | + * elf32-metag.c (metag_final_link_relocate): Likewise. | ||
| 69 | + * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. | ||
| 70 | + * elf32-ppc.c (ppc_elf_relocate_section): Likewise. | ||
| 71 | + * elf32-visium.c (visium_elf_relocate_section): Likewise. | ||
| 72 | + * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. | ||
| 73 | + * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. | ||
| 74 | + * libbfd-in.h (_bfd_clear_contents): Update prototype. | ||
| 75 | + * libbfd.h: Regenerate. | ||
| 76 | + | ||
| 77 | 2018-09-20 Alan Modra <amodra@gmail.com> | ||
| 78 | |||
| 79 | PR 23685 | ||
| 80 | diff --git a/bfd/cofflink.c b/bfd/cofflink.c | ||
| 81 | index 2f73f72e31..b7ea69b7f9 100644 | ||
| 82 | --- a/bfd/cofflink.c | ||
| 83 | +++ b/bfd/cofflink.c | ||
| 84 | @@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd, | ||
| 85 | if (sec != NULL && discarded_section (sec)) | ||
| 86 | { | ||
| 87 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 88 | - contents + (rel->r_vaddr - input_section->vma)); | ||
| 89 | + contents, rel->r_vaddr - input_section->vma); | ||
| 90 | continue; | ||
| 91 | } | ||
| 92 | |||
| 93 | diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h | ||
| 94 | index cf256f70e0..3374f411f9 100644 | ||
| 95 | --- a/bfd/elf-bfd.h | ||
| 96 | +++ b/bfd/elf-bfd.h | ||
| 97 | @@ -2811,7 +2811,7 @@ extern asection _bfd_elf_large_com_section; | ||
| 98 | { \ | ||
| 99 | int i_; \ | ||
| 100 | _bfd_clear_contents (howto, input_bfd, input_section, \ | ||
| 101 | - contents + rel[index].r_offset); \ | ||
| 102 | + contents, rel[index].r_offset); \ | ||
| 103 | \ | ||
| 104 | if (bfd_link_relocatable (info) \ | ||
| 105 | && (input_section->flags & SEC_DEBUGGING)) \ | ||
| 106 | diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c | ||
| 107 | index 7a1b3042ae..30f47a5b22 100644 | ||
| 108 | --- a/bfd/elf32-arc.c | ||
| 109 | +++ b/bfd/elf32-arc.c | ||
| 110 | @@ -1549,7 +1549,7 @@ elf_arc_relocate_section (bfd * output_bfd, | ||
| 111 | if (sec != NULL && discarded_section (sec)) | ||
| 112 | { | ||
| 113 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 114 | - contents + rel->r_offset); | ||
| 115 | + contents, rel->r_offset); | ||
| 116 | rel->r_info = 0; | ||
| 117 | rel->r_addend = 0; | ||
| 118 | |||
| 119 | diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c | ||
| 120 | index 49797dcbfa..177471777d 100644 | ||
| 121 | --- a/bfd/elf32-i386.c | ||
| 122 | +++ b/bfd/elf32-i386.c | ||
| 123 | @@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd, | ||
| 124 | if (sec != NULL && discarded_section (sec)) | ||
| 125 | { | ||
| 126 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 127 | - contents + rel->r_offset); | ||
| 128 | + contents, rel->r_offset); | ||
| 129 | wrel->r_offset = rel->r_offset; | ||
| 130 | wrel->r_info = 0; | ||
| 131 | wrel->r_addend = 0; | ||
| 132 | diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c | ||
| 133 | index efe95bddff..7f96246e5d 100644 | ||
| 134 | --- a/bfd/elf32-metag.c | ||
| 135 | +++ b/bfd/elf32-metag.c | ||
| 136 | @@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto, | ||
| 137 | rel, relend, howto, contents) \ | ||
| 138 | { \ | ||
| 139 | _bfd_clear_contents (howto, input_bfd, input_section, \ | ||
| 140 | - contents + rel->r_offset); \ | ||
| 141 | + contents, rel->r_offset); \ | ||
| 142 | \ | ||
| 143 | if (bfd_link_relocatable (info) \ | ||
| 144 | && (input_section->flags & SEC_DEBUGGING)) \ | ||
| 145 | diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c | ||
| 146 | index 0d86e5b865..184cf320f7 100644 | ||
| 147 | --- a/bfd/elf32-nds32.c | ||
| 148 | +++ b/bfd/elf32-nds32.c | ||
| 149 | @@ -12582,14 +12582,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd, | ||
| 150 | symbol = *(*parent)->sym_ptr_ptr; | ||
| 151 | if (symbol->section && discarded_section (symbol->section)) | ||
| 152 | { | ||
| 153 | - bfd_byte *p; | ||
| 154 | + bfd_vma off; | ||
| 155 | static reloc_howto_type none_howto | ||
| 156 | = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, | ||
| 157 | "unused", FALSE, 0, 0, FALSE); | ||
| 158 | |||
| 159 | - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); | ||
| 160 | - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, | ||
| 161 | - p); | ||
| 162 | + off = (*parent)->address * bfd_octets_per_byte (input_bfd); | ||
| 163 | + _bfd_clear_contents ((*parent)->howto, input_bfd, | ||
| 164 | + input_section, data, off); | ||
| 165 | (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; | ||
| 166 | (*parent)->addend = 0; | ||
| 167 | (*parent)->howto = &none_howto; | ||
| 168 | diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c | ||
| 169 | index 61f70de12e..c31e26efd7 100644 | ||
| 170 | --- a/bfd/elf32-ppc.c | ||
| 171 | +++ b/bfd/elf32-ppc.c | ||
| 172 | @@ -8232,7 +8232,7 @@ ppc_elf_relocate_section (bfd *output_bfd, | ||
| 173 | howto = ppc_elf_howto_table[r_type]; | ||
| 174 | |||
| 175 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 176 | - contents + rel->r_offset); | ||
| 177 | + contents, rel->r_offset); | ||
| 178 | wrel->r_offset = rel->r_offset; | ||
| 179 | wrel->r_info = 0; | ||
| 180 | wrel->r_addend = 0; | ||
| 181 | diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c | ||
| 182 | index e8f1c4c9e4..961366cd87 100644 | ||
| 183 | --- a/bfd/elf32-visium.c | ||
| 184 | +++ b/bfd/elf32-visium.c | ||
| 185 | @@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd, | ||
| 186 | or sections discarded by a linker script, we just want the | ||
| 187 | section contents zeroed. Avoid any special processing. */ | ||
| 188 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 189 | - contents + rel->r_offset); | ||
| 190 | + contents, rel->r_offset); | ||
| 191 | |||
| 192 | rel->r_info = 0; | ||
| 193 | rel->r_addend = 0; | ||
| 194 | diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c | ||
| 195 | index eadde17615..7c3534ac65 100644 | ||
| 196 | --- a/bfd/elf64-ppc.c | ||
| 197 | +++ b/bfd/elf64-ppc.c | ||
| 198 | @@ -14073,7 +14073,7 @@ ppc64_elf_relocate_section (bfd *output_bfd, | ||
| 199 | { | ||
| 200 | _bfd_clear_contents (ppc64_elf_howto_table[r_type], | ||
| 201 | input_bfd, input_section, | ||
| 202 | - contents + rel->r_offset); | ||
| 203 | + contents, rel->r_offset); | ||
| 204 | wrel->r_offset = rel->r_offset; | ||
| 205 | wrel->r_info = 0; | ||
| 206 | wrel->r_addend = 0; | ||
| 207 | diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c | ||
| 208 | index c3a6c31ed2..4dcab43478 100644 | ||
| 209 | --- a/bfd/elf64-x86-64.c | ||
| 210 | +++ b/bfd/elf64-x86-64.c | ||
| 211 | @@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd, | ||
| 212 | if (sec != NULL && discarded_section (sec)) | ||
| 213 | { | ||
| 214 | _bfd_clear_contents (howto, input_bfd, input_section, | ||
| 215 | - contents + rel->r_offset); | ||
| 216 | + contents, rel->r_offset); | ||
| 217 | wrel->r_offset = rel->r_offset; | ||
| 218 | wrel->r_info = 0; | ||
| 219 | wrel->r_addend = 0; | ||
| 220 | diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h | ||
| 221 | index e53b255dad..f6d9565f03 100644 | ||
| 222 | --- a/bfd/libbfd-in.h | ||
| 223 | +++ b/bfd/libbfd-in.h | ||
| 224 | @@ -696,8 +696,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents | ||
| 225 | (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; | ||
| 226 | |||
| 227 | /* Clear a given location using a given howto. */ | ||
| 228 | -extern void _bfd_clear_contents | ||
| 229 | - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; | ||
| 230 | +extern bfd_reloc_status_type _bfd_clear_contents | ||
| 231 | + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; | ||
| 232 | |||
| 233 | /* Link stabs in sections in the first pass. */ | ||
| 234 | |||
| 235 | diff --git a/bfd/libbfd.h b/bfd/libbfd.h | ||
| 236 | index a8851c8026..1189e63358 100644 | ||
| 237 | --- a/bfd/libbfd.h | ||
| 238 | +++ b/bfd/libbfd.h | ||
| 239 | @@ -701,8 +701,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents | ||
| 240 | (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; | ||
| 241 | |||
| 242 | /* Clear a given location using a given howto. */ | ||
| 243 | -extern void _bfd_clear_contents | ||
| 244 | - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; | ||
| 245 | +extern bfd_reloc_status_type _bfd_clear_contents | ||
| 246 | + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; | ||
| 247 | |||
| 248 | /* Link stabs in sections in the first pass. */ | ||
| 249 | |||
| 250 | diff --git a/bfd/reloc.c b/bfd/reloc.c | ||
| 251 | index 8dbb8896d3..1686780669 100644 | ||
| 252 | --- a/bfd/reloc.c | ||
| 253 | +++ b/bfd/reloc.c | ||
| 254 | @@ -1613,16 +1613,22 @@ _bfd_relocate_contents (reloc_howto_type *howto, | ||
| 255 | relocations against discarded symbols, to make ignorable debug or unwind | ||
| 256 | information more obvious. */ | ||
| 257 | |||
| 258 | -void | ||
| 259 | +bfd_reloc_status_type | ||
| 260 | _bfd_clear_contents (reloc_howto_type *howto, | ||
| 261 | bfd *input_bfd, | ||
| 262 | asection *input_section, | ||
| 263 | - bfd_byte *location) | ||
| 264 | + bfd_byte *buf, | ||
| 265 | + bfd_vma off) | ||
| 266 | { | ||
| 267 | int size; | ||
| 268 | bfd_vma x = 0; | ||
| 269 | + bfd_byte *location; | ||
| 270 | + | ||
| 271 | + if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off)) | ||
| 272 | + return bfd_reloc_outofrange; | ||
| 273 | |||
| 274 | /* Get the value we are going to relocate. */ | ||
| 275 | + location = buf + off; | ||
| 276 | size = bfd_get_reloc_size (howto); | ||
| 277 | switch (size) | ||
| 278 | { | ||
| 279 | @@ -1687,6 +1693,7 @@ _bfd_clear_contents (reloc_howto_type *howto, | ||
| 280 | #endif | ||
| 281 | break; | ||
| 282 | } | ||
| 283 | + return bfd_reloc_ok; | ||
| 284 | } | ||
| 285 | |||
| 286 | /* | ||
| 287 | @@ -8275,14 +8282,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd, | ||
| 288 | |||
| 289 | if (symbol->section && discarded_section (symbol->section)) | ||
| 290 | { | ||
| 291 | - bfd_byte *p; | ||
| 292 | + bfd_vma off; | ||
| 293 | static reloc_howto_type none_howto | ||
| 294 | = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, | ||
| 295 | "unused", FALSE, 0, 0, FALSE); | ||
| 296 | |||
| 297 | - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); | ||
| 298 | - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, | ||
| 299 | - p); | ||
| 300 | + off = (*parent)->address * bfd_octets_per_byte (input_bfd); | ||
| 301 | + _bfd_clear_contents ((*parent)->howto, input_bfd, | ||
| 302 | + input_section, data, off); | ||
| 303 | (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; | ||
| 304 | (*parent)->addend = 0; | ||
| 305 | (*parent)->howto = &none_howto; | ||
| 306 | -- | ||
| 307 | 2.13.3 | ||
| 308 | |||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18605.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18605.patch new file mode 100644 index 0000000000..d6c7067715 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18605.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From ab419ddbb2cdd17ca83618990f2cacf904ce1d61 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Modra <amodra@gmail.com> | ||
| 3 | Date: Tue, 23 Oct 2018 18:29:24 +1030 | ||
| 4 | Subject: [PATCH] PR23804, buffer overflow in sec_merge_hash_lookup | ||
| 5 | |||
| 6 | PR 23804 | ||
| 7 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 8 | sections where size is not a multiple of entsize. | ||
| 9 | |||
| 10 | Upstream-Status: Backport | ||
| 11 | CVE: CVE-2018-18605 | ||
| 12 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
| 13 | --- | ||
| 14 | bfd/ChangeLog | 6 ++++++ | ||
| 15 | bfd/merge.c | 3 +++ | ||
| 16 | 2 files changed, 9 insertions(+) | ||
| 17 | |||
| 18 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
| 19 | index 31ff3d6..da423b1 100644 | ||
| 20 | --- a/bfd/ChangeLog | ||
| 21 | +++ b/bfd/ChangeLog | ||
| 22 | @@ -1,3 +1,9 @@ | ||
| 23 | +2018-10-23 Alan Modra <amodra@gmail.com> | ||
| 24 | + | ||
| 25 | + PR 23804 | ||
| 26 | + * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 27 | + sections where size is not a multiple of entsize. | ||
| 28 | + | ||
| 29 | 2018-10-13 Alan Modra <amodra@gmail.com> | ||
| 30 | |||
| 31 | PR 23770 | ||
| 32 | diff --git a/bfd/merge.c b/bfd/merge.c | ||
| 33 | index 7904552..5e3bba0 100644 | ||
| 34 | --- a/bfd/merge.c | ||
| 35 | +++ b/bfd/merge.c | ||
| 36 | @@ -376,6 +376,9 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec, | ||
| 37 | || sec->entsize == 0) | ||
| 38 | return TRUE; | ||
| 39 | |||
| 40 | + if (sec->size % sec->entsize != 0) | ||
| 41 | + return TRUE; | ||
| 42 | + | ||
| 43 | if ((sec->flags & SEC_RELOC) != 0) | ||
| 44 | { | ||
| 45 | /* We aren't prepared to handle relocations in merged sections. */ | ||
| 46 | -- | ||
| 47 | 2.9.3 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch new file mode 100644 index 0000000000..35cf328a14 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch | |||
| @@ -0,0 +1,70 @@ | |||
| 1 | From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Modra <amodra@gmail.com> | ||
| 3 | Date: Tue, 23 Oct 2018 19:02:06 +1030 | ||
| 4 | Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings | ||
| 5 | |||
| 6 | PR 23806 | ||
| 7 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 8 | sections with ridiculously large alignments. | ||
| 9 | |||
| 10 | Upstream-Status: Backport | ||
| 11 | CVE: CVE-2018-18606 | ||
| 12 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
| 13 | --- | ||
| 14 | bfd/ChangeLog | 6 ++++++ | ||
| 15 | bfd/merge.c | 15 +++++++++++---- | ||
| 16 | 2 files changed, 17 insertions(+), 4 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
| 19 | index 1f3fc1c..c5f7ec7 100644 | ||
| 20 | --- a/bfd/ChangeLog | ||
| 21 | +++ b/bfd/ChangeLog | ||
| 22 | @@ -1,5 +1,11 @@ | ||
| 23 | 2018-10-23 Alan Modra <amodra@gmail.com> | ||
| 24 | |||
| 25 | + PR 23806 | ||
| 26 | + * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 27 | + sections with ridiculously large alignments. | ||
| 28 | + | ||
| 29 | +2018-10-23 Alan Modra <amodra@gmail.com> | ||
| 30 | + | ||
| 31 | PR 23804 | ||
| 32 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 33 | sections where size is not a multiple of entsize. | ||
| 34 | diff --git a/bfd/merge.c b/bfd/merge.c | ||
| 35 | index 5e3bba0..7de0c88 100644 | ||
| 36 | --- a/bfd/merge.c | ||
| 37 | +++ b/bfd/merge.c | ||
| 38 | @@ -24,6 +24,7 @@ | ||
| 39 | as used in ELF SHF_MERGE. */ | ||
| 40 | |||
| 41 | #include "sysdep.h" | ||
| 42 | +#include <limits.h> | ||
| 43 | #include "bfd.h" | ||
| 44 | #include "elf-bfd.h" | ||
| 45 | #include "libbfd.h" | ||
| 46 | @@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec, | ||
| 47 | return TRUE; | ||
| 48 | } | ||
| 49 | |||
| 50 | - align = sec->alignment_power; | ||
| 51 | - if ((sec->entsize < (unsigned) 1 << align | ||
| 52 | +#ifndef CHAR_BIT | ||
| 53 | +#define CHAR_BIT 8 | ||
| 54 | +#endif | ||
| 55 | + if (sec->alignment_power >= sizeof (align) * CHAR_BIT) | ||
| 56 | + return TRUE; | ||
| 57 | + | ||
| 58 | + align = 1u << sec->alignment_power; | ||
| 59 | + if ((sec->entsize < align | ||
| 60 | && ((sec->entsize & (sec->entsize - 1)) | ||
| 61 | || !(sec->flags & SEC_STRINGS))) | ||
| 62 | - || (sec->entsize > (unsigned) 1 << align | ||
| 63 | - && (sec->entsize & (((unsigned) 1 << align) - 1)))) | ||
| 64 | + || (sec->entsize > align | ||
| 65 | + && (sec->entsize & (align - 1)))) | ||
| 66 | { | ||
| 67 | /* Sanity check. If string character size is smaller than | ||
| 68 | alignment, then we require character size to be a power | ||
| 69 | -- | ||
| 70 | 2.9.3 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18607.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18607.patch new file mode 100644 index 0000000000..38225d171e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18607.patch | |||
| @@ -0,0 +1,77 @@ | |||
| 1 | From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Modra <amodra@gmail.com> | ||
| 3 | Date: Tue, 23 Oct 2018 18:30:22 +1030 | ||
| 4 | Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd | ||
| 5 | |||
| 6 | PR 23805 | ||
| 7 | * elflink.c (elf_link_input_bfd): Don't segfault on finding | ||
| 8 | STT_TLS symbols without any TLS sections. Instead, change the | ||
| 9 | symbol type to STT_NOTYPE. | ||
| 10 | |||
| 11 | Upstream-Status: Backport | ||
| 12 | CVE: CVE-2018-18606 | ||
| 13 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
| 14 | --- | ||
| 15 | bfd/ChangeLog | 7 +++++++ | ||
| 16 | bfd/elflink.c | 20 ++++++++++++++------ | ||
| 17 | 2 files changed, 21 insertions(+), 6 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
| 20 | index da423b1..1f3fc1c 100644 | ||
| 21 | --- a/bfd/ChangeLog | ||
| 22 | +++ b/bfd/ChangeLog | ||
| 23 | @@ -1,5 +1,12 @@ | ||
| 24 | 2018-10-23 Alan Modra <amodra@gmail.com> | ||
| 25 | |||
| 26 | + PR 23805 | ||
| 27 | + * elflink.c (elf_link_input_bfd): Don't segfault on finding | ||
| 28 | + STT_TLS symbols without any TLS sections. Instead, change the | ||
| 29 | + symbol type to STT_NOTYPE. | ||
| 30 | + | ||
| 31 | +2018-10-23 Alan Modra <amodra@gmail.com> | ||
| 32 | + | ||
| 33 | PR 23806 | ||
| 34 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
| 35 | sections with ridiculously large alignments. | ||
| 36 | diff --git a/bfd/elflink.c b/bfd/elflink.c | ||
| 37 | index c3876cb..87440db 100644 | ||
| 38 | --- a/bfd/elflink.c | ||
| 39 | +++ b/bfd/elflink.c | ||
| 40 | @@ -10489,8 +10489,11 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd) | ||
| 41 | if (ELF_ST_TYPE (osym.st_info) == STT_TLS) | ||
| 42 | { | ||
| 43 | /* STT_TLS symbols are relative to PT_TLS segment base. */ | ||
| 44 | - BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL); | ||
| 45 | - osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma; | ||
| 46 | + if (elf_hash_table (flinfo->info)->tls_sec != NULL) | ||
| 47 | + osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma; | ||
| 48 | + else | ||
| 49 | + osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info), | ||
| 50 | + STT_NOTYPE); | ||
| 51 | } | ||
| 52 | } | ||
| 53 | |||
| 54 | @@ -11046,12 +11049,17 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd) | ||
| 55 | sym.st_value += osec->vma; | ||
| 56 | if (ELF_ST_TYPE (sym.st_info) == STT_TLS) | ||
| 57 | { | ||
| 58 | + struct elf_link_hash_table *htab | ||
| 59 | + = elf_hash_table (flinfo->info); | ||
| 60 | + | ||
| 61 | /* STT_TLS symbols are relative to PT_TLS | ||
| 62 | segment base. */ | ||
| 63 | - BFD_ASSERT (elf_hash_table (flinfo->info) | ||
| 64 | - ->tls_sec != NULL); | ||
| 65 | - sym.st_value -= (elf_hash_table (flinfo->info) | ||
| 66 | - ->tls_sec->vma); | ||
| 67 | + if (htab->tls_sec != NULL) | ||
| 68 | + sym.st_value -= htab->tls_sec->vma; | ||
| 69 | + else | ||
| 70 | + sym.st_info | ||
| 71 | + = ELF_ST_INFO (ELF_ST_BIND (sym.st_info), | ||
| 72 | + STT_NOTYPE); | ||
| 73 | } | ||
| 74 | } | ||
| 75 | |||
| 76 | -- | ||
| 77 | 2.9.3 | ||