aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 21:20:03 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:30 +0100
commit7e5cf6ef776465101f18daf22f283c87423c7d20 (patch)
treee28e56ad58b94a5ebf3833ad31593d251ac5a954
parent86c54c4770ce207575e29c589732c74e68d9ff3c (diff)
downloadopenembedded-core-contrib-7e5cf6ef776465101f18daf22f283c87423c7d20.tar.gz
binutls: Security fix for CVE-2017-17125
Affects: <= 2.29.1 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch129
2 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 59718c7d1f..f80b59a9bf 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
file://CVE-2017-17080.patch \
file://CVE-2017-17121.patch \
file://CVE-2017-17122.patch \
+ file://CVE-2017-17125.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
new file mode 100644
index 0000000000..30dc6d5727
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
@@ -0,0 +1,129 @@
+From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 18 Nov 2017 23:18:22 +1030
+Subject: [PATCH] PR22443, Global buffer overflow in
+ _bfd_elf_get_symbol_version_string
+
+Symbols like *ABS* defined in bfd/section.c:global_syms are not
+elf_symbol_type. They can appear on relocs and perhaps other places
+in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
+to cast an asymbol based on the bfd being ELF. I think we lose
+nothing by excluding all section symbols, not just the global_syms.
+
+ PR 22443
+ * nm.c (sort_symbols_by_size): Don't attempt to access
+ section symbol internal_elf_sym.
+ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string
+ for section symbols.
+ * objdump.c (compare_symbols): Don't attempt to access
+ section symbol internal_elf_sym.
+ (objdump_print_symname): Don't call bfd_get_symbol_version_string
+ for section symbols.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17125
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 12 ++++++++++++
+ binutils/nm.c | 17 ++++++++++-------
+ binutils/objdump.c | 6 +++---
+ 3 files changed, 25 insertions(+), 10 deletions(-)
+
+Index: git/binutils/nm.c
+===================================================================
+--- git.orig/binutils/nm.c
++++ git/binutils/nm.c
+@@ -765,7 +765,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+ asection *sec;
+ bfd_vma sz;
+ asymbol *temp;
+- int synthetic = (sym->flags & BSF_SYNTHETIC);
+
+ if (from + size < fromend)
+ {
+@@ -782,10 +781,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+ sec = bfd_get_section (sym);
+
+ /* Synthetic symbols don't have a full type set of data available, thus
+- we can't rely on that information for the symbol size. */
+- if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
++ we can't rely on that information for the symbol size. Ditto for
++ bfd/section.c:global_syms like *ABS*. */
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+ sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
+- else if (!synthetic && bfd_is_com_section (sec))
++ else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_is_com_section (sec))
+ sz = sym->value;
+ else
+ {
+@@ -874,8 +876,9 @@ print_symbol (bfd * abfd,
+
+ info.sinfo = &syminfo;
+ info.ssize = ssize;
+- /* Synthetic symbols do not have a full symbol type set of data available. */
+- if ((sym->flags & BSF_SYNTHETIC) != 0)
++ /* Synthetic symbols do not have a full symbol type set of data available.
++ Nor do bfd/section.c:global_syms like *ABS*. */
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
+ {
+ info.elfinfo = NULL;
+ info.coffinfo = NULL;
+@@ -893,7 +896,7 @@ print_symbol (bfd * abfd,
+ const char * version_string = NULL;
+ bfd_boolean hidden = FALSE;
+
+- if ((sym->flags & BSF_SYNTHETIC) == 0)
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+
+ if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const v
+ bfd_vma asz, bsz;
+
+ asz = 0;
+- if ((a->flags & BSF_SYNTHETIC) == 0)
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+ bsz = 0;
+- if ((b->flags & BSF_SYNTHETIC) == 0)
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+ if (asz != bsz)
+ return asz > bsz ? -1 : 1;
+@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct
+ name = alloc;
+ }
+
+- if ((sym->flags & BSF_SYNTHETIC) == 0)
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+
+ if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,15 @@
++2017-11-18 Alan Modra <amodra@gmail.com>
++
++ PR 22443
++ * nm.c (sort_symbols_by_size): Don't attempt to access
++ section symbol internal_elf_sym.
++ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string
++ for section symbols.
++ * objdump.c (compare_symbols): Don't attempt to access
++ section symbol internal_elf_sym.
++ (objdump_print_symname): Don't call bfd_get_symbol_version_string
++ for section symbols.
++
+ 2017-11-29 Nick Clifton <nickc@redhat.com>
+
+ PR 22508