From 981eeec0f26f25db444782f40a86c558a2358215 Mon Sep 17 00:00:00 2001 From: Dan Tran Date: Mon, 9 Sep 2019 17:31:25 +0000 Subject: binutils: Fix 4 CVEs Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and CVE-2018-1000876 for binutils 2.31.1. Signed-off-by: Dan Tran [fixed up .inc for thud-next context] Signed-off-by: Armin Kuster --- meta/recipes-devtools/binutils/binutils-2.31.inc | 4 + .../binutils/binutils/CVE-2018-1000876.patch | 180 +++++++++++++++++++++ .../binutils/binutils/CVE-2018-20623.patch | 74 +++++++++ .../binutils/binutils/CVE-2018-20651.patch | 35 ++++ .../binutils/binutils/CVE-2018-20671.patch | 49 ++++++ 5 files changed, 342 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index e1a6673b7f..c9a3610e72 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc @@ -48,6 +48,10 @@ SRC_URI = "\ file://CVE-2018-18607.patch \ file://CVE-2019-14444.patch \ file://CVE-2019-12972.patch \ + file://CVE-2018-20623.patch \ + file://CVE-2018-20651.patch \ + file://CVE-2018-20671.patch \ + file://CVE-2018-1000876.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch new file mode 100644 index 0000000000..ff853511f9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch 
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+ PR 23994
+ * aoutx.h: Include limits.h.
+ (get_reloc_upper_bound): Detect long overflow and return a file
+ too big error if it occurs.
+ * elf.c: Include limits.h.
+ (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+ a file too big error if it occurs.
+ (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+ (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+ 
+ #include "sysdep.h"
++#include
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
++ bfd_size_type count;
++
+ if (bfd_get_format (abfd) != bfd_object)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ }
+ 
+ if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+ 
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+ }
+ 
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32. */
+ #define _SYSCALL32
+ #include "sysdep.h"
++#include
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+ 
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+ 
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ }
+ 
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+- long ret;
++ bfd_size_type count;
+ asection *s;
+ 
+ if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ return -1;
+ }
+ 
+- ret = sizeof (arelent *);
++ count = 1;
+ for (s = abfd->sections; s != NULL; s = s->next)
+ if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+ && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+ || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+ }
+ 
+ /* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
new file mode 100644
index 0000000000..b44d448fce
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
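Review bot: The four new overflow guards are correct but use different operators — `>=` in get_reloc_upper_bound and both symtab functions, `>` in _bfd_elf_get_dynamic_reloc_upper_bound — which reads like a slip until one works out that the first three go on to multiply `count + 1` while the last starts `count` at 1 so the extra slot is already included. A one-line comment at each check would spare the next reader that derivation, e.g. `/* (count + 1) * sizeof (arelent *) must fit in a long.  */` before the first and `/* count already includes the terminating slot.  */` before the last. In _bfd_elf_get_dynamic_reloc_upper_bound the division by `this_hdr.sh_entsize` is unguarded inside the hunk; if this tree relies on section-header validation having rejected SHT_REL/SHT_RELA sections with a bad sh_entsize, saying so in a comment would help, otherwise a zero entsize divides by zero on a crafted input. The `#include` lines added to aoutx.h and elf.c show an empty operand in this rendering, presumably `<limits.h>` lost to the page, and every function touched continues outside its hunk.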
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+ error messages about malformed archives.
+
+ PR 14049
+ * readelf.c (process_archive): Use arch.file_name in error
+ messages until the qualified name is available.
+
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+
+Signed-off-by: Dan Tran
+---
+ binutils/readelf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ /* Read the next archive header. */
+ if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+ {
+- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+ return FALSE;
+ }
+ got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ {
+ if (got == 0)
+ break;
+- error (_("%s: failed to read archive header\n"), filedata->file_name);
++ /* PR 24049 - we cannot use filedata->file_name as this will
++ have already been freed. */
++ error (_("%s: failed to read archive header\n"), arch.file_name);
++
+ ret = FALSE;
+ break;
+ }
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ name = get_archive_member_name (&arch, &nested_arch);
+ if (name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ qualified_name = make_qualified_name (&arch, &nested_arch, name);
+ if (qualified_name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ if (nested_arch.file == NULL)
+ {
+ error (_("%s: contains corrupt thin archive: %s\n"),
+- filedata->file_name, name);
++ qualified_name, name);
+ ret = FALSE;
+ break;
+ }
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
new file mode 100644
index 0000000000..24fb031223
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
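Review bot: The new comment added before the "failed to read archive header" call cites `PR 24049`, while the ChangeLog entry at the top of the same patch says `PR 14049`; one of the two is a typo and the backport carries both. The substantive change — reporting through `arch.file_name`, and `qualified_name` for the thin-archive error, instead of the already-freed `filedata->file_name` — only covers the five uses visible in these hunks, and process_archive continues well outside them, so it is worth confirming that no other `filedata->file_name` use remains after the point where it is released. If that point is not obvious from the function, a comment next to it would make the invariant explicit, e.g. `/* filedata->file_name is released here; later messages must use arch.file_name or qualified_name.  */`.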
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+ elf_link_add_object_symbols
+
+ PR 24041
+ * elflink.c (elf_link_add_object_symbols): Don't segfault on
+ crafted ET_DYN with no program headers.
+
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+
+Signed-off-by: Dan Tran
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+ all sections contained fully therein. This makes relro
+ shared library sections appear as they will at run-time. */
+ phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+- while (--phdr >= elf_tdata (abfd)->phdr)
++ while (phdr-- > elf_tdata (abfd)->phdr)
+ if (phdr->p_type == PT_GNU_RELRO)
+ {
+ for (s = abfd->sections; s != NULL; s = s->next)
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
new file mode 100644
index 0000000000..9bd9207bb5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
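Review bot: The new condition `while (phdr-- > elf_tdata (abfd)->phdr)` keeps the body from running when e_phnum is 0, but the post-decrement still executes on the final test, leaving `phdr` one element before the table — or one before `NULL` if there is no table at all, which is the case the commit message describes; that is harmless on the targets binutils supports but is formally out-of-range pointer arithmetic. An index loop avoids it at no cost: `for (i = elf_elfheader (abfd)->e_phnum; i-- > 0;)` with `phdr = elf_tdata (abfd)->phdr + i;` as the first statement of the body and the existing `if (phdr->p_type == PT_GNU_RELRO)` after it, given a local unsigned index. Whichever form is kept, the reason the comparison now precedes the decrement deserves a comment, e.g. `/* Test before decrementing so an empty phdr table never forms a pointer before the array.  */`. The loop body and elf_link_add_object_symbols both continue outside this hunk.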
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+ corrupt binaries using a 32-bit binutil.
+
+ PR 24005
+ * objdump.c (load_specific_debug_section): Check for integer
+ overflow before attempting to allocate contents.
+
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+
+Signed-off-by: Dan Tran
+---
+ binutils/objdump.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ section->reloc_info = NULL;
+ section->num_relocs = 0;
+ section->address = bfd_get_section_vma (abfd, sec);
++ section->user_data = sec;
+ section->size = bfd_get_section_size (sec);
+ amt = section->size + 1;
++ if (amt == 0 || amt > bfd_get_file_size (abfd))
++ {
++ section->start = NULL;
++ free_debug_section (debug);
++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
++ section->name, (unsigned long long) section->size);
++ return FALSE;
++ }
+ section->start = contents = malloc (amt);
+- section->user_data = sec;
+- if (amt == 0
+- || section->start == NULL
++ if (section->start == NULL
+ || !bfd_get_full_section_contents (abfd, sec, &contents))
+ {
+ free_debug_section (debug);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
-- cgit 1.2.3-korg
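Review bot: The new guard `amt > bfd_get_file_size (abfd)` compares the section's in-memory size with the on-disk file size; for a compressed debug section the size bfd_get_section_size reports can legitimately be the uncompressed size and exceed the file, so this may reject valid input — worth confirming how this tree sizes SHF_COMPRESSED and .zdebug sections before relying on it. The `amt == 0` half is the actual overflow guard (`section->size + 1` wrapping on a 32-bit bfd_size_type) and deserves saying so in place, e.g. `/* amt == 0 means section->size + 1 wrapped; larger than the file cannot be real either.  */`. `section->start` is set to NULL before `free_debug_section (debug)` is called, presumably so the helper does not free a stale pointer from an earlier load; a short comment would make that ordering obviously deliberate. load_specific_debug_section continues outside the hunk on both sides.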