From 859fb4d9ec6974be9ce755e4ffefd9b199f3604c Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Fri, 26 Dec 2014 08:51:53 -0800
Subject: binutils: several security fixes CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 and one supporting patch. [Yocto # 7084]
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
.../binutils/binutils/binutils_CVE-2014-8485.patch | 102 +++++++++++++++++++++
1 file changed, 102 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
(limited to 'meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch')
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
new file mode 100644
index 0000000000..ec3308b4f4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
@@ -0,0 +1,102 @@
+Upstream-Status: Backport
+
+CVE-2014-8485 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster
+
+From 493a33860c71cac998f1a56d6d87d6faa801fbaa Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Mon, 27 Oct 2014 12:43:16 +0000
+Subject: [PATCH] This patch closes a potential security hole in applications
+ that use the bfd library to parse binaries containing maliciously corrupt
+ section group headers.
+
+ PR binutils/17510
+ * elf.c (setup_group): Improve handling of corrupt group
+ sections.
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/elf.c | 34 ++++++++++++++++++++++++++++++----
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ if (shdr->contents == NULL)
+ {
+ _bfd_error_handler
+- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+- return FALSE;
++ -- num_group;
++ continue;
+ }
+
+ memset (shdr->contents, 0, amt);
+@@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ != shdr->sh_size))
+- return FALSE;
++ {
++ _bfd_error_handler
++ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ bfd_set_error (bfd_error_bad_value);
++ -- num_group;
++ /* PR 17510: If the group contents are even partially
++ corrupt, do not allow any of the contents to be used. */
++ memset (shdr->contents, 0, amt);
++ continue;
++ }
+
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ }
+ }
+ }
++
++ /* PR 17510: Corrupt binaries might contain invalid groups. */
++ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
++ {
++ elf_tdata (abfd)->num_group = num_group;
++
++ /* If all groups are invalid then fail. */
++ if (num_group == 0)
++ {
++ elf_tdata (abfd)->group_sect_ptr = NULL;
++ elf_tdata (abfd)->num_group = num_group = -1;
++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
++ bfd_set_error (bfd_error_bad_value);
++ }
++ }
+ }
+ }
+
+@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ {
+ (*_bfd_error_handler) (_("%B: no group info for section %A"),
+ abfd, newsect);
++ return FALSE;
+ }
+ return TRUE;
+ }
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2014-10-27 Nick Clifton
++
++ PR binutils/17510
++ * elf.c (setup_group): Improve handling of corrupt group
++ sections.
++
+ 2014-08-29 Alan Modra
+
+ * srec.c (srec_scan): Revert last change. Report an error for
-- cgit 1.2.3-korg
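Review bot: In the block added after the loop in setup_group, the comment `/* If all groups are invalid then fail. */` does not match the code under it, which sets `num_group` to -1 and falls through without returning; the failure appears to come only from the `return FALSE` added to the "no group info for section" branch in the last bfd/elf.c hunk. I would reword it to `/* If all groups are invalid, drop the group table; the "no group info" path below then returns FALSE. */` and write the sentinel as `elf_tdata (abfd)->num_group = num_group = (unsigned) -1;`, since the comparison just above casts the stored count to unsigned. Separately, the first `continue` leaves `shdr->contents` NULL on a header that presumably still looks like a group section, and both skip branches leave `bfd_set_error (bfd_error_bad_value)` in effect even if the call goes on to succeed for other groups. It is worth confirming that nothing outside these hunks reads a group section's contents without going through `group_sect_ptr`, and a short comment at each `continue` saying that the header is deliberately dropped from the table would help. setup_group begins and ends outside the quoted hunks.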