diff options
author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2017-04-11 00:00:24 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-11 18:09:20 +0100 |
commit | 8c52a530ba2beb438aa47956bcec3777a1eafe5f (patch) | |
tree | 0c437489a36ea00c5986fc2081c654c52ba95491 /meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | |
parent | 378b333fb09d106fb04901f5a4362fc0eb076e82 (diff) | |
download | openembedded-core-contrib-8c52a530ba2beb438aa47956bcec3777a1eafe5f.tar.gz |
binutils: Fix CVE-2017-6965 and CVE-2017-6966
Backport upstream commit to address vulnerabilities:
CVE: CVE-2017-6965
[BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137
Fix readelf writing to illegal addresses whilst processing corrupt input
files containing symbol-difference relocations.
PR binutils/21137
* readelf.c (target_specific_reloc_handling): Add end parameter.
Check for buffer overflow before writing relocated values.
(apply_relocations): Pass end to target_specific_reloc_handling.
CVE: CVE-2017-6966
[BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139
Fix read-after-free error in readelf when processing multiple, relocated
sections in an MSP430 binary.
PR binutils/21139
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch new file mode 100644 index 0000000000..1334c9444d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch @@ -0,0 +1,124 @@ +From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 13 Feb 2017 13:08:32 +0000 +Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst + processing corrupt input files containing symbol-difference relocations. + + PR binutils/21137 + * readelf.c (target_specific_reloc_handling): Add end parameter. + Check for buffer overflow before writing relocated values. + (apply_relocations): Pass end to target_specific_reloc_handling. + +(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493) +Upstream-Status: Backport [master] +CVE: CVE-2017-6965 + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + binutils/ChangeLog | 7 +++++++ + binutils/readelf.c | 30 +++++++++++++++++++++++++----- + 2 files changed, 32 insertions(+), 5 deletions(-) + +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index f21867f98c..e789a3b99b 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -1,3 +1,10 @@ ++2017-02-13 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21137 ++ * readelf.c (target_specific_reloc_handling): Add end parameter. ++ Check for buffer overflow before writing relocated values. ++ (apply_relocations): Pass end to target_specific_reloc_handling. ++ + 2017-03-02 Tristan Gingold <gingold@adacore.com> + + * configure: Regenerate. +diff --git a/binutils/readelf.c b/binutils/readelf.c +index b5f577f5a1..8cdaae3b8c 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) + static bfd_boolean + target_specific_reloc_handling (Elf_Internal_Rela * reloc, + unsigned char * start, ++ unsigned char * end, + Elf_Internal_Sym * symtab) + { + unsigned int reloc_type = get_reloc_type (reloc->r_info); +@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + handle_sym_diff: + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ /* PR 21137 */ ++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + case 2: /* R_MN10300_16 */ + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + break; + + case 0x41: /* R_RL78_ABS32. */ +- byte_put (start + reloc->r_offset, value, 4); ++ if (start + reloc->r_offset + 4 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 4); + value = 0; + return TRUE; + + case 0x43: /* R_RL78_ABS16. */ +- byte_put (start + reloc->r_offset, value, 2); ++ if (start + reloc->r_offset + 2 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 2); + value = 0; + return TRUE; + +@@ -12325,7 +12345,7 @@ apply_relocations (void * file, + + reloc_type = get_reloc_type (rp->r_info); + +- if (target_specific_reloc_handling (rp, start, symtab)) ++ if (target_specific_reloc_handling (rp, start, end, symtab)) + continue; + else if (is_none_reloc (reloc_type)) + continue; +-- +2.11.0 + |