author | Armin Kuster <akuster@mvista.com> | 2017-06-21 12:01:25 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-07 17:09:43 +0000 |
commit | d445a9abe7af0a1a54e466bdae8978f6ffb5f6bc (patch) | |
tree | 69fd77b1cacbc17720fda9b2a87ab431d3f6c31a | |
parent | 2dfdc0ceac466a4b80ece01a970cb5cfdc08d7ab (diff) | |
download | openembedded-core-d445a9abe7af0a1a54e466bdae8978f6ffb5f6bc.tar.gz |
binutils: Security Fix CVE-2017-9041
Source: binutils-gdb.git
MR: 72791
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=919383ac718c2a3187ee2a9ad659daa22da26258
ChangeID: 7b4588368a367a4d57efbfdcd9c00fcc0875af7b
Description:
Affects: <= 2.28
Signed-off-by: Armin Kuster <akuster@mvista.com>
Reviewed-by Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 53c09e6d0d..3f8a5fe19c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
 file://CVE-2017-9039.patch \
 file://CVE-2017-9039_1.patch \
 file://CVE-2017-9040_and_9042.patch \
+ file://CVE-2017-9041_1.patch \
+ file://CVE-2017-9041_2.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
new file mode 100644
index 0000000000..857cd4af91
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
@@ -0,0 +1,51 @@
+From 919383ac718c2a3187ee2a9ad659daa22da26258 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Wed, 12 Apr 2017 00:02:13 +0100
+Subject: [PATCH] MIPS/readelf: Remove extraneous null GOT data check
+
+Null data is handled gracefully throughout in MIPS GOT processing, with
+addresses printed normally and unavailable data shown as `<unknown>' by
+`print_mips_got_entry', and special processing code for GOT[1] doing an
+explicit check. Remove an unwanted null GOT data check then, introduced
+with commit 592458412fb2 in the course of addressing PR binutils/12855.
+
+ binutils/
+ * readelf.c (process_mips_specific): Remove null GOT data check.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9041 patch #1
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 4 ++++
+ binutils/readelf.c | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -14995,8 +14995,8 @@ process_mips_specific (FILE * file)
+ data = (unsigned char *) get_data (NULL, file, offset,
+ global_end - pltgot, 1,
+ _("Global Offset Table data"));
+- if (data == NULL)
+- return 0;
++
++ /* PR 12855: Null data is handled gracefully throughout. */
+ data_end = data + (global_end - pltgot);
+
+ printf (_("\nPrimary GOT:\n"));
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,7 @@
++2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
++
++ * readelf.c (process_mips_specific): Remove null GOT data check.
++
+ 2017-04-13 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21379
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
new file mode 100644
index 0000000000..9c3cb8ca25
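Review bot: With the `if (data == NULL) return 0;` guard removed in the readelf.c hunk of CVE-2017-9041_1.patch, `data_end = data + (global_end - pltgot);` is now evaluated on a null `data` whenever `get_data` fails, which is arithmetic on a null pointer and leaves `data_end` non-null while `data` is null. The patch relies on every later consumer testing `data` itself, as its description claims; `process_mips_specific` continues outside the hunk, so that cannot be confirmed from these lines. I would keep the two pointers consistent with `data_end = data ? data + (global_end - pltgot) : NULL;`, or, if the backport has to stay identical to upstream, record that decision next to `Upstream-Status: Backport`. Separately, the ChangeLog hunk here and in CVE-2017-9041_2.patch targets `git/bfd/ChangeLog` although the diffstat and the entry text refer to `binutils/ChangeLog`; dropping the ChangeLog hunks from both backports would avoid a misfiled entry and a fragile top-of-file hunk.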
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
@@ -0,0 +1,84 @@
+From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Wed, 12 Apr 2017 00:03:41 +0100
+Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check
+
+Unavailable data is handled gracefully in MIPS GOT processing done by
+`print_mips_got_entry', so all that is needed in special GOT[1] handling
+is to verify whether data can be retrieved for the purpose of the GNU
+marker check done with `byte_get'. Remove the extra error reporting
+code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault
+in readelf when parsing a corrupt MIPS binary.") in the course of
+addressing PR binutils/21344, and defer the error case to regular local
+GOT entry processing.
+
+ binutils/
+ * readelf.c (process_mips_specific): Remove error reporting from
+ GOT[1] processing.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9041
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 5 +++++
+ binutils/readelf.c | 32 ++++++++++++++------------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file)
+ if (ent == (bfd_vma) -1)
+ goto got_print_fail;
+
+- if (data)
++ /* Check for the MSB of GOT[1] being set, denoting a GNU object.
++ This entry will be used by some runtime loaders, to store the
++ module pointer. Otherwise this is an ordinary local entry.
++ PR 21344: Check for the entry being fully available before
++ fetching it. */
++ if (data
++ && data + ent - pltgot + addr_size <= data_end
++ && (byte_get (data + ent - pltgot, addr_size)
++ >> (addr_size * 8 - 1)) != 0)
+ {
+- /* PR 21344 */
+- if (data + ent - pltgot > data_end - addr_size)
+- {
+- error (_("Invalid got entry - %#lx - overflows GOT table\n"),
+- (long) ent);
+- goto got_print_fail;
+- }
+-
+- if (byte_get (data + ent - pltgot, addr_size)
+- >> (addr_size * 8 - 1) != 0)
+- {
+- ent = print_mips_got_entry (data, pltgot, ent, data_end);
+- printf (_(" Module pointer (GNU extension)\n"));
+- if (ent == (bfd_vma) -1)
+- goto got_print_fail;
+- }
++ ent = print_mips_got_entry (data, pltgot, ent, data_end);
++ printf (_(" Module pointer (GNU extension)\n"));
++ if (ent == (bfd_vma) -1)
++ goto got_print_fail;
+ }
+ printf ("\n");
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
++
++ * readelf.c (process_mips_specific): Remove error reporting from
++ GOT[1] processing.
++
++2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+ * readelf.c (process_mips_specific): Remove null GOT data check.
+
|
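Review bot: The availability test in the new condition, `data + ent - pltgot + addr_size <= data_end`, is done in pointer arithmetic, so if `ent - pltgot` exceeds the buffer the left-hand pointer is already out of range before it is compared and the result cannot be relied on. `ent` is produced above the hunk and `process_mips_specific` continues outside it, so its range cannot be confirmed from these lines; comparing offsets avoids depending on it: `&& ent - pltgot <= (bfd_vma) (data_end - data)` followed by `&& (bfd_vma) addr_size <= (bfd_vma) (data_end - data) - (ent - pltgot)`. The hunk also drops the `Invalid got entry ... overflows GOT table` diagnostic, so a truncated GOT[1] is reported only by whatever the later local-entry processing prints; a sentence in the patch header confirming that this is intended would help triage. `Upstream-Status: Backport` in this patch gives no upstream link and the commit's Disposition line names only 919383ac, so adding the c4ab9505 commit reference would make the provenance of the second patch checkable.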