binutils: CVE-2017-7299

Source: git://sourceware.org/git/binutils-gdb.git MR: 74257 Type: Security Fix Disposition: Backport from 'embedded-binutils-master' ChangeID: b55df05e3d3fd21bd30edaea124135892747b1ee Description: Linking non-ELF file broken by PR20908 fix PR ld/20968 PR ld/20908 * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move reloc counting code later after ELF flavour test. PR lf/20908 * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries when following indirect links. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 020863d45d39a336723300138777583afb0b12c7) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-16 15:32:13 +02:00 · 2017-09-20 14:27:21 +05:30
parent b5e7f89850
commit 67d5e33d4f
3 changed files with 169 additions and 0 deletions
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -76,6 +76,8 @@ SRC_URI = "\
     file://CVE-2017-8394_1.patch \
     file://CVE-2017-8394.patch \
     file://CVE-2017-8398.patch \
+     file://CVE-2017-7299_1.patch \
+     file://CVE-2017-7299_2.patch \
 "
 S  = "${WORKDIR}/git"

--- a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
@@ -0,0 +1,47 @@
+commit d7f399a8de4c55eb841db6493597a587fac002de
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Fri Dec 2 17:46:26 2016 +0000
+
+    Fix seg-fault in linker when passed a corrupt binary input file.
+    
+    	PR lf/20908
+    	* elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+    	when following indirect links.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c	2017-09-20 14:15:26.337333504 +0530
+++ git/bfd/elflink.c	2017-09-20 14:20:19.000000000 +0530
+@@ -11201,6 +11201,12 @@
+ 	      asection *sec;
+ 
+ 	      sec = p->u.indirect.section;
+	      /* See PR 20908 for a reproducer.  */
+	      if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+		{
+		  _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+		  goto error_return;
+		}
+ 	      esdi = elf_section_data (sec);
+ 
+ 	      /* Mark all sections which are to be included in the
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-09-20 14:20:19.000000000 +0530
+++ git/bfd/ChangeLog	2017-09-20 14:23:48.743556932 +0530
+@@ -192,6 +192,10 @@
+ 
+ 2016-12-02  Nick Clifton  <nickc@redhat.com>
+ 
+	PR lf/20908
+	* elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+	when following indirect links.
+
+ 	PR ld/20909
+ 	* aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
+ 	for an illegal string offset.
--- a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
@@ -0,0 +1,120 @@
+commit a961cdd5f139d3c3e09170db52bd8df7dafae13f
+Author: Alan Modra <amodra@gmail.com>
+Date:   Thu Dec 15 21:29:44 2016 +1030
+
+    Linking non-ELF file broken by PR20908 fix
+    
+    	PR ld/20968
+    	PR ld/20908
+    	* elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
+    	reloc counting code later after ELF flavour test.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c	2017-09-20 14:15:28.133343092 +0530
+++ git/bfd/elflink.c	2017-09-20 14:15:28.189343391 +0530
+@@ -11201,13 +11201,6 @@
+ 	      asection *sec;
+ 
+ 	      sec = p->u.indirect.section;
+-	      /* See PR 20908 for a reproducer.  */
+-	      if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+-		{
+-		  _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+-		  goto error_return;
+-		}
+-	      esdi = elf_section_data (sec);
+ 
+ 	      /* Mark all sections which are to be included in the
+ 		 link.  This will normally be every section.  We need
+@@ -11218,37 +11211,18 @@
+ 	      if (sec->flags & SEC_MERGE)
+ 		merged = TRUE;
+ 
+-	      if (esdo->this_hdr.sh_type == SHT_REL
+-		  || esdo->this_hdr.sh_type == SHT_RELA)
+-		/* Some backends use reloc_count in relocation sections
+-		   to count particular types of relocs.  Of course,
+-		   reloc sections themselves can't have relocations.  */
+-		reloc_count = 0;
+-	      else if (emit_relocs)
+-		{
+-		  reloc_count = sec->reloc_count;
+-		  if (bed->elf_backend_count_additional_relocs)
+-		    {
+-		      int c;
+-		      c = (*bed->elf_backend_count_additional_relocs) (sec);
+-		      additional_reloc_count += c;
+-		    }
+-		}
+-	      else if (bed->elf_backend_count_relocs)
+-		reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+-
+ 	      if (sec->rawsize > max_contents_size)
+ 		max_contents_size = sec->rawsize;
+ 	      if (sec->size > max_contents_size)
+ 		max_contents_size = sec->size;
+ 
+-	      /* We are interested in just local symbols, not all
+-		 symbols.  */
+ 	      if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour
+ 		  && (sec->owner->flags & DYNAMIC) == 0)
+ 		{
+ 		  size_t sym_count;
+ 
+		  /* We are interested in just local symbols, not all
+		     symbols.  */
+ 		  if (elf_bad_symtab (sec->owner))
+ 		    sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size
+ 				 / bed->s->sizeof_sym);
+@@ -11262,6 +11236,27 @@
+ 		      && elf_symtab_shndx_list (sec->owner) != NULL)
+ 		    max_sym_shndx_count = sym_count;
+ 
+		  if (esdo->this_hdr.sh_type == SHT_REL
+		      || esdo->this_hdr.sh_type == SHT_RELA)
+		    /* Some backends use reloc_count in relocation sections
+		       to count particular types of relocs.  Of course,
+		       reloc sections themselves can't have relocations.  */
+		    ;
+		  else if (emit_relocs)
+		    {
+		      reloc_count = sec->reloc_count;
+		      if (bed->elf_backend_count_additional_relocs)
+			{
+			  int c;
+			  c = (*bed->elf_backend_count_additional_relocs) (sec);
+			  additional_reloc_count += c;
+			}
+		    }
+		  else if (bed->elf_backend_count_relocs)
+		    reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+
+		  esdi = elf_section_data (sec);
+
+ 		  if ((sec->flags & SEC_RELOC) != 0)
+ 		    {
+ 		      size_t ext_size = 0;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-09-20 14:15:28.013342453 +0530
+++ git/bfd/ChangeLog	2017-09-20 14:19:06.990419395 +0530
+@@ -156,6 +156,13 @@
+        (bfd_elf_final_link): Only initialize the extended symbol index
+        section if there are extended symbol tables to list.
+ 
+2016-12-15  Alan Modra  <amodra@gmail.com>
+
+	PR ld/20968
+	PR ld/20908
+	 * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
+	reloc counting code later after ELF flavour test.
+
+  2016-12-06  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/20931