mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-18 12:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

binutils: fix four CVE issues

Browse Source 
Backport the CVE patches from the binutils upstream.

(From OE-Core rev: 84bb9c0514ecbd7c31935c22062b18b4aaefbef1)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Zhixiong Chi
2018-11-05 22:43:41 -08:00
committed by Richard Purdie
parent 0814e48a08
commit b9feb4e46b
5 changed files with 506 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
meta/recipes-devtools/binutils/binutils-2.31.inc
View File

@@ -43,6 +43,10 @@ SRC_URI = "\
file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
file://CVE-2018-17358.patch \
file://CVE-2018-17360.patch \
file://CVE-2018-18309.patch \
file://CVE-2018-18605.patch \
file://CVE-2018-18606.patch \
file://CVE-2018-18607.patch \
"
S = "${WORKDIR}/git"

308
meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch Normal file
View File

@@ -0,0 +1,308 @@
From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 13 Oct 2018 22:03:02 +1030
Subject: [PATCH] _bfd_clear_contents bounds checking
This PR shows a fuzzed binary triggering a segfault via a bad
relocation in .debug_line. It turns out that unlike normal
relocations applied to a section, the linker applies those with
symbols from discarded sections via _bfd_clear_contents without
checking that the relocation is within the section bounds. The same
thing now happens when reading debug sections since commit
a4cd947aca23, the PR23425 fix.
PR 23770
PR 23425
* reloc.c (_bfd_clear_contents): Replace "location" param with
"buf" and "off". Bounds check "off". Return status.
* cofflink.c (_bfd_coff_generic_relocate_section): Update
_bfd_clear_contents call.
* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
* elf32-arc.c (elf_arc_relocate_section): Likewise.
* elf32-i386.c (elf_i386_relocate_section): Likewise.
* elf32-metag.c (metag_final_link_relocate): Likewise.
* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
* elf32-visium.c (visium_elf_relocate_section): Likewise.
* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
* libbfd-in.h (_bfd_clear_contents): Update prototype.
* libbfd.h: Regenerate.
Upstream-Status: Backport
CVE: CVE-2018-18605
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 20 ++++++++++++++++++++
bfd/cofflink.c | 2 +-
bfd/elf-bfd.h | 2 +-
bfd/elf32-arc.c | 2 +-
bfd/elf32-i386.c | 2 +-
bfd/elf32-metag.c | 2 +-
bfd/elf32-nds32.c | 8 ++++----
bfd/elf32-ppc.c | 2 +-
bfd/elf32-visium.c | 2 +-
bfd/elf64-ppc.c | 2 +-
bfd/elf64-x86-64.c | 2 +-
bfd/libbfd-in.h | 4 ++--
bfd/libbfd.h | 4 ++--
bfd/reloc.c | 19 +++++++++++++------
14 files changed, 50 insertions(+), 23 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 68c1ff665b..e9696ee314 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,23 @@
+2018-10-13 Alan Modra <amodra@gmail.com>
+
+ PR 23770
+ PR 23425
+ * reloc.c (_bfd_clear_contents): Replace "location" param with
+ "buf" and "off". Bounds check "off". Return status.
+ * cofflink.c (_bfd_coff_generic_relocate_section): Update
+ _bfd_clear_contents call.
+ * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
+ * elf32-arc.c (elf_arc_relocate_section): Likewise.
+ * elf32-i386.c (elf_i386_relocate_section): Likewise.
+ * elf32-metag.c (metag_final_link_relocate): Likewise.
+ * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
+ * elf32-ppc.c (ppc_elf_relocate_section): Likewise.
+ * elf32-visium.c (visium_elf_relocate_section): Likewise.
+ * elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
+ * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
+ * libbfd-in.h (_bfd_clear_contents): Update prototype.
+ * libbfd.h: Regenerate.
+
2018-09-20 Alan Modra <amodra@gmail.com>
PR 23685
diff --git a/bfd/cofflink.c b/bfd/cofflink.c
index 2f73f72e31..b7ea69b7f9 100644
--- a/bfd/cofflink.c
+++ b/bfd/cofflink.c
@@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd,
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + (rel->r_vaddr - input_section->vma));
+ contents, rel->r_vaddr - input_section->vma);
continue;
}
diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index cf256f70e0..3374f411f9 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -2811,7 +2811,7 @@ extern asection _bfd_elf_large_com_section;
{ \
int i_; \
_bfd_clear_contents (howto, input_bfd, input_section, \
- contents + rel[index].r_offset); \
+ contents, rel[index].r_offset); \
\
if (bfd_link_relocatable (info) \
&& (input_section->flags & SEC_DEBUGGING)) \
diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c
index 7a1b3042ae..30f47a5b22 100644
--- a/bfd/elf32-arc.c
+++ b/bfd/elf32-arc.c
@@ -1549,7 +1549,7 @@ elf_arc_relocate_section (bfd * output_bfd,
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
rel->r_info = 0;
rel->r_addend = 0;
diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 49797dcbfa..177471777d 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd,
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c
index efe95bddff..7f96246e5d 100644
--- a/bfd/elf32-metag.c
+++ b/bfd/elf32-metag.c
@@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto,
rel, relend, howto, contents) \
{ \
_bfd_clear_contents (howto, input_bfd, input_section, \
- contents + rel->r_offset); \
+ contents, rel->r_offset); \
\
if (bfd_link_relocatable (info) \
&& (input_section->flags & SEC_DEBUGGING)) \
diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c
index 0d86e5b865..184cf320f7 100644
--- a/bfd/elf32-nds32.c
+++ b/bfd/elf32-nds32.c
@@ -12582,14 +12582,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd,
symbol = *(*parent)->sym_ptr_ptr;
if (symbol->section && discarded_section (symbol->section))
{
- bfd_byte *p;
+ bfd_vma off;
static reloc_howto_type none_howto
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
"unused", FALSE, 0, 0, FALSE);
- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
- p);
+ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+ _bfd_clear_contents ((*parent)->howto, input_bfd,
+ input_section, data, off);
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
(*parent)->addend = 0;
(*parent)->howto = &none_howto;
diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
index 61f70de12e..c31e26efd7 100644
--- a/bfd/elf32-ppc.c
+++ b/bfd/elf32-ppc.c
@@ -8232,7 +8232,7 @@ ppc_elf_relocate_section (bfd *output_bfd,
howto = ppc_elf_howto_table[r_type];
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c
index e8f1c4c9e4..961366cd87 100644
--- a/bfd/elf32-visium.c
+++ b/bfd/elf32-visium.c
@@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd,
or sections discarded by a linker script, we just want the
section contents zeroed. Avoid any special processing. */
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
rel->r_info = 0;
rel->r_addend = 0;
diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
index eadde17615..7c3534ac65 100644
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -14073,7 +14073,7 @@ ppc64_elf_relocate_section (bfd *output_bfd,
{
_bfd_clear_contents (ppc64_elf_howto_table[r_type],
input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index c3a6c31ed2..4dcab43478 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
if (sec != NULL && discarded_section (sec))
{
_bfd_clear_contents (howto, input_bfd, input_section,
- contents + rel->r_offset);
+ contents, rel->r_offset);
wrel->r_offset = rel->r_offset;
wrel->r_info = 0;
wrel->r_addend = 0;
diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h
index e53b255dad..f6d9565f03 100644
--- a/bfd/libbfd-in.h
+++ b/bfd/libbfd-in.h
@@ -696,8 +696,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
/* Clear a given location using a given howto. */
-extern void _bfd_clear_contents
- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
/* Link stabs in sections in the first pass. */
diff --git a/bfd/libbfd.h b/bfd/libbfd.h
index a8851c8026..1189e63358 100644
--- a/bfd/libbfd.h
+++ b/bfd/libbfd.h
@@ -701,8 +701,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
/* Clear a given location using a given howto. */
-extern void _bfd_clear_contents
- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
/* Link stabs in sections in the first pass. */
diff --git a/bfd/reloc.c b/bfd/reloc.c
index 8dbb8896d3..1686780669 100644
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -1613,16 +1613,22 @@ _bfd_relocate_contents (reloc_howto_type *howto,
relocations against discarded symbols, to make ignorable debug or unwind
information more obvious. */
-void
+bfd_reloc_status_type
_bfd_clear_contents (reloc_howto_type *howto,
bfd *input_bfd,
asection *input_section,
- bfd_byte *location)
+ bfd_byte *buf,
+ bfd_vma off)
{
int size;
bfd_vma x = 0;
+ bfd_byte *location;
+
+ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
+ return bfd_reloc_outofrange;
/* Get the value we are going to relocate. */
+ location = buf + off;
size = bfd_get_reloc_size (howto);
switch (size)
{
@@ -1687,6 +1693,7 @@ _bfd_clear_contents (reloc_howto_type *howto,
#endif
break;
}
+ return bfd_reloc_ok;
}
/*
@@ -8275,14 +8282,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd,
if (symbol->section && discarded_section (symbol->section))
{
- bfd_byte *p;
+ bfd_vma off;
static reloc_howto_type none_howto
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
"unused", FALSE, 0, 0, FALSE);
- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
- p);
+ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+ _bfd_clear_contents ((*parent)->howto, input_bfd,
+ input_section, data, off);
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
(*parent)->addend = 0;
(*parent)->howto = &none_howto;
--
2.13.3

47
meta/recipes-devtools/binutils/binutils/CVE-2018-18605.patch Normal file
View File

@@ -0,0 +1,47 @@
From ab419ddbb2cdd17ca83618990f2cacf904ce1d61 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 18:29:24 +1030
Subject: [PATCH] PR23804, buffer overflow in sec_merge_hash_lookup
PR 23804
* merge.c (_bfd_add_merge_section): Don't attempt to merge
sections where size is not a multiple of entsize.
Upstream-Status: Backport
CVE: CVE-2018-18605
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 6 ++++++
bfd/merge.c | 3 +++
2 files changed, 9 insertions(+)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 31ff3d6..da423b1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2018-10-23 Alan Modra <amodra@gmail.com>
+
+ PR 23804
+ * merge.c (_bfd_add_merge_section): Don't attempt to merge
+ sections where size is not a multiple of entsize.
+
2018-10-13 Alan Modra <amodra@gmail.com>
PR 23770
diff --git a/bfd/merge.c b/bfd/merge.c
index 7904552..5e3bba0 100644
--- a/bfd/merge.c
+++ b/bfd/merge.c
@@ -376,6 +376,9 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,
|| sec->entsize == 0)
return TRUE;
+ if (sec->size % sec->entsize != 0)
+ return TRUE;
+
if ((sec->flags & SEC_RELOC) != 0)
{
/* We aren't prepared to handle relocations in merged sections. */
--
2.9.3

70
meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch Normal file
View File

@@ -0,0 +1,70 @@
From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 19:02:06 +1030
Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings
PR 23806
* merge.c (_bfd_add_merge_section): Don't attempt to merge
sections with ridiculously large alignments.
Upstream-Status: Backport
CVE: CVE-2018-18606
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 6 ++++++
bfd/merge.c | 15 +++++++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1f3fc1c..c5f7ec7 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
2018-10-23 Alan Modra <amodra@gmail.com>
+ PR 23806
+ * merge.c (_bfd_add_merge_section): Don't attempt to merge
+ sections with ridiculously large alignments.
+
+2018-10-23 Alan Modra <amodra@gmail.com>
+
PR 23804
* merge.c (_bfd_add_merge_section): Don't attempt to merge
sections where size is not a multiple of entsize.
diff --git a/bfd/merge.c b/bfd/merge.c
index 5e3bba0..7de0c88 100644
--- a/bfd/merge.c
+++ b/bfd/merge.c
@@ -24,6 +24,7 @@
as used in ELF SHF_MERGE. */
#include "sysdep.h"
+#include <limits.h>
#include "bfd.h"
#include "elf-bfd.h"
#include "libbfd.h"
@@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,
return TRUE;
}
- align = sec->alignment_power;
- if ((sec->entsize < (unsigned) 1 << align
+#ifndef CHAR_BIT
+#define CHAR_BIT 8
+#endif
+ if (sec->alignment_power >= sizeof (align) * CHAR_BIT)
+ return TRUE;
+
+ align = 1u << sec->alignment_power;
+ if ((sec->entsize < align
&& ((sec->entsize & (sec->entsize - 1))
|| !(sec->flags & SEC_STRINGS)))
- || (sec->entsize > (unsigned) 1 << align
- && (sec->entsize & (((unsigned) 1 << align) - 1))))
+ || (sec->entsize > align
+ && (sec->entsize & (align - 1))))
{
/* Sanity check. If string character size is smaller than
alignment, then we require character size to be a power
--
2.9.3

77
meta/recipes-devtools/binutils/binutils/CVE-2018-18607.patch Normal file
View File

@@ -0,0 +1,77 @@
From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 18:30:22 +1030
Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd
PR 23805
* elflink.c (elf_link_input_bfd): Don't segfault on finding
STT_TLS symbols without any TLS sections. Instead, change the
symbol type to STT_NOTYPE.
Upstream-Status: Backport
CVE: CVE-2018-18606
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 7 +++++++
bfd/elflink.c | 20 ++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index da423b1..1f3fc1c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,12 @@
2018-10-23 Alan Modra <amodra@gmail.com>
+ PR 23805
+ * elflink.c (elf_link_input_bfd): Don't segfault on finding
+ STT_TLS symbols without any TLS sections. Instead, change the
+ symbol type to STT_NOTYPE.
+
+2018-10-23 Alan Modra <amodra@gmail.com>
+
PR 23806
* merge.c (_bfd_add_merge_section): Don't attempt to merge
sections with ridiculously large alignments.
diff --git a/bfd/elflink.c b/bfd/elflink.c
index c3876cb..87440db 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -10489,8 +10489,11 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
if (ELF_ST_TYPE (osym.st_info) == STT_TLS)
{
/* STT_TLS symbols are relative to PT_TLS segment base. */
- BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL);
- osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+ if (elf_hash_table (flinfo->info)->tls_sec != NULL)
+ osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+ else
+ osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info),
+ STT_NOTYPE);
}
}
@@ -11046,12 +11049,17 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
sym.st_value += osec->vma;
if (ELF_ST_TYPE (sym.st_info) == STT_TLS)
{
+ struct elf_link_hash_table *htab
+ = elf_hash_table (flinfo->info);
+
/* STT_TLS symbols are relative to PT_TLS
segment base. */
- BFD_ASSERT (elf_hash_table (flinfo->info)
- ->tls_sec != NULL);
- sym.st_value -= (elf_hash_table (flinfo->info)
- ->tls_sec->vma);
+ if (htab->tls_sec != NULL)
+ sym.st_value -= htab->tls_sec->vma;
+ else
+ sym.st_info
+ = ELF_ST_INFO (ELF_ST_BIND (sym.st_info),
+ STT_NOTYPE);
}
}
--
2.9.3