binutils: CVE-2017-9955

Source: binutils-gdb.git
MR: 73893
Type: Security Fix
Disposition: Backport from 'binutils-gdb.git/master' branch
ChangeID: 94c3ef8c1fa2e84e84ad76fb45307848d98817c8
Description:

PR 21665 : Fixed multiple heap based buffer overflow

Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: a36978f0dd372ec836f63942f965652ca3716e3f)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Thiruvadi Rajaraman
2017-09-21 20:35:41 +05:30
committed by Richard Purdie
parent ab884ff9a7
commit e7f53f5fe5
10 changed files with 1061 additions and 0 deletions

@@ -91,6 +91,15 @@ SRC_URI = "\
file://CVE-2017-9756.patch \
file://CVE-2017-9745.patch \
file://CVE-2017-9954.patch \
file://CVE-2017-9955_1.patch \
file://CVE-2017-9955_2.patch \
file://CVE-2017-9955_3.patch \
file://CVE-2017-9955_4.patch \
file://CVE-2017-9955_5.patch \
file://CVE-2017-9955_6.patch \
file://CVE-2017-9955_7.patch \
file://CVE-2017-9955_8.patch \
file://CVE-2017-9955_9.patch \
"
S = "${WORKDIR}/git"
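Review bot: The order of the new SRC_URI entries leaves the tree unbuildable between patches: CVE-2017-9955_1.patch already calls bfd_get_file_size in compress.c and objdump.c, but that function is only introduced by CVE-2017-9955_9.patch, whose upstream commit is dated May 30 and predates the rest. The binutils/ChangeLog hunk of _9 uses text added by _7 as context, so it has evidently been refreshed to apply last; consider moving the prerequisite to the front of the list and refreshing it there, so the series bisects cleanly and can be dropped piecewise on upgrade.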

@@ -0,0 +1,93 @@
commit cfd14a500e0485374596234de4db10e88ebc7618
Author: Nick Clifton <nickc@redhat.com>
Date: Mon Jun 26 15:25:08 2017 +0100
Fix address violations when atempting to parse fuzzed binaries.
PR binutils/21665
* compress.c (bfd_get_full_section_contents): Check for and reject
a section whoes size is greater than the size of the entire file.
* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
contain a notes section.
binutils* objdump.c (disassemble_section): Skip any section that is bigger
than the entire file.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530
+++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530
@@ -239,6 +239,12 @@
*ptr = NULL;
return TRUE;
}
+ else if (bfd_get_file_size (abfd) > 0
+ && sz > (bfd_size_type) bfd_get_file_size (abfd))
+ {
+ *ptr = NULL;
+ return FALSE;
+ }
switch (sec->compress_status)
{
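Review bot: The size test added ahead of the switch on sec->compress_status compares sz with the on-disk file size, which rejects valid compressed sections whose uncompressed size is larger than the file. CVE-2017-9955_2.patch removes this check again for that reason and moves it into _bfd_generic_get_section_contents, so the two patches must stay together. bfd_get_file_size is also called twice in the condition where one local would do.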
Index: git/bfd/elf32-v850.c
===================================================================
--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530
+++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530
@@ -2448,7 +2448,9 @@
BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
+ /* If the output is being stripped then it is possible for
+ the notes section to disappear. In this case do nothing. */
+ return;
/* Copy/overwrite notes from the input to the output. */
memcpy (ocont, icont, bfd_section_size (obfd, onotes));
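Review bot: The new early return in v850_elf_copy_notes fires whenever this_hdr.contents is NULL, not only when the notes section was stripped from the output; a section whose contents are simply not cached is now skipped silently where it used to be read with bfd_malloc_and_get_section. The return also comes after icont was allocated by the preceding bfd_malloc_and_get_section call, and nothing in the visible lines releases it on this path. Test explicitly that the output section has gone away, and free icont before returning.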
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
+++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530
@@ -1973,7 +1973,7 @@
return;
datasize = bfd_get_section_size (section);
- if (datasize == 0)
+ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
return;
if (start_address == (bfd_vma) -1
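Review bot: The `datasize >= (bfd_size_type) bfd_get_file_size (abfd)` test in disassemble_section skips the section without any diagnostic, and it uses >= where the ChangeLog entry says "bigger than". bfd_get_file_size returns a signed file_ptr: a result of 0 makes every section get skipped, and a negative result becomes a huge value after the cast so nothing is skipped. The test also misfires for compressed sections and is withdrawn in CVE-2017-9955_7.patch.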
@@ -2839,7 +2839,7 @@
static void
dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
{
- bfd_byte *data = 0;
+ bfd_byte *data = NULL;
bfd_size_type datasize;
bfd_vma addr_offset;
bfd_vma start_offset;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530
@@ -11,6 +11,14 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Check for and reject
+ a section whoes size is greater than the size of the entire file.
+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+ contain a notes section.
+
2017-07-24 Nick Clifton <nickc@redhat.com>
PR 21813

@@ -0,0 +1,112 @@
commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Jun 26 09:24:49 2017 -0700
Check file size before getting section contents
Don't check the section size in bfd_get_full_section_contents since
the size of a decompressed section may be larger than the file size.
Instead, check file size in _bfd_generic_get_section_contents.
PR binutils/21665
* compress.c (bfd_get_full_section_contents): Don't check the
file size here.
* libbfd.c (_bfd_generic_get_section_contents): Check for and
reject a section whoes size + offset is greater than the size
of the entire file.
(_bfd_generic_get_section_contents_in_window): Likewise.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530
+++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530
@@ -780,6 +780,7 @@
bfd_size_type count)
{
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -801,8 +802,15 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ if (filesz < 0)
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count < count
- || offset + count > sz)
+ || offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
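Review bot: Calling abort () from library code when bfd_get_file_size returns a negative value turns an odd or unreadable input into a crash of every BFD client; setting bfd_set_error and returning FALSE, as the next condition does, would be the usual path. The added bound `section->filepos + offset + sz` also tests the whole section size rather than the `count` bytes being read, so partial reads of a section that extends past the end of the file are rejected (corrected in CVE-2017-9955_4.patch and _5.patch).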
@@ -825,6 +833,7 @@
{
#ifdef USE_MMAP
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -857,7 +866,13 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz
|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
TRUE))
return FALSE;
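Review bot: In the USE_MMAP path the braces containing abort () follow the filesz assignment with no `if (filesz < 0)` in front of them, so the block runs unconditionally and every call that gets this far aborts. CVE-2017-9955_3.patch adds the missing line; the two patches must not be separated.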
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530
@@ -239,12 +239,6 @@
*ptr = NULL;
return TRUE;
}
- else if (bfd_get_file_size (abfd) > 0
- && sz > (bfd_size_type) bfd_get_file_size (abfd))
- {
- *ptr = NULL;
- return FALSE;
- }
switch (sec->compress_status)
{
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530
@@ -11,6 +11,16 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Don't check the
+ file size here.
+ * libbfd.c (_bfd_generic_get_section_contents): Check for and
+ reject a section whoes size + offset is greater than the size
+ of the entire file.
+ (_bfd_generic_get_section_contents_in_window): Likewise.
+
2017-06-26 Nick Clifton <nickc@redhat.com>
PR binutils/21665

@@ -0,0 +1,44 @@
commit 1f473e3d0ad285195934e6a077c7ed32afe66437
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Jun 26 15:47:16 2017 -0700
Add a missing line to _bfd_generic_get_section_contents_in_window
PR binutils/21665
* libbfd.c (_bfd_generic_get_section_contents_in_window): Add
a missing line.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 17:57:11.424955516 +0530
+++ git/bfd/libbfd.c 2017-09-21 17:58:57.000000000 +0530
@@ -867,6 +867,7 @@
else
sz = section->size;
filesz = bfd_get_file_size (abfd);
+ if (filesz < 0)
{
/* This should never happen. */
abort ();
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:57:11.424955516 +0530
+++ git/bfd/ChangeLog 2017-09-21 18:01:32.258884464 +0530
@@ -14,6 +14,12 @@
2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
PR binutils/21665
+ * libbfd.c (_bfd_generic_get_section_contents_in_window): Add
+ a missing line.
+
+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21665
* compress.c (bfd_get_full_section_contents): Don't check the
file size here.
* libbfd.c (_bfd_generic_get_section_contents): Check for and

@@ -0,0 +1,50 @@
commit ab27f80c5dceaa23c4ba7f62c0d5d22a5d5dd7a1
Author: Pedro Alves <palves@redhat.com>
Date: Tue Jun 27 00:21:25 2017 +0100
Fix GDB regressions caused by previous bfd_get_section_contents changes
Ref: https://sourceware.org/ml/binutils/2017-06/msg00343.html
bfd/ChangeLog:
2017-06-26 Pedro Alves <palves@redhat.com>
PR binutils/21665
* libbfd.c (_bfd_generic_get_section_contents): Add "count", not
"sz".
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 18:01:58.079078554 +0530
+++ git/bfd/libbfd.c 2017-09-21 18:01:58.063078433 +0530
@@ -810,7 +810,7 @@
}
if (offset + count < count
|| offset + count > sz
- || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+ || (section->filepos + offset + count) > (bfd_size_type) filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
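Review bot: Only _bfd_generic_get_section_contents is switched from sz to count here; the matching bound in _bfd_generic_get_section_contents_in_window, added by CVE-2017-9955_2.patch, still reads `section->filepos + offset + sz` until CVE-2017-9955_5.patch. With the series applied only up to this patch, the mmap path keeps the regression this commit is fixing.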
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 18:01:32.258884464 +0530
+++ git/bfd/ChangeLog 2017-09-21 18:03:42.955872017 +0530
@@ -11,6 +11,12 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 Pedro Alves <palves@redhat.com>
+
+ PR binutils/21665
+ * libbfd.c (_bfd_generic_get_section_contents): Add "count", not
+ "sz".
+
2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
PR binutils/21665

@@ -0,0 +1,89 @@
commit 7211ae501eb0de1044983f2dfb00091a58fbd66c
Author: Alan Modra <amodra@gmail.com>
Date: Tue Jun 27 09:45:04 2017 +0930
More fixes for bfd_get_section_contents change
PR binutils/21665
* libbfd.c (_bfd_generic_get_section_contents): Delete abort.
Use unsigned file pointer type, and remove cast.
* libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
Add "count", not "sz".
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 18:04:47.316362760 +0530
+++ git/bfd/libbfd.c 2017-09-21 18:04:47.300362638 +0530
@@ -780,7 +780,7 @@
bfd_size_type count)
{
bfd_size_type sz;
- file_ptr filesz;
+ ufile_ptr filesz;
if (count == 0)
return TRUE;
@@ -803,14 +803,9 @@
else
sz = section->size;
filesz = bfd_get_file_size (abfd);
- if (filesz < 0)
- {
- /* This should never happen. */
- abort ();
- }
if (offset + count < count
|| offset + count > sz
- || (section->filepos + offset + count) > (bfd_size_type) filesz)
+ || section->filepos + offset + count > filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
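Review bot: With filesz now a ufile_ptr and the negative check deleted, a failure value from bfd_get_file_size (declared as returning file_ptr) turns into a very large unsigned number and the new bound is silently disabled, while a size of 0 rejects every read. The relocation check in objdump.c guards its file-size comparison with BFD_IN_MEMORY | BFD_LINKER_CREATED; a comment here should state what filesz is expected to be for BFDs that are not backed by a file, and the condition should handle that case explicitly.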
@@ -833,7 +828,7 @@
{
#ifdef USE_MMAP
bfd_size_type sz;
- file_ptr filesz;
+ ufile_ptr filesz;
if (count == 0)
return TRUE;
@@ -867,13 +862,8 @@
else
sz = section->size;
filesz = bfd_get_file_size (abfd);
- if (filesz < 0)
- {
- /* This should never happen. */
- abort ();
- }
if (offset + count > sz
- || (section->filepos + offset + sz) > (bfd_size_type) filesz
+ || section->filepos + offset + count > filesz
|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
TRUE))
return FALSE;
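Review bot: The window variant still lacks the `offset + count < count` wraparound test that _bfd_generic_get_section_contents performs ahead of its bounds checks, so an oversized count can wrap `offset + count` past both the sz and the filesz comparison. Add the same test as the first condition to keep the two functions in step.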
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 18:03:42.955872017 +0530
+++ git/bfd/ChangeLog 2017-09-21 18:06:39.973228125 +0530
@@ -11,6 +11,14 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-27 Alan Modra <amodra@gmail.com>
+
+ PR binutils/21665
+ * libbfd.c (_bfd_generic_get_section_contents): Delete abort.
+ Use unsigned file pointer type, and remove cast.
+ * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
+ Add "count", not "sz".
+
2017-06-26 Pedro Alves <palves@redhat.com>
PR binutils/21665

@@ -0,0 +1,55 @@
commit ea9aafc41a764e4e2dbb88a7b031e886b481b99a
Author: Alan Modra <amodra@gmail.com>
Date: Tue Jun 27 14:43:49 2017 +0930
Warning fix
PR binutils/21665
* libbfd.c (_bfd_generic_get_section_contents): Warning fix.
(_bfd_generic_get_section_contents_in_window): Likewise.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 18:07:34.777651818 +0530
+++ git/bfd/libbfd.c 2017-09-21 18:07:34.761651695 +0530
@@ -805,7 +805,7 @@
filesz = bfd_get_file_size (abfd);
if (offset + count < count
|| offset + count > sz
- || section->filepos + offset + count > filesz)
+ || (ufile_ptr) section->filepos + offset + count > filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
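Review bot: The cast on section->filepos makes the sum `(ufile_ptr) section->filepos + offset + count` fully unsigned, so it can wrap and compare below filesz when filepos comes from a crafted header. Comparing against the remaining space avoids the addition: test filepos > filesz first, then offset + count > filesz - filepos. The same applies to the second hunk.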
@@ -863,7 +863,7 @@
sz = section->size;
filesz = bfd_get_file_size (abfd);
if (offset + count > sz
- || section->filepos + offset + count > filesz
+ || (ufile_ptr) section->filepos + offset + count > filesz
|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
TRUE))
return FALSE;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 18:06:39.973228125 +0530
+++ git/bfd/ChangeLog 2017-09-21 18:09:41.798640031 +0530
@@ -19,6 +19,12 @@
* libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
Add "count", not "sz".
+2017-06-27 Alan Modra <amodra@gmail.com>
+
+ PR binutils/21665
+ * libbfd.c (_bfd_generic_get_section_contents): Warning fix.
+ (_bfd_generic_get_section_contents_in_window): Likewise.
+
2017-06-26 Pedro Alves <palves@redhat.com>
PR binutils/21665

@@ -0,0 +1,79 @@
commit 60a02042bacf8d25814430080adda61ed086bca6
Author: Nick Clifton <nickc@redhat.com>
Date: Fri Jun 30 11:03:37 2017 +0100
Fix failures in MMIX linker tests introduced by fix for PR 21665.
PR binutils/21665
* objdump.c (disassemble_section): Move check for an overlarge
section to just before the allocation of memory. Do not check
section size against file size, but instead use an arbitrary 2Gb
limit. Issue a warning message if the section is too big.
Upstream-Status: CVE-2017-9955
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
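Review bot: The header carries `Upstream-Status: CVE-2017-9955` where the other eight patches in this series say `Upstream-Status: Backport`; the CVE id belongs only on the `CVE:` line, and this one should read Backport as well.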
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 18:10:55.499217078 +0530
+++ git/binutils/objdump.c 2017-09-21 18:10:55.483216953 +0530
@@ -1973,7 +1973,7 @@
return;
datasize = bfd_get_section_size (section);
- if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+ if (datasize == 0)
return;
if (start_address == (bfd_vma) -1
@@ -2037,6 +2037,29 @@
}
rel_ppend = rel_pp + rel_count;
+ /* PR 21665: Check for overlarge datasizes.
+ Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+ this fails when using compressed sections or compressed file formats
+ (eg MMO, tekhex).
+
+ The call to xmalloc below will fail if too much memory is requested,
+ which will catch the problem in the normal use case. But if a memory
+ checker is in use, eg valgrind or sanitize, then an exception will
+ be still generated, so we try to catch the problem first.
+
+ Unfortunately there is no simple way to determine how much memory can
+ be allocated by calling xmalloc. So instead we use a simple, arbitrary
+ limit of 2Gb. Hopefully this should be enough for most users. If
+ someone does start trying to disassemble sections larger then 2Gb in
+ size they will doubtless complain and we can increase the limit. */
+#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+ if (datasize > MAX_XMALLOC)
+ {
+ non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+ section->name, (unsigned long) datasize);
+ return;
+ }
+
data = (bfd_byte *) xmalloc (datasize);
bfd_get_section_contents (abfd, section, data, 0, datasize);
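Review bot: The return value of bfd_get_section_contents on the last line is still ignored, so when the new libbfd bounds checks refuse the read, disassemble_section carries on with the uninitialised xmalloc buffer. Check the result and return after a non_fatal message, which is what CVE-2017-9955_8.patch ends up doing through bfd_malloc_and_get_section. The `%#lx` with a cast to unsigned long also truncates datasize on hosts where bfd_size_type is wider than long.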
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog 2017-09-21 17:57:10.448948416 +0530
+++ git/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
@@ -4,6 +4,14 @@
* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
string whilst concatenating symbol names.
+2017-06-30 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21665
+ * objdump.c (disassemble_section): Move check for an overlarge
+ section to just before the allocation of memory. Do not check
+ section size against file size, but instead use an arbitrary 2Gb
+ limit. Issue a warning message if the section is too big.
+
2017-05-02 Nick Clifton <nickc@redhat.com>
PR 21440

@@ -0,0 +1,170 @@
commit bae7501e87ab614115d9d3213b4dd18d96e604db
Author: Alan Modra <amodra@gmail.com>
Date: Sat Jul 1 21:58:10 2017 +0930
Use bfd_malloc_and_get_section
It's nicer than xmalloc followed by bfd_get_section_contents, since
xmalloc exits on failure and needs a check that its size_t arg doesn't
lose high bits when converted from bfd_size_type.
PR binutils/21665
* objdump.c (strtab): Make var a bfd_byte*.
(disassemble_section): Don't limit malloc size. Instead, use
bfd_malloc_and_get_section.
(read_section_stabs): Use bfd_malloc_and_get_section. Return
bfd_byte*.
(find_stabs_section): Remove now unnecessary cast.
* objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
contents on error return.
* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
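Review bot: The commit message and the ChangeLog entry list objcopy.c (copy_object), but the patch body only touches nlmconv.c, objdump.c and binutils/ChangeLog. Either the objcopy.c hunk was dropped during the backport and should be restored, or the header should say that it was left out and why.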
Index: git/binutils/nlmconv.c
===================================================================
--- git.orig/binutils/nlmconv.c 2017-09-21 18:14:15.792797232 +0530
+++ git/binutils/nlmconv.c 2017-09-21 18:14:15.776797105 +0530
@@ -1224,7 +1224,7 @@
const char *inname;
asection *outsec;
bfd_size_type size;
- void *contents;
+ bfd_byte *contents;
long reloc_size;
bfd_byte buf[4];
bfd_size_type add;
@@ -1240,9 +1240,7 @@
contents = NULL;
else
{
- contents = xmalloc (size);
- if (! bfd_get_section_contents (inbfd, insec, contents,
- (file_ptr) 0, size))
+ if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
bfd_fatal (bfd_get_filename (inbfd));
}
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 18:14:15.792797232 +0530
+++ git/binutils/objdump.c 2017-09-21 18:23:30.420895459 +0530
@@ -180,7 +180,7 @@
static bfd_byte *stabs;
static bfd_size_type stab_size;
-static char *strtab;
+static bfd_byte *strtab;
static bfd_size_type stabstr_size;
static bfd_boolean is_relocatable = FALSE;
@@ -2037,33 +2037,13 @@
}
rel_ppend = rel_pp + rel_count;
- /* PR 21665: Check for overlarge datasizes.
- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
- this fails when using compressed sections or compressed file formats
- (eg MMO, tekhex).
-
- The call to xmalloc below will fail if too much memory is requested,
- which will catch the problem in the normal use case. But if a memory
- checker is in use, eg valgrind or sanitize, then an exception will
- be still generated, so we try to catch the problem first.
-
- Unfortunately there is no simple way to determine how much memory can
- be allocated by calling xmalloc. So instead we use a simple, arbitrary
- limit of 2Gb. Hopefully this should be enough for most users. If
- someone does start trying to disassemble sections larger then 2Gb in
- size they will doubtless complain and we can increase the limit. */
-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
- if (datasize > MAX_XMALLOC)
+ if (!bfd_malloc_and_get_section (abfd, section, &data))
{
- non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
- section->name, (unsigned long) datasize);
+ non_fatal (_("Reading section %s failed because: %s"),
+ section->name, bfd_errmsg (bfd_get_error ()));
return;
}
- data = (bfd_byte *) xmalloc (datasize);
-
- bfd_get_section_contents (abfd, section, data, 0, datasize);
-
paux->sec = section;
pinfo->buffer = data;
pinfo->buffer_vma = section->vma;
@@ -2579,12 +2559,11 @@
/* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
it. Return NULL on failure. */
-static char *
+static bfd_byte *
read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
{
asection *stabsect;
- bfd_size_type size;
- char *contents;
+ bfd_byte *contents;
stabsect = bfd_get_section_by_name (abfd, sect_name);
if (stabsect == NULL)
@@ -2593,10 +2572,7 @@
return FALSE;
}
- size = bfd_section_size (abfd, stabsect);
- contents = (char *) xmalloc (size);
-
- if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
+ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
{
non_fatal (_("reading %s section of %s failed: %s"),
sect_name, bfd_get_filename (abfd),
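Review bot: read_section_stabs now returns bfd_byte *, yet the context line at the top of this hunk still does `return FALSE;` when the section is not found, while the function comment promises NULL on failure. It works because FALSE is 0, but `return NULL;` would match the new return type and the error path just below.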
@@ -2606,7 +2582,7 @@
return NULL;
}
- *size_ptr = size;
+ *size_ptr = bfd_section_size (abfd, stabsect);
return contents;
}
@@ -2733,8 +2709,7 @@
if (strtab)
{
- stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
- &stab_size);
+ stabs = read_section_stabs (abfd, section->name, &stab_size);
if (stabs)
print_section_stabs (abfd, section->name, &sought->string_offset);
}
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
+++ git/binutils/ChangeLog 2017-09-21 18:25:00.195937741 +0530
@@ -4,6 +4,19 @@
* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
string whilst concatenating symbol names.
+2017-07-01 Alan Modra <amodra@gmail.com>
+
+ PR binutils/21665
+ * objdump.c (strtab): Make var a bfd_byte*.
+ (disassemble_section): Don't limit malloc size. Instead, use
+ bfd_malloc_and_get_section.
+ (read_section_stabs): Use bfd_malloc_and_get_section. Return
+ bfd_byte*.
+ (find_stabs_section): Remove now unnecessary cast.
+ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
+ contents on error return.
+ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
2017-06-30 Nick Clifton <nickc@redhat.com>
PR binutils/21665

@@ -0,0 +1,360 @@
commit 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Tue May 30 06:34:05 2017 -0700
Add bfd_get_file_size to get archive element size
We can't use stat() to get archive element size. Add bfd_get_file_size
to get size for both normal files and archive elements.
bfd/
PR binutils/21519
* bfdio.c (bfd_get_file_size): New function.
* bfd-in2.h: Regenerated.
binutils/
PR binutils/21519
* objdump.c (dump_relocs_in_section): Replace get_file_size
with bfd_get_file_size to get archive element size.
* testsuite/binutils-all/objdump.exp (test_objdump_f): New
proc.
(test_objdump_h): Likewise.
(test_objdump_t): Likewise.
(test_objdump_r): Likewise.
(test_objdump_s): Likewise.
Add objdump tests on archive.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/bfd-in2.h
===================================================================
--- git.orig/bfd/bfd-in2.h 2017-09-21 20:09:13.475032861 +0530
+++ git/bfd/bfd-in2.h 2017-09-21 20:09:16.375051269 +0530
@@ -1208,6 +1208,8 @@
file_ptr bfd_get_size (bfd *abfd);
+file_ptr bfd_get_file_size (bfd *abfd);
+
void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len,
int prot, int flags, file_ptr offset,
void **map_addr, bfd_size_type *map_len);
Index: git/bfd/bfdio.c
===================================================================
--- git.orig/bfd/bfdio.c 2017-09-21 20:08:55.774919453 +0530
+++ git/bfd/bfdio.c 2017-09-21 20:09:16.375051269 +0530
@@ -434,6 +434,29 @@
return buf.st_size;
}
+/*
+FUNCTION
+ bfd_get_file_size
+
+SYNOPSIS
+ file_ptr bfd_get_file_size (bfd *abfd);
+
+DESCRIPTION
+ Return the file size (as read from file system) for the file
+ associated with BFD @var{abfd}. It supports both normal files
+ and archive elements.
+
+*/
+
+file_ptr
+bfd_get_file_size (bfd *abfd)
+{
+ if (abfd->my_archive != NULL
+ && !bfd_is_thin_archive (abfd->my_archive))
+ return arelt_size (abfd);
+
+ return bfd_get_size (abfd);
+}
/*
FUNCTION
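Review bot: The DESCRIPTION block for bfd_get_file_size does not say what is returned on failure or for a BFD with no backing file, and the function returns a signed file_ptr that the other patches in this series cast to, or store in, unsigned types. Document the error value, and say why members of thin archives fall through to bfd_get_size.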
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 20:09:16.319050914 +0530
+++ git/binutils/objdump.c 2017-09-21 20:09:16.375051269 +0530
@@ -3240,7 +3240,7 @@
}
if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
- && relsize > get_file_size (bfd_get_filename (abfd)))
+ && relsize > bfd_get_file_size (abfd))
{
printf (" (too many: 0x%x)\n", section->reloc_count);
bfd_set_error (bfd_error_file_truncated);
Index: git/binutils/testsuite/binutils-all/objdump.exp
===================================================================
--- git.orig/binutils/testsuite/binutils-all/objdump.exp 2017-09-21 20:08:55.982920797 +0530
+++ git/binutils/testsuite/binutils-all/objdump.exp 2017-09-21 20:09:16.375051269 +0530
@@ -64,96 +64,168 @@
if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest.o]} then {
return
}
+if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest2.o]} then {
+ return
+}
if [is_remote host] {
set testfile [remote_download host tmpdir/bintest.o]
+ set testfile2 [remote_download host tmpdir/bintest2.o]
} else {
set testfile tmpdir/bintest.o
+ set testfile2 tmpdir/bintest2.o
+}
+
+if { ![istarget "alpha-*-*"] || [is_elf_format] } then {
+ remote_file host file delete tmpdir/bintest.a
+ set got [binutils_run $AR "rc tmpdir/bintest.a $testfile2"]
+ if ![string match "" $got] then {
+ fail "bintest.a"
+ remote_file host delete tmpdir/bintest.a
+ } else {
+ if [is_remote host] {
+ set testarchive [remote_download host tmpdir/bintest.a]
+ } else {
+ set testarchive tmpdir/bintest.a
+ }
+ }
+ remote_file host delete tmpdir/bintest2.o
}
# Test objdump -f
-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
+proc test_objdump_f { testfile dumpfile } {
+ global OBJDUMP
+ global OBJDUMPFLAGS
+ global cpus_regex
-set want "$testfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
+ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
-if ![regexp $want $got] then {
- fail "objdump -f"
-} else {
- pass "objdump -f"
+ set want "$dumpfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
+
+ if ![regexp $want $got] then {
+ fail "objdump -f ($testfile, $dumpfile)"
+ } else {
+ pass "objdump -f ($testfile, $dumpfile)"
+ }
+}
+
+test_objdump_f $testfile $testfile
+if { [ remote_file host exists $testarchive ] } then {
+ test_objdump_f $testarchive bintest2.o
}
# Test objdump -h
-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
+proc test_objdump_h { testfile dumpfile } {
+ global OBJDUMP
+ global OBJDUMPFLAGS
-set want "$testfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ \]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)"
+ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
-if ![regexp $want $got all text_name text_size data_name data_size] then {
- fail "objdump -h"
-} else {
- verbose "text name is $text_name size is $text_size"
- verbose "data name is $data_name size is $data_size"
- set ets 8
- set eds 4
- # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
- if [istarget *c4x*-*-*] then {
- set ets 2
- set eds 1
- }
- # c54x section sizes are in bytes, not octets; adjust accordingly
- if [istarget *c54x*-*-*] then {
- set ets 4
- set eds 2
- }
- if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
- send_log "sizes too small\n"
- fail "objdump -h"
+ set want "$dumpfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ \]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)"
+
+ if ![regexp $want $got all text_name text_size data_name data_size] then {
+ fail "objdump -h ($testfile, $dumpfile)"
} else {
- pass "objdump -h"
+ verbose "text name is $text_name size is $text_size"
+ verbose "data name is $data_name size is $data_size"
+ set ets 8
+ set eds 4
+ # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
+ if [istarget *c4x*-*-*] then {
+ set ets 2
+ set eds 1
+ }
+ # c54x section sizes are in bytes, not octets; adjust accordingly
+ if [istarget *c54x*-*-*] then {
+ set ets 4
+ set eds 2
+ }
+ if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
+ send_log "sizes too small\n"
+ fail "objdump -h ($testfile, $dumpfile)"
+ } else {
+ pass "objdump -h ($testfile, $dumpfile)"
+ }
}
}
+test_objdump_h $testfile $testfile
+if { [ remote_file host exists $testarchive ] } then {
+ test_objdump_h $testarchive bintest2.o
+}
+
# Test objdump -t
-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
+proc test_objdump_t { testfile} {
+ global OBJDUMP
+ global OBJDUMPFLAGS
+
+ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
+
+ if [info exists vars] then { unset vars }
+ while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
+ set vars($symbol) 1
+ set got $rest
+ }
-if [info exists vars] then { unset vars }
-while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
- set vars($symbol) 1
- set got $rest
+ if {![info exists vars(text_symbol)] \
+ || ![info exists vars(data_symbol)] \
+ || ![info exists vars(common_symbol)] \
+ || ![info exists vars(external_symbol)]} then {
+ fail "objdump -t ($testfile)"
+ } else {
+ pass "objdump -t ($testfile)"
+ }
}
-if {![info exists vars(text_symbol)] \
- || ![info exists vars(data_symbol)] \
- || ![info exists vars(common_symbol)] \
- || ![info exists vars(external_symbol)]} then {
- fail "objdump -t"
-} else {
- pass "objdump -t"
+test_objdump_t $testfile
+if { [ remote_file host exists $testarchive ] } then {
+ test_objdump_t $testarchive
}
# Test objdump -r
-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
+proc test_objdump_r { testfile dumpfile } {
+ global OBJDUMP
+ global OBJDUMPFLAGS
-set want "$testfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
+ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
-if [regexp $want $got] then {
- pass "objdump -r"
-} else {
- fail "objdump -r"
+ set want "$dumpfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
+
+ if [regexp $want $got] then {
+ pass "objdump -r ($testfile, $dumpfile)"
+ } else {
+ fail "objdump -r ($testfile, $dumpfile)"
+ }
+}
+
+test_objdump_r $testfile $testfile
+if { [ remote_file host exists $testarchive ] } then {
+ test_objdump_r $testarchive bintest2.o
}
# Test objdump -s
-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
+proc test_objdump_s { testfile dumpfile } {
+ global OBJDUMP
+ global OBJDUMPFLAGS
-set want "$testfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)"
+ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
-if [regexp $want $got] then {
- pass "objdump -s"
-} else {
- fail "objdump -s"
+ set want "$dumpfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)"
+
+ if [regexp $want $got] then {
+ pass "objdump -s ($testfile, $dumpfile)"
+ } else {
+ fail "objdump -s ($testfile, $dumpfile)"
+ }
+}
+
+test_objdump_s $testfile $testfile
+if { [ remote_file host exists $testarchive ] } then {
+ test_objdump_s $testarchive bintest2.o
}
# Test objdump -s on a file that contains a compressed .debug section
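Review bot: `$testarchive` is set only in the else branch after a successful ar run, but every `if { [ remote_file host exists $testarchive ] }` reads it unconditionally. On alpha targets that are not ELF, or when creating bintest.a fails, the variable is unset and the script stops with a Tcl error instead of skipping the archive tests. Initialise it before the block (an empty string would do) or test `[info exists testarchive]` first.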
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 20:09:16.207050204 +0530
+++ git/bfd/ChangeLog 2017-09-21 20:13:41.504562787 +0530
@@ -158,6 +158,12 @@
(bfd_perform_relocation, bfd_install_relocation): Use it.
(_bfd_final_link_relocate): Likewise.
+2017-05-30 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21519
+ * bfdio.c (bfd_get_file_size): New function.
+ * bfd-in2.h: Regenerated.
+
2017-04-26 Nick Clifton <nickc@redhat.com>
PR binutils/21434
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog 2017-09-21 20:09:16.319050914 +0530
+++ git/binutils/ChangeLog 2017-09-21 20:12:42.624252645 +0530
@@ -25,6 +25,19 @@
section size against file size, but instead use an arbitrary 2Gb
limit. Issue a warning message if the section is too big.
+2017-05-30 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21519
+ * objdump.c (dump_relocs_in_section): Replace get_file_size
+ with bfd_get_file_size to get archive element size.
+ * testsuite/binutils-all/objdump.exp (test_objdump_f): New
+ proc.
+ (test_objdump_h): Likewise.
+ (test_objdump_t): Likewise.
+ (test_objdump_r): Likewise.
+ (test_objdump_s): Likewise.
+ Add objdump tests on archive.
+
2017-05-02 Nick Clifton <nickc@redhat.com>
PR 21440