Source: binutils-gdb.git
MR: 76766
Type: Security Fix
Disposition: Backport from binutils master
ChangeID: f080669b4e6f7c9088e30858238da5f4315192f3
Description:
PR22209, invalid memory read in find_abstract_instance_name
This patch adds bounds checking for DW_FORM_ref_addr die refs, and
calculates them relative to the first .debug_info section. See the
big comment for why calculating relative to the current .debug_info
section was wrong for relocatable object files.
PR 22209
* dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
(find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
to stash->info_ptr_memory, and check die_ref is within that memory.
Set info_ptr_end correctly when another CU is refd. Check die_ref
for DW_FORM_ref4 etc. is within CU.
Affects: <= 2.29
(From OE-Core rev: 592f315516e602bd9a9bdc3d116771528cd433d1)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: binutils-gdb.git
MR: 76524
Type: Security Fix
Disposition: Backport from binutils master
ChangeID: 5f22a66eabb228b655605b964ecd350aee700806
Description:
PR22187, infinite loop in find_abstract_instance_name
This patch prevents the simple case of infinite recursion in
find_abstract_instance_name by ensuring that the attributes being
processed are not the same as the previous call.
The patch also does a little cleanup, and leaves in place some changes
to the nested_funcs array that I made when I wrongly thought looping
might occur in scan_unit_for_symbols.
PR 22187
* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
pname param. Return status. Make name const. Don't abort,
return an error. Formatting. Exit if current info_ptr matches
orig_info_ptr. Update callers.
(scan_unit_for_symbols): Start at nesting_level of zero. Make
nested_funcs an array of structs for extensibility. Formatting.
Affects: <= 2.29
(From OE-Core rev: 3e88bb5e933ebbf9c3445bac1814dc0ac105bf45)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: binutils-gdb.git
MR: 76278
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 05de8bcd22d8d0b54badcd3826cd370b3aed81de
Description:
x86: Guard against corrupted PLT
There should be only one entry in PLT for a given symbol. Set howto to
NULL after processing a PLT entry to guard against corrupted PLT so that
the duplicated PLT entries are skipped.
PR binutils/22170
Affects: <= 2.29
(From OE-Core rev: 51fc4c8d86bc7c567794305bcc08e5054e9e204a)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: binutils-gdb.git
MR: 73971
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: fe0e1d0f234ed157135818c24f4270c34e093828
Description:
Fix potential address violations when processing a corrupt Alpha VMA binary.
PR binutils/21589
* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
maximum value for the ascic pointer. Check that name processing
does not read beyond this value.
(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
end of etir record.
Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: ea89dfe868085b463dfc24df78b49d1703989484)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74127
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 410078b468de6dc1c908342283a6abe5bdf38d54
Description:
Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
PR binutils/21438
* dwarf.c (process_extended_line_op): Do not assume that the
string extracted from the section is NUL terminated.
(fetch_indirect_string): If the string retrieved from the section
is not NUL terminated, return an error message.
(fetch_indirect_line_string): Likewise.
(fetch_indexed_string): Likewise.
Affects: <= 2.29
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: 1e19e656a97caf61f26ab4f52339b9413d3bb29f)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74140
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 5f6dd48c427de8663c5a80af6db44ce5c579d42c
Description:
Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs.
PR 21440
* objdump.c (dump_relocs_in_section): Check for an excessive
number of relocs before attempting to dump them.
Affects: <= 2.29
Author: Alan Modra <amodra@gmail.com>
(From OE-Core rev: 09c642a70e2a12dcc01ffe45c333011a142c02a7)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74179
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 976156cd25454143883090ca42010c38c6d6af0f
Description:
PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA.
This patch fixes an assumption made by code that runs for objcopy and
strip, that SHT_REL/SHR_RELA sections are always named starting with a
.rel/.rela prefix. I'm also modifying the interface for
elf_backend_get_reloc_section, so any backend function just needs to
handle name mapping.
Affects: <= 2.29
Author: Alan Modra <amodra@gmail.com>
(From OE-Core rev: 24124406a2a1657b80ba2933bef40ccf798c8097)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74296
Type: Security Fix
Disposition: Backport from binutils-2_29-branch
ChangeID: d2cf3ab15c89351c941c92e4cdf28c2bfa9dcda8
Description:
Fix seg-fault running addr2line on a corrupt binary.
PR binutils/20891
* aoutx.h (find_nearest_line): Handle the case where the main file
name and the directory name are both empty.
Affects: <= 2.29
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: ba01ee6899c8d36e6469f6d02d40866fb0502af9)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 73854, 73827, 73814, 73801, 73775
Type: Security Fix
Disposition: Backport from binutils-2_29-branch
ChangeID: fb23096307f9903872a04edf171d1fd2099e35c5
Description:
Fix address violation errors parsing corrupt binary files.
PR 21813
binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
string whilst concatenating symbol names.
bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
of the relocs to the canonicalize_one_reloc routine.
* mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
for the _bfd_mach_o_canonicalize_one_reloc field.
* mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
res_base parameter. Use to check for corrupt pair relocs.
* mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
Likewise.
* mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
Likewise.
* mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
Likewise.
* vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
enough data in the record before attempting to parse it.
(_bfd_vms_slurp_eeom): Likewise.
(_bfd_vms_slurp_egsd): Check for an invalid section index.
(image_set_ptr): Likewise.
(alpha_vms_slurp_relocs): Likewise.
Affects: <= 2.29
(From OE-Core rev: 2cc3922462c9dd86f50a419a2a4abb0f3b5b4745)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: git://sourceware.org/git/binutils-gdb.git
MR: 73880
Type: Security Fix
Disposition: Backport from binutils-2_29-branch
ChangeID: 6ef7c8e941d7a1c069b29e4671178c0d02427e3f
Description:
Fix use-after-free error when parsing a corrupt nested archive.
PR 21787
* archive.c (bfd_generic_archive_p): If the bfd does not have the
correct magic bytes at the start, set the error to wrong format
and clear the format selector before returning NULL.
Affects: <= 2.29
(From OE-Core rev: 996e7af41b48107bab5eca0ea26f507541382bd5)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport upstream commit to address vulnerabilities:
CVE: CVE-2017-6965
[BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137
Fix readelf writing to illegal addresses whilst processing corrupt input
files containing symbol-difference relocations.
PR binutils/21137
* readelf.c (target_specific_reloc_handling): Add end parameter.
Check for buffer overflow before writing relocated values.
(apply_relocations): Pass end to target_specific_reloc_handling.
CVE: CVE-2017-6966
[BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139
Fix read-after-free error in readelf when processing multiple, relocated
sections in an MSP430 binary.
PR binutils/21139
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
(From OE-Core rev: 477afc5634698d6c5cdb6d7705a31d859495695d)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes segfaults when doing partial linking and generaring binary objects
/tmp/binu/ld/ld-new -r -b binary -o etc_certs_ui_ca_pem.o etc_certs_ui_ca_pem
0 elf32_arm_count_additional_relocs (sec=0x79bf40) at /mnt/a/work/oe/binutils-gdb/bfd/elf32-arm.c:18210
1 0x000000000047635a in bfd_elf_final_link (abfd=abfd@entry=0x783250, info=info@entry=0x748400 <link_info>) at /mnt/a/work/oe/binutils-gdb/bfd/elflink.c:11224
2 0x000000000044df7b in elf32_arm_final_link (abfd=0x783250, info=0x748400 <link_info>) at /mnt/a/work/oe/binutils-gdb/bfd/elf32-arm.c:12131
3 0x0000000000418917 in ldwrite () at /mnt/a/work/oe/binutils-gdb/ld/ldwrite.c:577
4 0x000000000040365f in main (argc=<optimized out>, argv=<optimized out>) at /mnt/a/work/oe/binutils-gdb/ld/ldmain.c:433
gold works ok. The patch is already applied in master binutils
(From OE-Core rev: 00d1913520f1572fa7def865e57852c7f25b0ec4)
(From OE-Core rev: 2b1a571899eec018d6f44876b743e06835ed761d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
