Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Maier <tamiko@gentoo.org>2017-06-07 14:44:23 +0000
committerMatthias Maier <tamiko@gentoo.org>2017-06-07 14:44:23 +0000
commita5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb (patch)
treeeb8437c683ddfbac4ab4e25f314d97c5c0edb1d1
parentdrop one more script for tlcore (diff)
downloadgentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.tar.gz
gentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.tar.bz2
gentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.zip
binutils-2.28: Update to patchset 1.2
Diffstat
-rw-r--r--src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch101
-rw-r--r--src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch210
-rw-r--r--src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch118
-rw-r--r--src/patchsets/binutils/2.28/README.history5
4 files changed, 434 insertions, 0 deletions
diff --git a/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch b/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch
new file mode 100644
index 0000000000..0f898c8bc1
--- /dev/null
+++ b/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch
@@ -0,0 +1,101 @@
+From 00e45d8e07536e7eee850f00a6101011e7088171 Mon Sep 17 00:00:00 2001
+From: Matthias Maier <tamiko@43-1.org>
+Date: Wed, 7 Jun 2017 09:29:37 -0500
+Subject: [PATCH 1/3] CVE-2017-6965
+
+[PATCH] Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations.
+
+[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
+[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
+---
+ binutils/readelf.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 5507663..7a908a1 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -11600,6 +11600,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ unsigned char * start,
++ unsigned char * end,
+ Elf_Internal_Sym * symtab)
+ {
+ unsigned int reloc_type = get_reloc_type (reloc->r_info);
+@@ -11640,13 +11641,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ handle_sym_diff:
+ if (saved_sym != NULL)
+ {
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+ value = reloc->r_addend
+ + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+ - saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ /* PR 21137 */
++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11677,13 +11684,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ case 2: /* R_MN10300_16 */
+ if (saved_sym != NULL)
+ {
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+ value = reloc->r_addend
+ + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+ - saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11718,12 +11730,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ break;
+
+ case 0x41: /* R_RL78_ABS32. */
+- byte_put (start + reloc->r_offset, value, 4);
++ if (start + reloc->r_offset + 4 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 4);
+ value = 0;
+ return TRUE;
+
+ case 0x43: /* R_RL78_ABS16. */
+- byte_put (start + reloc->r_offset, value, 2);
++ if (start + reloc->r_offset + 2 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 2);
+ value = 0;
+ return TRUE;
+
+@@ -12340,7 +12360,7 @@ apply_relocations (void * file,
+
+ reloc_type = get_reloc_type (rp->r_info);
+
+- if (target_specific_reloc_handling (rp, start, symtab))
++ if (target_specific_reloc_handling (rp, start, end, symtab))
+ continue;
+ else if (is_none_reloc (reloc_type))
+ continue;
+--
+2.13.0
+
diff --git a/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch b/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch
new file mode 100644
index 0000000000..1ca82520e9
--- /dev/null
+++ b/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch
@@ -0,0 +1,210 @@
+From f25ff3ce9735df03fcbe7ecc1897cf8e0de4b6ae Mon Sep 17 00:00:00 2001
+From: Matthias Maier <tamiko@43-1.org>
+Date: Wed, 7 Jun 2017 09:31:53 -0500
+Subject: [PATCH 2/3] CVE-2017-6966
+
+[PATCH] Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary.
+
+[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
+[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
+---
+ binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 84 insertions(+), 25 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 7a908a1..fd23b6b 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -11595,15 +11595,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+
+ /* Check to see if the given reloc needs to be handled in a target specific
+ manner. If so then process the reloc and return TRUE otherwise return
+- FALSE. */
++ FALSE.
++
++ If called with reloc == NULL, then this is a signal that reloc processing
++ for the current section has finished, and any saved state should be
++ discarded. */
+
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ unsigned char * start,
+ unsigned char * end,
+- Elf_Internal_Sym * symtab)
++ Elf_Internal_Sym * symtab,
++ unsigned long num_syms)
+ {
+- unsigned int reloc_type = get_reloc_type (reloc->r_info);
++ unsigned int reloc_type = 0;
++ unsigned long sym_index = 0;
++
++ if (reloc)
++ {
++ reloc_type = get_reloc_type (reloc->r_info);
++ sym_index = get_reloc_symindex (reloc->r_info);
++ }
+
+ switch (elf_header.e_machine)
+ {
+@@ -11612,6 +11624,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ {
+ static Elf_Internal_Sym * saved_sym = NULL;
+
++ if (reloc == NULL)
++ {
++ saved_sym = NULL;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 10: /* R_MSP430_SYM_DIFF */
+@@ -11619,7 +11637,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ break;
+ /* Fall through. */
+ case 21: /* R_MSP430X_SYM_DIFF */
+- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
++ /* PR 21139. */
++ if (sym_index >= num_syms)
++ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ saved_sym = symtab + sym_index;
+ return TRUE;
+
+ case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
+@@ -11644,16 +11667,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+- value = reloc->r_addend
+- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- - saved_sym->st_value);
+-
+- if (start + reloc->r_offset + reloc_size >= end)
+- /* PR 21137 */
+- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+- start + reloc->r_offset + reloc_size, end);
++ if (sym_index >= num_syms)
++ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
++ sym_index);
+ else
+- byte_put (start + reloc->r_offset, value, reloc_size);
++ {
++ value = reloc->r_addend + (symtab[sym_index].st_value
++ - saved_sym->st_value);
++
++ if (start + reloc->r_offset + reloc_size >= end)
++ /* PR 21137 */
++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
++ }
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11673,13 +11701,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ {
+ static Elf_Internal_Sym * saved_sym = NULL;
+
++ if (reloc == NULL)
++ {
++ saved_sym = NULL;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 34: /* R_MN10300_ALIGN */
+ return TRUE;
+ case 33: /* R_MN10300_SYM_DIFF */
+- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
++ if (sym_index >= num_syms)
++ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ saved_sym = symtab + sym_index;
+ return TRUE;
++
+ case 1: /* R_MN10300_32 */
+ case 2: /* R_MN10300_16 */
+ if (saved_sym != NULL)
+@@ -11687,15 +11726,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+- value = reloc->r_addend
+- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- - saved_sym->st_value);
+-
+- if (start + reloc->r_offset + reloc_size >= end)
+- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+- start + reloc->r_offset + reloc_size, end);
++ if (sym_index >= num_syms)
++ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
++ sym_index);
+ else
+- byte_put (start + reloc->r_offset, value, reloc_size);
++ {
++ value = reloc->r_addend + (symtab[sym_index].st_value
++ - saved_sym->st_value);
++
++ if (start + reloc->r_offset + reloc_size >= end)
++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
++ }
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11715,12 +11759,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ static bfd_vma saved_sym2 = 0;
+ static bfd_vma value;
+
++ if (reloc == NULL)
++ {
++ saved_sym1 = saved_sym2 = 0;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 0x80: /* R_RL78_SYM. */
+ saved_sym1 = saved_sym2;
+- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
+- saved_sym2 += reloc->r_addend;
++ if (sym_index >= num_syms)
++ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ {
++ saved_sym2 = symtab[sym_index].st_value;
++ saved_sym2 += reloc->r_addend;
++ }
+ return TRUE;
+
+ case 0x83: /* R_RL78_OPsub. */
+@@ -12360,7 +12416,7 @@ apply_relocations (void * file,
+
+ reloc_type = get_reloc_type (rp->r_info);
+
+- if (target_specific_reloc_handling (rp, start, end, symtab))
++ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
+ continue;
+ else if (is_none_reloc (reloc_type))
+ continue;
+@@ -12456,6 +12512,9 @@ apply_relocations (void * file,
+ }
+
+ free (symtab);
++ /* Let the target specific reloc processing code know that
++ we have finished with these relocs. */
++ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
+
+ if (relocs_return)
+ {
+--
+2.13.0
+
diff --git a/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch b/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch
new file mode 100644
index 0000000000..8958d313cb
--- /dev/null
+++ b/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch
@@ -0,0 +1,118 @@
+From bb8c412a9450141286bf4eef04b14fe47bbc364f Mon Sep 17 00:00:00 2001
+From: Matthias Maier <tamiko@43-1.org>
+Date: Wed, 7 Jun 2017 09:35:35 -0500
+Subject: [PATCH 3/3] CVE-2017-6969
+
+[PATCH] Fix illegal memory accesses in readelf when parsing a corrupt binary.
+[PATCH] Fix another memory access error in readelf when parsing a corrupt binary.
+
+[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456
+ https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14
+[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
+---
+ binutils/dwarf.c | 34 ++++++++++++++++++++--------------
+ binutils/readelf.c | 10 ++++++++--
+ 2 files changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 05efa6e..3312bc5 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -76,7 +76,6 @@ int dwarf_check = 0;
+ as a zero-terminated list of section indexes comprising one set of debug
+ sections from a .dwo file. */
+
+-static int cu_tu_indexes_read = 0;
+ static unsigned int *shndx_pool = NULL;
+ static unsigned int shndx_pool_size = 0;
+ static unsigned int shndx_pool_used = 0;
+@@ -99,7 +98,7 @@ static int tu_count = 0;
+ static struct cu_tu_set *cu_sets = NULL;
+ static struct cu_tu_set *tu_sets = NULL;
+
+-static void load_cu_tu_indexes (void *file);
++static bfd_boolean load_cu_tu_indexes (void *);
+
+ /* Values for do_debug_lines. */
+ #define FLAG_DEBUG_LINES_RAW 1
+@@ -2739,7 +2738,7 @@ load_debug_info (void * file)
+ return num_debug_info_entries;
+
+ /* If this is a DWARF package file, load the CU and TU indexes. */
+- load_cu_tu_indexes (file);
++ (void) load_cu_tu_indexes (file);
+
+ if (load_debug_section (info, file)
+ && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
+@@ -7402,21 +7401,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+ section sets that we can use to associate a .debug_info.dwo section
+ with its associated .debug_abbrev.dwo section in a .dwp file. */
+
+-static void
++static bfd_boolean
+ load_cu_tu_indexes (void *file)
+ {
++ static int cu_tu_indexes_read = -1; /* Tri-state variable. */
++
+ /* If we have already loaded (or tried to load) the CU and TU indexes
+ then do not bother to repeat the task. */
+- if (cu_tu_indexes_read)
+- return;
+-
+- if (load_debug_section (dwp_cu_index, file))
+- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
+-
+- if (load_debug_section (dwp_tu_index, file))
+- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
++ if (cu_tu_indexes_read == -1)
++ {
++ cu_tu_indexes_read = TRUE;
++
++ if (load_debug_section (dwp_cu_index, file))
++ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
++ cu_tu_indexes_read = FALSE;
++
++ if (load_debug_section (dwp_tu_index, file))
++ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
++ cu_tu_indexes_read = FALSE;
++ }
+
+- cu_tu_indexes_read = 1;
++ return (bfd_boolean) cu_tu_indexes_read;
+ }
+
+ /* Find the set of sections that includes section SHNDX. */
+@@ -7426,7 +7431,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
+ {
+ unsigned int i;
+
+- load_cu_tu_indexes (file);
++ if (! load_cu_tu_indexes (file))
++ return NULL;
+
+ /* Find SHNDX in the shndx pool. */
+ for (i = 0; i < shndx_pool_used; i++)
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index fd23b6b..3950412 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set)
+ if (set != NULL)
+ {
+ while ((i = *set++) > 0)
+- if (streq (SECTION_NAME (section_headers + i), name))
+- return section_headers + i;
++ {
++ /* See PR 21156 for a reproducer. */
++ if (i >= elf_header.e_shnum)
++ continue; /* FIXME: Should we issue an error message ? */
++
++ if (streq (SECTION_NAME (section_headers + i), name))
++ return section_headers + i;
++ }
+ }
+
+ return find_section (name);
+--
+2.13.0
+
diff --git a/src/patchsets/binutils/2.28/README.history b/src/patchsets/binutils/2.28/README.history
index da396584ba..ce2a1e3fac 100644
--- a/src/patchsets/binutils/2.28/README.history
+++ b/src/patchsets/binutils/2.28/README.history
@@ -1,3 +1,8 @@
+1.2 07 Jun 2017
+ + 00_all_0018-CVE-2017-6965.patch
+ + 00_all_0019-CVE-2017-6966.patch
+ + 00_all_0020-CVE-2017-6969.patch
+
1.1 06 Jun 2017
+ 00_all_0007-CVE-2017-8398.patch
+ 00_all_0008-CVE-2017-8393.patch