diff options
author | Matthias Maier <tamiko@gentoo.org> | 2017-06-07 14:44:23 +0000 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2017-06-07 14:44:23 +0000 |
commit | a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb (patch) | |
tree | eb8437c683ddfbac4ab4e25f314d97c5c0edb1d1 | |
parent | drop one more script for tlcore (diff) | |
download | gentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.tar.gz gentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.tar.bz2 gentoo-a5fd92d145fbf2a608f8f612bb6b6a0cc4f118cb.zip |
binutils-2.28: Update to patchset 1.2
4 files changed, 434 insertions, 0 deletions
diff --git a/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch b/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch new file mode 100644 index 0000000000..0f898c8bc1 --- /dev/null +++ b/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch @@ -0,0 +1,101 @@ +From 00e45d8e07536e7eee850f00a6101011e7088171 Mon Sep 17 00:00:00 2001 +From: Matthias Maier <tamiko@43-1.org> +Date: Wed, 7 Jun 2017 09:29:37 -0500 +Subject: [PATCH 1/3] CVE-2017-6965 + +[PATCH] Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations. + +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 +[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 +--- + binutils/readelf.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/binutils/readelf.c b/binutils/readelf.c +index 5507663..7a908a1 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -11600,6 +11600,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) + static bfd_boolean + target_specific_reloc_handling (Elf_Internal_Rela * reloc, + unsigned char * start, ++ unsigned char * end, + Elf_Internal_Sym * symtab) + { + unsigned int reloc_type = get_reloc_type (reloc->r_info); +@@ -11640,13 +11641,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + handle_sym_diff: + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ /* PR 21137 */ ++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11677,13 +11684,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + case 2: /* R_MN10300_16 */ + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11718,12 +11730,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + break; + + case 0x41: /* R_RL78_ABS32. */ +- byte_put (start + reloc->r_offset, value, 4); ++ if (start + reloc->r_offset + 4 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 4); + value = 0; + return TRUE; + + case 0x43: /* R_RL78_ABS16. */ +- byte_put (start + reloc->r_offset, value, 2); ++ if (start + reloc->r_offset + 2 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 2); + value = 0; + return TRUE; + +@@ -12340,7 +12360,7 @@ apply_relocations (void * file, + + reloc_type = get_reloc_type (rp->r_info); + +- if (target_specific_reloc_handling (rp, start, symtab)) ++ if (target_specific_reloc_handling (rp, start, end, symtab)) + continue; + else if (is_none_reloc (reloc_type)) + continue; +-- +2.13.0 + diff --git a/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch b/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch new file mode 100644 index 0000000000..1ca82520e9 --- /dev/null +++ b/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch @@ -0,0 +1,210 @@ +From f25ff3ce9735df03fcbe7ecc1897cf8e0de4b6ae Mon Sep 17 00:00:00 2001 +From: Matthias Maier <tamiko@43-1.org> +Date: Wed, 7 Jun 2017 09:31:53 -0500 +Subject: [PATCH 2/3] CVE-2017-6966 + +[PATCH] Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary. + +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9 +[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 +--- + binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 84 insertions(+), 25 deletions(-) + +diff --git a/binutils/readelf.c b/binutils/readelf.c +index 7a908a1..fd23b6b 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -11595,15 +11595,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) + + /* Check to see if the given reloc needs to be handled in a target specific + manner. If so then process the reloc and return TRUE otherwise return +- FALSE. */ ++ FALSE. ++ ++ If called with reloc == NULL, then this is a signal that reloc processing ++ for the current section has finished, and any saved state should be ++ discarded. */ + + static bfd_boolean + target_specific_reloc_handling (Elf_Internal_Rela * reloc, + unsigned char * start, + unsigned char * end, +- Elf_Internal_Sym * symtab) ++ Elf_Internal_Sym * symtab, ++ unsigned long num_syms) + { +- unsigned int reloc_type = get_reloc_type (reloc->r_info); ++ unsigned int reloc_type = 0; ++ unsigned long sym_index = 0; ++ ++ if (reloc) ++ { ++ reloc_type = get_reloc_type (reloc->r_info); ++ sym_index = get_reloc_symindex (reloc->r_info); ++ } + + switch (elf_header.e_machine) + { +@@ -11612,6 +11624,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + { + static Elf_Internal_Sym * saved_sym = NULL; + ++ if (reloc == NULL) ++ { ++ saved_sym = NULL; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 10: /* R_MSP430_SYM_DIFF */ +@@ -11619,7 +11637,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + break; + /* Fall through. */ + case 21: /* R_MSP430X_SYM_DIFF */ +- saved_sym = symtab + get_reloc_symindex (reloc->r_info); ++ /* PR 21139. */ ++ if (sym_index >= num_syms) ++ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ saved_sym = symtab + sym_index; + return TRUE; + + case 1: /* R_MSP430_32 or R_MSP430_ABS32 */ +@@ -11644,16 +11667,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + +- value = reloc->r_addend +- + (symtab[get_reloc_symindex (reloc->r_info)].st_value +- - saved_sym->st_value); +- +- if (start + reloc->r_offset + reloc_size >= end) +- /* PR 21137 */ +- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), +- start + reloc->r_offset + reloc_size, end); ++ if (sym_index >= num_syms) ++ error (_("MSP430 reloc contains invalid symbol index %lu\n"), ++ sym_index); + else +- byte_put (start + reloc->r_offset, value, reloc_size); ++ { ++ value = reloc->r_addend + (symtab[sym_index].st_value ++ - saved_sym->st_value); ++ ++ if (start + reloc->r_offset + reloc_size >= end) ++ /* PR 21137 */ ++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); ++ } + + saved_sym = NULL; + return TRUE; +@@ -11673,13 +11701,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + { + static Elf_Internal_Sym * saved_sym = NULL; + ++ if (reloc == NULL) ++ { ++ saved_sym = NULL; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 34: /* R_MN10300_ALIGN */ + return TRUE; + case 33: /* R_MN10300_SYM_DIFF */ +- saved_sym = symtab + get_reloc_symindex (reloc->r_info); ++ if (sym_index >= num_syms) ++ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ saved_sym = symtab + sym_index; + return TRUE; ++ + case 1: /* R_MN10300_32 */ + case 2: /* R_MN10300_16 */ + if (saved_sym != NULL) +@@ -11687,15 +11726,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + +- value = reloc->r_addend +- + (symtab[get_reloc_symindex (reloc->r_info)].st_value +- - saved_sym->st_value); +- +- if (start + reloc->r_offset + reloc_size >= end) +- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), +- start + reloc->r_offset + reloc_size, end); ++ if (sym_index >= num_syms) ++ error (_("MN10300 reloc contains invalid symbol index %lu\n"), ++ sym_index); + else +- byte_put (start + reloc->r_offset, value, reloc_size); ++ { ++ value = reloc->r_addend + (symtab[sym_index].st_value ++ - saved_sym->st_value); ++ ++ if (start + reloc->r_offset + reloc_size >= end) ++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); ++ } + + saved_sym = NULL; + return TRUE; +@@ -11715,12 +11759,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + static bfd_vma saved_sym2 = 0; + static bfd_vma value; + ++ if (reloc == NULL) ++ { ++ saved_sym1 = saved_sym2 = 0; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 0x80: /* R_RL78_SYM. */ + saved_sym1 = saved_sym2; +- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value; +- saved_sym2 += reloc->r_addend; ++ if (sym_index >= num_syms) ++ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ { ++ saved_sym2 = symtab[sym_index].st_value; ++ saved_sym2 += reloc->r_addend; ++ } + return TRUE; + + case 0x83: /* R_RL78_OPsub. */ +@@ -12360,7 +12416,7 @@ apply_relocations (void * file, + + reloc_type = get_reloc_type (rp->r_info); + +- if (target_specific_reloc_handling (rp, start, end, symtab)) ++ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms)) + continue; + else if (is_none_reloc (reloc_type)) + continue; +@@ -12456,6 +12512,9 @@ apply_relocations (void * file, + } + + free (symtab); ++ /* Let the target specific reloc processing code know that ++ we have finished with these relocs. */ ++ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0); + + if (relocs_return) + { +-- +2.13.0 + diff --git a/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch b/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch new file mode 100644 index 0000000000..8958d313cb --- /dev/null +++ b/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch @@ -0,0 +1,118 @@ +From bb8c412a9450141286bf4eef04b14fe47bbc364f Mon Sep 17 00:00:00 2001 +From: Matthias Maier <tamiko@43-1.org> +Date: Wed, 7 Jun 2017 09:35:35 -0500 +Subject: [PATCH 3/3] CVE-2017-6969 + +[PATCH] Fix illegal memory accesses in readelf when parsing a corrupt binary. +[PATCH] Fix another memory access error in readelf when parsing a corrupt binary. + +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456 + https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14 +[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 +--- + binutils/dwarf.c | 34 ++++++++++++++++++++-------------- + binutils/readelf.c | 10 ++++++++-- + 2 files changed, 28 insertions(+), 16 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 05efa6e..3312bc5 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -76,7 +76,6 @@ int dwarf_check = 0; + as a zero-terminated list of section indexes comprising one set of debug + sections from a .dwo file. */ + +-static int cu_tu_indexes_read = 0; + static unsigned int *shndx_pool = NULL; + static unsigned int shndx_pool_size = 0; + static unsigned int shndx_pool_used = 0; +@@ -99,7 +98,7 @@ static int tu_count = 0; + static struct cu_tu_set *cu_sets = NULL; + static struct cu_tu_set *tu_sets = NULL; + +-static void load_cu_tu_indexes (void *file); ++static bfd_boolean load_cu_tu_indexes (void *); + + /* Values for do_debug_lines. */ + #define FLAG_DEBUG_LINES_RAW 1 +@@ -2739,7 +2738,7 @@ load_debug_info (void * file) + return num_debug_info_entries; + + /* If this is a DWARF package file, load the CU and TU indexes. */ +- load_cu_tu_indexes (file); ++ (void) load_cu_tu_indexes (file); + + if (load_debug_section (info, file) + && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0)) +@@ -7402,21 +7401,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) + section sets that we can use to associate a .debug_info.dwo section + with its associated .debug_abbrev.dwo section in a .dwp file. */ + +-static void ++static bfd_boolean + load_cu_tu_indexes (void *file) + { ++ static int cu_tu_indexes_read = -1; /* Tri-state variable. */ ++ + /* If we have already loaded (or tried to load) the CU and TU indexes + then do not bother to repeat the task. */ +- if (cu_tu_indexes_read) +- return; +- +- if (load_debug_section (dwp_cu_index, file)) +- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0); +- +- if (load_debug_section (dwp_tu_index, file)) +- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0); ++ if (cu_tu_indexes_read == -1) ++ { ++ cu_tu_indexes_read = TRUE; ++ ++ if (load_debug_section (dwp_cu_index, file)) ++ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0)) ++ cu_tu_indexes_read = FALSE; ++ ++ if (load_debug_section (dwp_tu_index, file)) ++ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0)) ++ cu_tu_indexes_read = FALSE; ++ } + +- cu_tu_indexes_read = 1; ++ return (bfd_boolean) cu_tu_indexes_read; + } + + /* Find the set of sections that includes section SHNDX. */ +@@ -7426,7 +7431,8 @@ find_cu_tu_set (void *file, unsigned int shndx) + { + unsigned int i; + +- load_cu_tu_indexes (file); ++ if (! load_cu_tu_indexes (file)) ++ return NULL; + + /* Find SHNDX in the shndx pool. */ + for (i = 0; i < shndx_pool_used; i++) +diff --git a/binutils/readelf.c b/binutils/readelf.c +index fd23b6b..3950412 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set) + if (set != NULL) + { + while ((i = *set++) > 0) +- if (streq (SECTION_NAME (section_headers + i), name)) +- return section_headers + i; ++ { ++ /* See PR 21156 for a reproducer. */ ++ if (i >= elf_header.e_shnum) ++ continue; /* FIXME: Should we issue an error message ? */ ++ ++ if (streq (SECTION_NAME (section_headers + i), name)) ++ return section_headers + i; ++ } + } + + return find_section (name); +-- +2.13.0 + diff --git a/src/patchsets/binutils/2.28/README.history b/src/patchsets/binutils/2.28/README.history index da396584ba..ce2a1e3fac 100644 --- a/src/patchsets/binutils/2.28/README.history +++ b/src/patchsets/binutils/2.28/README.history @@ -1,3 +1,8 @@ +1.2 07 Jun 2017 + + 00_all_0018-CVE-2017-6965.patch + + 00_all_0019-CVE-2017-6966.patch + + 00_all_0020-CVE-2017-6969.patch + 1.1 06 Jun 2017 + 00_all_0007-CVE-2017-8398.patch + 00_all_0008-CVE-2017-8393.patch |