From 2683d8287d6878868d3aa15ce6e6a80ce28d8737 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi
Date: Tue, 16 Oct 2018 00:55:04 -0700
Subject: binutils: fix three CVE issues

Backport the CVE patches from the upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d [BZ 23686] https://sourceware.org/bugzilla/show_bug.cgi?id=23686 [BZ 23685] https://sourceware.org/bugzilla/show_bug.cgi?id=23685 The one is for CVE-2018-17358 and CVE-2018-17359, and the another is for CVE-2018-17360.

Signed-off-by: Zhixiong Chi
Signed-off-by: Richard Purdie
---
 meta/recipes-devtools/binutils/binutils-2.31.inc | 2 +
 .../binutils/binutils/CVE-2018-17358.patch | 144 +++++++++++++++++++++
 .../binutils/binutils/CVE-2018-17360.patch | 65 ++++++++++
 3 files changed, 211 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 76add0fe4b..27a643d765 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
 file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \
 file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \
 file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
+ file://CVE-2018-17358.patch \
+ file://CVE-2018-17360.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
new file mode 100644
index 0000000000..813509160f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
+From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Thu, 20 Sep 2018 15:29:17 +0930
+Subject: [PATCH] Bug 23686, two segment faults in nm
+
+Fixes the bugs exposed by the testcases in the PR, plus two more bugs
+I noticed when looking at _bfd_stab_section_find_nearest_line.
+
+ PR 23686
+ * dwarf2.c (read_section): Error when attempting to malloc
+ "(bfd_size_type) -1".
+ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+ function_name. Bounds check reloc address. Formatting. Ensure
+ .stabstr zero terminated.
+CVE: CVE-2018-17358 and CVE-2018-17359
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi
+---
+ bfd/ChangeLog | 9 +++++++++
+ bfd/dwarf2.c | 9 ++++++++-
+ bfd/syms.c | 22 ++++++++++++++++------
+ 3 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 04c0c2a..fef5479 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,12 @@
++2018-09-20 Alan Modra
++
++ PR 23686
++ * dwarf2.c (read_section): Error when attempting to malloc
++ "(bfd_size_type) -1".
++ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
++ function_name. Bounds check reloc address. Formatting. Ensure
++ .stabstr zero terminated.
++
+ 2018-08-12 H.J. Lu
+
+ PR ld/23428
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 3b28855..77a7368 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -527,6 +527,7 @@ read_section (bfd * abfd,
+ asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
++ bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+@@ -549,7 +550,13 @@ read_section (bfd * abfd,
+ *section_size = msec->rawsize ? msec->rawsize : msec->size;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- contents = (bfd_byte *) bfd_malloc (*section_size + 1);
++ amt = *section_size + 1;
++ if (amt == 0)
++ {
++ bfd_set_error (bfd_error_no_memory);
++ return FALSE;
++ }
++ contents = (bfd_byte *) bfd_malloc (amt);
+ if (contents == NULL)
+ return FALSE;
+ if (syms
+diff --git a/bfd/syms.c b/bfd/syms.c
+index 187071f..e09640a 100644
+--- a/bfd/syms.c
++++ b/bfd/syms.c
+@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 0, strsize))
+ return FALSE;
+
++ /* Stab strings ought to be nul terminated. Ensure the last one
++ is, to prevent running off the end of the buffer. */
++ info->strs[strsize - 1] = 0;
++
+ /* If this is a relocatable object file, we have to relocate
+ the entries in .stab. This should always be simple 32 bit
+ relocations against symbols defined in this object file, so
+@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ || r->howto->bitsize != 32
+ || r->howto->pc_relative
+ || r->howto->bitpos != 0
+- || r->howto->dst_mask != 0xffffffff)
++ || r->howto->dst_mask != 0xffffffff
++ || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
+ {
+ _bfd_error_handler
+ (_("unsupported .stab relocation"));
+@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ {
+ nul_fun = stab;
+ nul_str = str;
+- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++ if (file_name >= (char *) info->strs + strsize
++ || file_name < (char *) str)
+ file_name = NULL;
+ if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
+ && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
+@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ directory_name = file_name;
+ file_name = ((char *) str
+ + bfd_get_32 (abfd, stab + STRDXOFF));
+- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++ if (file_name >= (char *) info->strs + strsize
++ || file_name < (char *) str)
+ file_name = NULL;
+ }
+ }
+@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ /* PR 17512: file: 0c680a1f. */
+ /* PR 17512: file: 5da8aec4. */
+- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++ if (file_name >= (char *) info->strs + strsize
++ || file_name < (char *) str)
+ file_name = NULL;
+ break;
+
+@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ if (function_name == (char *) str)
+ continue;
+- if (function_name >= (char *) info->strs + strsize)
++ if (function_name >= (char *) info->strs + strsize
++ || function_name < (char *) str)
+ function_name = NULL;
+
+ nul_fun = NULL;
+@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ if (val <= offset)
+ {
+ file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++ if (file_name >= (char *) info->strs + strsize
++ || file_name < (char *) str)
+ file_name = NULL;
+ *pline = 0;
+ }
+--
+2.9.3
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
new file mode 100644
index 0000000000..cef10a7546
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
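Review bot: `info->strs[strsize - 1] = 0;` in the syms.c hunk at line 1035 is not guarded against strsize == 0; strsize is derived outside this hunk from the .stabstr section size, and if an empty .stabstr can reach this point the index wraps to (bfd_size_type) -1 and the store lands before the start of info->strs. Unless an earlier check not visible here already rejects zero-length .stab or .stabstr sections, add `if (strsize == 0) return FALSE;` (or whatever this function already returns for "no usable stabs") ahead of the store. The dwarf2.c guard and the remaining bounds checks in this patch read correctly. _bfd_stab_section_find_nearest_line starts and ends outside the hunks.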
@@ -0,0 +1,65 @@
+From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Thu, 20 Sep 2018 18:23:17 +0930
+Subject: [PATCH] PR23685, buffer overflow
+
+ PR 23685
+ * peXXigen.c (pe_print_edata): Correct export address table
+ overflow checks. Check dataoff against section size too.
+
+CVE: CVE-2018-17360
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/peXXigen.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index fef5479..81b9e56 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2018-09-20 Alan Modra
+
++ PR 23685
++ * peXXigen.c (pe_print_edata): Correct export address table
++ overflow checks. Check dataoff against section size too.
++
++2018-09-20 Alan Modra
++
+ PR 23686
+ * dwarf2.c (read_section): Error when attempting to malloc
+ "(bfd_size_type) -1".
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 598f2ca..1645ef4 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
+
+ dataoff = addr - section->vma;
+ datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
+- if (datasize > section->size - dataoff)
++ if (dataoff > section->size
++ || datasize > section->size - dataoff)
+ {
+ fprintf (file,
+ _("\nThere is an export table in %s, but it does not fit into that section\n"),
+@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
+ edt.base);
+
+ /* PR 17512: Handle corrupt PE binaries. */
+- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
++ /* PR 17512 file: 140-165018-0.004. */
++ if (edt.eat_addr - adj >= datasize
+ /* PR 17512: file: 092b1829 */
+- || (edt.num_functions * 4) < edt.num_functions
+- /* PR 17512 file: 140-165018-0.004. */
+- || data + edt.eat_addr - adj < data)
++ || (edt.num_functions + 1) * 4 < edt.num_functions
++ || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
+ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
+ (long) edt.eat_addr,
+ (long) edt.num_functions);
+--
+2.9.3
-- cgit 1.2.3-korg
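Review bot: The multiplication guard `(edt.num_functions + 1) * 4 < edt.num_functions` in the peXXigen.c hunk at line 1779 does not catch every wrap when unsigned long is 32 bits: for num_functions = 0x60000000 the product wraps to 0x80000004, which is not below num_functions, so rejection then rests solely on the following `> datasize` comparison. A division avoids the wrap entirely and reads more directly: replace the two added `||` lines with `|| edt.num_functions >= (datasize - (edt.eat_addr - adj)) / 4)`, which is well defined because the first clause already guarantees `edt.eat_addr - adj < datasize`. If num_functions is read from a 32-bit field (that read is outside the hunk), 64-bit hosts are unaffected, so this is portability hardening rather than a change to the fix's effect there. pe_print_edata starts and ends outside the hunk.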