From 020863d45d39a336723300138777583afb0b12c7 Mon Sep 17 00:00:00 2001
From: Thiruvadi Rajaraman
Date: Wed, 20 Sep 2017 14:27:21 +0530
Subject: binutils: CVE-2017-7299
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74257
Type: Security Fix
Disposition: Backport from 'embedded-binutils-master'
ChangeID: b55df05e3d3fd21bd30edaea124135892747b1ee
Description: Linking non-ELF file broken by PR20908 fix PR ld/20968 PR ld/20908 * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move reloc counting code later after ELF flavour test. PR lf/20908 * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries when following indirect links.
Affects: <= 2.28
Author: Nick Clifton
Signed-off-by: Thiruvadi Rajaraman
Reviewed-by: Armin Kuster
Signed-off-by: Armin Kuster
Signed-off-by: Armin Kuster
---
meta/recipes-devtools/binutils/binutils-2.27.inc | 2 +
.../binutils/binutils/CVE-2017-7299_1.patch | 47 ++++++++
.../binutils/binutils/CVE-2017-7299_2.patch | 120 +++++++++++++++++++++
3 files changed, 169 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
(limited to 'meta/recipes-devtools')
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 35e26fc0dd..1e55be69f7 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -76,6 +76,8 @@ SRC_URI = "\
 file://CVE-2017-8394_1.patch \
 file://CVE-2017-8394.patch \
 file://CVE-2017-8398.patch \
+ file://CVE-2017-7299_1.patch \
+ file://CVE-2017-7299_2.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
new file mode 100644
index 0000000000..50a48bc549
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch
@@ -0,0 +1,47 @@
+commit d7f399a8de4c55eb841db6493597a587fac002de
+Author: Nick Clifton
+Date: Fri Dec 2 17:46:26 2016 +0000
+
+ Fix seg-fault in linker when passed a corrupt binary input file.
+
+ PR lf/20908
+ * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+ when following indirect links.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c 2017-09-20 14:15:26.337333504 +0530
++++ git/bfd/elflink.c 2017-09-20 14:20:19.000000000 +0530
+@@ -11201,6 +11201,12 @@
+ asection *sec;
+
+ sec = p->u.indirect.section;
++ /* See PR 20908 for a reproducer. */
++ if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
++ {
++ _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
++ goto error_return;
++ }
+ esdi = elf_section_data (sec);
+
+ /* Mark all sections which are to be included in the
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-20 14:20:19.000000000 +0530
++++ git/bfd/ChangeLog 2017-09-20 14:23:48.743556932 +0530
+@@ -192,6 +192,10 @@
+
+ 2016-12-02 Nick Clifton
+
++ PR lf/20908
++ * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
++ when following indirect links.
++
+ PR ld/20909
+ * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
+ for an illegal string offset.
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
new file mode 100644
index 0000000000..7691b122ce
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch
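Review bot: The guard added by CVE-2017-7299_1.patch sends every indirect section whose owner is not ELF flavour to `error_return`, so applied on its own it turns a non-ELF input into a hard link failure; CVE-2017-7299_2.patch in this same commit is titled "Linking non-ELF file broken by PR20908 fix" and removes those six lines again. Carrying the change and its revert as two files means the recipe is only correct while both stay listed in SRC_URI in this order. A single patch holding the net upstream change would remove that dependency. If the two files are kept, add a header line to this one such as `Superseded by CVE-2017-7299_2.patch; must not be applied without it.`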
@@ -0,0 +1,120 @@
+commit a961cdd5f139d3c3e09170db52bd8df7dafae13f
+Author: Alan Modra
+Date: Thu Dec 15 21:29:44 2016 +1030
+
+ Linking non-ELF file broken by PR20908 fix
+
+ PR ld/20968
+ PR ld/20908
+ * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move
+ reloc counting code later after ELF flavour test.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c 2017-09-20 14:15:28.133343092 +0530
++++ git/bfd/elflink.c 2017-09-20 14:15:28.189343391 +0530
+@@ -11201,13 +11201,6 @@
+ asection *sec;
+
+ sec = p->u.indirect.section;
+- /* See PR 20908 for a reproducer. */
+- if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+- {
+- _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+- goto error_return;
+- }
+- esdi = elf_section_data (sec);
+
+ /* Mark all sections which are to be included in the
+ link. This will normally be every section. We need
+@@ -11218,37 +11211,18 @@
+ if (sec->flags & SEC_MERGE)
+ merged = TRUE;
+
+- if (esdo->this_hdr.sh_type == SHT_REL
+- || esdo->this_hdr.sh_type == SHT_RELA)
+- /* Some backends use reloc_count in relocation sections
+- to count particular types of relocs. Of course,
+- reloc sections themselves can't have relocations. */
+- reloc_count = 0;
+- else if (emit_relocs)
+- {
+- reloc_count = sec->reloc_count;
+- if (bed->elf_backend_count_additional_relocs)
+- {
+- int c;
+- c = (*bed->elf_backend_count_additional_relocs) (sec);
+- additional_reloc_count += c;
+- }
+- }
+- else if (bed->elf_backend_count_relocs)
+- reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+-
+ if (sec->rawsize > max_contents_size)
+ max_contents_size = sec->rawsize;
+ if (sec->size > max_contents_size)
+ max_contents_size = sec->size;
+
+- /* We are interested in just local symbols, not all
+- symbols. */
+ if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour
+ && (sec->owner->flags & DYNAMIC) == 0)
+ {
+ size_t sym_count;
+
++ /* We are interested in just local symbols, not all
++ symbols. */
+ if (elf_bad_symtab (sec->owner))
+ sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size
+ / bed->s->sizeof_sym);
+@@ -11262,6 +11236,27 @@
+ && elf_symtab_shndx_list (sec->owner) != NULL)
+ max_sym_shndx_count = sym_count;
+
++ if (esdo->this_hdr.sh_type == SHT_REL
++ || esdo->this_hdr.sh_type == SHT_RELA)
++ /* Some backends use reloc_count in relocation sections
++ to count particular types of relocs. Of course,
++ reloc sections themselves can't have relocations. */
++ ;
++ else if (emit_relocs)
++ {
++ reloc_count = sec->reloc_count;
++ if (bed->elf_backend_count_additional_relocs)
++ {
++ int c;
++ c = (*bed->elf_backend_count_additional_relocs) (sec);
++ additional_reloc_count += c;
++ }
++ }
++ else if (bed->elf_backend_count_relocs)
++ reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
++
++ esdi = elf_section_data (sec);
++
+ if ((sec->flags & SEC_RELOC) != 0)
+ {
+ size_t ext_size = 0;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-20 14:15:28.013342453 +0530
++++ git/bfd/ChangeLog 2017-09-20 14:19:06.990419395 +0530
+@@ -156,6 +156,13 @@
+ (bfd_elf_final_link): Only initialize the extended symbol index
+ section if there are extended symbol tables to list.
+
++2016-12-15 Alan Modra
++
++ PR ld/20968
++ PR ld/20908
++ * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move
++ reloc counting code later after ELF flavour test.
++
+ 2016-12-06 Nick Clifton
+
+ PR binutils/20931
-- cgit 1.2.3-korg
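Review bot: For a non-ELF input `esdi` is no longer assigned in this loop body, because `esdi = elf_section_data (sec);` now comes after the relocated reloc-counting code. That code appears to sit inside the `bfd_get_flavour (sec->owner) == bfd_target_elf_flavour` test, though indentation is lost on this page. The SHT_REL/SHT_RELA branch also now ends in an empty statement instead of `reloc_count = 0;`, so it relies on `reloc_count` already being zero. Both initialisers are outside the hunk, so confirm in the 2.27 tree that `esdi` and `reloc_count` are initialised for each link order and that no later `esdi->` dereference is reachable when the flavour test fails. A comment at the assignment, e.g. `/* esdi is only set for ELF inputs; it keeps its initial value otherwise.  */`, would record that assumption for the next backport.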