
From: "Matthias Maier (tamiko)" <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in src/patchsets/binutils/2.28: 00_all_0018-CVE-2017-6965.patch 00_all_0019-CVE-2017-6966.patch 00_all_0020-CVE-2017-6969.patch README.history
Date: Wed, 07 Jun 2017 14:44:26
Message-Id: 20170607144423.16CA67476@oystercatcher.gentoo.org
1 tamiko 17/06/07 14:44:23
2
3 Modified: README.history
4 Added: 00_all_0018-CVE-2017-6965.patch
5 00_all_0019-CVE-2017-6966.patch
6 00_all_0020-CVE-2017-6969.patch
7 Log:
8 binutils-2.28: Update to patchset 1.2
9
10 Revision Changes Path
11 1.3 src/patchsets/binutils/2.28/README.history
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?rev=1.3&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?rev=1.3&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?r1=1.2&r2=1.3
16
17 Index: README.history
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.28/README.history,v
20 retrieving revision 1.2
21 retrieving revision 1.3
22 diff -u -r1.2 -r1.3
23 --- README.history 6 Jun 2017 22:17:49 -0000 1.2
24 +++ README.history 7 Jun 2017 14:44:23 -0000 1.3
25 @@ -1,3 +1,8 @@
26 +1.2 07 Jun 2017
27 + + 00_all_0018-CVE-2017-6965.patch
28 + + 00_all_0019-CVE-2017-6966.patch
29 + + 00_all_0020-CVE-2017-6969.patch
30 +
31 1.1 06 Jun 2017
32 + 00_all_0007-CVE-2017-8398.patch
33 + 00_all_0008-CVE-2017-8393.patch
34
35
36
37 1.1 src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch
38
39 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch?rev=1.1&view=markup
40 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch?rev=1.1&content-type=text/plain
41
42 Index: 00_all_0018-CVE-2017-6965.patch
43 ===================================================================
44 From 00e45d8e07536e7eee850f00a6101011e7088171 Mon Sep 17 00:00:00 2001
45 From: Matthias Maier <tamiko@××××.org>
46 Date: Wed, 7 Jun 2017 09:29:37 -0500
47 Subject: [PATCH 1/3] CVE-2017-6965
48
49 [PATCH] Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations.
50
51 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
52 [2] https://bugs.gentoo.org/show_bug.cgi?id=621130
53 ---
54 binutils/readelf.c | 30 +++++++++++++++++++++++++-----
55 1 file changed, 25 insertions(+), 5 deletions(-)
56
57 diff --git a/binutils/readelf.c b/binutils/readelf.c
58 index 5507663..7a908a1 100644
59 --- a/binutils/readelf.c
60 +++ b/binutils/readelf.c
61 @@ -11600,6 +11600,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
62 static bfd_boolean
63 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
64 unsigned char * start,
65 + unsigned char * end,
66 Elf_Internal_Sym * symtab)
67 {
68 unsigned int reloc_type = get_reloc_type (reloc->r_info);
69 @@ -11640,13 +11641,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
70 handle_sym_diff:
71 if (saved_sym != NULL)
72 {
73 + int reloc_size = reloc_type == 1 ? 4 : 2;
74 bfd_vma value;
75
76 value = reloc->r_addend
77 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
78 - saved_sym->st_value);
79
80 - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
81 + if (start + reloc->r_offset + reloc_size >= end)
82 + /* PR 21137 */
83 + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
84 + start + reloc->r_offset + reloc_size, end);
85 + else
86 + byte_put (start + reloc->r_offset, value, reloc_size);
87
88 saved_sym = NULL;
89 return TRUE;
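Review bot: The new guard `if (start + reloc->r_offset + reloc_size >= end)` forms the pointer before checking it, so an r_offset from a corrupt file that is large enough to wrap `start + reloc->r_offset` around the address space compares below `end` and the byte_put still lands outside the section; compare the offset against the section length instead, `bfd_vma avail = (bfd_vma) (end - start);` and `if (reloc->r_offset > avail || avail - reloc->r_offset < reloc_size)`, which never constructs an out-of-range pointer. That form also corrects the `>=`, which at present rejects a valid reloc whose last written byte is the last byte of the section. The `%p` arguments of the error call should be cast to `(void *)` to match the conversion. The same construction appears in the MN10300 hunk and both RL78 cases below, and is carried over unchanged into 00_all_0019; target_specific_reloc_handling continues outside this hunk.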
90 @@ -11677,13 +11684,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
91 case 2: /* R_MN10300_16 */
92 if (saved_sym != NULL)
93 {
94 + int reloc_size = reloc_type == 1 ? 4 : 2;
95 bfd_vma value;
96
97 value = reloc->r_addend
98 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
99 - saved_sym->st_value);
100
101 - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
102 + if (start + reloc->r_offset + reloc_size >= end)
103 + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
104 + start + reloc->r_offset + reloc_size, end);
105 + else
106 + byte_put (start + reloc->r_offset, value, reloc_size);
107
108 saved_sym = NULL;
109 return TRUE;
110 @@ -11718,12 +11730,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
111 break;
112
113 case 0x41: /* R_RL78_ABS32. */
114 - byte_put (start + reloc->r_offset, value, 4);
115 + if (start + reloc->r_offset + 4 >= end)
116 + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
117 + start + reloc->r_offset + 2, end);
118 + else
119 + byte_put (start + reloc->r_offset, value, 4);
120 value = 0;
121 return TRUE;
122
123 case 0x43: /* R_RL78_ABS16. */
124 - byte_put (start + reloc->r_offset, value, 2);
125 + if (start + reloc->r_offset + 2 >= end)
126 + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
127 + start + reloc->r_offset + 2, end);
128 + else
129 + byte_put (start + reloc->r_offset, value, 2);
130 value = 0;
131 return TRUE;
132
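Review bot: In the R_RL78_ABS32 case the check uses `start + reloc->r_offset + 4` but the diagnostic prints `start + reloc->r_offset + 2`, so the reported end address is two bytes short of the one that was actually tested; the error call should pass `start + reloc->r_offset + 4, end);`. The ABS16 case below is consistent, which suggests the ABS32 message was copied from it.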
133 @@ -12340,7 +12360,7 @@ apply_relocations (void * file,
134
135 reloc_type = get_reloc_type (rp->r_info);
136
137 - if (target_specific_reloc_handling (rp, start, symtab))
138 + if (target_specific_reloc_handling (rp, start, end, symtab))
139 continue;
140 else if (is_none_reloc (reloc_type))
141 continue;
142 --
143 2.13.0
144
145
146
147
148 1.1 src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch
149
150 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch?rev=1.1&view=markup
151 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch?rev=1.1&content-type=text/plain
152
153 Index: 00_all_0019-CVE-2017-6966.patch
154 ===================================================================
155 From f25ff3ce9735df03fcbe7ecc1897cf8e0de4b6ae Mon Sep 17 00:00:00 2001
156 From: Matthias Maier <tamiko@××××.org>
157 Date: Wed, 7 Jun 2017 09:31:53 -0500
158 Subject: [PATCH 2/3] CVE-2017-6966
159
160 [PATCH] Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary.
161
162 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
163 [2] https://bugs.gentoo.org/show_bug.cgi?id=621130
164 ---
165 binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
166 1 file changed, 84 insertions(+), 25 deletions(-)
167
168 diff --git a/binutils/readelf.c b/binutils/readelf.c
169 index 7a908a1..fd23b6b 100644
170 --- a/binutils/readelf.c
171 +++ b/binutils/readelf.c
172 @@ -11595,15 +11595,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
173
174 /* Check to see if the given reloc needs to be handled in a target specific
175 manner. If so then process the reloc and return TRUE otherwise return
176 - FALSE. */
177 + FALSE.
178 +
179 + If called with reloc == NULL, then this is a signal that reloc processing
180 + for the current section has finished, and any saved state should be
181 + discarded. */
182
183 static bfd_boolean
184 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
185 unsigned char * start,
186 unsigned char * end,
187 - Elf_Internal_Sym * symtab)
188 + Elf_Internal_Sym * symtab,
189 + unsigned long num_syms)
190 {
191 - unsigned int reloc_type = get_reloc_type (reloc->r_info);
192 + unsigned int reloc_type = 0;
193 + unsigned long sym_index = 0;
194 +
195 + if (reloc)
196 + {
197 + reloc_type = get_reloc_type (reloc->r_info);
198 + sym_index = get_reloc_symindex (reloc->r_info);
199 + }
200
201 switch (elf_header.e_machine)
202 {
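Review bot: The extended comment explains the NULL-reloc sentinel but says nothing about the new `num_syms` parameter or about which arguments are meaningful on the sentinel call, which the caller makes as `(NULL, NULL, NULL, NULL, 0)`. I would add to the comment: `NUM_SYMS is the number of entries in SYMTAB; every symbol index taken from RELOC is checked against it before SYMTAB is indexed.` and `START, END and SYMTAB are ignored when RELOC is NULL.` The function body continues past the end of the hunk.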
203 @@ -11612,6 +11624,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
204 {
205 static Elf_Internal_Sym * saved_sym = NULL;
206
207 + if (reloc == NULL)
208 + {
209 + saved_sym = NULL;
210 + return TRUE;
211 + }
212 +
213 switch (reloc_type)
214 {
215 case 10: /* R_MSP430_SYM_DIFF */
216 @@ -11619,7 +11637,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
217 break;
218 /* Fall through. */
219 case 21: /* R_MSP430X_SYM_DIFF */
220 - saved_sym = symtab + get_reloc_symindex (reloc->r_info);
221 + /* PR 21139. */
222 + if (sym_index >= num_syms)
223 + error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
224 + sym_index);
225 + else
226 + saved_sym = symtab + sym_index;
227 return TRUE;
228
229 case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
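Review bot: When the SYM_DIFF index is rejected, the error branch leaves `saved_sym` holding whatever an earlier, unconsumed SYM_DIFF stored, so the next R_MSP430_32/16 reloc can still be paired with a symbol that does not belong to it. Clearing it alongside the diagnostic keeps the rejected reloc from influencing later ones: brace the error branch and add `saved_sym = NULL;` after the `error (...)` call. Whether such a sequence is reachable depends on the reloc ordering in the input, but the reset is cheap and matches what the consuming cases already do. The MN10300 R_MN10300_SYM_DIFF case further down has the same shape.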
230 @@ -11644,16 +11667,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
231 int reloc_size = reloc_type == 1 ? 4 : 2;
232 bfd_vma value;
233
234 - value = reloc->r_addend
235 - + (symtab[get_reloc_symindex (reloc->r_info)].st_value
236 - - saved_sym->st_value);
237 -
238 - if (start + reloc->r_offset + reloc_size >= end)
239 - /* PR 21137 */
240 - error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
241 - start + reloc->r_offset + reloc_size, end);
242 + if (sym_index >= num_syms)
243 + error (_("MSP430 reloc contains invalid symbol index %lu\n"),
244 + sym_index);
245 else
246 - byte_put (start + reloc->r_offset, value, reloc_size);
247 + {
248 + value = reloc->r_addend + (symtab[sym_index].st_value
249 + - saved_sym->st_value);
250 +
251 + if (start + reloc->r_offset + reloc_size >= end)
252 + /* PR 21137 */
253 + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
254 + start + reloc->r_offset + reloc_size, end);
255 + else
256 + byte_put (start + reloc->r_offset, value, reloc_size);
257 + }
258
259 saved_sym = NULL;
260 return TRUE;
261 @@ -11673,13 +11701,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
262 {
263 static Elf_Internal_Sym * saved_sym = NULL;
264
265 + if (reloc == NULL)
266 + {
267 + saved_sym = NULL;
268 + return TRUE;
269 + }
270 +
271 switch (reloc_type)
272 {
273 case 34: /* R_MN10300_ALIGN */
274 return TRUE;
275 case 33: /* R_MN10300_SYM_DIFF */
276 - saved_sym = symtab + get_reloc_symindex (reloc->r_info);
277 + if (sym_index >= num_syms)
278 + error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
279 + sym_index);
280 + else
281 + saved_sym = symtab + sym_index;
282 return TRUE;
283 +
284 case 1: /* R_MN10300_32 */
285 case 2: /* R_MN10300_16 */
286 if (saved_sym != NULL)
287 @@ -11687,15 +11726,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
288 int reloc_size = reloc_type == 1 ? 4 : 2;
289 bfd_vma value;
290
291 - value = reloc->r_addend
292 - + (symtab[get_reloc_symindex (reloc->r_info)].st_value
293 - - saved_sym->st_value);
294 -
295 - if (start + reloc->r_offset + reloc_size >= end)
296 - error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
297 - start + reloc->r_offset + reloc_size, end);
298 + if (sym_index >= num_syms)
299 + error (_("MN10300 reloc contains invalid symbol index %lu\n"),
300 + sym_index);
301 else
302 - byte_put (start + reloc->r_offset, value, reloc_size);
303 + {
304 + value = reloc->r_addend + (symtab[sym_index].st_value
305 + - saved_sym->st_value);
306 +
307 + if (start + reloc->r_offset + reloc_size >= end)
308 + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
309 + start + reloc->r_offset + reloc_size, end);
310 + else
311 + byte_put (start + reloc->r_offset, value, reloc_size);
312 + }
313
314 saved_sym = NULL;
315 return TRUE;
316 @@ -11715,12 +11759,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
317 static bfd_vma saved_sym2 = 0;
318 static bfd_vma value;
319
320 + if (reloc == NULL)
321 + {
322 + saved_sym1 = saved_sym2 = 0;
323 + return TRUE;
324 + }
325 +
326 switch (reloc_type)
327 {
328 case 0x80: /* R_RL78_SYM. */
329 saved_sym1 = saved_sym2;
330 - saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
331 - saved_sym2 += reloc->r_addend;
332 + if (sym_index >= num_syms)
333 + error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
334 + sym_index);
335 + else
336 + {
337 + saved_sym2 = symtab[sym_index].st_value;
338 + saved_sym2 += reloc->r_addend;
339 + }
340 return TRUE;
341
342 case 0x83: /* R_RL78_OPsub. */
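Review bot: The RL78 reset branch clears `saved_sym1` and `saved_sym2` but not `value`, which is declared `static bfd_vma value;` just above and is only zeroed by the ABS32/ABS16 cases after a write. If the last reloc of a section is one of the OP cases (their bodies are outside the hunk), the partially computed value would carry into the first reloc of the next section, which is the cross-section state leak this patch is meant to close. Change the reset to `saved_sym1 = saved_sym2 = value = 0;`.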
343 @@ -12360,7 +12416,7 @@ apply_relocations (void * file,
344
345 reloc_type = get_reloc_type (rp->r_info);
346
347 - if (target_specific_reloc_handling (rp, start, end, symtab))
348 + if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
349 continue;
350 else if (is_none_reloc (reloc_type))
351 continue;
352 @@ -12456,6 +12512,9 @@ apply_relocations (void * file,
353 }
354
355 free (symtab);
356 + /* Let the target specific reloc processing code know that
357 + we have finished with these relocs. */
358 + target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
359
360 if (relocs_return)
361 {
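Review bot: The sentinel call is placed after the one `free (symtab)` visible here, but apply_relocations begins well before this hunk; if the function has other paths that release symtab and leave (error returns inside its per-section loop), the static `saved_sym` pointers would still dangle on those paths. Routing every exit through a single cleanup point that performs both the free and the reset would make the guarantee structural rather than per-path; this is an inference from the hunk, since the rest of the function is not shown.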
362 --
363 2.13.0
364
365
366
367
368 1.1 src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch
369
370 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch?rev=1.1&view=markup
371 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch?rev=1.1&content-type=text/plain
372
373 Index: 00_all_0020-CVE-2017-6969.patch
374 ===================================================================
375 From bb8c412a9450141286bf4eef04b14fe47bbc364f Mon Sep 17 00:00:00 2001
376 From: Matthias Maier <tamiko@××××.org>
377 Date: Wed, 7 Jun 2017 09:35:35 -0500
378 Subject: [PATCH 3/3] CVE-2017-6969
379
380 [PATCH] Fix illegal memory accesses in readelf when parsing a corrupt binary.
381 [PATCH] Fix another memory access error in readelf when parsing a corrupt binary.
382
383 [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456
384 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14
385 [2] https://bugs.gentoo.org/show_bug.cgi?id=621130
386 ---
387 binutils/dwarf.c | 34 ++++++++++++++++++++--------------
388 binutils/readelf.c | 10 ++++++++--
389 2 files changed, 28 insertions(+), 16 deletions(-)
390
391 diff --git a/binutils/dwarf.c b/binutils/dwarf.c
392 index 05efa6e..3312bc5 100644
393 --- a/binutils/dwarf.c
394 +++ b/binutils/dwarf.c
395 @@ -76,7 +76,6 @@ int dwarf_check = 0;
396 as a zero-terminated list of section indexes comprising one set of debug
397 sections from a .dwo file. */
398
399 -static int cu_tu_indexes_read = 0;
400 static unsigned int *shndx_pool = NULL;
401 static unsigned int shndx_pool_size = 0;
402 static unsigned int shndx_pool_used = 0;
403 @@ -99,7 +98,7 @@ static int tu_count = 0;
404 static struct cu_tu_set *cu_sets = NULL;
405 static struct cu_tu_set *tu_sets = NULL;
406
407 -static void load_cu_tu_indexes (void *file);
408 +static bfd_boolean load_cu_tu_indexes (void *);
409
410 /* Values for do_debug_lines. */
411 #define FLAG_DEBUG_LINES_RAW 1
412 @@ -2739,7 +2738,7 @@ load_debug_info (void * file)
413 return num_debug_info_entries;
414
415 /* If this is a DWARF package file, load the CU and TU indexes. */
416 - load_cu_tu_indexes (file);
417 + (void) load_cu_tu_indexes (file);
418
419 if (load_debug_section (info, file)
420 && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
421 @@ -7402,21 +7401,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
422 section sets that we can use to associate a .debug_info.dwo section
423 with its associated .debug_abbrev.dwo section in a .dwp file. */
424
425 -static void
426 +static bfd_boolean
427 load_cu_tu_indexes (void *file)
428 {
429 + static int cu_tu_indexes_read = -1; /* Tri-state variable. */
430 +
431 /* If we have already loaded (or tried to load) the CU and TU indexes
432 then do not bother to repeat the task. */
433 - if (cu_tu_indexes_read)
434 - return;
435 -
436 - if (load_debug_section (dwp_cu_index, file))
437 - process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
438 -
439 - if (load_debug_section (dwp_tu_index, file))
440 - process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
441 + if (cu_tu_indexes_read == -1)
442 + {
443 + cu_tu_indexes_read = TRUE;
444 +
445 + if (load_debug_section (dwp_cu_index, file))
446 + if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
447 + cu_tu_indexes_read = FALSE;
448 +
449 + if (load_debug_section (dwp_tu_index, file))
450 + if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
451 + cu_tu_indexes_read = FALSE;
452 + }
453
454 - cu_tu_indexes_read = 1;
455 + return (bfd_boolean) cu_tu_indexes_read;
456 }
457
458 /* Find the set of sections that includes section SHNDX. */
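Review bot: The comment `/* Tri-state variable. */` should name the three states, since `TRUE` is assigned before either section is loaded and the return value is what find_cu_tu_set now acts on: `-1` = not yet attempted, `TRUE` = attempted and every index section that was present parsed, `FALSE` = an index section was present but failed to parse. It is worth stating explicitly that a file with no index sections at all yields `TRUE` and an empty pool, so callers cannot distinguish "no indexes" from "indexes loaded" by this return. The `(bfd_boolean)` cast on the return is safe only because `-1` can never survive the block above; a one-line comment saying so would save the next reader the check.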
459 @@ -7426,7 +7431,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
460 {
461 unsigned int i;
462
463 - load_cu_tu_indexes (file);
464 + if (! load_cu_tu_indexes (file))
465 + return NULL;
466
467 /* Find SHNDX in the shndx pool. */
468 for (i = 0; i < shndx_pool_used; i++)
469 diff --git a/binutils/readelf.c b/binutils/readelf.c
470 index fd23b6b..3950412 100644
471 --- a/binutils/readelf.c
472 +++ b/binutils/readelf.c
473 @@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set)
474 if (set != NULL)
475 {
476 while ((i = *set++) > 0)
477 - if (streq (SECTION_NAME (section_headers + i), name))
478 - return section_headers + i;
479 + {
480 + /* See PR 21156 for a reproducer. */
481 + if (i >= elf_header.e_shnum)
482 + continue; /* FIXME: Should we issue an error message ? */
483 +
484 + if (streq (SECTION_NAME (section_headers + i), name))
485 + return section_headers + i;
486 + }
487 }
488
489 return find_section (name);
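Review bot: The new range check on `i` skips an out-of-range index silently, so a corrupt section set degrades to "section not found" with no indication to the user that the index table itself is bad; the FIXME on that line can be resolved by reporting it, `warn (_("section set contains invalid section index %u\n"), i);` before the `continue`. readelf's other validation paths in this patch set report via error(), so a diagnostic here is consistent with them. find_section_in_set's head is outside the hunk.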
490 --
491 2.13.0