tamiko 17/06/06 20:57:47 |
|
Modified: README.history |
Added: 00_all_0007-CVE-2017-8421.patch |
00_all_0008-CVE-2017-9038.patch |
00_all_0009-CVE-2017-9039.patch |
00_all_0010-CVE-2017-9040-CVE-2017-9042.patch |
00_all_0011-0011-CVE-2017-9041.patch |
binutils-2.27-CVE-2017-8421.patch |
Log: |
binutils-2.27: Update to patchset 1.1 |
|
Revision Changes Path |
1.2 src/patchsets/binutils/2.27/README.history |
15 |
|
16 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&view=markup |
17 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&content-type=text/plain |
18 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?r1=1.1&r2=1.2 |
19 |
|
20 |
Index: README.history |
21 |
=================================================================== |
22 |
RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.27/README.history,v |
23 |
retrieving revision 1.1 |
24 |
retrieving revision 1.2 |
25 |
diff -u -r1.1 -r1.2 |
26 |
--- README.history 15 Nov 2016 07:08:40 -0000 1.1 |
27 |
+++ README.history 6 Jun 2017 20:57:47 -0000 1.2 |
28 |
@@ -1,3 +1,10 @@ |
29 |
+1.1 06 Jun 2017 |
30 |
+ + 00_all_0007-CVE-2017-8421.patch |
31 |
+ + 00_all_0008-CVE-2017-9038.patch |
32 |
+ + 00_all_0009-CVE-2017-9039.patch |
33 |
+ + 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch |
34 |
+ + 00_all_0011-0011-CVE-2017-9041.patch |
35 |
+ |
36 |
1.0 12 Nov 2016 |
37 |
+ 00_all_0001-ld-always-warn-about-textrels-in-files.patch |
38 |
+ 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch |
39 |
|
40 |
|
41 |
|
42 |
1.1 src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch |
43 |
|
44 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&view=markup |
45 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&content-type=text/plain |
46 |
|
47 |
Index: 00_all_0007-CVE-2017-8421.patch |
48 |
=================================================================== |
49 |
From 066b5b9598ffcf4d8e99034fa370e1ba8393341c Mon Sep 17 00:00:00 2001 |
50 |
From: Matthias Maier <tamiko@××××.org> |
51 |
Date: Tue, 6 Jun 2017 13:04:17 -0500 |
52 |
Subject: [PATCH 1/5] CVE-2017-8421 |
53 |
|
54 |
[PATCH] Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs. |
55 |
|
56 |
Patch taken from [1]. Gentoo bug [2] |
57 |
|
58 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=39ff1b79f687b65f4144ddb379f22587003443fb |
59 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=618520 |
60 |
--- |
61 |
binutils/objdump.c | 8 ++++++++ |
62 |
1 file changed, 8 insertions(+) |
63 |
|
64 |
diff --git a/binutils/objdump.c b/binutils/objdump.c |
65 |
index bf9c592..cbe2e0a 100644 |
66 |
--- a/binutils/objdump.c |
67 |
+++ b/binutils/objdump.c |
68 |
@@ -3238,6 +3238,14 @@ dump_relocs_in_section (bfd *abfd, |
69 |
return; |
70 |
} |
71 |
|
72 |
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 |
73 |
+ && relsize > get_file_size (bfd_get_filename (abfd))) |
74 |
+ { |
75 |
+ printf (" (too many: 0x%x)\n", section->reloc_count); |
76 |
+ bfd_set_error (bfd_error_file_truncated); |
77 |
+ bfd_fatal (bfd_get_filename (abfd)); |
78 |
+ } |
79 |
+ |
80 |
relpp = (arelent **) xmalloc (relsize); |
81 |
relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); |
82 |
|
83 |
-- |
84 |
2.13.0 |
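Review bot: The new guard in `dump_relocs_in_section` turns an oversized reloc table into `bfd_fatal`, which aborts the whole objdump run instead of skipping the one bad section; for a tool that is routinely pointed at untrusted binaries, reporting through `non_fatal` and then `return`ing would keep the remaining sections dumpable. The size comparison also passes `bfd_get_filename (abfd)` straight to `get_file_size` with no check of what that helper reports for a path it cannot stat — if it yields 0 in that case (not visible from this hunk), any positive `relsize` would trip the fatal path. `dump_relocs_in_section` starts and ends outside the hunk. The identical hunk appears again in binutils-2.27-CVE-2017-8421.patch later in this commit.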
85 |
|
86 |
|
87 |
|
88 |
|
89 |
1.1 src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch |
90 |
|
91 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&view=markup |
92 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&content-type=text/plain |
93 |
|
94 |
Index: 00_all_0008-CVE-2017-9038.patch |
95 |
=================================================================== |
96 |
From 581a94cb18d994071f9660a7b84d1d2bc104fc4f Mon Sep 17 00:00:00 2001 |
97 |
From: Matthias Maier <tamiko@××××.org> |
98 |
Date: Tue, 6 Jun 2017 13:18:07 -0500 |
99 |
Subject: [PATCH 2/5] CVE-2017-9038 |
100 |
|
101 |
readelf: Update check for invalid word offsets in ARM unwind information. |
102 |
|
103 |
Patch taken from [1]. Gentoo bug [2] |
104 |
|
105 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d |
106 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826 |
107 |
--- |
108 |
binutils/readelf.c | 6 +++--- |
109 |
1 file changed, 3 insertions(+), 3 deletions(-) |
110 |
|
111 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
112 |
index 274ddd1..9a515ff 100644 |
113 |
--- a/binutils/readelf.c |
114 |
+++ b/binutils/readelf.c |
115 |
@@ -7738,9 +7738,9 @@ get_unwind_section_word (struct arm_unw_aux_info * aux, |
116 |
return FALSE; |
117 |
|
118 |
/* If the offset is invalid then fail. */ |
119 |
- if (word_offset > (sec->sh_size - 4) |
120 |
- /* PR 18879 */ |
121 |
- || (sec->sh_size < 5 && word_offset >= sec->sh_size) |
122 |
+ if (/* PR 21343 *//* PR 18879 */ |
123 |
+ sec->sh_size < 4 |
124 |
+ || word_offset > (sec->sh_size - 4) |
125 |
|| ((bfd_signed_vma) word_offset) < 0) |
126 |
return FALSE; |
127 |
|
128 |
-- |
129 |
2.13.0 |
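Review bot: The fused comment `/* PR 21343 *//* PR 18879 */` inside the condition reads like a pasting accident; a single comment on its own line before the `if`, `/* PR 18879, PR 21343: a section shorter than one word can hold no offset.  */`, would say why the `sec->sh_size < 4` term was added. The ordering itself is sound: the `sh_size < 4` test runs first, so `sec->sh_size - 4` can no longer wrap for a tiny section before `word_offset` is compared against it. `get_unwind_section_word` starts and ends outside the hunk.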
130 |
|
131 |
|
132 |
|
133 |
|
134 |
1.1 src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch |
135 |
|
136 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&view=markup |
137 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&content-type=text/plain |
138 |
|
139 |
Index: 00_all_0009-CVE-2017-9039.patch |
140 |
=================================================================== |
141 |
From b365e09549f642683fd21e5804be962077882d33 Mon Sep 17 00:00:00 2001 |
142 |
From: Matthias Maier <tamiko@××××.org> |
143 |
Date: Tue, 6 Jun 2017 13:24:24 -0500 |
144 |
Subject: [PATCH 3/5] CVE-2017-9039 |
145 |
|
146 |
readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers. |
147 |
|
148 |
Patch taken from [1]. Gentoo bug [2] |
149 |
|
150 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5 |
151 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826 |
152 |
--- |
153 |
binutils/readelf.c | 14 ++++++++++++-- |
154 |
1 file changed, 12 insertions(+), 2 deletions(-) |
155 |
|
156 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
157 |
index 9a515ff..a11931d 100644 |
158 |
--- a/binutils/readelf.c |
159 |
+++ b/binutils/readelf.c |
160 |
@@ -4698,9 +4698,19 @@ get_program_headers (FILE * file) |
161 |
if (program_headers != NULL) |
162 |
return 1; |
163 |
|
164 |
- phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, |
165 |
- sizeof (Elf_Internal_Phdr)); |
166 |
+ /* Be kind to memory checkers by looking for |
167 |
+ e_phnum values which we know must be invalid. */ |
168 |
+ if (elf_header.e_phnum |
169 |
+ * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) |
170 |
+ >= current_file_size) |
171 |
+ { |
172 |
+ error (_("Too many program headers - %#x - the file is not that big\n"), |
173 |
+ elf_header.e_phnum); |
174 |
+ return FALSE; |
175 |
+ } |
176 |
|
177 |
+ phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, |
178 |
+ sizeof (Elf_Internal_Phdr)); |
179 |
if (phdrs == NULL) |
180 |
{ |
181 |
error (_("Out of memory reading %u program headers\n"), |
182 |
-- |
183 |
2.13.0 |
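Review bot: The new early exit returns `FALSE` from `get_program_headers`, while the existing success path two lines above returns the literal `1`; callers presumably test for non-zero so it works, but mixing `1` with `FALSE` in one function obscures whether this is a boolean contract — `return 0;` here (or moving the function to `TRUE`/`FALSE` throughout in a follow-up) would keep it consistent. The bound itself is the right one: it multiplies `e_phnum` by the on-disk `Elf32_External_Phdr`/`Elf64_External_Phdr` size, which is what `current_file_size` must be able to hold, rather than the larger internal struct. `get_program_headers` continues outside the hunk.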
184 |
|
185 |
|
186 |
|
187 |
|
188 |
1.1 src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch |
189 |
|
190 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&view=markup |
191 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&content-type=text/plain |
192 |
|
193 |
Index: 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch |
194 |
=================================================================== |
195 |
From 264947c1489c7d7469d34db92672f8c3bde37fb2 Mon Sep 17 00:00:00 2001 |
196 |
From: Matthias Maier <tamiko@××××.org> |
197 |
Date: Tue, 6 Jun 2017 13:30:14 -0500 |
198 |
Subject: [PATCH 4/5] CVE-2017-9040, CVE-2017-9042 |
199 |
|
200 |
readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries. |
201 |
|
202 |
Patch taken from [1]. Gentoo bug [2] |
203 |
|
204 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf |
205 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826 |
206 |
--- |
207 |
binutils/readelf.c | 15 +++++++++++++++ |
208 |
1 file changed, 15 insertions(+) |
209 |
|
210 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
211 |
index a11931d..b3ec415 100644 |
212 |
--- a/binutils/readelf.c |
213 |
+++ b/binutils/readelf.c |
214 |
@@ -9072,6 +9072,12 @@ process_dynamic_section (FILE * file) |
215 |
processing that. This is overkill, I know, but it |
216 |
should work. */ |
217 |
section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0); |
218 |
+ if ((bfd_size_type) section.sh_offset > current_file_size) |
219 |
+ { |
220 |
+ /* See PR 21379 for a reproducer. */ |
221 |
+ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset); |
222 |
+ return FALSE; |
223 |
+ } |
224 |
|
225 |
if (archive_file_offset != 0) |
226 |
section.sh_size = archive_file_size - section.sh_offset; |
227 |
@@ -14788,6 +14794,15 @@ process_mips_specific (FILE * file) |
228 |
return 0; |
229 |
} |
230 |
|
231 |
+ /* PR 21345 - print a slightly more helpful error message |
232 |
+ if we are sure that the cmalloc will fail. */ |
233 |
+ if (conflictsno * sizeof (* iconf) > current_file_size) |
234 |
+ { |
235 |
+ error (_("Overlarge number of conflicts detected: %lx\n"), |
236 |
+ (long) conflictsno); |
237 |
+ return FALSE; |
238 |
+ } |
239 |
+ |
240 |
iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf)); |
241 |
if (iconf == NULL) |
242 |
{ |
243 |
-- |
244 |
2.13.0 |
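Review bot: In the `process_mips_specific` hunk the guard `conflictsno * sizeof (* iconf) > current_file_size` can wrap when `conflictsno`, which comes from the dynamic section of an untrusted file, is large enough for the product to overflow, in which case the new check passes and `cmalloc` sees the raw values; writing it as a division, `if (conflictsno > current_file_size / sizeof (* iconf))`, gives the same bound without the overflow. Whether `cmalloc` independently rejects that case cannot be seen from this hunk. Separately, the `process_dynamic_section` hunk's message `_("Invalid DT_SYMTAB entry: %lx")` lacks the trailing `\n` that every other `error` call in this patch set carries. Both enclosing functions start and end outside their hunks.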
245 |
|
246 |
|
247 |
|
248 |
|
249 |
1.1 src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch |
250 |
|
251 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&view=markup |
252 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&content-type=text/plain |
253 |
|
254 |
Index: 00_all_0011-0011-CVE-2017-9041.patch |
255 |
=================================================================== |
256 |
From 268cb749fe1b1f78929d3df43f3142c9c73f2bda Mon Sep 17 00:00:00 2001 |
257 |
From: Matthias Maier <tamiko@××××.org> |
258 |
Date: Tue, 6 Jun 2017 13:40:06 -0500 |
259 |
Subject: [PATCH 5/5] CVE-2017-9041 |
260 |
|
261 |
Patch taken from [1]. Gentoo bug [2] |
262 |
|
263 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 |
264 |
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 |
265 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826 |
266 |
--- |
267 |
binutils/readelf.c | 7 +++++++ |
268 |
1 file changed, 7 insertions(+) |
269 |
|
270 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
271 |
index b3ec415..984fb9b 100644 |
272 |
--- a/binutils/readelf.c |
273 |
+++ b/binutils/readelf.c |
274 |
@@ -14918,7 +14918,14 @@ process_mips_specific (FILE * file) |
275 |
printf (_(" Lazy resolver\n")); |
276 |
if (ent == (bfd_vma) -1) |
277 |
goto got_print_fail; |
278 |
+ |
279 |
+ /* Check for the MSB of GOT[1] being set, denoting a GNU object. |
280 |
+ This entry will be used by some runtime loaders, to store the |
281 |
+ module pointer. Otherwise this is an ordinary local entry. |
282 |
+ PR 21344: Check for the entry being fully available before |
283 |
+ fetching it. */ |
284 |
if (data |
285 |
+ && data + ent - pltgot + addr_size <= data_end |
286 |
&& (byte_get (data + ent - pltgot, addr_size) |
287 |
>> (addr_size * 8 - 1)) != 0) |
288 |
{ |
289 |
-- |
290 |
2.13.0 |
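Review bot: The new bound `data + ent - pltgot + addr_size <= data_end` does its arithmetic in pointer space: `data + ent` is formed before `pltgot` is subtracted, and if `ent` is below `pltgot` the intermediate pointer lies outside the buffer, which is undefined behaviour in C even though the final comparison usually comes out as intended. Comparing integers first, e.g. `ent >= pltgot && ent - pltgot + addr_size <= (bfd_vma) (data_end - data)`, never forms an out-of-range pointer; whether `ent < pltgot` is already excluded earlier in `process_mips_specific` cannot be seen from this hunk. The function starts and ends outside the hunk.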
291 |
|
292 |
|
293 |
|
294 |
|
295 |
1.1 src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch |
296 |
|
297 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&view=markup |
298 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&content-type=text/plain |
299 |
|
300 |
Index: binutils-2.27-CVE-2017-8421.patch |
301 |
=================================================================== |
302 |
From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001 |
303 |
From: Nick Clifton <nickc@××××××.com> |
304 |
Date: Tue, 2 May 2017 11:54:53 +0100 |
305 |
Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an |
306 |
overlarge number of relocs. |
307 |
|
308 |
PR 21440 |
309 |
* objdump.c (dump_relocs_in_section): Check for an excessive |
310 |
number of relocs before attempting to dump them. |
311 |
--- |
312 |
binutils/ChangeLog | 6 ++++++ |
313 |
binutils/objdump.c | 8 ++++++++ |
314 |
2 files changed, 14 insertions(+) |
315 |
|
316 |
diff --git a/binutils/objdump.c b/binutils/objdump.c |
317 |
index bc61000..5972da1 100644 |
318 |
--- a/binutils/objdump.c |
319 |
+++ b/binutils/objdump.c |
320 |
@@ -3379,6 +3379,14 @@ dump_relocs_in_section (bfd *abfd, |
321 |
return; |
322 |
} |
323 |
|
324 |
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 |
325 |
+ && relsize > get_file_size (bfd_get_filename (abfd))) |
326 |
+ { |
327 |
+ printf (" (too many: 0x%x)\n", section->reloc_count); |
328 |
+ bfd_set_error (bfd_error_file_truncated); |
329 |
+ bfd_fatal (bfd_get_filename (abfd)); |
330 |
+ } |
331 |
+ |
332 |
relpp = (arelent **) xmalloc (relsize); |
333 |
relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); |
334 |
|
335 |
-- |
336 |
2.9.3 |
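Review bot: This file carries the same `dump_relocs_in_section` hunk as 00_all_0007-CVE-2017-8421.patch (upstream line 3379 here versus 3238 in the rebased copy), yet only the 00_all_0007 file is recorded in README.history; if the patchset tooling applies every patch in the directory, this one would be applied on top of the first and either be rejected or, with fuzz, duplicate the check. Shipping one copy, or noting in README.history why both are present, would remove the ambiguity. The diffstat also lists a `binutils/ChangeLog` change and "2 files changed" although only the objdump.c diff is included in the file.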