[oe-commits] [openembedded-core] 05/51: binutils: Security Fix CVE-2017-9041

git at git.openembedded.org git at git.openembedded.org
Sun Jan 7 17:11:14 UTC 2018 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit d445a9abe7af0a1a54e466bdae8978f6ffb5f6bc
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Wed Jun 21 12:01:25 2017 -0700

    binutils: Security Fix CVE-2017-9041
    
    Source: binutils-gdb.git
    MR: 72791
    Type: Security Fix
    Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=919383ac718c2a3187ee2a9ad659daa22da26258
    ChangeID: 7b4588368a367a4d57efbfdcd9c00fcc0875af7b
    Description:
    
    Affects: <= 2.28
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Reviewed-by  Jeremy Puhlman <jpuhlman at mvista.com>
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.27.inc   |  2 +
 .../binutils/binutils/CVE-2017-9041_1.patch        | 51 +++++++++++++
 .../binutils/binutils/CVE-2017-9041_2.patch        | 84 ++++++++++++++++++++++
 3 files changed, 137 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 53c09e6..3f8a5fe 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
      file://CVE-2017-9039.patch \
      file://CVE-2017-9039_1.patch \
      file://CVE-2017-9040_and_9042.patch \
+     file://CVE-2017-9041_1.patch \
+     file://CVE-2017-9041_2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
new file mode 100644
index 0000000..857cd4a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
@@ -0,0 +1,51 @@
+From 919383ac718c2a3187ee2a9ad659daa22da26258 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro at imgtec.com>
+Date: Wed, 12 Apr 2017 00:02:13 +0100
+Subject: [PATCH] MIPS/readelf: Remove extraneous null GOT data check
+
+Null data is handled gracefully throughout in MIPS GOT processing, with
+addresses printed normally and unavailable data shown as `<unknown>' by
+`print_mips_got_entry', and special processing code for GOT[1] doing an
+explicit check.  Remove an unwanted null GOT data check then, introduced
+with commit 592458412fb2 in the course of addressing PR binutils/12855.
+
+	binutils/
+	* readelf.c (process_mips_specific): Remove null GOT data check.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9041 patch #1
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ binutils/ChangeLog | 4 ++++
+ binutils/readelf.c | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -14995,8 +14995,8 @@ process_mips_specific (FILE * file)
+       data = (unsigned char *) get_data (NULL, file, offset,
+                                          global_end - pltgot, 1,
+ 					 _("Global Offset Table data"));
+-      if (data == NULL)
+-	return 0;
++
++      /* PR 12855: Null data is handled gracefully throughout.  */
+       data_end = data + (global_end - pltgot);
+ 
+       printf (_("\nPrimary GOT:\n"));
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,7 @@
++2017-04-25  Maciej W. Rozycki  <macro at imgtec.com>
++ 
++       * readelf.c (process_mips_specific): Remove null GOT data check.
++
+ 2017-04-13  Nick Clifton  <nickc at redhat.com>
+  
+        PR binutils/21379
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
new file mode 100644
index 0000000..9c3cb8c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
@@ -0,0 +1,84 @@
+From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro at imgtec.com>
+Date: Wed, 12 Apr 2017 00:03:41 +0100
+Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check
+
+Unavailable data is handled gracefully in MIPS GOT processing done by
+`print_mips_got_entry', so all that is needed in special GOT[1] handling
+is to verify whether data can be retrieved for the purpose of the GNU
+marker check done with `byte_get'.  Remove the extra error reporting
+code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault
+in readelf when parsing a corrupt MIPS binary.") in the course of
+addressing PR binutils/21344, and defer the error case to regular local
+GOT entry processing.
+
+	binutils/
+	* readelf.c (process_mips_specific): Remove error reporting from
+	GOT[1] processing.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9041
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ binutils/ChangeLog |  5 +++++
+ binutils/readelf.c | 32 ++++++++++++++------------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file)
+       if (ent == (bfd_vma) -1)
+ 	goto got_print_fail;
+ 
+-      if (data)
++      /* Check for the MSB of GOT[1] being set, denoting a GNU object.
++	 This entry will be used by some runtime loaders, to store the
++	 module pointer.  Otherwise this is an ordinary local entry.
++	 PR 21344: Check for the entry being fully available before
++	 fetching it.  */
++      if (data
++	  && data + ent - pltgot + addr_size <= data_end
++	  && (byte_get (data + ent - pltgot, addr_size)
++	      >> (addr_size * 8 - 1)) != 0)
+ 	{
+-	  /* PR 21344 */
+-	  if (data + ent - pltgot > data_end - addr_size)
+-	    {
+-	      error (_("Invalid got entry - %#lx - overflows GOT table\n"),
+-		     (long) ent);
+-	      goto got_print_fail;
+-	    }
+-	  
+-	  if (byte_get (data + ent - pltgot, addr_size)
+-	      >> (addr_size * 8 - 1) != 0)
+-	    {
+-	      ent = print_mips_got_entry (data, pltgot, ent, data_end);
+-	      printf (_(" Module pointer (GNU extension)\n"));
+-	      if (ent == (bfd_vma) -1)
+-		goto got_print_fail;
+-	    }
++	  ent = print_mips_got_entry (data, pltgot, ent, data_end);
++	  printf (_(" Module pointer (GNU extension)\n"));
++	  if (ent == (bfd_vma) -1)
++	    goto got_print_fail;
+ 	}
+       printf ("\n");
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-04-25  Maciej W. Rozycki  <macro at imgtec.com>
++
++       * readelf.c (process_mips_specific): Remove error reporting from
++       GOT[1] processing.
++
++2017-04-25  Maciej W. Rozycki  <macro at imgtec.com>
+  
+        * readelf.c (process_mips_specific): Remove null GOT data check.
+ 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list