[OE-core] [thud] binutils: Fix 4 CVEs
akuster808
akuster808 at gmail.com
Mon Sep 9 21:16:13 UTC 2019
On 9/9/19 10:31 AM, msft.dantran at gmail.com wrote:
> From: Dan Tran <dantran at microsoft.com>
>
> Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20671, and
> CVE-2018-1000876 for binutils 2.31.1.
thanks. in thud test staging. ( contrib: stable/thud-nmut )
- armin
>
> Signed-off-by: Dan Tran <dantran at microsoft.com>
> ---
> meta/recipes-devtools/binutils/binutils-2.31.inc | 4 +
> .../binutils/binutils/CVE-2018-1000876.patch | 180 +++++++++++++++++++++
> .../binutils/binutils/CVE-2018-20623.patch | 74 +++++++++
> .../binutils/binutils/CVE-2018-20651.patch | 35 ++++
> .../binutils/binutils/CVE-2018-20671.patch | 49 ++++++
> 5 files changed, 342 insertions(+)
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
> index 62acec5..ba9272a 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.31.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
> @@ -46,6 +46,10 @@ SRC_URI = "\
> file://CVE-2018-18605.patch \
> file://CVE-2018-18606.patch \
> file://CVE-2018-18607.patch \
> + file://CVE-2018-20623.patch \
> + file://CVE-2018-20651.patch \
> + file://CVE-2018-20671.patch \
> + file://CVE-2018-1000876.patch \
> "
> S = "${WORKDIR}/git"
>
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
> new file mode 100644
> index 0000000..ff85351
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
> @@ -0,0 +1,180 @@
> +From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra at gmail.com>
> +Date: Sun, 16 Dec 2018 23:02:50 +1030
> +Subject: [PATCH] PR23994, libbfd integer overflow
> +
> + PR 23994
> + * aoutx.h: Include limits.h.
> + (get_reloc_upper_bound): Detect long overflow and return a file
> + too big error if it occurs.
> + * elf.c: Include limits.h.
> + (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
> + a file too big error if it occurs.
> + (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
> + (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
> +
> +CVE: CVE-2018-1000876
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
> + bfd/elf.c | 32 ++++++++++++++++++++++++--------
> + 2 files changed, 45 insertions(+), 27 deletions(-)
> +
> +diff --git a/bfd/aoutx.h b/bfd/aoutx.h
> +index 023843b0be..78eaa9c503 100644
> +--- a/bfd/aoutx.h
> ++++ b/bfd/aoutx.h
> +@@ -117,6 +117,7 @@ DESCRIPTION
> + #define KEEPIT udata.i
> +
> + #include "sysdep.h"
> ++#include <limits.h>
> + #include "bfd.h"
> + #include "safe-ctype.h"
> + #include "bfdlink.h"
> +@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
> + long
> + NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
> + {
> ++ bfd_size_type count;
> ++
> + if (bfd_get_format (abfd) != bfd_object)
> + {
> + bfd_set_error (bfd_error_invalid_operation);
> +@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
> + }
> +
> + if (asect->flags & SEC_CONSTRUCTOR)
> +- return sizeof (arelent *) * (asect->reloc_count + 1);
> +-
> +- if (asect == obj_datasec (abfd))
> +- return sizeof (arelent *)
> +- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
> +- + 1);
> +-
> +- if (asect == obj_textsec (abfd))
> +- return sizeof (arelent *)
> +- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
> +- + 1);
> +-
> +- if (asect == obj_bsssec (abfd))
> +- return sizeof (arelent *);
> +-
> +- if (asect == obj_bsssec (abfd))
> +- return 0;
> ++ count = asect->reloc_count;
> ++ else if (asect == obj_datasec (abfd))
> ++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
> ++ else if (asect == obj_textsec (abfd))
> ++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
> ++ else if (asect == obj_bsssec (abfd))
> ++ count = 0;
> ++ else
> ++ {
> ++ bfd_set_error (bfd_error_invalid_operation);
> ++ return -1;
> ++ }
> +
> +- bfd_set_error (bfd_error_invalid_operation);
> +- return -1;
> ++ if (count >= LONG_MAX / sizeof (arelent *))
> ++ {
> ++ bfd_set_error (bfd_error_file_too_big);
> ++ return -1;
> ++ }
> ++ return (count + 1) * sizeof (arelent *);
> + }
> +
> + long
> +diff --git a/bfd/elf.c b/bfd/elf.c
> +index 828241d48a..10037176a3 100644
> +--- a/bfd/elf.c
> ++++ b/bfd/elf.c
> +@@ -35,6 +35,7 @@ SECTION
> + /* For sparc64-cross-sparc32. */
> + #define _SYSCALL32
> + #include "sysdep.h"
> ++#include <limits.h>
> + #include "bfd.h"
> + #include "bfdlink.h"
> + #include "libbfd.h"
> +@@ -8114,11 +8115,16 @@ error_return:
> + long
> + _bfd_elf_get_symtab_upper_bound (bfd *abfd)
> + {
> +- long symcount;
> ++ bfd_size_type symcount;
> + long symtab_size;
> + Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
> +
> + symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
> ++ if (symcount >= LONG_MAX / sizeof (asymbol *))
> ++ {
> ++ bfd_set_error (bfd_error_file_too_big);
> ++ return -1;
> ++ }
> + symtab_size = (symcount + 1) * (sizeof (asymbol *));
> + if (symcount > 0)
> + symtab_size -= sizeof (asymbol *);
> +@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
> + long
> + _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
> + {
> +- long symcount;
> ++ bfd_size_type symcount;
> + long symtab_size;
> + Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
> +
> +@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
> + }
> +
> + symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
> ++ if (symcount >= LONG_MAX / sizeof (asymbol *))
> ++ {
> ++ bfd_set_error (bfd_error_file_too_big);
> ++ return -1;
> ++ }
> + symtab_size = (symcount + 1) * (sizeof (asymbol *));
> + if (symcount > 0)
> + symtab_size -= sizeof (asymbol *);
> +@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
> + long
> + _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
> + {
> +- long ret;
> ++ bfd_size_type count;
> + asection *s;
> +
> + if (elf_dynsymtab (abfd) == 0)
> +@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
> + return -1;
> + }
> +
> +- ret = sizeof (arelent *);
> ++ count = 1;
> + for (s = abfd->sections; s != NULL; s = s->next)
> + if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
> + && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
> + || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
> +- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
> +- * sizeof (arelent *));
> +-
> +- return ret;
> ++ {
> ++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
> ++ if (count > LONG_MAX / sizeof (arelent *))
> ++ {
> ++ bfd_set_error (bfd_error_file_too_big);
> ++ return -1;
> ++ }
> ++ }
> ++ return count * sizeof (arelent *);
> + }
> +
> + /* Canonicalize the dynamic relocation entries. Note that we return the
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> +
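Review bot: In the rewritten `_bfd_elf_get_dynamic_reloc_upper_bound` the overflow check runs after `count += s->size / elf_section_data (s)->this_hdr.sh_entsize`, so the unsigned addition itself can wrap to a small value before `count > LONG_MAX / sizeof (arelent *)` is evaluated; whether that is reachable depends on how far `s->size` has already been clamped against the file size elsewhere in bfd, which is not visible here. Computing the per-section term first and checking it against the remaining headroom, `bfd_size_type n = s->size / elf_section_data (s)->this_hdr.sh_entsize; if (n > LONG_MAX / sizeof (arelent *) - count) { bfd_set_error (bfd_error_file_too_big); return -1; }` followed by `count += n;`, removes the dependence on that clamp. The divisor `sh_entsize` is file-supplied and the hunk does not show it being checked for zero; if that is guaranteed by the section-header validation in `bfd_section_from_shdr`, a one-line comment saying so would save the next reader the search. Separately, the patch's `From` line names commit efec0844 while `Upstream-Status` cites 3a551c7a, and the same pattern holds for the other three patches in this series; naming the upstream commit in the `From` line, or stating that the hash is a local rebase, makes the backport's provenance checkable.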
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
> new file mode 100644
> index 0000000..b44d448
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
> @@ -0,0 +1,74 @@
> +From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc at redhat.com>
> +Date: Wed, 9 Jan 2019 12:25:16 +0000
> +Subject: [PATCH] Fix a heap use after free memory access fault when displaying
> + error messages about malformed archives.
> +
> + PR 14049
> + * readelf.c (process_archive): Use arch.file_name in error
> + messages until the qualified name is available.
> +
> +CVE: CVE-2018-20623
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + binutils/readelf.c | 13 ++++++++-----
> + 1 file changed, 8 insertions(+), 5 deletions(-)
> +
> +diff --git a/binutils/readelf.c b/binutils/readelf.c
> +index f4df697a7d..280023d8de 100644
> +--- a/binutils/readelf.c
> ++++ b/binutils/readelf.c
> +@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
> + /* Read the next archive header. */
> + if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
> + {
> +- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
> ++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
> + return FALSE;
> + }
> + got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
> +@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
> + {
> + if (got == 0)
> + break;
> +- error (_("%s: failed to read archive header\n"), filedata->file_name);
> ++ /* PR 24049 - we cannot use filedata->file_name as this will
> ++ have already been freed. */
> ++ error (_("%s: failed to read archive header\n"), arch.file_name);
> ++
> + ret = FALSE;
> + break;
> + }
> +@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
> + name = get_archive_member_name (&arch, &nested_arch);
> + if (name == NULL)
> + {
> +- error (_("%s: bad archive file name\n"), filedata->file_name);
> ++ error (_("%s: bad archive file name\n"), arch.file_name);
> + ret = FALSE;
> + break;
> + }
> +@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
> + qualified_name = make_qualified_name (&arch, &nested_arch, name);
> + if (qualified_name == NULL)
> + {
> +- error (_("%s: bad archive file name\n"), filedata->file_name);
> ++ error (_("%s: bad archive file name\n"), arch.file_name);
> + ret = FALSE;
> + break;
> + }
> +@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
> + if (nested_arch.file == NULL)
> + {
> + error (_("%s: contains corrupt thin archive: %s\n"),
> +- filedata->file_name, name);
> ++ qualified_name, name);
> + ret = FALSE;
> + break;
> + }
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> +
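Review bot: The ChangeLog entry at the top of the patch says `PR 14049` while the comment added in `process_archive` says `PR 24049`; one of the two is a typo and the patch text should be made consistent before it lands in the recipe. The rationale comment sits on only one of the five call sites that switch away from `filedata->file_name` (the seek failure, the two bad-archive-name errors and the corrupt-thin-archive message carry none), so a single comment near the `Read the next archive header` step, e.g. `/* PR 24049: filedata->file_name may already have been freed by the time an error is reported; use arch.file_name or qualified_name for diagnostics.  */`, would explain the whole hunk. `process_archive` begins and ends outside the hunk and the free that invalidates `filedata->file_name` is not visible here; if it happens in this function, clearing the pointer right after the free would turn any remaining stale read into a deterministic crash instead of a quiet use of freed memory.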
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
> new file mode 100644
> index 0000000..24fb031
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
> @@ -0,0 +1,35 @@
> +From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra at gmail.com>
> +Date: Mon, 31 Dec 2018 15:40:08 +1030
> +Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
> + elf_link_add_object_symbols
> +
> + PR 24041
> + * elflink.c (elf_link_add_object_symbols): Don't segfault on
> + crafted ET_DYN with no program headers.
> +
> +CVE: CVE-2018-20651
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + bfd/elflink.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/bfd/elflink.c b/bfd/elflink.c
> +index 46091b6341..557c550082 100644
> +--- a/bfd/elflink.c
> ++++ b/bfd/elflink.c
> +@@ -4178,7 +4178,7 @@ error_free_dyn:
> + all sections contained fully therein. This makes relro
> + shared library sections appear as they will at run-time. */
> + phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
> +- while (--phdr >= elf_tdata (abfd)->phdr)
> ++ while (phdr-- > elf_tdata (abfd)->phdr)
> + if (phdr->p_type == PT_GNU_RELRO)
> + {
> + for (s = abfd->sections; s != NULL; s = s->next)
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> +
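Review bot: The new loop condition `while (phdr-- > elf_tdata (abfd)->phdr)` is correct for `e_phnum == 0`, but the reason is invisible: the old form `--phdr >= ...` moved one element before the array when there were no program headers, and nothing in the hunk says so. A comment on the line, `/* Post-decrement so that e_phnum == 0 leaves the array untouched (PR 24041).  */`, would keep a later maintainer from "simplifying" it back. If `elf_tdata (abfd)->phdr` can be NULL when `e_phnum` is 0, the initialisation in the context line above still forms `NULL + 0`, which C11 does not define; an explicit `if (elf_elfheader (abfd)->e_phnum != 0)` around the loop would make both points clear. The enclosing function `elf_link_add_object_symbols` begins and ends outside the hunk.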
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
> new file mode 100644
> index 0000000..9bd9207
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
> @@ -0,0 +1,49 @@
> +From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc at redhat.com>
> +Date: Fri, 4 Jan 2019 13:44:34 +0000
> +Subject: [PATCH] Fix a possible integer overflow problem when examining
> + corrupt binaries using a 32-bit binutil.
> +
> + PR 24005
> + * objdump.c (load_specific_debug_section): Check for integer
> + overflow before attempting to allocate contents.
> +
> +CVE: CVE-2018-20671
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
> +
> +Signed-off-by: Dan Tran <dantran at microsoft.com>
> +---
> + binutils/objdump.c | 13 ++++++++++---
> + 1 file changed, 10 insertions(+), 3 deletions(-)
> +
> +diff --git a/binutils/objdump.c b/binutils/objdump.c
> +index f468fcdb59..89ca688938 100644
> +--- a/binutils/objdump.c
> ++++ b/binutils/objdump.c
> +@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
> + section->reloc_info = NULL;
> + section->num_relocs = 0;
> + section->address = bfd_get_section_vma (abfd, sec);
> ++ section->user_data = sec;
> + section->size = bfd_get_section_size (sec);
> + amt = section->size + 1;
> ++ if (amt == 0 || amt > bfd_get_file_size (abfd))
> ++ {
> ++ section->start = NULL;
> ++ free_debug_section (debug);
> ++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
> ++ section->name, (unsigned long long) section->size);
> ++ return FALSE;
> ++ }
> + section->start = contents = malloc (amt);
> +- section->user_data = sec;
> +- if (amt == 0
> +- || section->start == NULL
> ++ if (section->start == NULL
> + || !bfd_get_full_section_contents (abfd, sec, &contents))
> + {
> + free_debug_section (debug);
> +--
> +2.22.0.vfs.1.1.57.gbaf16c8
> +
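Review bot: The added guard `amt > bfd_get_file_size (abfd)` compares the section size with the on-disk file size, yet `bfd_get_full_section_contents` inflates compressed debug sections, so if `section->size` is already the decompressed size at this point a legitimately compressed `.debug_*` section larger than the file would be rejected as "invalid size"; the hunk does not show which size is in play, so this is worth checking with a binary built with compressed debug sections before the backport ships. If it is the inflated size, the check should be relaxed for sections whose `sec->compress_status` shows decompression pending, or replaced by a bound on the on-disk (compressed) size; I believe upstream revisited this check later, so comparing against current `objdump.c` is advisable. `load_specific_debug_section` begins and ends outside the hunk.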