Diffstat (limited to 'external/poky/meta/recipes-devtools/binutils/binutils')
6 files changed, 410 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 00000000..ff853511
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+ PR 23994
+ * aoutx.h: Include limits.h.
+ (get_reloc_upper_bound): Detect long overflow and return a file
+ too big error if it occurs.
+ * elf.c: Include limits.h.
+ (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+ a file too big error if it occurs.
+ (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+ (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
++ bfd_size_type count;
++
+ if (bfd_get_format (abfd) != bfd_object)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ }
+
+ if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+ }
+
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32. */
+ #define _SYSCALL32
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ }
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+- long ret;
++ bfd_size_type count;
+ asection *s;
+
+ if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ return -1;
+ }
+
+- ret = sizeof (arelent *);
++ count = 1;
+ for (s = abfd->sections; s != NULL; s = s->next)
+ if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+ && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+ || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+ }
+
+ /* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
new file mode 100644
index 00000000..b44d448f
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
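Review bot: In the `_bfd_elf_get_dynamic_reloc_upper_bound` part of CVE-2018-1000876.patch, the overflow test runs only after `count += s->size / elf_section_data (s)->this_hdr.sh_entsize`. The addition itself can therefore wrap `bfd_size_type` for a crafted section size, leaving a small `count` that passes `count > LONG_MAX / sizeof (arelent *)`. Testing the addend before adding closes that gap: `bfd_size_type ext = s->size / elf_section_data (s)->this_hdr.sh_entsize;` then `if (ext > LONG_MAX / sizeof (arelent *) - count)` with the existing error return, then `count += ext;`. The same statement divides by `sh_entsize` with no zero check visible in the hunk; unless that field is validated where section headers are read, a guard or a comment naming the validating code is worth adding.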
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+ error messages about malformed archives.
+
+ PR 14049
+ * readelf.c (process_archive): Use arch.file_name in error
+ messages until the qualified name is available.
+
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/readelf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ /* Read the next archive header. */
+ if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+ {
+- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+ return FALSE;
+ }
+ got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ {
+ if (got == 0)
+ break;
+- error (_("%s: failed to read archive header\n"), filedata->file_name);
++ /* PR 24049 - we cannot use filedata->file_name as this will
++ have already been freed. */
++ error (_("%s: failed to read archive header\n"), arch.file_name);
++
+ ret = FALSE;
+ break;
+ }
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ name = get_archive_member_name (&arch, &nested_arch);
+ if (name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ qualified_name = make_qualified_name (&arch, &nested_arch, name);
+ if (qualified_name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ if (nested_arch.file == NULL)
+ {
+ error (_("%s: contains corrupt thin archive: %s\n"),
+- filedata->file_name, name);
++ qualified_name, name);
+ ret = FALSE;
+ break;
+ }
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
new file mode 100644
index 00000000..24fb0312
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
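Review bot: In CVE-2018-20623.patch the added comment in the `failed to read archive header` branch cites `PR 24049`, while the patch's own changelog entry says `PR 14049`. The two should agree so the use-after-free fix can be traced to its report. The reason for avoiding `filedata->file_name` is also documented at only one of the five changed `error ()` calls. The last call switches to `qualified_name` rather than `arch.file_name`, and a short comment there, e.g. `/* filedata->file_name may already have been freed; report the qualified name. */`, would guard against a later cleanup reverting it. `process_archive` starts and ends outside these hunks, so the point at which `filedata->file_name` is freed is not visible here.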
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+ elf_link_add_object_symbols
+
+ PR 24041
+ * elflink.c (elf_link_add_object_symbols): Don't segfault on
+ crafted ET_DYN with no program headers.
+
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+ all sections contained fully therein. This makes relro
+ shared library sections appear as they will at run-time. */
+ phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+- while (--phdr >= elf_tdata (abfd)->phdr)
++ while (phdr-- > elf_tdata (abfd)->phdr)
+ if (phdr->p_type == PT_GNU_RELRO)
+ {
+ for (s = abfd->sections; s != NULL; s = s->next)
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
new file mode 100644
index 00000000..9bd9207b
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
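Review bot: The one-token change to `while (phdr-- > elf_tdata (abfd)->phdr)` in CVE-2018-20651.patch has no comment saying why the post-decrement form matters, so it is easy to rewrite back into the vulnerable shape. With an `e_phnum` of 0 (and presumably a null `phdr` array), the old `--phdr >=` test moved the pointer below the array start before comparing, which let the loop body dereference it. A comment above the loop such as `/* Compare before decrementing: with no program headers phdr must never point before the array. */` would record the invariant. The loop body continues outside the hunk.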
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+ corrupt binaries using a 32-bit binutil.
+
+ PR 24005
+ * objdump.c (load_specific_debug_section): Check for integer
+ overflow before attempting to allocate contents.
+
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/objdump.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ section->reloc_info = NULL;
+ section->num_relocs = 0;
+ section->address = bfd_get_section_vma (abfd, sec);
++ section->user_data = sec;
+ section->size = bfd_get_section_size (sec);
+ amt = section->size + 1;
++ if (amt == 0 || amt > bfd_get_file_size (abfd))
++ {
++ section->start = NULL;
++ free_debug_section (debug);
++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
++ section->name, (unsigned long long) section->size);
++ return FALSE;
++ }
+ section->start = contents = malloc (amt);
+- section->user_data = sec;
+- if (amt == 0
+- || section->start == NULL
++ if (section->start == NULL
+ || !bfd_get_full_section_contents (abfd, sec, &contents))
+ {
+ free_debug_section (debug);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 00000000..3e95b922
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
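Review bot: The new guard `amt > bfd_get_file_size (abfd)` in CVE-2018-20671.patch uses the on-disk file size as a hard upper bound on a section's in-memory size, which is stricter than the integer-overflow check the description promises. If `bfd_get_file_size` can report 0 for an unknown size, every section is rejected. A section whose contents are stored compressed could presumably also be legitimately larger than the file. Limiting the comparison to a known size, `if (amt == 0 || (bfd_get_file_size (abfd) > 0 && amt > bfd_get_file_size (abfd)))`, keeps the `amt == 0` wrap check intact; the compressed-section case needs confirming against how `section->size` is set outside this hunk. A comment stating that `amt == 0` detects the wrap of `section->size + 1` would also help the next reader.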
@@ -0,0 +1,39 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
+
+CVE: CVE-2019-12972
+Affects: <= 2.23.0
+Dropped Changelog
+Signed-off-by Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elfcode.h
+===================================================================
+--- git.orig/bfd/elfcode.h
++++ git/bfd/elfcode.h
+@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 00000000..499cf0e0
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
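Review bot: The header of CVE-2019-12972.patch does not match what the patch carries, which matters for a file that exists to track a CVE fix. Its diffstat still lists `bfd/ChangeLog | 5 +++++` and `2 files changed, 7 insertions(+), 1 deletion(-)` although the ChangeLog hunk was dropped and only `bfd/elfcode.h` is changed. `Signed-off-by Armin Kuster` lacks the colon, so trailer-parsing tools will not recognise the sign-off. `Affects: <= 2.23.0` also looks like a transposed version number and should be confirmed against the affected binutils release. In the code itself, a comment noting that `i_shdrp[i_ehdrp->e_shstrndx]` is indexed only after the bounds test, because `||` short-circuits, would keep the two conditions from being reordered.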
@@ -0,0 +1,33 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
+CVE: CVE-2019-14444
+Dropped changelog
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/readelf.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -13113,7 +13113,7 @@ apply_relocations (Filedata *
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset, |
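Review bot: The added `rloc >= end` test in CVE-2019-14444.patch still operates on `rloc = start + rp->r_offset`, a pointer already formed from the untrusted offset. For a large `r_offset` that addition can wrap, and is out-of-bounds pointer arithmetic, before any of the comparisons run. Comparing offsets instead of pointers avoids forming the bad pointer: `if (rp->r_offset >= (size_t) (end - start) || reloc_size > (size_t) (end - start) - rp->r_offset)`, with `rloc` assigned only after the check passes. `start`, `end` and `reloc_size` are declared outside the hunk, so the casts need checking against their real types. The patch header's diffstat, `2 files changed, 7 insertions(+), 1 deletion(-)`, also does not match the single one-line change to `binutils/readelf.c`.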