Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-devtools/binutils')
10 files changed, 895 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc index af1420b24..0936d974d 100644 --- a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc @@ -36,6 +36,15 @@ SRC_URI = "\ file://0014-libtool-remove-rpath.patch \ file://0015-binutils-mips-gas-pic-relax-linkonce.diff \ file://0015-Refine-.cfi_sections-check-to-only-consider-compact-.patch \ + file://0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch \ + file://0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch \ + file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \ + file://CVE-2017-6965.patch \ + file://CVE-2017-6966.patch \ + file://CVE-2017-6969.patch \ + file://CVE-2017-6969_2.patch \ + file://CVE-2017-7209.patch \ + file://CVE-2017-7210.patch \ " S = "${WORKDIR}/git" diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch new file mode 100644 index 000000000..d82a0b694 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch 
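Review bot: The patches added to SRC_URI here carry `binutils/ChangeLog` hunks, and the one in CVE-2017-6965.patch (`@@ -5,6 +5,13 @@`) uses the very entry it adds as its leading context. That context is not present in a tree whose ChangeLog starts at the `2016-08-03` entry, which is what the `@@ -1,3 +1,9 @@` hunk in CVE-2017-6969.patch expects, so the series appears to rely on patch fuzz to apply. Dropping the ChangeLog hunks from the backports, or regenerating the patches in SRC_URI order against one tree, would make the security fixes apply deterministically.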
@@ -0,0 +1,37 @@
+From 8941017bc0226b60ce306d5271df15820ce66a53 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 30 Aug 2016 20:57:32 +0930
+Subject: [PATCH] ppc apuinfo for spe parsed incorrectly
+Organization: O.S. Systems Software LTDA.
+
+apuinfo saying SPE resulted in mach = bfd_mach_ppc_vle due to a
+missing break.
+
+ PR 20531
+ * elf32-ppc.c (_bfd_elf_ppc_set_arch): Add missing "break".
+
+
+Backport from :
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=8941017b
+
+Upstream-Status: Backport
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
+---
+ bfd/elf32-ppc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
+index 95ce1dc..e42ef1c 100644
+--- a/bfd/elf32-ppc.c
++++ b/bfd/elf32-ppc.c
+@@ -2246,6 +2246,7 @@ _bfd_elf_ppc_set_arch (bfd *abfd)
+ case PPC_APUINFO_BRLOCK:
+ if (mach != bfd_mach_ppc_vle)
+ mach = bfd_mach_ppc_e500;
++ break;
+
+ case PPC_APUINFO_VLE:
+ mach = bfd_mach_ppc_vle;
+--
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch
new file mode 100644
index 000000000..33bf1e8f6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch
@@ -0,0 +1,31 @@
+From 72b09de92cc597c53b1d762882b67a17fe56846c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 23 Aug 2016 09:45:11 +0100
+Subject: [PATCH 16/16] Fix seg-fault in ARM linker when trying to parse a
+ binary file.
+
+ * elf32-arm.c (elf32_arm_count_additional_relocs): Return zero if
+ there is no arm data associated with the section.
+---
+Upstream-Status: Backport
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+ bfd/elf32-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c
+index 700bec3..3fab609 100644
+--- a/bfd/elf32-arm.c
++++ b/bfd/elf32-arm.c
+@@ -18207,7 +18207,7 @@ elf32_arm_count_additional_relocs (asection *sec)
+ {
+ struct _arm_elf_section_data *arm_data;
+ arm_data = get_arm_elf_section_data (sec);
+- return arm_data->additional_reloc_count;
++ return arm_data == NULL ? 0 : arm_data->additional_reloc_count;
+ }
+
+ /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
+--
+2.10.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch
new file mode 100644
index 000000000..f8b46be69
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch
@@ -0,0 +1,139 @@
+From 4a4286465b5d6c28968bc2b29ae08daca7f219a3 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 18 Nov 2016 11:42:48 -0800
+Subject: [PATCH] Fix the generation of alignment frags in code sections for AArch64.
+
+PR gas/20364
+* config/tc-aarch64.c (s_ltorg): Change the mapping state after
+aligning the frag.
+(aarch64_init): Treat rs_align frags in code sections as
+containing code, not data.
+* testsuite/gas/aarch64/pr20364.s: New test.
+* testsuite/gas/aarch64/pr20364.d: New test driver.
+
+Backporting the patch from binutils mainline
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7ea12e5c3ad54da440c08f32da09534e63e515ca
+
+Upstream-Status: Backport
+
+Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
+---
+ gas/ChangeLog | 10 ++++++++++
+ gas/config/tc-aarch64.c | 10 +++++++---
+ gas/testsuite/gas/aarch64/pr20364.d | 13 +++++++++++++
+ gas/testsuite/gas/aarch64/pr20364.s | 28 ++++++++++++++++++++++++++++
+ 4 files changed, 58 insertions(+), 3 deletions(-)
+ create mode 100644 gas/testsuite/gas/aarch64/pr20364.d
+ create mode 100644 gas/testsuite/gas/aarch64/pr20364.s
+
+diff --git a/gas/ChangeLog b/gas/ChangeLog
+index a39895a..fad06dc 100644
+--- a/gas/ChangeLog
++++ b/gas/ChangeLog
+@@ -1,3 +1,13 @@
++2016-08-05 Nick Clifton <nickc@redhat.com>
++
++ PR gas/20364
++ * config/tc-aarch64.c (s_ltorg): Change the mapping state after
++ aligning the frag.
++ (aarch64_init): Treat rs_align frags in code sections as
++ containing code, not data.
++ * testsuite/gas/aarch64/pr20364.s: New test.
++ * testsuite/gas/aarch64/pr20364.d: New test driver.
++
+ 2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+ * configure: Regenerate.
+diff --git a/gas/config/tc-aarch64.c b/gas/config/tc-aarch64.c
+index ddc40f2..74933cb 100644
+--- a/gas/config/tc-aarch64.c
++++ b/gas/config/tc-aarch64.c
+@@ -1736,13 +1736,13 @@ s_ltorg (int ignored ATTRIBUTE_UNUSED)
+ if (pool == NULL || pool->symbol == NULL || pool->next_free_entry == 0)
+ continue;
+
+- mapping_state (MAP_DATA);
+-
+ /* Align pool as you have word accesses.
+ Only make a frag if we have to. */
+ if (!need_pass_2)
+ frag_align (align, 0, 0);
+
++ mapping_state (MAP_DATA);
++
+ record_alignment (now_seg, align);
+
+ sprintf (sym_name, "$$lit_\002%x", pool->id);
+@@ -6373,11 +6373,15 @@ aarch64_init_frag (fragS * fragP, int max_chars)
+
+ switch (fragP->fr_type)
+ {
+- case rs_align:
+ case rs_align_test:
+ case rs_fill:
+ mapping_state_2 (MAP_DATA, max_chars);
+ break;
++ case rs_align:
++ /* PR 20364: We can get alignment frags in code sections,
++ so do not just assume that we should use the MAP_DATA state. */
++ mapping_state_2 (subseg_text_p (now_seg) ? MAP_INSN : MAP_DATA, max_chars);
++ break;
+ case rs_align_code:
+ mapping_state_2 (MAP_INSN, max_chars);
+ break;
+diff --git a/gas/testsuite/gas/aarch64/pr20364.d b/gas/testsuite/gas/aarch64/pr20364.d
+new file mode 100644
+index 0000000..babcff1
+--- /dev/null
++++ b/gas/testsuite/gas/aarch64/pr20364.d
+@@ -0,0 +1,13 @@
++# Check that ".align <size>, <fill>" does not set the mapping state to DATA, causing unnecessary frag generation.
++#name: PR20364
++#objdump: -d
++
++.*: file format .*
++
++Disassembly of section \.vectors:
++
++0+000 <.*>:
++ 0: d2800000 mov x0, #0x0 // #0
++ 4: 94000000 bl 0 <plat_report_exception>
++ 8: 17fffffe b 0 <bl1_exceptions>
++
+diff --git a/gas/testsuite/gas/aarch64/pr20364.s b/gas/testsuite/gas/aarch64/pr20364.s
+new file mode 100644
+index 0000000..594ad7c
+--- /dev/null
++++ b/gas/testsuite/gas/aarch64/pr20364.s
+@@ -0,0 +1,28 @@
++ .macro vector_base label
++ .section .vectors, "ax"
++ .align 11, 0
++ \label:
++ .endm
++
++ .macro vector_entry label
++ .section .vectors, "ax"
++ .align 7, 0
++ \label:
++ .endm
++
++ .macro check_vector_size since
++ .if (. - \since) > (32 * 4)
++ .error "Vector exceeds 32 instructions"
++ .endif
++ .endm
++
++ .globl bl1_exceptions
++
++vector_base bl1_exceptions
++
++vector_entry SynchronousExceptionSP0
++ mov x0, #0x0
++ bl plat_report_exception
++ b SynchronousExceptionSP0
++ check_vector_size SynchronousExceptionSP0
++
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
new file mode 100644
index 000000000..85f7f98fe
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,127 @@ +From 6f898c17b1d6f6a29a05ca6de31f0fc8f52cfbfe Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 13 Feb 2017 13:08:32 +0000 +Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst + processing corrupt input files containing symbol-difference relocations. + + PR binutils/21137 + * readelf.c (target_specific_reloc_handling): Add end parameter. + Check for buffer overflow before writing relocated values. + (apply_relocations): Pass end to target_specific_reloc_handling. + +(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493) +Upstream-Status: Backport [master] +CVE: CVE-2017-6965 + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + binutils/ChangeLog | 7 +++++++ + binutils/readelf.c | 30 +++++++++++++++++++++++++----- + 2 files changed, 32 insertions(+), 5 deletions(-) + +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index 995de87dc3..154b797a29 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -5,6 +5,13 @@ + Check for buffer overflow before writing relocated values. + (apply_relocations): Pass end to target_specific_reloc_handling. + ++2017-02-13 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21137 ++ * readelf.c (target_specific_reloc_handling): Add end parameter. ++ Check for buffer overflow before writing relocated values. ++ (apply_relocations): Pass end to target_specific_reloc_handling. ++ + 2016-08-03 Tristan Gingold <gingold@adacore.com> + + * configure: Regenerate. 
+diff --git a/binutils/readelf.c b/binutils/readelf.c +index d31558c3b4..220671f76f 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -11345,6 +11345,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) + static bfd_boolean + target_specific_reloc_handling (Elf_Internal_Rela * reloc, + unsigned char * start, ++ unsigned char * end, + Elf_Internal_Sym * symtab) + { + unsigned int reloc_type = get_reloc_type (reloc->r_info); +@@ -11384,13 +11385,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + handle_sym_diff: + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ /* PR 21137 */ ++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11421,13 +11428,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + case 2: /* R_MN10300_16 */ + if (saved_sym != NULL) + { ++ int reloc_size = reloc_type == 1 ? 4 : 2; + bfd_vma value; + + value = reloc->r_addend + + (symtab[get_reloc_symindex (reloc->r_info)].st_value + - saved_sym->st_value); + +- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); ++ if (start + reloc->r_offset + reloc_size >= end) ++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); + + saved_sym = NULL; + return TRUE; +@@ -11462,12 +11474,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + break; + + case 0x41: /* R_RL78_ABS32. 
*/ +- byte_put (start + reloc->r_offset, value, 4); ++ if (start + reloc->r_offset + 4 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 4); + value = 0; + return TRUE; + + case 0x43: /* R_RL78_ABS16. */ +- byte_put (start + reloc->r_offset, value, 2); ++ if (start + reloc->r_offset + 2 >= end) ++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + 2, end); ++ else ++ byte_put (start + reloc->r_offset, value, 2); + value = 0; + return TRUE; + +@@ -12074,7 +12094,7 @@ apply_relocations (void * file, + + reloc_type = get_reloc_type (rp->r_info); + +- if (target_specific_reloc_handling (rp, start, symtab)) ++ if (target_specific_reloc_handling (rp, start, end, symtab)) + continue; + else if (is_none_reloc (reloc_type)) + continue; +-- +2.11.0 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch new file mode 100644 index 000000000..5e364ef69 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch 
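Review bot: The new bounds test `start + reloc->r_offset + reloc_size >= end` builds a pointer from the file-supplied `r_offset` before comparing, so a large enough offset can wrap the addition and pass the check; it also rejects a write that ends exactly at `end`. Comparing sizes avoids both, e.g. `if (reloc->r_offset > (bfd_vma) (end - start) || (bfd_vma) (end - start) - reloc->r_offset < (bfd_vma) reloc_size)`. The same form of test is repeated in the MN10300 branch and both RL78 branches, and is carried over unchanged into CVE-2017-6966.patch. The R_RL78_ABS32 branch also prints `start + reloc->r_offset + 2` in its message although it guards a 4-byte write. The body of `target_specific_reloc_handling` continues outside these hunks.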
@@ -0,0 +1,240 @@ +From 310e2cdc0a46ef62602097f5c21c393571e76df4 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 13 Feb 2017 14:03:22 +0000 +Subject: [PATCH 2/2] Fix read-after-free error in readelf when processing + multiple, relocated sections in an MSP430 binary. + + PR binutils/21139 + * readelf.c (target_specific_reloc_handling): Add num_syms + parameter. Check for symbol table overflow before accessing + symbol value. If reloc pointer is NULL, discard all saved state. + (apply_relocations): Pass num_syms to target_specific_reloc_handling. + Call target_specific_reloc_handling with a NULL reloc pointer + after processing all of the relocs. + +(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9) +Upstream-Status: Backport [master] +CVE: CVE-2017-6966 + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + binutils/ChangeLog | 10 +++++ + binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------ + 2 files changed, 94 insertions(+), 25 deletions(-) + +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index 154b797a29..aef0a51f19 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -1,5 +1,15 @@ + 2017-02-13 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21139 ++ * readelf.c (target_specific_reloc_handling): Add num_syms ++ parameter. Check for symbol table overflow before accessing ++ symbol value. If reloc pointer is NULL, discard all saved state. ++ (apply_relocations): Pass num_syms to target_specific_reloc_handling. ++ Call target_specific_reloc_handling with a NULL reloc pointer ++ after processing all of the relocs. ++ ++2017-02-13 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21137 + * readelf.c (target_specific_reloc_handling): Add end parameter. + Check for buffer overflow before writing relocated values. 
+diff --git a/binutils/readelf.c b/binutils/readelf.c +index 220671f76f..2b6cef1638 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -11340,15 +11340,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) + + /* Check to see if the given reloc needs to be handled in a target specific + manner. If so then process the reloc and return TRUE otherwise return +- FALSE. */ ++ FALSE. ++ ++ If called with reloc == NULL, then this is a signal that reloc processing ++ for the current section has finished, and any saved state should be ++ discarded. */ + + static bfd_boolean + target_specific_reloc_handling (Elf_Internal_Rela * reloc, + unsigned char * start, + unsigned char * end, +- Elf_Internal_Sym * symtab) ++ Elf_Internal_Sym * symtab, ++ unsigned long num_syms) + { +- unsigned int reloc_type = get_reloc_type (reloc->r_info); ++ unsigned int reloc_type = 0; ++ unsigned long sym_index = 0; ++ ++ if (reloc) ++ { ++ reloc_type = get_reloc_type (reloc->r_info); ++ sym_index = get_reloc_symindex (reloc->r_info); ++ } + + switch (elf_header.e_machine) + { +@@ -11357,13 +11369,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + { + static Elf_Internal_Sym * saved_sym = NULL; + ++ if (reloc == NULL) ++ { ++ saved_sym = NULL; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 10: /* R_MSP430_SYM_DIFF */ + if (uses_msp430x_relocs ()) + break; + case 21: /* R_MSP430X_SYM_DIFF */ +- saved_sym = symtab + get_reloc_symindex (reloc->r_info); ++ /* PR 21139. */ ++ if (sym_index >= num_syms) ++ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ saved_sym = symtab + sym_index; + return TRUE; + + case 1: /* R_MSP430_32 or R_MSP430_ABS32 */ +@@ -11388,16 +11411,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + int reloc_size = reloc_type == 1 ? 
4 : 2; + bfd_vma value; + +- value = reloc->r_addend +- + (symtab[get_reloc_symindex (reloc->r_info)].st_value +- - saved_sym->st_value); +- +- if (start + reloc->r_offset + reloc_size >= end) +- /* PR 21137 */ +- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), +- start + reloc->r_offset + reloc_size, end); ++ if (sym_index >= num_syms) ++ error (_("MSP430 reloc contains invalid symbol index %lu\n"), ++ sym_index); + else +- byte_put (start + reloc->r_offset, value, reloc_size); ++ { ++ value = reloc->r_addend + (symtab[sym_index].st_value ++ - saved_sym->st_value); ++ ++ if (start + reloc->r_offset + reloc_size >= end) ++ /* PR 21137 */ ++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); ++ } + + saved_sym = NULL; + return TRUE; +@@ -11417,13 +11445,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + { + static Elf_Internal_Sym * saved_sym = NULL; + ++ if (reloc == NULL) ++ { ++ saved_sym = NULL; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 34: /* R_MN10300_ALIGN */ + return TRUE; + case 33: /* R_MN10300_SYM_DIFF */ +- saved_sym = symtab + get_reloc_symindex (reloc->r_info); ++ if (sym_index >= num_syms) ++ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ saved_sym = symtab + sym_index; + return TRUE; ++ + case 1: /* R_MN10300_32 */ + case 2: /* R_MN10300_16 */ + if (saved_sym != NULL) +@@ -11431,15 +11470,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + int reloc_size = reloc_type == 1 ? 
4 : 2; + bfd_vma value; + +- value = reloc->r_addend +- + (symtab[get_reloc_symindex (reloc->r_info)].st_value +- - saved_sym->st_value); +- +- if (start + reloc->r_offset + reloc_size >= end) +- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), +- start + reloc->r_offset + reloc_size, end); ++ if (sym_index >= num_syms) ++ error (_("MN10300 reloc contains invalid symbol index %lu\n"), ++ sym_index); + else +- byte_put (start + reloc->r_offset, value, reloc_size); ++ { ++ value = reloc->r_addend + (symtab[sym_index].st_value ++ - saved_sym->st_value); ++ ++ if (start + reloc->r_offset + reloc_size >= end) ++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), ++ start + reloc->r_offset + reloc_size, end); ++ else ++ byte_put (start + reloc->r_offset, value, reloc_size); ++ } + + saved_sym = NULL; + return TRUE; +@@ -11459,12 +11503,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, + static bfd_vma saved_sym2 = 0; + static bfd_vma value; + ++ if (reloc == NULL) ++ { ++ saved_sym1 = saved_sym2 = 0; ++ return TRUE; ++ } ++ + switch (reloc_type) + { + case 0x80: /* R_RL78_SYM. */ + saved_sym1 = saved_sym2; +- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value; +- saved_sym2 += reloc->r_addend; ++ if (sym_index >= num_syms) ++ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"), ++ sym_index); ++ else ++ { ++ saved_sym2 = symtab[sym_index].st_value; ++ saved_sym2 += reloc->r_addend; ++ } + return TRUE; + + case 0x83: /* R_RL78_OPsub. 
*/ +@@ -12094,7 +12150,7 @@ apply_relocations (void * file, + + reloc_type = get_reloc_type (rp->r_info); + +- if (target_specific_reloc_handling (rp, start, end, symtab)) ++ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms)) + continue; + else if (is_none_reloc (reloc_type)) + continue; +@@ -12190,6 +12246,9 @@ apply_relocations (void * file, + } + + free (symtab); ++ /* Let the target specific reloc processing code know that ++ we have finished with these relocs. */ ++ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0); + + if (relocs_return) + { +-- +2.11.0 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch new file mode 100644 index 000000000..3d036c4cf --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch 
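Review bot: In the `R_MSP430*_SYM_DIFF` and `R_MN10300_SYM_DIFF` branches an out-of-range `sym_index` is reported but `saved_sym` keeps whatever an earlier SYM_DIFF reloc stored, so the next 32/16-bit reloc is still paired with that older symbol. Clearing it in the error arm keeps a rejected reloc from having any effect: `{ error (...); saved_sym = NULL; }`. The RL78 `0x80` branch has the same shape, since `saved_sym1 = saved_sym2` runs before the index is checked. The reset call `target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0)` sits right after `free (symtab)`; whether every exit from `apply_relocations` passes through it cannot be seen from this hunk and is worth confirming, because the statics otherwise keep pointers into freed memory.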
@@ -0,0 +1,56 @@
+From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:45 +0000
+Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
+
+ PR binutils/21156
+ * readelf.c (find_section_in_set): Test for invalid section
+ indicies.
+
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/readelf.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index a70bdb7a7b..dbf8eb079e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-17 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21156
++ * readelf.c (find_section_in_set): Test for invalid section
++ indicies.
++
+ 2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+ * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..7f7365dbc5 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
+ if (set != NULL)
+ {
+ while ((i = *set++) > 0)
+- if (streq (SECTION_NAME (section_headers + i), name))
+- return section_headers + i;
++ {
++ /* See PR 21156 for a reproducer. */
++ if (i >= elf_header.e_shnum)
++ continue; /* FIXME: Should we issue an error message ? */
++
++ if (streq (SECTION_NAME (section_headers + i), name))
++ return section_headers + i;
++ }
+ }
+
+ return find_section (name);
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
new file mode 100644
index 000000000..491c7086e
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
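Review bot: The range check added to `find_section_in_set` drops an out-of-range index with a bare `continue`, so a corrupt section set is skipped without any diagnostic and the FIXME is left open. Reporting it before the `continue`, e.g. `warn (_("Section index %u is out of range\n"), i);`, tells the user the input is damaged instead of quietly falling through to `find_section (name)`, which may return a section the set never referred to. The check also assumes `section_headers` holds `elf_header.e_shnum` entries; that is established outside this hunk.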
@@ -0,0 +1,122 @@ +From 59fcd64fe65a89fb0acaf5463840310701189375 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 20 Feb 2017 14:40:39 +0000 +Subject: Fix another memory access error in readelf when parsing a corrupt + binary. + + PR binutils/21156 + * dwarf.c (cu_tu_indexes_read): Move into... + (load_cu_tu_indexes): ... here. Change the variable into + tri-state. Change the function into boolean, returning + false if the indicies could not be loaded. + (find_cu_tu_set): Return NULL if the indicies could not be + loaded. + +CVE: CVE-2017-6969 +Upstream-Status: Backport [master] + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + binutils/ChangeLog | 10 ++++++++++ + binutils/dwarf.c | 34 ++++++++++++++++++++-------------- + 2 files changed, 30 insertions(+), 14 deletions(-) + +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index dbf8eb079e..55d2f8ba40 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -1,3 +1,13 @@ ++2017-02-20 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21156 ++ * dwarf.c (cu_tu_indexes_read): Move into... ++ (load_cu_tu_indexes): ... here. Change the variable into ++ tri-state. Change the function into boolean, returning ++ false if the indicies could not be loaded. ++ (find_cu_tu_set): Return NULL if the indicies could not be ++ loaded. ++ + 2017-02-17 Nick Clifton <nickc@redhat.com> + + PR binutils/21156 +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 282e069958..a23267feb6 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -76,7 +76,6 @@ int dwarf_check = 0; + as a zero-terminated list of section indexes comprising one set of debug + sections from a .dwo file. 
*/ + +-static int cu_tu_indexes_read = 0; + static unsigned int *shndx_pool = NULL; + static unsigned int shndx_pool_size = 0; + static unsigned int shndx_pool_used = 0; +@@ -99,7 +98,7 @@ static int tu_count = 0; + static struct cu_tu_set *cu_sets = NULL; + static struct cu_tu_set *tu_sets = NULL; + +-static void load_cu_tu_indexes (void *file); ++static bfd_boolean load_cu_tu_indexes (void *); + + /* Values for do_debug_lines. */ + #define FLAG_DEBUG_LINES_RAW 1 +@@ -2713,7 +2712,7 @@ load_debug_info (void * file) + return num_debug_info_entries; + + /* If this is a DWARF package file, load the CU and TU indexes. */ +- load_cu_tu_indexes (file); ++ (void) load_cu_tu_indexes (file); + + if (load_debug_section (info, file) + && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0)) +@@ -7302,21 +7301,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) + section sets that we can use to associate a .debug_info.dwo section + with its associated .debug_abbrev.dwo section in a .dwp file. */ + +-static void ++static bfd_boolean + load_cu_tu_indexes (void *file) + { ++ static int cu_tu_indexes_read = -1; /* Tri-state variable. */ ++ + /* If we have already loaded (or tried to load) the CU and TU indexes + then do not bother to repeat the task. */ +- if (cu_tu_indexes_read) +- return; +- +- if (load_debug_section (dwp_cu_index, file)) +- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0); +- +- if (load_debug_section (dwp_tu_index, file)) +- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0); ++ if (cu_tu_indexes_read == -1) ++ { ++ cu_tu_indexes_read = TRUE; ++ ++ if (load_debug_section (dwp_cu_index, file)) ++ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0)) ++ cu_tu_indexes_read = FALSE; ++ ++ if (load_debug_section (dwp_tu_index, file)) ++ if (! 
process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0)) ++ cu_tu_indexes_read = FALSE; ++ } + +- cu_tu_indexes_read = 1; ++ return (bfd_boolean) cu_tu_indexes_read; + } + + /* Find the set of sections that includes section SHNDX. */ +@@ -7326,7 +7331,8 @@ find_cu_tu_set (void *file, unsigned int shndx) + { + unsigned int i; + +- load_cu_tu_indexes (file); ++ if (! load_cu_tu_indexes (file)) ++ return NULL; + + /* Find SHNDX in the shndx pool. */ + for (i = 0; i < shndx_pool_used; i++) +-- +2.11.0 + diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch new file mode 100644 index 000000000..336d72cfe --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch 
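Review bot: `cu_tu_indexes_read` in `load_cu_tu_indexes` is now a function-local static that is set once and never cleared, so the cached TRUE/FALSE result outlives the input it was computed for. If the tool processes several files or archive members in one run, a failure on the first one would make `find_cu_tu_set` return NULL for all later ones. The old file-scope flag had the same lifetime, so this is not new, but because the value now gates a NULL return it deserves a comment such as `/* Cached for the life of the process, not per input file. */` or a reset hook. Mixing `-1` with `TRUE`/`FALSE` and casting the `int` to `bfd_boolean` on return would also read more clearly as a small enum.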
@@ -0,0 +1,63 @@
+From 6e5e9d96b5bd7dc3147db9917d6a7a20682915cc Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 15:04:37 +0000
+Subject: Fix invalid read of section contents whilst processing a corrupt
+ binary.
+
+ PR binutils/21135
+ * readelf.c (dump_section_as_bytes): Handle the case where
+ uncompress_section_contents returns false.
+
+CVE: CVE-2017-7209
+Upstream-Status: Backport[master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/readelf.c | 16 ++++++++++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 55d2f8ba40..c4d8e60eca 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-13 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21135
++ * readelf.c (dump_section_as_bytes): Handle the case where
++ uncompress_section_contents returns false.
++
+ 2017-02-20 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21156
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 7f7365dbc5..bc4e92fa81 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -12473,10 +12473,18 @@ dump_section_as_bytes (Elf_Internal_Shdr * section,
+ new_size -= 12;
+ }
+
+- if (uncompressed_size
+- && uncompress_section_contents (& start, uncompressed_size,
+- & new_size))
+- section_size = new_size;
++ if (uncompressed_size)
++ {
++ if (uncompress_section_contents (& start, uncompressed_size,
++ & new_size))
++ section_size = new_size;
++ else
++ {
++ error (_("Unable to decompress section %s\n"),
++ printable_section_name (section));
++ return;
++ }
++ }
+ }
+
+ if (relocate)
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
new file mode 100644
index 000000000..211d2bfd8
--- /dev/null
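Review bot: The new `else` arm in `dump_section_as_bytes` returns straight after the error, and nothing in the hunk releases the section buffer that `start` points into. If that buffer was heap-allocated earlier in the function (outside this hunk), the failure path leaks it for every section that cannot be decompressed; freeing it before the `return` would match the normal exit, using whichever pointer the unseen part of the function owns. Separately, the patch header writes the tag as `Upstream-Status: Backport[master]`, without the space the other patches in this series use (`Backport [master]`), which tooling that parses the tag may not accept.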
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
@@ -0,0 +1,71 @@
+From 80958b04c91edcd41c42807225a7ad1b2a4ce0e6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 14 Feb 2017 14:07:29 +0000
+Subject: Fix handling of corrupt STABS enum type strings.
+
+ PR binutils/21157
+ * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
+ pairs.
+ (parse_number): Exit early if passed an empty string.
+
+CVE: CVE-2017-7210
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 7 +++++++
+ binutils/stabs.c | 14 +++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index c4d8e60eca..2bae9ec587 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-02-14 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21157
++ * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
++ pairs.
++ (parse_number): Exit early if passed an empty string.
++
+ 2017-02-13 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21135
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index aebde7afe9..c425afe98e 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -232,6 +232,10 @@ parse_number (const char **pp, bfd_boolean *poverflow)
+
+ orig = *pp;
+
++ /* Stop early if we are passed an empty string. */
++ if (*orig == 0)
++ return (bfd_vma) 0;
++
+ errno = 0;
+ ul = strtoul (*pp, (char **) pp, 0);
+ if (ul + 1 != 0 || errno == 0)
+@@ -1975,9 +1979,17 @@ parse_stab_enum_type (void *dhandle, const char **pp)
+ bfd_signed_vma val;
+
+ p = *pp;
+- while (*p != ':')
++ while (*p != ':' && *p != 0)
+ ++p;
+
++ if (*p == 0)
++ {
++ bad_stab (orig);
++ free (names);
++ free (values);
++ return DEBUG_TYPE_NULL;
++ }
++
+ name = savestring (*pp, p - *pp);
+
+ *pp = p + 1;
+--
+2.11.0
+ |
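Review bot: The early exit added to `parse_number` returns 0 for an empty string without reporting anything and without advancing `*pp`, so a caller cannot tell a missing number from a literal zero. That contract should be stated at the new check, e.g. `/* Returns 0 and leaves *PP unchanged; callers must validate the delimiter that follows. */`, so future callers do not loop on it or trust the value. In `parse_stab_enum_type` the new error path frees the `names` and `values` arrays but not the strings `savestring` produced on earlier iterations, assuming those are stored in `names` (the store is outside the hunk). Both functions start and end outside the hunks shown.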