Date: Thursday, March 15, 2018 @ 06:06:46
  Author: foutrelis
Revision: 319155

upgpkg: binutils 2.29.1-3

- Prevent tools such as objcopy/strip from incorrectly removing
  the PT_GNU_RELRO program segment from binaries linked with LLD
- Fix CVE-2018-7208: missing bounds check in coff_pointerize_aux()

Added:
  binutils/trunk/0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
  binutils/trunk/0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
Modified:
  binutils/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch       |   29 ++
 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch |  145 
++++++++++
 PKGBUILD                                                        |   16 -
 3 files changed, 187 insertions(+), 3 deletions(-)

Added: 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
===================================================================
--- 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch                   
        (rev 0)
+++ 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch   2018-03-15 
06:06:46 UTC (rev 319155)
@@ -0,0 +1,29 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+
+       PR 22741
+       * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+       range before converting to a symbol table pointer.
+---
+ bfd/coffgen.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c
+index b2410873d0..4f90eaddd9 100644
+--- a/bfd/coffgen.c
++++ b/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+       table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+-- 
+2.16.2
+
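Review bot: The new condition `(unsigned long) auxent->u.auxent.x_sym.x_tagndx.l < obj_raw_syment_count (abfd)` also admits a tagndx of 0, which the old `> 0` test excluded, so an aux entry with a zero tag index is now pointerized to `table_base` (the first raw symbol) where before it was left untouched. If zero is used as "no tag" in any input this path sees, that is a behavioural change the patch description does not mention; keeping both tests, `if (auxent->u.auxent.x_sym.x_tagndx.l > 0 && (unsigned long) auxent->u.auxent.x_sym.x_tagndx.l < obj_raw_syment_count (abfd))`, bounds the index without widening the accepted set. The unsigned cast correctly rejects negative values (they wrap above the count), but the `/* A negative tagndx is meaningless ... */` comment directly above should be extended to say that out-of-range positive indices from a malformed file are now ignored too, since that is the CVE-2018-7208 fix and the comment otherwise reads as if only the SCO quirk is handled. coff_pointerize_aux begins and ends outside this hunk.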

Added: 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
===================================================================
--- 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch             
                (rev 0)
+++ 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch     
2018-03-15 06:06:46 UTC (rev 319155)
@@ -0,0 +1,145 @@
+From 3b56a1358768563d9cf320559ebdedfb30f122dd Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Mon, 12 Feb 2018 13:06:07 +1030
+Subject: [PATCH] PR22829, objcopy/strip removes PT_GNU_RELRO from lld binaries
+
+lld lays out the relro segment differently to GNU ld, not bothering to
+include the first few bytes of .got.plt and padding out to a page at
+the end of the segment.  This patch teaches binutils to recognize the
+different (and somewhat inferior) layout as valid.
+
+bfd/
+       PR 22829
+       * elf.c (assign_file_positions_for_non_load_sections): Rewrite
+       PT_GNU_RELRO setup.
+ld/
+       * testsuite/ld-x86-64/pr14207.d: Adjust relro p_filesz.
+
+(cherry picked from commit f2731e0c374e5323ce4cdae2bcc7b7fe22da1a6f)
+---
+ bfd/elf.c                        | 78 ++++++++++++++++++++++++++--------------
+ ld/testsuite/ld-x86-64/pr14207.d |  2 +-
+ 2 files changed, 52 insertions(+), 28 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index bbaab26918..f5a230cd77 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -5826,50 +5826,74 @@ assign_file_positions_for_non_load_sections (bfd *abfd,
+     {
+       if (p->p_type == PT_GNU_RELRO)
+       {
+-        const Elf_Internal_Phdr *lp;
+-        struct elf_segment_map *lm;
++        bfd_vma start, end;
+ 
+         if (link_info != NULL)
+           {
+             /* During linking the range of the RELRO segment is passed
+-               in link_info.  */
++               in link_info.  Note that there may be padding between
++               relro_start and the first RELRO section.  */
++            start = link_info->relro_start;
++            end = link_info->relro_end;
++          }
++        else if (m->count != 0)
++          {
++            if (!m->p_size_valid)
++              abort ();
++            start = m->sections[0]->vma;
++            end = start + m->p_size;
++          }
++        else
++          {
++            start = 0;
++            end = 0;
++          }
++
++        if (start < end)
++          {
++            struct elf_segment_map *lm;
++            const Elf_Internal_Phdr *lp;
++            unsigned int i;
++
++            /* Find a LOAD segment containing a section in the RELRO
++               segment.  */
+             for (lm = elf_seg_map (abfd), lp = phdrs;
+                  lm != NULL;
+                  lm = lm->next, lp++)
+               {
+                 if (lp->p_type == PT_LOAD
+-                    && lp->p_vaddr < link_info->relro_end
+                     && lm->count != 0
+-                    && lm->sections[0]->vma >= link_info->relro_start)
++                    && lm->sections[lm->count - 1]->vma >= start
++                    && lm->sections[0]->vma < end)
+                   break;
+               }
+-
+             BFD_ASSERT (lm != NULL);
+-          }
+-        else
+-          {
+-            /* Otherwise we are copying an executable or shared
+-               library, but we need to use the same linker logic.  */
+-            for (lp = phdrs; lp < phdrs + count; ++lp)
++
++            /* Find the section starting the RELRO segment.  */
++            for (i = 0; i < lm->count; i++)
+               {
+-                if (lp->p_type == PT_LOAD
+-                    && lp->p_paddr == p->p_paddr)
++                asection *s = lm->sections[i];
++                if (s->vma >= start
++                    && s->vma < end
++                    && s->size != 0)
+                   break;
+               }
+-          }
++            BFD_ASSERT (i < lm->count);
++
++            p->p_vaddr = lm->sections[i]->vma;
++            p->p_paddr = lm->sections[i]->lma;
++            p->p_offset = lm->sections[i]->filepos;
++            p->p_memsz = end - p->p_vaddr;
++            p->p_filesz = p->p_memsz;
++
++            /* The RELRO segment typically ends a few bytes into
++               .got.plt but other layouts are possible.  In cases
++               where the end does not match any loaded section (for
++               instance is in file padding), trim p_filesz back to
++               correspond to the end of loaded section contents.  */
++            if (p->p_filesz > lp->p_vaddr + lp->p_filesz - p->p_vaddr)
++              p->p_filesz = lp->p_vaddr + lp->p_filesz - p->p_vaddr;
+ 
+-        if (lp < phdrs + count)
+-          {
+-            p->p_vaddr = lp->p_vaddr;
+-            p->p_paddr = lp->p_paddr;
+-            p->p_offset = lp->p_offset;
+-            if (link_info != NULL)
+-              p->p_filesz = link_info->relro_end - lp->p_vaddr;
+-            else if (m->p_size_valid)
+-              p->p_filesz = m->p_size;
+-            else
+-              abort ();
+-            p->p_memsz = p->p_filesz;
+             /* Preserve the alignment and flags if they are valid. The
+                gold linker generates RW/4 for the PT_GNU_RELRO section.
+                It is better for objcopy/strip to honor these attributes
+diff --git a/ld/testsuite/ld-x86-64/pr14207.d 
b/ld/testsuite/ld-x86-64/pr14207.d
+index f6558e7cd7..41f92b8bd8 100644
+--- a/ld/testsuite/ld-x86-64/pr14207.d
++++ b/ld/testsuite/ld-x86-64/pr14207.d
+@@ -13,7 +13,7 @@ Program Headers:
+   LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0001c8 
0x0001c8 R   0x200000
+   LOAD           0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 
0x000c.8 RW  0x200000
+   DYNAMIC        0x000b.0 0x0000000000200b.0 0x0000000000200b.0 0x0001.0 
0x0001.0 RW  0x8
+-  GNU_RELRO      0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.8 
0x0004.8 R   0x1
++  GNU_RELRO      0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 
0x0004.8 R   0x1
+ 
+  Section to Segment mapping:
+   Segment Sections...
+-- 
+2.16.2
+
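Review bot: `BFD_ASSERT (lm != NULL)` and `BFD_ASSERT (i < lm->count)` are each followed by an unconditional use of the asserted value (`lm->count` in the section loop, `lm->sections[i]` in the p_vaddr/p_paddr/p_offset assignments); if BFD_ASSERT is the log-and-continue check bfd normally uses (its definition is not in view), then an object whose PT_GNU_RELRO range overlaps no PT_LOAD, or only zero-size sections, takes objcopy/strip into a NULL dereference or an out-of-bounds read, which is the same untrusted-input scenario the sibling PR22741 patch is fixing. Each assert should be backed by a real guard that leaves the RELRO header alone instead of falling through, e.g. `if (lm == NULL) ...` and `if (i == lm->count) ...`; the loop over program headers that contains this code starts before the hunk, so whether the right exit is to skip this `p` or fail the call depends on it. Separately, the trim `lp->p_vaddr + lp->p_filesz - p->p_vaddr` is unsigned bfd_vma arithmetic, so if the chosen section sits past the LOAD segment's file-backed bytes the subtraction wraps and p_filesz silently stays at p_memsz; guarding with `if (p->p_vaddr > lp->p_vaddr + lp->p_filesz) p->p_filesz = 0; else if (...)` before the existing comparison would close that.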

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2018-03-15 05:08:26 UTC (rev 319154)
+++ PKGBUILD    2018-03-15 06:06:46 UTC (rev 319155)
@@ -5,7 +5,7 @@
 
 pkgname=binutils
 pkgver=2.29.1
-pkgrel=2
+pkgrel=3
 pkgdesc='A set of programs to assemble and manipulate binary and object files'
 arch=(x86_64)
 url='http://www.gnu.org/software/binutils/'
@@ -20,11 +20,15 @@
 #_commit=d1a6e7195b9bb0255fa77588985b969ad8aaacf5
 #source=(git+https://sourceware.org/git/binutils-gdb.git#commit=${_commit}
 source=(https://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.xz{,.sig}
-        0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch)
+        0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+        0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+        0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch)
 validpgpkeys=(3A24BC1E8FB409FA9F14371813FCEF89DD9E3C4F)
 md5sums=('acc9cd826edb9954ac7cecb81c727793'
          'SKIP'
-         'e4be936139ef46122cb3841881c432b2')
+         'e4be936139ef46122cb3841881c432b2'
+         '469164f3c93a0e92a697537b60c9806c'
+         '0c679b37e90fb23de60a4d28329b956a')
 
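Review bot: The two added patch files are pinned only through `md5sums`, the weakest digest makepkg accepts; the tarball itself is authenticated by its `.sig` entry and `validpgpkeys`, so the checksum array's only real job here is integrity of the locally shipped patches, and that job is better done by `sha256sums=(...)` (regenerate the array with `updpkgsums` after renaming it). The `'SKIP'` for the signature file stays as is. This is a hardening of the packaging metadata only; the patch contents are unaffected.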
 prepare() {
   mkdir -p binutils-build
@@ -37,6 +41,12 @@
 
   # https://bugs.archlinux.org/task/55741
   git apply ../0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+
+  # https://sourceware.org/bugzilla/show_bug.cgi?id=22741
+  git apply ../0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+
+  # https://sourceware.org/bugzilla/show_bug.cgi?id=22829
+  git apply ../0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
 }
 
 build() {
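Review bot: The comment above the PR22741 `git apply` cites only the bugzilla entry, while the commit message identifies that patch as the CVE-2018-7208 fix; recording the CVE next to the URL keeps the security relevance visible to whoever next rebases or drops these patches, e.g. `# https://sourceware.org/bugzilla/show_bug.cgi?id=22741 (CVE-2018-7208)`. Both patches are upstream backports applied on top of the 2.29.1 tarball (the PR22829 one carries a cherry-pick trailer), so a one-line note that they should be rechecked against the next upstream release would also help, `# Backports; drop once a release containing the upstream fixes is packaged`.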
