tamiko 17/06/06 20:57:47 Modified: README.history Added: 00_all_0007-CVE-2017-8421.patch 00_all_0008-CVE-2017-9038.patch 00_all_0009-CVE-2017-9039.patch 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch 00_all_0011-0011-CVE-2017-9041.patch binutils-2.27-CVE-2017-8421.patch Log: binutils-2.27: Update to patchset 1.1
Revision Changes Path 1.2 src/patchsets/binutils/2.27/README.history file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?r1=1.1&r2=1.2 Index: README.history =================================================================== RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.27/README.history,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- README.history 15 Nov 2016 07:08:40 -0000 1.1 +++ README.history 6 Jun 2017 20:57:47 -0000 1.2 @@ -1,3 +1,10 @@ +1.1 06 Jun 2017 + + 00_all_0007-CVE-2017-8421.patch + + 00_all_0008-CVE-2017-9038.patch + + 00_all_0009-CVE-2017-9039.patch + + 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch + + 00_all_0011-0011-CVE-2017-9041.patch + 1.0 12 Nov 2016 + 00_all_0001-ld-always-warn-about-textrels-in-files.patch + 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch 1.1 src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&content-type=text/plain Index: 00_all_0007-CVE-2017-8421.patch =================================================================== >From 066b5b9598ffcf4d8e99034fa370e1ba8393341c Mon Sep 17 00:00:00 2001 
From: Matthias Maier <tam...@43-1.org> Date: Tue, 6 Jun 2017 13:04:17 -0500 Subject: [PATCH 1/5] CVE-2017-8421 [PATCH] Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs. Patch taken from [1]. Gentoo bug [2] [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=39ff1b79f687b65f4144ddb379f22587003443fb [2] https://bugs.gentoo.org/show_bug.cgi?id=618520 --- binutils/objdump.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/binutils/objdump.c b/binutils/objdump.c index bf9c592..cbe2e0a 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -3238,6 +3238,14 @@ dump_relocs_in_section (bfd *abfd, return; } + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 + && relsize > get_file_size (bfd_get_filename (abfd))) + { + printf (" (too many: 0x%x)\n", section->reloc_count); + bfd_set_error (bfd_error_file_truncated); + bfd_fatal (bfd_get_filename (abfd)); + } + relpp = (arelent **) xmalloc (relsize); relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); -- 2.13.0 1.1 src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&content-type=text/plain Index: 00_all_0008-CVE-2017-9038.patch =================================================================== >From 581a94cb18d994071f9660a7b84d1d2bc104fc4f Mon Sep 17 00:00:00 2001 
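Review bot: The new guard in dump_relocs_in_section exits through `bfd_fatal`, so a single section with an implausible reloc count aborts the whole objdump run, whereas the error path just above it (`return;`) only skips that section. `relsize` is a signed `long`, and if `get_file_size` signals a stat failure or a non-regular file with a negative return, as the bucomm.c implementation of this era appears to (verify for 2.27), then `relsize > get_file_size (...)` is true for every positive `relsize` and the tool dies with a misleading "file truncated" error. A safer shape captures the size first and applies the check only when it is meaningful, `off_t file_size = get_file_size (bfd_get_filename (abfd));` then `if (... == 0 && file_size > 0 && relsize > file_size)`, and reports with `non_fatal` plus `return` instead of `bfd_fatal`. The enclosing function starts and ends outside the hunk; the same hunk is repeated at a different offset in binutils-2.27-CVE-2017-8421.patch further down this commit, where the same applies.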
From: Matthias Maier <tam...@43-1.org> Date: Tue, 6 Jun 2017 13:18:07 -0500 Subject: [PATCH 2/5] CVE-2017-9038 readelf: Update check for invalid word offsets in ARM unwind information. Patch taken from [1]. Gentoo bug [2] [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d [2] https://bugs.gentoo.org/show_bug.cgi?id=618826 --- binutils/readelf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/binutils/readelf.c b/binutils/readelf.c index 274ddd1..9a515ff 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -7738,9 +7738,9 @@ get_unwind_section_word (struct arm_unw_aux_info * aux, return FALSE; /* If the offset is invalid then fail. */ - if (word_offset > (sec->sh_size - 4) - /* PR 18879 */ - || (sec->sh_size < 5 && word_offset >= sec->sh_size) + if (/* PR 21343 *//* PR 18879 */ + sec->sh_size < 4 + || word_offset > (sec->sh_size - 4) || ((bfd_signed_vma) word_offset) < 0) return FALSE; -- 2.13.0 1.1 src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&content-type=text/plain Index: 00_all_0009-CVE-2017-9039.patch =================================================================== >From b365e09549f642683fd21e5804be962077882d33 Mon Sep 17 00:00:00 2001 
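Review bot: The two PR references are jammed inside the condition as `if (/* PR 21343 *//* PR 18879 */`, which reads as one garbled comment and pushes the first real operand onto the following line; put them on a comment line above the `if`, e.g. `/* PR 18879, PR 21343: reject sections too small to hold a word, so that sh_size - 4 below cannot wrap.  */` followed by `if (sec->sh_size < 4`. The new `sec->sh_size < 4` test is precisely what makes `sec->sh_size - 4` safe to evaluate, so the comment should say so rather than just cite the PRs. The trailing `((bfd_signed_vma) word_offset) < 0` test is not made redundant by the new bounds and should stay, since it still rejects a huge word_offset when sh_size itself is corrupt and close to the type's maximum. The enclosing get_unwind_section_word starts and ends outside the hunk.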
From: Matthias Maier <tam...@43-1.org> Date: Tue, 6 Jun 2017 13:24:24 -0500 Subject: [PATCH 3/5] CVE-2017-9039 readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers. Patch taken from [1]. Gentoo bug [2] [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826 --- binutils/readelf.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/binutils/readelf.c b/binutils/readelf.c index 9a515ff..a11931d 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -4698,9 +4698,19 @@ get_program_headers (FILE * file) if (program_headers != NULL) return 1; - phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, - sizeof (Elf_Internal_Phdr)); + /* Be kind to memory checkers by looking for + e_phnum values which we know must be invalid. */ + if (elf_header.e_phnum + * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) + >= current_file_size) + { + error (_("Too many program headers - %#x - the file is not that big\n"), + elf_header.e_phnum); + return FALSE; + } + phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, + sizeof (Elf_Internal_Phdr)); if (phdrs == NULL) { error (_("Out of memory reading %u program headers\n"), -- 2.13.0 1.1 src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&content-type=text/plain Index: 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch =================================================================== >From 264947c1489c7d7469d34db92672f8c3bde37fb2 Mon Sep 17 00:00:00 2001 
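Review bot: The new early exit in get_program_headers uses `return FALSE;` while the success path two lines above it returns `1`, so the function now mixes boolean and plain-int conventions; `return 0;` keeps the behaviour (FALSE is 0) and the local style. The product `elf_header.e_phnum * sizeof (...)` is evaluated in `size_t` before the comparison, which on a 32-bit host could in principle wrap for a PN_XNUM-extended count and slip past the guard; the division form `if (elf_header.e_phnum >= current_file_size / (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)))` cannot wrap and preserves the friendlier message. If it does wrap, readelf's cmalloc appears to have its own overflow check (outside the hunk), so this is about message quality rather than memory safety. The enclosing function continues outside the hunk.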
From: Matthias Maier <tam...@43-1.org> Date: Tue, 6 Jun 2017 13:30:14 -0500 Subject: [PATCH 4/5] CVE-2017-9040, CVE-2017-9042 readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries. Patch taken from [1]. Gentoo bug [2] [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf [2] https://bugs.gentoo.org/show_bug.cgi?id=618826 --- binutils/readelf.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/binutils/readelf.c b/binutils/readelf.c index a11931d..b3ec415 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -9072,6 +9072,12 @@ process_dynamic_section (FILE * file) processing that. This is overkill, I know, but it should work. */ section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0); + if ((bfd_size_type) section.sh_offset > current_file_size) + { + /* See PR 21379 for a reproducer. */ + error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset); + return FALSE; + } if (archive_file_offset != 0) section.sh_size = archive_file_size - section.sh_offset; 
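Review bot: The new message `_("Invalid DT_SYMTAB entry: %lx")` has no trailing newline, unlike every other message added by this patch set (`"... the file is not that big\n"`, `"Overlarge number of conflicts detected: %lx\n"`), and readelf's error() does not appear to append one, so the next line of output will be glued onto it; change it to `error (_("Invalid DT_SYMTAB entry: %lx\n"), (long) section.sh_offset);`. The guard rejects only offsets strictly beyond the end of the file, so an offset equal to `current_file_size` passes and yields a zero-length section on the lines that follow; that is presumably handled downstream, but if not, `>=` is the intended bound. The enclosing process_dynamic_section starts and ends outside the hunk.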
@@ -14788,6 +14794,15 @@ process_mips_specific (FILE * file) return 0; } + /* PR 21345 - print a slightly more helpful error message + if we are sure that the cmalloc will fail. */ + if (conflictsno * sizeof (* iconf) > current_file_size) + { + error (_("Overlarge number of conflicts detected: %lx\n"), + (long) conflictsno); + return FALSE; + } + iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf)); if (iconf == NULL) { -- 2.13.0 1.1 src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&content-type=text/plain Index: 00_all_0011-0011-CVE-2017-9041.patch =================================================================== >From 268cb749fe1b1f78929d3df43f3142c9c73f2bda Mon Sep 17 00:00:00 2001 From: Matthias Maier <tam...@43-1.org> Date: Tue, 6 Jun 2017 13:40:06 -0500 Subject: [PATCH 5/5] CVE-2017-9041 Patch taken from [1]. Gentoo bug [2] [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 [2] https://bugs.gentoo.org/show_bug.cgi?id=618826 --- binutils/readelf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/binutils/readelf.c b/binutils/readelf.c index b3ec415..984fb9b 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c 
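Review bot: `conflictsno * sizeof (* iconf)` is computed in `size_t` before the comparison, so if conflictsno is a file-derived count (it appears to be) a value above `SIZE_MAX / sizeof (* iconf)` wraps and defeats the new guard, falling through to the generic cmalloc failure path instead of the message this hunk introduces. The division form `if (conflictsno > current_file_size / sizeof (* iconf))` cannot wrap and reports the same "Overlarge number of conflicts" error in that case. The check in get_program_headers from 00_all_0009-CVE-2017-9039.patch has the same shape, though there the multiplier is bounded by the header field and the risk is smaller. The enclosing process_mips_specific starts and ends outside the hunk.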
@@ -14918,7 +14918,14 @@ process_mips_specific (FILE * file) printf (_(" Lazy resolver\n")); if (ent == (bfd_vma) -1) goto got_print_fail; + + /* Check for the MSB of GOT[1] being set, denoting a GNU object. + This entry will be used by some runtime loaders, to store the + module pointer. Otherwise this is an ordinary local entry. + PR 21344: Check for the entry being fully available before + fetching it. */ if (data + && data + ent - pltgot + addr_size <= data_end && (byte_get (data + ent - pltgot, addr_size) >> (addr_size * 8 - 1)) != 0) { -- 2.13.0 1.1 src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&content-type=text/plain Index: binutils-2.27-CVE-2017-8421.patch =================================================================== >From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001 From: Nick Clifton <ni...@redhat.com> Date: Tue, 2 May 2017 11:54:53 +0100 Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs. PR 21440 * objdump.c (dump_relocs_in_section): Check for an excessive number of relocs before attempting to dump them. --- binutils/ChangeLog | 6 ++++++ binutils/objdump.c | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/binutils/objdump.c b/binutils/objdump.c index bc61000..5972da1 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c 
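Review bot: The new bound `data + ent - pltgot + addr_size <= data_end` forms the pointer before testing it, so when the GOT offset is larger than the fetched block the check itself performs out-of-range pointer arithmetic, which is undefined in C and which an optimiser is entitled to fold away; comparing offsets avoids that: `&& ent - pltgot + addr_size <= (bfd_vma) (data_end - data)`. This assumes ent >= pltgot here, which the entry printer above the hunk appears to guarantee, and that data and data_end delimit one buffer — verify both. The same `data + ent - pltgot` expression already feeds `byte_get` in the pre-existing line below, so the note applies to that read as well, and the new comment would be clearer with a clause naming data_end as the end of the fetched GOT data. The enclosing process_mips_specific starts and ends outside the hunk.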
@@ -3379,6 +3379,14 @@ dump_relocs_in_section (bfd *abfd, return; } + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 + && relsize > get_file_size (bfd_get_filename (abfd))) + { + printf (" (too many: 0x%x)\n", section->reloc_count); + bfd_set_error (bfd_error_file_truncated); + bfd_fatal (bfd_get_filename (abfd)); + } + relpp = (arelent **) xmalloc (relsize); relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); -- 2.9.3
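Review bot: This file carries the same dump_relocs_in_section hunk that 00_all_0007-CVE-2017-8421.patch already adds in this commit, only at upstream's line offset (3379 instead of 3238), and README.history lists only the 00_all_ copy. If the patchset is applied by taking every .patch in the directory, this second copy will be detected as already applied and fail; if it is kept purely as a reference for upstream commit 39ff1b79, it should be renamed to a non-.patch suffix or dropped. The review of the guard itself (the `bfd_fatal` exit and the signed comparison against `get_file_size`) is given at the first copy and applies here unchanged.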