Re: [OE-core] [thud] binutils: Fix 4 CVEs

2019-09-09 Thread akuster808



On 9/9/19 10:31 AM, msft.dant...@gmail.com wrote:
> From: Dan Tran 
>
> Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and
> CVE-2018-1000876 for binutils 2.31.1.

Thanks. This is in thud test staging (contrib: stable/thud-nmut).

- armin
>
> Signed-off-by: Dan Tran 
> ---
>  meta/recipes-devtools/binutils/binutils-2.31.inc   |   4 +
>  .../binutils/binutils/CVE-2018-1000876.patch   | 180 
> +
>  .../binutils/binutils/CVE-2018-20623.patch |  74 +
>  .../binutils/binutils/CVE-2018-20651.patch |  35 
>  .../binutils/binutils/CVE-2018-20671.patch |  49 ++
>  5 files changed, 342 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
>  create mode 100644 
> meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc 
> b/meta/recipes-devtools/binutils/binutils-2.31.inc
> index 62acec5..ba9272a 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.31.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
> @@ -46,6 +46,10 @@ SRC_URI = "\
>   file://CVE-2018-18605.patch \
>   file://CVE-2018-18606.patch \
>   file://CVE-2018-18607.patch \
> + file://CVE-2018-20623.patch \
> + file://CVE-2018-20651.patch \
> + file://CVE-2018-20671.patch \
> + file://CVE-2018-1000876.patch \
>  "
>  S  = "${WORKDIR}/git"
>  
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch 
> b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
> new file mode 100644
> index 000..ff85351
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
> @@ -0,0 +1,180 @@
> +From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
> +From: Alan Modra 
> +Date: Sun, 16 Dec 2018 23:02:50 +1030
> +Subject: [PATCH] PR23994, libbfd integer overflow
> +
> + PR 23994
> + * aoutx.h: Include limits.h.
> + (get_reloc_upper_bound): Detect long overflow and return a file
> + too big error if it occurs.
> + * elf.c: Include limits.h.
> + (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
> + a file too big error if it occurs.
> + (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
> + (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
> +
> +CVE: CVE-2018-1000876
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
> +
> +Signed-off-by: Dan Tran 
> +---
> + bfd/aoutx.h | 40 +---
> + bfd/elf.c   | 32 
> + 2 files changed, 45 insertions(+), 27 deletions(-)
> +
> +diff --git a/bfd/aoutx.h b/bfd/aoutx.h
> +index 023843b0be..78eaa9c503 100644
> +--- a/bfd/aoutx.h
>  b/bfd/aoutx.h
> +@@ -117,6 +117,7 @@ DESCRIPTION
> + #define KEEPIT udata.i
> + 
> + #include "sysdep.h"
> ++#include 
> + #include "bfd.h"
> + #include "safe-ctype.h"
> + #include "bfdlink.h"
> +@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
> + long
> + NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
> + {
> ++  bfd_size_type count;
> ++
> +   if (bfd_get_format (abfd) != bfd_object)
> + {
> +   bfd_set_error (bfd_error_invalid_operation);
> +@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, 
> sec_ptr asect)
> + }
> + 
> +   if (asect->flags & SEC_CONSTRUCTOR)
> +-return sizeof (arelent *) * (asect->reloc_count + 1);
> +-
> +-  if (asect == obj_datasec (abfd))
> +-return sizeof (arelent *)
> +-  * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
> +- + 1);
> +-
> +-  if (asect == obj_textsec (abfd))
> +-return sizeof (arelent *)
> +-  * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
> +- + 1);
> +-
> +-  if (asect == obj_bsssec (abfd))
> +-return sizeof (arelent *);
> +-
> +-  if (asect == obj_bsssec (abfd))
> +-return 0;
> ++count = asect->reloc_count;
> ++  else if (asect == obj_datasec (abfd))
> ++count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
> ++  else if (asect == obj_textsec (abfd))
> ++count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
> ++  else if (asect == obj_bsssec (abfd))
> ++count = 0;
> ++  else
> ++{
> ++  bfd_set_error (bfd_error_invalid_operation);
> ++  return -1;
> ++}
> + 
> +-  bfd_set_error (bfd_error_invalid_operation);
> +-  return -1;
> ++  if (count >= LONG_MAX / sizeof (arelent *))
> ++{
> ++  bfd_set_error (bfd_error_file_too_big);
> ++  return -1;
> ++}
> ++  return (count + 1) * sizeof (arelent *);
> + }
> + 
> + long
> +diff --git a/bfd/elf.c b/bfd/elf.c
> +index 828241d48a..10037176a3 100644
> 

[OE-core] [thud] binutils: Fix 4 CVEs

2019-09-09 Thread msft . dantran
From: Dan Tran 

Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20671, and
CVE-2018-1000876 for binutils 2.31.1.

Signed-off-by: Dan Tran 
---
 meta/recipes-devtools/binutils/binutils-2.31.inc   |   4 +
 .../binutils/binutils/CVE-2018-1000876.patch   | 180 +
 .../binutils/binutils/CVE-2018-20623.patch |  74 +
 .../binutils/binutils/CVE-2018-20651.patch |  35 
 .../binutils/binutils/CVE-2018-20671.patch |  49 ++
 5 files changed, 342 insertions(+)
 create mode 100644 
meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc 
b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 62acec5..ba9272a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -46,6 +46,10 @@ SRC_URI = "\
  file://CVE-2018-18605.patch \
  file://CVE-2018-18606.patch \
  file://CVE-2018-18607.patch \
+ file://CVE-2018-20623.patch \
+ file://CVE-2018-20651.patch \
+ file://CVE-2018-20671.patch \
+ file://CVE-2018-1000876.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 000..ff85351
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra 
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+   PR 23994
+   * aoutx.h: Include limits.h.
+   (get_reloc_upper_bound): Detect long overflow and return a file
+   too big error if it occurs.
+   * elf.c: Include limits.h.
+   (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+   a file too big error if it occurs.
+   (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+   (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran 
+---
+ bfd/aoutx.h | 40 +---
+ bfd/elf.c   | 32 
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
 b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+ 
+ #include "sysdep.h"
++#include 
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
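Review bot: The added `#include` line in this hunk names no header as shown here, and the same is true of the matching include hunk for bfd/elf.c further down; the angle-bracketed name was most likely dropped when the mail was archived. The changelog in the patch header says "Include limits.h" and the later aoutx.h hunk uses `LONG_MAX`, so the line should read `#include <limits.h>`. Anyone picking the backport up from this page should compare it against the upstream commit named in the Upstream-Status line before applying it.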
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
++  bfd_size_type count;
++
+   if (bfd_get_format (abfd) != bfd_object)
+ {
+   bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr 
asect)
+ }
+ 
+   if (asect->flags & SEC_CONSTRUCTOR)
+-return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+-  if (asect == obj_datasec (abfd))
+-return sizeof (arelent *)
+-  * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+-   + 1);
+-
+-  if (asect == obj_textsec (abfd))
+-return sizeof (arelent *)
+-  * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+-   + 1);
+-
+-  if (asect == obj_bsssec (abfd))
+-return sizeof (arelent *);
+-
+-  if (asect == obj_bsssec (abfd))
+-return 0;
++count = asect->reloc_count;
++  else if (asect == obj_datasec (abfd))
++count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++  else if (asect == obj_textsec (abfd))
++count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++  else if (asect == obj_bsssec (abfd))
++count = 0;
++  else
++{
++  bfd_set_error (bfd_error_invalid_operation);
++  return -1;
++}
+ 
+-  bfd_set_error (bfd_error_invalid_operation);
+-  return -1;
++  if (count >= LONG_MAX / sizeof (arelent *))
++{
++  bfd_set_error (bfd_error_file_too_big);
++  return -1;
++}
++  return (count + 1) * sizeof (arelent *);
+ }
+ 
+ long
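Review bot: The new bound check `if (count >= LONG_MAX / sizeof (arelent *))` carries no comment saying why it uses `>=` rather than `>`; the function returns `(count + 1) * sizeof (arelent *)`, so the comparison has to leave room for the one extra slot. I would add `/* count + 1 pointers must fit in the long return value.  */` directly above the check. The two `count = ... / obj_reloc_entry_size (abfd)` lines divide an exec-header field by a size that this hunk does not show; presumably it is a non-zero backend constant, but that is worth confirming since the header fields come from the input file. The start of get_reloc_upper_bound is in the previous hunk.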
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
 b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32.  */
+ #define _SYSCALL32
+ #include "sysdep.h"
++#include 
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+-  long symcount;
++  bfd_size_type symcount;
+   long symtab_size;
+