Re: [OE-core] [thud] binutils: Fix 4 CVEs
On 9/9/19 10:31 AM, msft.dant...@gmail.com wrote: > From: Dan Tran > > Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and > CVE-2018-1000876 for binutils 2.31.1. thanks. in thud test stagging.( contrib: stable/thud-nmut ) - armin > > Signed-off-by: Dan Tran > --- > meta/recipes-devtools/binutils/binutils-2.31.inc | 4 + > .../binutils/binutils/CVE-2018-1000876.patch | 180 > + > .../binutils/binutils/CVE-2018-20623.patch | 74 + > .../binutils/binutils/CVE-2018-20651.patch | 35 > .../binutils/binutils/CVE-2018-20671.patch | 49 ++ > 5 files changed, 342 insertions(+) > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc > b/meta/recipes-devtools/binutils/binutils-2.31.inc > index 62acec5..ba9272a 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.31.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc > @@ -46,6 +46,10 @@ SRC_URI = "\ > file://CVE-2018-18605.patch \ > file://CVE-2018-18606.patch \ > file://CVE-2018-18607.patch \ > + file://CVE-2018-20623.patch \ > + file://CVE-2018-20651.patch \ > + file://CVE-2018-20671.patch \ > + file://CVE-2018-1000876.patch \ > " > S = "${WORKDIR}/git" > > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch > new file mode 100644 > index 000..ff85351 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch 
> @@ -0,0 +1,180 @@ > +From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001 > +From: Alan Modra > +Date: Sun, 16 Dec 2018 23:02:50 +1030 > +Subject: [PATCH] PR23994, libbfd integer overflow > + > + PR 23994 > + * aoutx.h: Include limits.h. > + (get_reloc_upper_bound): Detect long overflow and return a file > + too big error if it occurs. > + * elf.c: Include limits.h. > + (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return > + a file too big error if it occurs. > + (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise. > + (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise. > + > +CVE: CVE-2018-1000876 > +Upstream-Status: Backport > +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f] > + > +Signed-off-by: Dan Tran > +--- > + bfd/aoutx.h | 40 +--- > + bfd/elf.c | 32 > + 2 files changed, 45 insertions(+), 27 deletions(-) > + > +diff --git a/bfd/aoutx.h b/bfd/aoutx.h > +index 023843b0be..78eaa9c503 100644 > +--- a/bfd/aoutx.h > b/bfd/aoutx.h > +@@ -117,6 +117,7 @@ DESCRIPTION > + #define KEEPIT udata.i > + > + #include "sysdep.h" > ++#include > + #include "bfd.h" > + #include "safe-ctype.h" > + #include "bfdlink.h" > +@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd, > + long > + NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) > + { > ++ bfd_size_type count; > ++ > + if (bfd_get_format (abfd) != bfd_object) > + { > + bfd_set_error (bfd_error_invalid_operation); > +@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, > sec_ptr asect) > + } > + > + if (asect->flags & SEC_CONSTRUCTOR) > +-return sizeof (arelent *) * (asect->reloc_count + 1); > +- > +- if (asect == obj_datasec (abfd)) > +-return sizeof (arelent *) > +- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd)) > +- + 1); > +- > +- if (asect == obj_textsec (abfd)) > +-return sizeof (arelent *) > +- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd)) > +- + 1); > +- > 
+- if (asect == obj_bsssec (abfd)) > +-return sizeof (arelent *); > +- > +- if (asect == obj_bsssec (abfd)) > +-return 0; > ++count = asect->reloc_count; > ++ else if (asect == obj_datasec (abfd)) > ++count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd); > ++ else if (asect == obj_textsec (abfd)) > ++count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd); > ++ else if (asect == obj_bsssec (abfd)) > ++count = 0; > ++ else > ++{ > ++ bfd_set_error (bfd_error_invalid_operation); > ++ return -1; > ++} > + > +- bfd_set_error (bfd_error_invalid_operation); > +- return -1; > ++ if (count >= LONG_MAX / sizeof (arelent *)) > ++{ > ++ bfd_set_error (bfd_error_file_too_big); > ++ return -1; > ++} > ++ return (count + 1) * sizeof (arelent *); > + } > + > + long > +diff --git a/bfd/elf.c b/bfd/elf.c > +index 828241d48a..10037176a3 100644 >
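Review bot: The new guard `if (count >= LONG_MAX / sizeof (arelent *))` in the `@@ -2498,26 +2501,25 @@` hunk of bfd/aoutx.h has no comment explaining why it uses `>=` rather than `>`. The return line computes `(count + 1) * sizeof (arelent *)`, so the extra slot must also fit in a `long`. I would add `/* One more slot is added on return, so reject any count for which (count + 1) * sizeof (arelent *) would not fit in a long.  */` directly above the check. The data and text branches still divide `a_drsize` and `a_trsize` by `obj_reloc_entry_size (abfd)` with no zero check visible here; that value presumably comes from the backend rather than the input file, but it is worth confirming. The function's signature and the `count` declaration sit in the preceding hunk, so only part of the body is visible in this one.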
[OE-core] [thud] binutils: Fix 4 CVEs
From: Dan Tran

Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and CVE-2018-1000876 for binutils 2.31.1.

Signed-off-by: Dan Tran
---
 meta/recipes-devtools/binutils/binutils-2.31.inc | 4 +
 .../binutils/binutils/CVE-2018-1000876.patch | 180 +
 .../binutils/binutils/CVE-2018-20623.patch | 74 +
 .../binutils/binutils/CVE-2018-20651.patch | 35
 .../binutils/binutils/CVE-2018-20671.patch | 49 ++
 5 files changed, 342 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 62acec5..ba9272a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -46,6 +46,10 @@ SRC_URI = "\
 file://CVE-2018-18605.patch \
 file://CVE-2018-18606.patch \
 file://CVE-2018-18607.patch \
+ file://CVE-2018-20623.patch \
+ file://CVE-2018-20651.patch \
+ file://CVE-2018-20671.patch \
+ file://CVE-2018-1000876.patch \
 "
 S = "${WORKDIR}/git"

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 000..ff85351
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@ +From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sun, 16 Dec 2018 23:02:50 +1030 +Subject: [PATCH] PR23994, libbfd integer overflow + + PR 23994 + * aoutx.h: Include limits.h. + (get_reloc_upper_bound): Detect long overflow and return a file + too big error if it occurs. + * elf.c: Include limits.h. + (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return + a file too big error if it occurs. + (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise. + (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise. + +CVE: CVE-2018-1000876 +Upstream-Status: Backport +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f] + +Signed-off-by: Dan Tran +--- + bfd/aoutx.h | 40 +--- + bfd/elf.c | 32 + 2 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/bfd/aoutx.h b/bfd/aoutx.h +index 023843b0be..78eaa9c503 100644 +--- a/bfd/aoutx.h b/bfd/aoutx.h +@@ -117,6 +117,7 @@ DESCRIPTION + #define KEEPIT udata.i + + #include "sysdep.h" ++#include + #include "bfd.h" + #include "safe-ctype.h" + #include "bfdlink.h" +@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd, + long + NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) + { ++ bfd_size_type count; ++ + if (bfd_get_format (abfd) != bfd_object) + { + bfd_set_error (bfd_error_invalid_operation); +@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) + } + + if (asect->flags & SEC_CONSTRUCTOR) +-return sizeof (arelent *) * (asect->reloc_count + 1); +- +- if (asect == obj_datasec (abfd)) +-return sizeof (arelent *) +- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd)) +- + 1); +- +- if (asect == obj_textsec (abfd)) +-return sizeof (arelent *) +- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd)) +- + 1); +- +- if (asect == obj_bsssec (abfd)) +-return sizeof (arelent *); +- +- if (asect == obj_bsssec (abfd)) +-return 0; ++count = 
asect->reloc_count; ++ else if (asect == obj_datasec (abfd)) ++count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd); ++ else if (asect == obj_textsec (abfd)) ++count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd); ++ else if (asect == obj_bsssec (abfd)) ++count = 0; ++ else ++{ ++ bfd_set_error (bfd_error_invalid_operation); ++ return -1; ++} + +- bfd_set_error (bfd_error_invalid_operation); +- return -1; ++ if (count >= LONG_MAX / sizeof (arelent *)) ++{ ++ bfd_set_error (bfd_error_file_too_big); ++ return -1; ++} ++ return (count + 1) * sizeof (arelent *); + } + + long +diff --git a/bfd/elf.c b/bfd/elf.c +index 828241d48a..10037176a3 100644 +--- a/bfd/elf.c b/bfd/elf.c +@@ -35,6 +35,7 @@ SECTION + /* For sparc64-cross-sparc32. */ + #define _SYSCALL32 + #include "sysdep.h" ++#include + #include "bfd.h" + #include "bfdlink.h" + #include "libbfd.h" +@@ -8114,11 +8115,16 @@ error_return: + long + _bfd_elf_get_symtab_upper_bound (bfd *abfd) + { +- long symcount; ++ bfd_size_type symcount; + long symtab_size; +