tamiko      17/08/02 00:01:36

  Added:                00_all_0001-ld-always-warn-about-textrels-in-files.patch
                        00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch
                        00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch
                        00_all_0004-gold-ld-enable-gnu-hash-by-default.patch
                        00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch
                        00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch
                        00_all_0007-CVE-2017-8398.patch
                        00_all_0008-CVE-2017-8393.patch
                        00_all_0009-CVE-2017-8394.patch
                        00_all_0010-CVE-2017-8395.patch
                        00_all_0011-CVE-2017-8396-CVE-2017-8397.patch
                        00_all_0012-CVE-2017-8421.patch
                        00_all_0013-CVE-2017-9038.patch
                        00_all_0014-CVE-2017-9039.patch
                        00_all_0015-CVE-2017-9040-CVE-2017-9042.patch
                        00_all_0016-CVE-2017-9041.patch
                        00_all_0017-CVE-2017-7614.patch
                        00_all_0018-CVE-2017-6965.patch
                        00_all_0019-CVE-2017-6966.patch
                        00_all_0020-CVE-2017-6969.patch
                        00_all_0021-fix-out-of-bounds-access-in-elf.c.patch
                        00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch
                        00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch
                        00_all_0024-CVE-2017-9742.patch
                        00_all_0025-CVE-2017-9954.patch
                        README.history
  Log:
  2.28.1 patchset 1.0

Revision  Changes    Path
1.1                  src/patchsets/binutils/2.28.1/00_all_0001-ld-always-warn-about-textrels-in-files.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0001-ld-always-warn-about-textrels-in-files.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0001-ld-always-warn-about-textrels-in-files.patch?rev=1.1&content-type=text/plain

Index: 00_all_0001-ld-always-warn-about-textrels-in-files.patch
===================================================================
>From bb101959912073f460669d75097215cde7b20019 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Mon, 16 May 2005 22:10:19 -0400
Subject: [PATCH] ld: always warn about textrels in files

textrels are bad for forcing copy-on-write (this affects everyone), and for
security/runtime code generation, this affects security ppl.  But in either
case, it doesn't matter who needs textrels, it's the very fact that they're
needed at all.
---
 ld/ldmain.c                 | 1 +
 ld/testsuite/lib/ld-lib.exp | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/ld/ldmain.c b/ld/ldmain.c
index 1e48b1a2dbbc..f634eaa908a5 100644
--- a/ld/ldmain.c
+++ b/ld/ldmain.c
@@ -294,6 +294,7 @@ main (int argc, char **argv)
   link_info.dynamic_undefined_weak = -1;
   link_info.pei386_auto_import = -1;
   link_info.spare_dynamic_tags = 5;
+  link_info.warn_shared_textrel = TRUE;
   link_info.path_separator = ':';
 #ifdef DEFAULT_FLAG_COMPRESS_DEBUG
   link_info.compress_debug = COMPRESS_DEBUG_GABI_ZLIB;
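Review bot: the flipped default is not documented anywhere in the patch; the diffstat touches only ld/ldmain.c and ld/testsuite/lib/ld-lib.exp, so `ld --help` and ld.texinfo keep describing `--warn-shared-textrel` as something the user turns on, and anyone who suddenly sees the DT_TEXTREL warning has nothing telling them this build enables it unconditionally. A one-line NEWS or ld.texinfo addition next to `--warn-shared-textrel` would close that gap.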
diff --git a/ld/testsuite/lib/ld-lib.exp b/ld/testsuite/lib/ld-lib.exp
index cf7886b4866f..6c6a0b7a001e 100644
--- a/ld/testsuite/lib/ld-lib.exp
+++ b/ld/testsuite/lib/ld-lib.exp
@@ -250,6 +250,10 @@ proc default_ld_simple_link { ld target objects } {
     # symbol, since the default linker script might use ENTRY.
     regsub -all "(^|\n)(\[^\n\]*: warning: cannot find entry 
symbol\[^\n\]*\n?)" $exec_output "\\1" exec_output
 
+    # Gentoo tweak:
+    # We want to ignore TEXTREL warnings since we force enable them by default
+    regsub -all "^lt-ld-new: warning: creating a DT_TEXTREL in object\." 
$exec_output "\\1" exec_output
+
     return [string match "" $exec_output]
 }
 
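Review bot: the Gentoo regsub `regsub -all "^lt-ld-new: warning: creating a DT_TEXTREL in object\."` will rarely strip anything: without the `-line` switch `^` anchors only at the very start of `$exec_output`, the hard-coded `lt-ld-new:` prefix does not follow the `\[^\n\]*:` form that the entry-symbol regsub just above uses for the program name, and the pattern does not consume the trailing newline, so `string match "" $exec_output` still fails whenever the warning is present. The `"\\1"` replacement also refers to a capture group this pattern does not define. Mirror the preceding pattern instead: `regsub -all "(^|\n)(\[^\n\]*: warning: creating a DT_TEXTREL in object\.\n?)" $exec_output "\\1" exec_output`.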
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch?rev=1.1&content-type=text/plain

Index: 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch
===================================================================
>From 9c3fda8166172bb9fa818bf2b7fec003847393d8 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Mon, 25 May 2015 04:42:58 -0400
Subject: [PATCH] gold/ld: add support for poisoned system directories

This is based on the old CodeSourcery patch written by Joseph Myers to add
support to the linker for detecting & rejecting bad -L paths when using a
cross-compiler.  The differences here:
* The command line flags are always available.
* We can turn on & off the warning via the command line.
* The configure option controls the default warning behavior.
* Add support for gold.

It is not currently upstream, nor has it been submitted at all.  There are
no plans to do so currently either.

BUG=chromium:488360
TEST=`cbuildbot chromiumos-sdk` passes  # tests arm/amd64/mipsel/x86
TEST=`cbuildbot panther_moblab-full whirlwind-release` pass
TEST=`cbuildbot {x32,arm64}-generic-full` has no new failures
TEST=x86_64-cros-linux-gnu-ld throws warnings when using -L/lib (gold & bfd)

Reviewed-on: https://chromium-review.googlesource.com/272083
---
 gold/options.cc | 33 +++++++++++++++++++++++++++++++++
 gold/options.h  |  7 +++++++
 ld/config.in    |  3 +++
 ld/configure    | 14 ++++++++++++++
 ld/configure.ac | 10 ++++++++++
 ld/ld.h         |  7 +++++++
 ld/ld.texinfo   | 18 ++++++++++++++++++
 ld/ldfile.c     | 20 ++++++++++++++++++++
 ld/ldlex.h      |  3 +++
 ld/ldmain.c     |  7 +++++++
 ld/lexsup.c     | 24 ++++++++++++++++++++++++
 11 files changed, 146 insertions(+)

diff --git a/gold/options.cc b/gold/options.cc
index ed63b6f04feb..5de289b5dd2e 100644
--- a/gold/options.cc
+++ b/gold/options.cc
@@ -1285,6 +1285,39 @@ General_options::finalize()
   // in the path, as appropriate.
   this->add_sysroot();
 
+  // Now check if library_path is poisoned.
+  if (this->warn_poison_system_directories())
+    {
+      std::vector<std::string> bad_paths;
+
+      bad_paths.push_back("/lib");
+      // TODO: This check is disabled for now due to a bunch of packages that
+      // use libtool and relink with -L/usr/lib paths (albeit after the right
+      // sysroot path).  Once those are fixed we can enable.
+      // We also need to adjust it so it only rejects one or two levels deep.
+      // Gcc's internal paths also live below /usr/lib.
+      // http://crbug.com/488360
+      // bad_paths.push_back("/usr/lib");
+      bad_paths.push_back("/usr/local/lib");
+      bad_paths.push_back("/usr/X11R6/lib");
+
+      for (std::vector<std::string>::const_iterator b = bad_paths.begin();
+          b != bad_paths.end();
+          ++b)
+       for (Dir_list::iterator p = this->library_path_.value.begin();
+            p != this->library_path_.value.end();
+            ++p)
+         if (!p->name().compare(0, b->size(), *b))
+           {
+             if (this->error_poison_system_directories())
+               gold_fatal(_("library search path \"%s\" is unsafe for "
+                            "cross-compilation"), p->name().c_str());
+             else
+               gold_warning(_("library search path \"%s\" is unsafe for "
+                              "cross-compilation"), p->name().c_str());
+           }
+    }
+
   // Now that we've normalized the options, check for contradictory ones.
   if (this->shared() && this->is_static())
     gold_fatal(_("-shared and -static are incompatible"));
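Review bot: the poisoned-path test `!p->name().compare(0, b->size(), *b)` is a plain prefix match, so `-L/lib64`, `-L/libexec` or `-L/usr/local/lib-foo` are reported as `/lib` and `/usr/local/lib` although they are not the system directories the message names. Require the prefix to be followed by `/` or by the end of the string, e.g. `(p->name().size() == b->size() || p->name()[b->size()] == '/')`. The same list and the same prefix test are duplicated in ld/ldfile.c with `strncmp`, so both copies need the fix.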
diff --git a/gold/options.h b/gold/options.h
index a8b1d46aa109..b7c725a82539 100644
--- a/gold/options.h
+++ b/gold/options.h
@@ -1344,6 +1344,13 @@ class General_options
   DEFINE_bool(warn_multiple_gp, options::TWO_DASHES, '\0', false,
              N_("Ignored"), NULL);
 
+  DEFINE_bool(warn_poison_system_directories, options::TWO_DASHES, '\0', false,
+             N_("Warn for -L options using system directories"),
+             N_("Do not warn for -L options using system directories"));
+  DEFINE_bool(error_poison_system_directories, options::TWO_DASHES, '\0', 
false,
+             N_("Give an error for -L options using system directories"),
+             NULL);
+
   DEFINE_bool(warn_search_mismatch, options::TWO_DASHES, '\0', true,
              N_("Warn when skipping an incompatible library"),
              N_("Don't warn when skipping an incompatible library"));
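Review bot: `warn_poison_system_directories` is hard-wired to `false` here, so gold ignores the `--enable-poison-system-directories` switch this patch adds to ld/configure.ac; the commit message's "The configure option controls the default warning behavior" therefore holds for bfd ld only (the diffstat has no gold/configure.ac change). Either add the matching AC_ARG_ENABLE on the gold side and key the default on ENABLE_POISON_SYSTEM_DIRECTORIES as ld/ldmain.c does, or state in the message that gold is opt-in only.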
diff --git a/ld/config.in b/ld/config.in
index 2c6d698b6ce1..d3cb7e882de9 100644
--- a/ld/config.in
+++ b/ld/config.in
@@ -17,6 +17,9 @@
    language is requested. */
 #undef ENABLE_NLS
 
+/* Define to warn for use of native system library directories */
+#undef ENABLE_POISON_SYSTEM_DIRECTORIES
+
 /* Additional extension a shared object might have. */
 #undef EXTRA_SHLIB_EXTENSION
 
diff --git a/ld/configure b/ld/configure
index 36af9695b1c8..bd1d677e0920 100755
--- a/ld/configure
+++ b/ld/configure
@@ -789,6 +789,7 @@ with_lib_path
 enable_targets
 enable_64_bit_bfd
 with_sysroot
+enable_poison_system_directories
 enable_gold
 enable_got
 enable_compressed_debug_sections
@@ -1446,6 +1447,8 @@ Optional Features:
   --disable-largefile     omit support for large files
   --enable-targets        alternative target configurations
   --enable-64-bit-bfd     64-bit support (on hosts with narrower word sizes)
+  --enable-poison-system-directories
+                          warn for use of native system library directories
   --enable-gold[=ARG]     build gold [ARG={default,yes,no}]
   --enable-got=<type>     GOT handling scheme (target, single, negative,
                           multigot)
@@ -15499,7 +15502,18 @@ else
 fi
 
 
+# Check whether --enable-poison-system-directories was given.
+if test "${enable_poison_system_directories+set}" = set; then :
+  enableval=$enable_poison_system_directories;
+else
+  enable_poison_system_directories=no
+fi
+
+if test "x${enable_poison_system_directories}" = "xyes"; then
 
+$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
+
+fi
 
 # Check whether --enable-got was given.
 if test "${enable_got+set}" = set; then :
diff --git a/ld/configure.ac b/ld/configure.ac
index 36a9f5083aea..47f1d33fa58c 100644
--- a/ld/configure.ac
+++ b/ld/configure.ac
@@ -95,6 +95,16 @@ AC_SUBST(use_sysroot)
 AC_SUBST(TARGET_SYSTEM_ROOT)
 AC_SUBST(TARGET_SYSTEM_ROOT_DEFINE)
 
+AC_ARG_ENABLE([poison-system-directories],
+         AS_HELP_STRING([--enable-poison-system-directories],
+                [warn for use of native system library directories]),,
+         [enable_poison_system_directories=no])
+if test "x${enable_poison_system_directories}" = "xyes"; then
+  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
+       [1],
+       [Define to warn for use of native system library directories])
+fi
+
 dnl Use --enable-gold to decide if this linker should be the default.
 dnl "install_as_default" is set to false if gold is the default linker.
 dnl "installed_linker" is the installed BFD linker name.
diff --git a/ld/ld.h b/ld/ld.h
index 104bb8e2376b..e1c3f744862d 100644
--- a/ld/ld.h
+++ b/ld/ld.h
@@ -172,6 +172,13 @@ typedef struct
   /* If set, display the target memory usage (per memory region).  */
   bfd_boolean print_memory_usage;
 
+  /* If TRUE warn for uses of system directories when cross linking.  */
+  bfd_boolean warn_poison_system_directories;
+
+  /* If TRUE (default FALSE) give an error for uses of system
+     directories when cross linking instead of a warning.  */
+  bfd_boolean error_poison_system_directories;
+
   /* Big or little endian as set on command line.  */
   enum endian_enum endian;
 
diff --git a/ld/ld.texinfo b/ld/ld.texinfo
index d393acdd9406..8eb156efb8dd 100644
--- a/ld/ld.texinfo
+++ b/ld/ld.texinfo
@@ -2403,6 +2403,24 @@ string identifying the original linked file does not 
change.
 
 Passing @code{none} for @var{style} disables the setting from any
 @code{--build-id} options earlier on the command line.
+
+@kindex --warn-poison-system-directories
+@item --warn-poison-system-directories
+Warn for @option{-L} options using system directories such as
+@file{/usr/lib} when cross linking.  This option is intended for use
+in environments that want to detect and reject incorrect link settings.
+
+@kindex --no-warn-poison-system-directories
+@item --no-warn-poison-system-directories
+Do not warn for @option{-L} options using system directories such as
+@file{/usr/lib} when cross linking.  This option is intended for use
+in chroot environments when such directories contain the correct
+libraries for the target system rather than the host.
+
+@kindex --error-poison-system-directories
+@item --error-poison-system-directories
+Give an error instead of a warning for @option{-L} options using
+system directories when cross linking.
 @end table
 
 @c man end
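Review bot: the documentation cites `/usr/lib` as its example of a system directory, but the `/usr/lib` check is commented out in both gold/options.cc and ld/ldfile.c (see the crbug.com/488360 TODO), so the only paths that actually trigger the warning are `/lib`, `/usr/local/lib` and `/usr/X11R6/lib`. List those, or phrase the text so it does not promise a check that is disabled.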
diff --git a/ld/ldfile.c b/ld/ldfile.c
index 0943bb2dfa0f..b3bc22469900 100644
--- a/ld/ldfile.c
+++ b/ld/ldfile.c
@@ -114,6 +114,26 @@ ldfile_add_library_path (const char *name, bfd_boolean 
cmdline)
     new_dirs->name = concat (ld_sysroot, name + 1, (const char *) NULL);
   else
     new_dirs->name = xstrdup (name);
+
+  if (command_line.warn_poison_system_directories
+      && (!strncmp (name, "/lib", 4)
+      /* TODO: This check is disabled for now due to a bunch of packages that
+       * use libtool and relink with -L/usr/lib paths (albeit after the right
+       * sysroot path).  Once those are fixed we can enable.
+       * We also need to adjust it so it only rejects one or two levels deep.
+       * Gcc's internal paths also live below /usr/lib.
+       * http://crbug.com/488360  */
+         /* || !strncmp (name, "/usr/lib", 8) */
+         || !strncmp (name, "/usr/local/lib", 14)
+         || !strncmp (name, "/usr/X11R6/lib", 14)))
+    {
+      if (command_line.error_poison_system_directories)
+       einfo (_("%X%P: error: library search path \"%s\" is unsafe for "
+                "cross-compilation\n"), name);
+      else
+       einfo (_("%P: warning: library search path \"%s\" is unsafe for "
+                "cross-compilation\n"), name);
+    }
 }
 
 /* Try to open a BFD for a lang_input_statement.  */
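Review bot: the check ignores the `cmdline` parameter of `ldfile_add_library_path`, so it fires for linker-script `SEARCH_DIR` entries just as for `-L`, and it sits after `new_dirs->name` has been filled in with nothing following the `einfo` call to drop or skip the entry, so with `--error-poison-system-directories` the link is marked failed via `%X` but the directory stays in the search list for the rest of the link. If the intent is to reject the path, skip the insertion before it happens; if only command-line paths are meant, gate on `cmdline`. As in gold/options.cc, `strncmp (name, "/lib", 4)` is a prefix test that also matches `/lib64` and `/libexec`; check the character after the prefix.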
diff --git a/ld/ldlex.h b/ld/ldlex.h
index 3ecac2bc865e..7ed67bae3f23 100644
--- a/ld/ldlex.h
+++ b/ld/ldlex.h
@@ -141,6 +141,9 @@ enum option_values
   OPTION_PRINT_OUTPUT_FORMAT,
   OPTION_PRINT_SYSROOT,
   OPTION_IGNORE_UNRESOLVED_SYMBOL,
+  OPTION_WARN_POISON_SYSTEM_DIRECTORIES,
+  OPTION_NO_WARN_POISON_SYSTEM_DIRECTORIES,
+  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
   OPTION_PUSH_STATE,
   OPTION_POP_STATE,
   OPTION_PRINT_MEMORY_USAGE,
diff --git a/ld/ldmain.c b/ld/ldmain.c
index f634eaa908a5..bba193355b0d 100644
--- a/ld/ldmain.c
+++ b/ld/ldmain.c
@@ -270,6 +270,13 @@ main (int argc, char **argv)
   command_line.warn_mismatch = TRUE;
   command_line.warn_search_mismatch = TRUE;
   command_line.check_section_addresses = -1;
+  command_line.warn_poison_system_directories =
+#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
+    TRUE;
+#else
+    FALSE;
+#endif
+  command_line.error_poison_system_directories = FALSE;
 
   /* We initialize DEMANGLING based on the environment variable
      COLLECT_NO_DEMANGLE.  The gcc collect2 program will demangle the
diff --git a/ld/lexsup.c b/ld/lexsup.c
index 0b7d4976ac90..327b203eeb25 100644
--- a/ld/lexsup.c
+++ b/ld/lexsup.c
@@ -524,6 +524,18 @@ static const struct ld_option ld_options[] =
     OPTION_IGNORE_UNRESOLVED_SYMBOL},
     '\0', N_("SYMBOL"),
     N_("Unresolved SYMBOL will not cause an error or warning"), TWO_DASHES },
+  { {"warn-poison-system-directories", no_argument, NULL,
+     OPTION_WARN_POISON_SYSTEM_DIRECTORIES},
+    '\0', NULL, N_("Warn for -L options using system directories"),
+    TWO_DASHES },
+  { {"no-warn-poison-system-directories", no_argument, NULL,
+     OPTION_NO_WARN_POISON_SYSTEM_DIRECTORIES},
+    '\0', NULL, N_("Do not warn for -L options using system directories"),
+    TWO_DASHES },
+  { {"error-poison-system-directories", no_argument, NULL,
+     OPTION_ERROR_POISON_SYSTEM_DIRECTORIES},
+    '\0', NULL, N_("Give an error for -L options using system directories"),
+    TWO_DASHES },
   { {"push-state", no_argument, NULL, OPTION_PUSH_STATE},
     '\0', NULL, N_("Push state of flags governing input file handling"),
     TWO_DASHES },
@@ -1528,6 +1540,18 @@ parse_args (unsigned argc, char **argv)
           }
           break;
 
+   case OPTION_WARN_POISON_SYSTEM_DIRECTORIES:
+     command_line.warn_poison_system_directories = TRUE;
+     break;
+
+   case OPTION_NO_WARN_POISON_SYSTEM_DIRECTORIES:
+     command_line.warn_poison_system_directories = FALSE;
+     break;
+
+   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
+     command_line.error_poison_system_directories = TRUE;
+     break;
+
        case OPTION_PUSH_STATE:
          input_flags.pushed = xmemdup (&input_flags,
                                        sizeof (input_flags),
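Review bot: indentation of the three new `case OPTION_*_POISON_SYSTEM_DIRECTORIES:` labels does not match the surrounding switch: they sit at 3 spaces with their bodies at 5, while the neighbouring `case OPTION_PUSH_STATE:` is at 7 with its body at 9 (GNU style, tabs expanded). Reindent the new cases to match, and the options-table hunk above is fine as is.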
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch?rev=1.1&content-type=text/plain

Index: 00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch
===================================================================
>From da0140fb5c8a9bccd0c66166c8e21cb3e37e2f1d Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Fri, 7 Jan 2005 00:15:53 -0500
Subject: [PATCH] ld: enable new dtags by default for linux/gnu targets

The "new" dtags options have been around for 14+ years now, so for Linux
and GNU targets, enable them by default.

2012-01-21  Mike Frysinger  <vap...@gentoo.org>

        * emultempl/elf32.em (gld${EMULATION_NAME}_before_parse): Set
        link_info.new_dtags to TRUE for linux/gnu targets.
        * NEWS: Mention new dtags default.

2013-01-22  Roland McGrath  <mcgra...@google.com>

        * emultempl/elf32.em (gld${EMULATION_NAME}_before_parse): Set
        new_dtags to TRUE for *-*-nacl* targets.
---
 ld/emultempl/elf32.em | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ld/emultempl/elf32.em b/ld/emultempl/elf32.em
index 84adaef6dfe1..92b7e4aabd0b 100644
--- a/ld/emultempl/elf32.em
+++ b/ld/emultempl/elf32.em
@@ -103,6 +103,16 @@ gld${EMULATION_NAME}_before_parse (void)
   input_flags.dynamic = ${DYNAMIC_LINK-TRUE};
   config.has_shared = `if test -n "$GENERATE_SHLIB_SCRIPT" ; then echo TRUE ; 
else echo FALSE ; fi`;
   config.separate_code = `if test "x${SEPARATE_CODE}" = xyes ; then echo TRUE 
; else echo FALSE ; fi`;
+EOF
+
+case ${target} in
+  *-*-linux-* | *-*-k*bsd*-* | *-*-gnu* | *-*-nacl*)
+    fragment <<EOF
+  link_info.new_dtags = TRUE;
+EOF
+    ;;
+esac
+fragment <<EOF
   `if test -n "$CALL_NOP_BYTE" ; then echo link_info.call_nop_byte = 
$CALL_NOP_BYTE; fi`;
   link_info.check_relocs_after_open_input = `if test 
"x${CHECK_RELOCS_AFTER_OPEN_INPUT}" = xyes ; then echo TRUE ; else echo FALSE ; 
fi`;
   link_info.relro = DEFAULT_LD_Z_RELRO;
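Review bot: the ChangeLog entry in the commit message lists `* NEWS: Mention new dtags default.` but the diffstat shows only ld/emultempl/elf32.em changed, so either the NEWS hunk was lost when rebasing onto 2.28.1 or the ChangeLog line is stale; drop one or restore the other so the message matches the patch. The `case ${target}` list itself is consistent with the two ChangeLog entries (linux/gnu plus nacl).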
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0004-gold-ld-enable-gnu-hash-by-default.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0004-gold-ld-enable-gnu-hash-by-default.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0004-gold-ld-enable-gnu-hash-by-default.patch?rev=1.1&content-type=text/plain

Index: 00_all_0004-gold-ld-enable-gnu-hash-by-default.patch
===================================================================
>From a6c35c40daf508b4f236b870c2b60bfa9b68de9e Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Sat, 27 Jan 2007 15:01:08 -0500
Subject: [PATCH] gold/ld: enable gnu hash by default

Glibc first added .gnu.hash support to glibc-2.5 (released 29 Sep 2006),
and gold was first released after that.  Let's default the gnu hash style
to the new "gnu" rather than the classic sysv.

gold/:
2012-02-03  Mike Frysinger  <vap...@gentoo.org>

        * options.h (General_options): Change default to gnu for hash_style.
---
 gold/options.h              |  2 +-
 ld/emultempl/elf32.em       | 13 +++++++++++++
 ld/testsuite/lib/ld-lib.exp |  4 ++--
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/gold/options.h b/gold/options.h
index b7c725a82539..ef1756671242 100644
--- a/gold/options.h
+++ b/gold/options.h
@@ -921,7 +921,7 @@ class General_options
                N_("Min fraction of empty buckets in dynamic hash"),
                N_("FRACTION"));
 
-  DEFINE_enum(hash_style, options::TWO_DASHES, '\0', "sysv",
+  DEFINE_enum(hash_style, options::TWO_DASHES, '\0', "gnu",
              N_("Dynamic hash style"), N_("[sysv,gnu,both]"),
              {"sysv", "gnu", "both"});
 
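Review bot: the gold default switches to `gnu` for every target, whereas the ld/emultempl/elf32.em hunk in this same patch explicitly keeps `mips*` on the classic hash. The bfd-side carve-out exists because the standard .gnu.hash layout conflicts with the .dynsym ordering the MIPS ABI requires; if that applies to gold's MIPS backend too, it needs the same exception, otherwise the commit message should say why gold can differ.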
diff --git a/ld/emultempl/elf32.em b/ld/emultempl/elf32.em
index 92b7e4aabd0b..ac2090a54eb1 100644
--- a/ld/emultempl/elf32.em
+++ b/ld/emultempl/elf32.em
@@ -100,6 +100,19 @@ static void
 gld${EMULATION_NAME}_before_parse (void)
 {
   ldfile_set_output_arch ("${OUTPUT_ARCH}", bfd_arch_`echo ${ARCH} | sed -e 
's/:.*//'`);
+EOF
+# Enable gnu hash by default for Linux (non-mips) targets.
+# This has been supported since glibc-2.5.
+case ${target} in
+  mips*) ;;
+  *-*-linux-* | *-*-gnu*)
+    fragment <<EOF
+  link_info.emit_hash = FALSE;
+  link_info.emit_gnu_hash = TRUE;
+EOF
+    ;;
+esac
+fragment <<EOF
   input_flags.dynamic = ${DYNAMIC_LINK-TRUE};
   config.has_shared = `if test -n "$GENERATE_SHLIB_SCRIPT" ; then echo TRUE ; 
else echo FALSE ; fi`;
   config.separate_code = `if test "x${SEPARATE_CODE}" = xyes ; then echo TRUE 
; else echo FALSE ; fi`;
diff --git a/ld/testsuite/lib/ld-lib.exp b/ld/testsuite/lib/ld-lib.exp
index 6c6a0b7a001e..53ad4a15e983 100644
--- a/ld/testsuite/lib/ld-lib.exp
+++ b/ld/testsuite/lib/ld-lib.exp
@@ -147,7 +147,7 @@ proc default_ld_relocate { ld target objects } {
     global HOSTING_EMU
 
     remote_file host delete $target
-    return [run_host_cmd_yesno "$ld" "$HOSTING_EMU -o $target -r $objects"]
+    return [run_host_cmd_yesno "$ld" "$HOSTING_EMU --hash-style=sysv -o 
$target -r $objects"]
 }
 
 # Check to see if ld is being invoked with a non-endian output format
@@ -228,7 +228,7 @@ proc default_ld_link { ld target objects } {
 
     remote_file host delete $target
 
-    return [run_host_cmd_yesno "$ld" "$HOSTING_EMU $flags -o $target $objs 
$libs"]
+    return [run_host_cmd_yesno "$ld" "$HOSTING_EMU --hash-style=sysv $flags -o 
$target $objs $libs"]
 }
 
 # Link a program using ld, without including any libraries.
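Review bot: `--hash-style=sysv` is an ELF-only option (it is parsed by the ELF emulation), so adding it unconditionally to the generic `default_ld_link` and `default_ld_relocate` helpers makes every test fail with an unrecognized-option error on non-ELF configurations (PE, a.out and friends). Guard it on the target, e.g. append it only when `[is_elf_format]`, or carry it in HOSTING_EMU. In the `default_ld_relocate` hunk the flag is also inert, since a `-r` link emits no dynamic hash section.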
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch?rev=1.1&content-type=text/plain

Index: 00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch
===================================================================
>From bb4bd6b89365800a7b403ce505401d0c02ad02f8 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Fri, 7 Jan 2005 00:15:53 -0500
Subject: [PATCH] libiberty: install PIC version of libiberty.a

This will install a PIC version of libiberty.a by overwriting the non-PIC
version of libiberty.a while compiling.  We do this because there is no
shared version of libiberty for random apps to link against which means if
someone wants to use this in a shared library or PIE, they're out of luck.
It's arguable whether people should be able to use this in a shared lib,
but usage in PIE should be fine.  You could argue that this penalizes the
non-PIE users, but the counter point is that people using this library in
general are fairly low, and we'd rather have things work for all of them.
---
 libiberty/Makefile.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libiberty/Makefile.in b/libiberty/Makefile.in
index 0ff9e45e45ef..55a70330ffb8 100644
--- a/libiberty/Makefile.in
+++ b/libiberty/Makefile.in
@@ -256,6 +256,7 @@ $(TARGETLIB): $(REQUIRED_OFILES) $(EXTRA_OFILES) $(LIBOBJS)
          $(AR) $(AR_FLAGS) $(TARGETLIB) \
            $(REQUIRED_OFILES) $(EXTRA_OFILES) $(LIBOBJS); \
          $(RANLIB) $(TARGETLIB); \
+         cp $(TARGETLIB) ../ ; \
          cd ..; \
        else true; fi; \
        if [ x"$(NOASANFLAG)" != x ]; then \
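Review bot: `cp $(TARGETLIB) ../ ;` silently overwrites the non-PIC `libiberty.a` that the same rule built a few lines earlier, and nothing in the Makefile says this is deliberate; put the rationale from the commit message in a comment beside the `cp`, because the rule otherwise reads as though the two archives are meant to stay distinct. Note also that the copy only happens inside the `PICFLAG` branch, so on a host where `PICFLAG` is empty the installed archive is still the non-PIC build.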
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch?rev=1.1&content-type=text/plain

Index: 00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch
===================================================================
>From 561d984aa3a3b99bbd9c6ddf6ba08dadd107d62c Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Tue, 5 Jul 2016 20:24:00 +0545
Subject: [PATCH] opcodes: link against libbfd.la for rpath deps

The reason opcodes doesn't link against libbfd.la is to workaround a
libtool bug where it uses installed -L paths ahead of DESTDIR paths.
The downside is that the library itself lacks rpath tags to find the
right version of libbfd.so.

Since Gentoo has patched the libtool bug for a while, we don't need
the workaround.  Use the .la file so we get the rpath tags.

URL: https://bugs.gentoo.org/563934
---
 opcodes/configure    | 2 +-
 opcodes/configure.ac | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/opcodes/configure b/opcodes/configure
index be87eb22a5f0..19528bef6906 100755
--- a/opcodes/configure
+++ b/opcodes/configure
@@ -12561,7 +12561,7 @@ if test "$enable_shared" = "yes"; then
           SHARED_LIBADD="-Wl,`pwd`/../bfd/.libs/libbfd.sl ${SHARED_LIBADD}"
          ;;
        *)
-          SHARED_LIBADD="-Wl,`pwd`/../bfd/.libs/libbfd.so ${SHARED_LIBADD}"
+          SHARED_LIBADD="../bfd/libbfd.la ${SHARED_LIBADD}"
          ;;
       esac
       SHARED_DEPENDENCIES="../bfd/libbfd.la"
diff --git a/opcodes/configure.ac b/opcodes/configure.ac
index b9f5eb8a4fdf..b5ff57a341ea 100644
--- a/opcodes/configure.ac
+++ b/opcodes/configure.ac
@@ -185,7 +185,7 @@ changequote([,])dnl
           SHARED_LIBADD="-Wl,`pwd`/../bfd/.libs/libbfd.sl ${SHARED_LIBADD}"
          ;;
        *)
-          SHARED_LIBADD="-Wl,`pwd`/../bfd/.libs/libbfd.so ${SHARED_LIBADD}"
+          SHARED_LIBADD="../bfd/libbfd.la ${SHARED_LIBADD}"
          ;;
       esac
       SHARED_DEPENDENCIES="../bfd/libbfd.la"
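Review bot: only the `*)` branch is changed; the HP-UX branch just above still links with `-Wl,`pwd`/../bfd/.libs/libbfd.sl`, so the missing-rpath problem the message describes remains there. If that branch is left alone on purpose (no HP-UX support in this patchset), say so in the message; otherwise switch it to the `.la` as well. The hand-edited opcodes/configure hunk does match this configure.ac change, so there is no regeneration mismatch to worry about.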
-- 
2.11.1




1.1                  src/patchsets/binutils/2.28.1/00_all_0007-CVE-2017-8398.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0007-CVE-2017-8398.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0007-CVE-2017-8398.patch?rev=1.1&content-type=text/plain

Index: 00_all_0007-CVE-2017-8398.patch
===================================================================
>From 9e7b0cc09e3b8a9db2fdab786894757b7e1aab4c Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:07:32 -0500
Subject: [PATCH 01/10] CVE-2017-8398

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
[2] https://bugs.gentoo.org/show_bug.cgi?id=618514
---
 binutils/dwarf.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 14 deletions(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 0184a7a..05efa6e 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -473,15 +473,20 @@ process_extended_line_op (unsigned char * data,
       printf (_("  Entry\tDir\tTime\tSize\tName\n"));
       printf ("   %d\t", ++state_machine_regs.last_file_entry);
 
-      name = data;
-      data += strnlen ((char *) data, end - data) + 1;
-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
-      data += bytes_read;
-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
-      data += bytes_read;
-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
-      data += bytes_read;
-      printf ("%s\n\n", name);
+      {
+       size_t l;
+
+       name = data;
+       l = strnlen ((char *) data, end - data);
+       data += len + 1;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
+       data += bytes_read;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
+       data += bytes_read;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, 
end)));
+       data += bytes_read;
+       printf ("%.*s\n\n", (int) l, name);
+      }
 
       if (((unsigned int) (data - orig_data) != len) || data == end)
        warn (_("DW_LNE_define_file: Bad opcode length\n"));
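Review bot: `data += len + 1;` advances by `len`, which in this function is the extended-opcode length (it is compared against `data - orig_data` immediately after the block), not by the string length `l` that was just computed with `strnlen` and is otherwise used only for the `%.*s` print. With `len` the three `read_uleb128` calls start past the end of this opcode, the Dir/Time/Size columns are read from whatever follows, and the `(data - orig_data) != len` check then reports a bad opcode length even for a well-formed DW_LNE_define_file. This should be `data += l + 1;`.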
@@ -598,18 +603,28 @@ static const unsigned char *
 fetch_indirect_string (dwarf_vma offset)
 {
   struct dwarf_section *section = &debug_displays [str].section;
+  const unsigned char * ret;
 
   if (section->start == NULL)
     return (const unsigned char *) _("<no .debug_str section>");
 
-  if (offset > section->size)
+  if (offset >= section->size)
     {
       warn (_("DW_FORM_strp offset too big: %s\n"),
            dwarf_vmatoa ("x", offset));
       return (const unsigned char *) _("<offset is too big>");
     }
 
-  return (const unsigned char *) section->start + offset;
+  ret = section->start + offset;
+  /* Unfortunately we cannot rely upon the .debug_str section ending with a
+     NUL byte.  Since our caller is expecting to receive a well formed C
+     string we test for the lack of a terminating byte here.  */
+  if (strnlen ((const char *) ret, section->size - offset)
+      == section->size - offset)
+    ret = (const unsigned char *)
+      _("<no NUL byte at end of .debug_str section>");
+
+  return ret; 
 }
 
 static const char *
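Review bot: trailing whitespace after `return ret;`. The change from `>` to `>=` is right, since an offset equal to `section->size` would otherwise hand the caller a pointer at the section end, and the `strnlen` guard correctly covers a `.debug_str` that does not end in NUL.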
@@ -622,6 +637,7 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set 
*this_set,
   struct dwarf_section *str_section = &debug_displays [str_sec_idx].section;
   dwarf_vma index_offset = idx * offset_size;
   dwarf_vma str_offset;
+  const char * ret;
 
   if (index_section->start == NULL)
     return (dwo ? _("<no .debug_str_offsets.dwo section>")
@@ -629,7 +645,7 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set 
*this_set,
 
   if (this_set != NULL)
     index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
-  if (index_offset > index_section->size)
+  if (index_offset >= index_section->size)
     {
       warn (_("DW_FORM_GNU_str_index offset too big: %s\n"),
            dwarf_vmatoa ("x", index_offset));
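Review bot: `index_offset >= index_section->size` only guarantees that the first byte is inside the section, but the read that follows in the next hunk, `byte_get (index_section->start + index_offset, offset_size)`, consumes `offset_size` bytes, so an index whose entry straddles the end of `.debug_str_offsets` still reads past it. The bound should be `index_offset + offset_size > index_section->size`, taking care that `index_offset` (computed as `idx * offset_size`) cannot wrap.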
@@ -642,14 +658,22 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set 
*this_set,
 
   str_offset = byte_get (index_section->start + index_offset, offset_size);
   str_offset -= str_section->address;
-  if (str_offset > str_section->size)
+  if (str_offset >= str_section->size)
     {
       warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"),
            dwarf_vmatoa ("x", str_offset));
       return _("<indirect index offset is too big>");
     }
 
-  return (const char *) str_section->start + str_offset;
+  ret = (const char *) str_section->start + str_offset;
+  /* Unfortunately we cannot rely upon str_section ending with a NUL byte.
+     Since our caller is expecting to receive a well formed C string we test
+     for the lack of a terminating byte here.  */
+  if (strnlen (ret, str_section->size - str_offset)
+      == str_section->size - str_offset)
+    ret = (const char *) _("<no NUL byte at end of section>");
+
+  return ret;
 }
 
 static const char *
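Review bot: `str_offset -= str_section->address;` runs before the range check; with dwarf_vma being unsigned, a str_offset below the section address wraps to a large value that the new `>=` test then rejects, so the order is correct, but a one-line comment would stop a later cleanup from "fixing" it. Minor: the fallback here is `<no NUL byte at end of section>` while the equivalent path in fetch_indirect_string says `<no NUL byte at end of .debug_str section>`; make the two consistent.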
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0008-CVE-2017-8393.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0008-CVE-2017-8393.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0008-CVE-2017-8393.patch?rev=1.1&content-type=text/plain

Index: 00_all_0008-CVE-2017-8393.patch
===================================================================
>From 86b4e5aeedbcf022e4d02810b48cb3e1a9d52d32 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:13:05 -0500
Subject: [PATCH 02/10] CVE-2017-8393

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
[2] https://bugs.gentoo.org/show_bug.cgi?id=618516
---
 bfd/elf-bfd.h      |  8 ++++---
 bfd/elf.c          | 61 +++++++++++++++++++++++++++++++-----------------------
 bfd/elf64-ppc.c    |  1 +
 bfd/elfxx-target.h |  2 +-
 4 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index 5de9ab6..366660a 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -1322,8 +1322,10 @@ struct elf_backend_data
   bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec,
                                       bfd_vma *code_off);
 
-  /* Return the section which RELOC_SEC applies to.  */
-  asection *(*get_reloc_section) (asection *reloc_sec);
+  /* Given NAME, the name of a relocation section stripped of its
+     .rel/.rela prefix, return the section in ABFD to which the
+     relocations apply.  */
+  asection *(*get_reloc_section) (bfd *abfd, const char *name);
 
   /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
      has a type >= SHT_LOOS.  Returns TRUE if the fields were initialised,
@@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_type (unsigned 
int);
 extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *,
                                                  bfd_vma *);
 
-extern asection *_bfd_elf_get_reloc_section (asection *);
+extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *);
 
 extern int bfd_elf_get_default_section_type (flagword);
 
diff --git a/bfd/elf.c b/bfd/elf.c
index 94726ba..4ddcb1f 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, 
void *failedptrarg)
   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
 }
 
-/* Return the section which RELOC_SEC applies to.  */
+/* Given NAME, the name of a relocation section stripped of its
+   .rel/.rela prefix, return the section in ABFD to which the
+   relocations apply.  */
 
 asection *
-_bfd_elf_get_reloc_section (asection *reloc_sec)
+_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name)
+{
+  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+     section likely apply to .got.plt or .got section.  */
+  if (get_elf_backend_data (abfd)->want_got_plt
+      && strcmp (name, ".plt") == 0)
+    {
+      asection *sec;
+
+      name = ".got.plt";
+      sec = bfd_get_section_by_name (abfd, name);
+      if (sec != NULL)
+       return sec;
+      name = ".got";
+    }
+
+  return bfd_get_section_by_name (abfd, name);
+}
+
+/* Return the section to which RELOC_SEC applies.  */
+
+static asection *
+elf_get_reloc_section (asection *reloc_sec)
 {
   const char *name;
   unsigned int type;
   bfd *abfd;
-
-  if (reloc_sec == NULL)
-    return NULL;
+  const struct elf_backend_data *bed;
 
   type = elf_section_data (reloc_sec)->this_hdr.sh_type;
   if (type != SHT_REL && type != SHT_RELA)
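Review bot: the `if (reloc_sec == NULL) return NULL;` guard is dropped from the renamed static `elf_get_reloc_section`, which now dereferences `reloc_sec` unconditionally in `elf_section_data (reloc_sec)->this_hdr.sh_type`; the one call site visible in this patch (`elf_get_reloc_section (sec)` in assign_section_numbers) does not guard `sec` either, so either keep the one-line check or document why callers never pass NULL. Also, `_bfd_elf_plt_get_reloc_section` keeps the `.got.plt` / `.got` fallback but loses the old comment explaining that `.got.plt` is a linker-created input section that may be mapped to another output section; that rationale is worth carrying over.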
@@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *reloc_sec)
 
   /* We look up the section the relocs apply to by name.  */
   name = reloc_sec->name;
-  if (type == SHT_REL)
-    name += 4;
-  else
-    name += 5;
+  if (strncmp (name, ".rel", 4) != 0)
+    return NULL;
+  name += 4;
+  if (type == SHT_RELA && *name++ != 'a')
+    return NULL;
 
-  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
-     section apply to .got.plt section.  */
   abfd = reloc_sec->owner;
-  if (get_elf_backend_data (abfd)->want_got_plt
-      && strcmp (name, ".plt") == 0)
-    {
-      /* .got.plt is a linker created input section.  It may be mapped
-        to some other output section.  Try two likely sections.  */
-      name = ".got.plt";
-      reloc_sec = bfd_get_section_by_name (abfd, name);
-      if (reloc_sec != NULL)
-       return reloc_sec;
-      name = ".got";
-    }
-
-  reloc_sec = bfd_get_section_by_name (abfd, name);
-  return reloc_sec;
+  bed = get_elf_backend_data (abfd);
+  return bed->get_reloc_section (abfd, name);
 }
 
 /* Assign all ELF section numbers.  The dummy first section is handled here
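Review bot: this hunk is the actual fix: the old code did `name += 4` or `name += 5` without checking that the section name is that long, so a SHT_REL or SHT_RELA section whose name is shorter than its expected prefix advanced the pointer past the terminating NUL and looked up whatever followed. The new `strncmp (name, ".rel", 4)` plus the `'a'` test for SHT_RELA is safe even for a name that is exactly `.rel`: the SHT_RELA branch compares the terminating NUL with 'a' and returns NULL without reading further. One nit: with the `.plt` redirection moved into the backend hook, the comment "We look up the section the relocs apply to by name" no longer fully describes what this function does.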
@@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struct bfd_link_info 
*link_info)
          if (s != NULL)
            d->this_hdr.sh_link = elf_section_data (s)->this_idx;
 
-         s = get_elf_backend_data (abfd)->get_reloc_section (sec);
+         s = elf_get_reloc_section (sec);
          if (s != NULL)
            {
              d->this_hdr.sh_info = elf_section_data (s)->this_idx;
diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
index e7d4792..81eccd8 100644
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -121,6 +121,7 @@ static bfd_vma opd_entry_value
 #define elf_backend_special_sections         ppc64_elf_special_sections
 #define elf_backend_merge_symbol_attribute    ppc64_elf_merge_symbol_attribute
 #define elf_backend_merge_symbol             ppc64_elf_merge_symbol
+#define elf_backend_get_reloc_section        bfd_get_section_by_name
 
 /* The name of the dynamic interpreter.  This is put in the .interp
    section.  */
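Review bot: pointing `elf_backend_get_reloc_section` straight at `bfd_get_section_by_name` works because the hook signature is now `(bfd *, const char *)`, matching the `asection *bfd_get_section_by_name (bfd *abfd, const char *name);` prototype visible in the bfd-in2.h context of the next patch, but it silently opts ppc64 out of the `.plt` -> `.got.plt` redirection done by the default `_bfd_elf_plt_get_reloc_section`. A one-line comment saying why ppc64 wants a plain name lookup would save the next reader a trip through elf.c.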
diff --git a/bfd/elfxx-target.h b/bfd/elfxx-target.h
index d063fb7..ad8c5d9 100644
--- a/bfd/elfxx-target.h
+++ b/bfd/elfxx-target.h
@@ -706,7 +706,7 @@
 #endif
 
 #ifndef elf_backend_get_reloc_section
-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
+#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
 #endif
 
 #ifndef elf_backend_copy_special_section_fields
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0009-CVE-2017-8394.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0009-CVE-2017-8394.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0009-CVE-2017-8394.patch?rev=1.1&content-type=text/plain

Index: 00_all_0009-CVE-2017-8394.patch
===================================================================
>From d33b8e5e50b3eb33313e3c61039cf93d31e840b9 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:15:05 -0500
Subject: [PATCH 03/10] CVE-2017-8394

[1] https://bugs.gentoo.org/show_bug.cgi?id=618516
[2] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2
---
 bfd/bfd-in2.h | 12 ++++++++++++
 bfd/elf.c     |  6 ++++--
 bfd/section.c | 24 ++++++++++++------------
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
index 6288c3b..44e8711 100644
--- a/bfd/bfd-in2.h
+++ b/bfd/bfd-in2.h
@@ -1838,6 +1838,18 @@ extern asection _bfd_std_section[4];
      { NULL }, { NULL }                                                \
     }
 
+/* We use a macro to initialize the static asymbol structures because
+   traditional C does not permit us to initialize a union member while
+   gcc warns if we don't initialize it.
+   the_bfd, name, value, attr, section [, udata]  */
+#ifdef __STDC__
+#define GLOBAL_SYM_INIT(NAME, SECTION) \
+  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
+#else
+#define GLOBAL_SYM_INIT(NAME, SECTION) \
+  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
+#endif
+
 void bfd_section_list_clear (bfd *);
 
 asection *bfd_get_section_by_name (bfd *abfd, const char *name);
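Review bot: bfd-in2.h is a generated header (the same text is added to section.c below under `CODE_FRAGMENT` with the `.` prefix that the extraction step strips), so this hunk should be the regeneration output rather than a hand edit; the two copies match here, but re-running the headers target and diffing would confirm nothing else drifted. Keeping the `the_bfd, name, value, attr, section [, udata]` line directly above the macro, as done, is the right place for it since it documents the initializer order.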
diff --git a/bfd/elf.c b/bfd/elf.c
index 4ddcb1f..22c199a 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -11164,9 +11164,11 @@ _bfd_elf_get_synthetic_symtab (bfd *abfd,
 
 /* It is only used by x86-64 so far.
    ??? This repeats *COM* id of zero.  sec->id is supposed to be unique,
-   but current usage would allow all of _bfd_std_section to be zero.  t*/
+   but current usage would allow all of _bfd_std_section to be zero.  */
+static const asymbol lcomm_sym
+  = GLOBAL_SYM_INIT ("LARGE_COMMON", &_bfd_elf_large_com_section);
 asection _bfd_elf_large_com_section
-  = BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL,
+  = BFD_FAKE_SECTION (_bfd_elf_large_com_section, &lcomm_sym,
                      "LARGE_COMMON", 0, SEC_IS_COMMON);
 
 void
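Review bot: this is the fix: `_bfd_elf_large_com_section` was built with a `NULL` symbol pointer (the argument removed from BFD_FAKE_SECTION), so anything that dereferenced the LARGE_COMMON section's symbol hit NULL; `lcomm_sym`, initialised through GLOBAL_SYM_INIT with BSF_SECTION_SYM, gives it a real section symbol. The `t*/` -> `*/` comment repair is bundled in, which is fine; note that the `??? This repeats *COM* id of zero` remark is still true after this change and should remain.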
diff --git a/bfd/section.c b/bfd/section.c
index 4b3cf6a..28eee7f 100644
--- a/bfd/section.c
+++ b/bfd/section.c
@@ -738,20 +738,20 @@ CODE_FRAGMENT
 .     { NULL }, { NULL }                                               \
 .    }
 .
+.{* We use a macro to initialize the static asymbol structures because
+.   traditional C does not permit us to initialize a union member while
+.   gcc warns if we don't initialize it.
+.   the_bfd, name, value, attr, section [, udata]  *}
+.#ifdef __STDC__
+.#define GLOBAL_SYM_INIT(NAME, SECTION) \
+.  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
+.#else
+.#define GLOBAL_SYM_INIT(NAME, SECTION) \
+.  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
+.#endif
+.
 */
 
-/* We use a macro to initialize the static asymbol structures because
-   traditional C does not permit us to initialize a union member while
-   gcc warns if we don't initialize it.  */
- /* the_bfd, name, value, attr, section [, udata] */
-#ifdef __STDC__
-#define GLOBAL_SYM_INIT(NAME, SECTION) \
-  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
-#else
-#define GLOBAL_SYM_INIT(NAME, SECTION) \
-  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
-#endif
-
 /* These symbols are global, not specific to any BFD.  Therefore, anything
    that tries to change them is broken, and should be repaired.  */
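Review bot: moving GLOBAL_SYM_INIT into the CODE_FRAGMENT exports it through bfd.h without a `BFD_` or `bfd_` prefix, unlike BFD_FAKE_SECTION right above it; consider BFD_GLOBAL_SYM_INIT, or at least a note that it is exported only so elf.c can build `lcomm_sym`. The `.`-prefixed lines and the `{*` `*}` comment delimiters follow the fragment convention used above, good.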
 
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0010-CVE-2017-8395.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0010-CVE-2017-8395.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0010-CVE-2017-8395.patch?rev=1.1&content-type=text/plain

Index: 00_all_0010-CVE-2017-8395.patch
===================================================================
>From a5e7c6c6fcc0aa2ad70a7b02c928f2b075140a5e Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:16:39 -0500
Subject: [PATCH 04/10] CVE-2017-8395

[1] https://bugs.gentoo.org/show_bug.cgi?id=618516
[2] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3
---
 bfd/compress.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/bfd/compress.c b/bfd/compress.c
index 1ed7d74..4a2d98a 100644
--- a/bfd/compress.c
+++ b/bfd/compress.c
@@ -542,7 +542,6 @@ bfd_init_section_compress_status (bfd *abfd, sec_ptr sec)
 {
   bfd_size_type uncompressed_size;
   bfd_byte *uncompressed_buffer;
-  bfd_boolean ret;
 
   /* Error if not opened for read.  */
   if (abfd->direction != read_direction
@@ -558,18 +557,18 @@ bfd_init_section_compress_status (bfd *abfd, sec_ptr sec)
   /* Read in the full section contents and compress it.  */
   uncompressed_size = sec->size;
   uncompressed_buffer = (bfd_byte *) bfd_malloc (uncompressed_size);
+  /* PR 21431 */
+  if (uncompressed_buffer == NULL)
+    return FALSE;
+
   if (!bfd_get_section_contents (abfd, sec, uncompressed_buffer,
                                 0, uncompressed_size))
-    ret = FALSE;
-  else
-    {
-      uncompressed_size = bfd_compress_section_contents (abfd, sec,
-                                                        uncompressed_buffer,
-                                                        uncompressed_size);
-      ret = uncompressed_size != 0;
-    }
+    return FALSE;
 
-  return ret;
+  uncompressed_size = bfd_compress_section_contents (abfd, sec,
+                                                    uncompressed_buffer,
+                                                    uncompressed_size);
+  return uncompressed_size != 0;
 }
 
 /*
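Review bot: the NULL check after `bfd_malloc` is the PR 21431 fix, but the early `return FALSE` when `bfd_get_section_contents` fails leaves `uncompressed_buffer` allocated and unreferenced (the old `ret = FALSE` path leaked it too; the restructuring just makes it obvious). Add `free (uncompressed_buffer);` before that return. Whether `bfd_compress_section_contents` takes ownership of the buffer on the success path is not visible in this hunk, so that path is presumably fine as is.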
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0011-CVE-2017-8396-CVE-2017-8397.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0011-CVE-2017-8396-CVE-2017-8397.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0011-CVE-2017-8396-CVE-2017-8397.patch?rev=1.1&content-type=text/plain

Index: 00_all_0011-CVE-2017-8396-CVE-2017-8397.patch
===================================================================
>From b3ef1a9331f8eaf178084393f1525ab9150c39d8 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:20:20 -0500
Subject: [PATCH 05/10] CVE-2017-8396, CVE-2017-8397

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
    
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab
[2] https://bugs.gentoo.org/show_bug.cgi?id=618516
---
 bfd/reloc.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/bfd/reloc.c b/bfd/reloc.c
index 9021a52..80986b3 100644
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -538,6 +538,22 @@ bfd_check_overflow (enum complain_overflow how,
   return flag;
 }
 
+/* HOWTO describes a relocation, at offset OCTET.  Return whether the
+   relocation field is within SECTION of ABFD.  */
+
+static bfd_boolean
+reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,
+                      asection *section, bfd_size_type octet)
+{
+  bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
+  bfd_size_type reloc_size = bfd_get_reloc_size (howto);
+
+  /* The reloc field must be contained entirely within the section.
+     Allow zero length fields (marker relocs or NONE relocs where no
+     relocation will be performed) at the end of the section.  */
+  return octet <= octet_end && octet + reloc_size <= octet_end;
+}
+
 /*
 FUNCTION
        bfd_perform_relocation
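Review bot: the two-clause test `octet <= octet_end && octet + reloc_size <= octet_end` is what makes this a real fix rather than a refactor: the single check it replaces at the call sites, `octets + bfd_get_reloc_size (howto) > limit`, could be satisfied by an `r_offset` large enough for `octets + reloc_size` to wrap, whereas the new first clause rejects any octet beyond the section before the addition is evaluated. Suggest carrying the `PR 17512` reference dropped from the bfd_perform_relocation hunk into this comment so the reproducer files stay findable from the code.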
@@ -619,12 +635,9 @@ bfd_perform_relocation (bfd *abfd,
   if (howto == NULL)
     return bfd_reloc_undefined;
 
-  /* Is the address of the relocation really within the section?
-     Include the size of the reloc in the test for out of range addresses.
-     PR 17512: file: c146ab8b, 46dff27f, 38e53ebf.  */
+  /* Is the address of the relocation really within the section?  */
   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
-  if (octets + bfd_get_reloc_size (howto)
-      > bfd_get_section_limit_octets (abfd, input_section))
+  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
     return bfd_reloc_outofrange;
 
   /* Work out which section the relocation is targeted at and the
@@ -1012,8 +1025,7 @@ bfd_install_relocation (bfd *abfd,
 
   /* Is the address of the relocation really within the section?  */
   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
-  if (octets + bfd_get_reloc_size (howto)
-      > bfd_get_section_limit_octets (abfd, input_section))
+  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
     return bfd_reloc_outofrange;
 
   /* Work out which section the relocation is targeted at and the
@@ -1351,8 +1363,7 @@ _bfd_final_link_relocate (reloc_howto_type *howto,
   bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
 
   /* Sanity check the address.  */
-  if (octets + bfd_get_reloc_size (howto)
-      > bfd_get_section_limit_octets (input_bfd, input_section))
+  if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
     return bfd_reloc_outofrange;
 
   /* This function assumes that we are dealing with a basic relocation
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0012-CVE-2017-8421.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0012-CVE-2017-8421.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0012-CVE-2017-8421.patch?rev=1.1&content-type=text/plain

Index: 00_all_0012-CVE-2017-8421.patch
===================================================================
>From a25bb8053a025a07741c4798720dc186800792da Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:27:20 -0500
Subject: [PATCH 06/10] CVE-2017-8421

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb
[2] https://bugs.gentoo.org/show_bug.cgi?id=618520
---
 binutils/objdump.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/binutils/objdump.c b/binutils/objdump.c
index f61968b..0ec31f2 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3311,6 +3311,14 @@ dump_relocs_in_section (bfd *abfd,
       return;
     }
 
+  if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+      && relsize > get_file_size (bfd_get_filename (abfd)))
+    {
+      printf (" (too many: 0x%x)\n", section->reloc_count);
+      bfd_set_error (bfd_error_file_truncated);
+      bfd_fatal (bfd_get_filename (abfd));
+    }
+
   relpp = (arelent **) xmalloc (relsize);
   relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
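Review bot: `bfd_fatal` exits the process, so one section with an oversized reloc count now aborts the entire dump, whereas the preceding error path in this function uses `return;` to skip only that section. For a diagnostic tool it is friendlier to print the `(too many: 0x%x)` message and `return`, so the remaining sections are still dumped. Also `%x` assumes `section->reloc_count` is an unsigned int; if it is a wider type the format should match.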
 
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0013-CVE-2017-9038.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0013-CVE-2017-9038.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0013-CVE-2017-9038.patch?rev=1.1&content-type=text/plain

Index: 00_all_0013-CVE-2017-9038.patch
===================================================================
>From 02debfb464c87f7981db56e2d3e0372c8060c112 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:29:36 -0500
Subject: [PATCH 07/10] CVE-2017-9038

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
 binutils/readelf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 8dca490..76b0446 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7965,9 +7965,9 @@ get_unwind_section_word (struct arm_unw_aux_info *  aux,
     return FALSE;
 
   /* If the offset is invalid then fail.  */
-  if (word_offset > (sec->sh_size - 4)
-      /* PR 18879 */
-      || (sec->sh_size < 5 && word_offset >= sec->sh_size)
+  if (/* PR 21343 *//* PR 18879 */
+      sec->sh_size < 4
+      || word_offset > (sec->sh_size - 4)
       || ((bfd_signed_vma) word_offset) < 0)
     return FALSE;
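Review bot: the reordered condition is correct: `sec->sh_size < 4` now precedes `word_offset > (sec->sh_size - 4)`, so the unsigned subtraction can no longer wrap when the section is smaller than one word (the old `sh_size < 5 && word_offset >= sh_size` clause did not prevent that for every small size). Style: two PR markers written as `/* PR 21343 *//* PR 18879 */` inside the `if (` are hard to read; put them on a comment line above the `if`.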
 
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0014-CVE-2017-9039.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0014-CVE-2017-9039.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0014-CVE-2017-9039.patch?rev=1.1&content-type=text/plain

Index: 00_all_0014-CVE-2017-9039.patch
===================================================================
>From cbd6b5d21e987c7799db6bc237ace666762e8ab9 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:33:56 -0500
Subject: [PATCH 08/10] CVE-2017-9039

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
 binutils/readelf.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 76b0446..659b777 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -4758,9 +4758,19 @@ get_program_headers (FILE * file)
   if (program_headers != NULL)
     return 1;
 
-  phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
-                                         sizeof (Elf_Internal_Phdr));
+  /* Be kind to memory checkers by looking for
+     e_phnum values which we know must be invalid.  */
+  if (elf_header.e_phnum
+      * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof 
(Elf64_External_Phdr))
+      >= current_file_size)
+    {
+      error (_("Too many program headers - %#x - the file is not that big\n"),
+            elf_header.e_phnum);
+      return FALSE;
+    }
 
+  phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
+                                        sizeof (Elf_Internal_Phdr));
   if (phdrs == NULL)
     {
       error (_("Out of memory reading %u program headers\n"),
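Review bot: sizing the check on the on-disk header size (Elf32_External_Phdr / Elf64_External_Phdr) rather than on Elf_Internal_Phdr is right. Two points: the product `e_phnum * sizeof (...)` is computed in size_t, so on a 32-bit host a large count can wrap below `current_file_size`; comparing `e_phnum > current_file_size / sizeof (...)` avoids that. And `get_program_headers` returns `1` from the early-out at the top (`return 1;`) but `FALSE` from the new error path; pick one convention for the function.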
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0015-CVE-2017-9040-CVE-2017-9042.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0015-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0015-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&content-type=text/plain

Index: 00_all_0015-CVE-2017-9040-CVE-2017-9042.patch
===================================================================
>From 5eeab6e574d9712efe1f2ddaf48b6dddba69dc52 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:37:58 -0500
Subject: [PATCH 09/10] CVE-2017-9040, CVE-2017-9042

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
 binutils/readelf.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 659b777..74e4c3a 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -9299,6 +9299,12 @@ process_dynamic_section (FILE * file)
             processing that.  This is overkill, I know, but it
             should work.  */
          section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
+         if ((bfd_size_type) section.sh_offset > current_file_size)
+           {
+             /* See PR 21379 for a reproducer.  */
+             error (_("Invalid DT_SYMTAB entry: %lx"), (long) 
section.sh_offset);
+             return FALSE;
+           }
 
          if (archive_file_offset != 0)
            section.sh_size = archive_file_size - section.sh_offset;
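Review bot: the error string `"Invalid DT_SYMTAB entry: %lx"` lacks the trailing `\n` that the other `error (...)` messages in this file carry (compare `"Overlarge number of conflicts detected: %lx\n"` in the next hunk). Also the test uses `>`, so `sh_offset == current_file_size` passes and reaches the `archive_file_size - section.sh_offset` arithmetic below with an empty table; if an empty DT_SYMTAB is never meaningful, `>=` rejects it one step earlier.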
@@ -15081,6 +15087,15 @@ process_mips_specific (FILE * file)
          return 0;
        }
 
+      /* PR 21345 - print a slightly more helpful error message
+        if we are sure that the cmalloc will fail.  */
+      if (conflictsno * sizeof (* iconf) > current_file_size)
+       {
+         error (_("Overlarge number of conflicts detected: %lx\n"),
+                (long) conflictsno);
+         return FALSE;
+       }
+
       iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
       if (iconf == NULL)
        {
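Review bot: `conflictsno * sizeof (* iconf)` multiplies before comparing; if `conflictsno` is a 64-bit value read from the file, a large enough count wraps the product below `current_file_size` and the check passes on exactly the input it is meant to catch. Compare without multiplying: `if (conflictsno > current_file_size / sizeof (* iconf))`.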
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0016-CVE-2017-9041.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0016-CVE-2017-9041.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0016-CVE-2017-9041.patch?rev=1.1&content-type=text/plain

Index: 00_all_0016-CVE-2017-9041.patch
===================================================================
>From 936856858aebc77e8d480f25c69e486057b05dfe Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 16:41:59 -0500
Subject: [PATCH 10/10] CVE-2017-9041

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
    
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
 binutils/readelf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 74e4c3a..5507663 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -15211,7 +15211,14 @@ process_mips_specific (FILE * file)
       printf (_(" Lazy resolver\n"));
       if (ent == (bfd_vma) -1)
        goto got_print_fail;
+
+      /* Check for the MSB of GOT[1] being set, denoting a GNU object.
+        This entry will be used by some runtime loaders, to store the
+        module pointer.  Otherwise this is an ordinary local entry.
+        PR 21344: Check for the entry being fully available before
+        fetching it.  */
       if (data
+         && data + ent - pltgot + addr_size <= data_end
          && (byte_get (data + ent - pltgot, addr_size)
              >> (addr_size * 8 - 1)) != 0)
        {
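Review bot: `data + ent - pltgot + addr_size <= data_end` is evaluated as pointer arithmetic, so when `ent < pltgot` the intermediate pointer is formed below `data` (undefined behaviour, and the comparison can still come out true after wraparound). Do the check on integers before forming the pointer handed to `byte_get`: `ent >= pltgot && ent - pltgot + addr_size <= (bfd_vma) (data_end - data)`.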
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0017-CVE-2017-7614.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0017-CVE-2017-7614.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0017-CVE-2017-7614.patch?rev=1.1&content-type=text/plain

Index: 00_all_0017-CVE-2017-7614.patch
===================================================================
>From 398dc44e4596294a24f74771db0ea6006034b501 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Tue, 6 Jun 2017 17:12:24 -0500
Subject: [PATCH] CVE-2017-7614

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8
[2] https://bugs.gentoo.org/show_bug.cgi?id=618006
---
 bfd/elflink.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/bfd/elflink.c b/bfd/elflink.c
index 69b66f2..96f74be 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -119,15 +119,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd,
         defined in shared libraries can't be overridden, because we
         lose the link to the bfd which is via the symbol section.  */
       h->root.type = bfd_link_hash_new;
+      bh = &h->root;
     }
+  else
+    bh = NULL;
 
-  bh = &h->root;
   bed = get_elf_backend_data (abfd);
   if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL,
                                         sec, 0, NULL, FALSE, bed->collect,
                                         &bh))
     return NULL;
   h = (struct elf_link_hash_entry *) bh;
+  BFD_ASSERT (h != NULL);
   h->def_regular = 1;
   h->non_elf = 0;
   h->root.linker_def = 1;
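Review bot: setting `bh = NULL` when `h` is NULL makes `_bfd_generic_link_add_one_symbol` allocate the entry instead of being handed a pointer to a missing one, which is the fix. But `BFD_ASSERT (h != NULL)` is only a diagnostic (BFD's assert handler reports and returns), so if `bh` still comes back NULL the very next line `h->def_regular = 1;` dereferences it; make it `if (h == NULL) return NULL;`, matching the `return NULL` on the add_one_symbol failure path just above.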
@@ -11973,24 +11976,28 @@ bfd_elf_final_link (bfd *abfd, struct bfd_link_info 
*info)
     {
       /* Finish up and write out the symbol string table (.strtab)
         section.  */
-      Elf_Internal_Shdr *symstrtab_hdr;
+      Elf_Internal_Shdr *symstrtab_hdr = NULL;
       file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size;
 
-      symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
-      if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
+      if (elf_symtab_shndx_list (abfd))
        {
-         symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
-         symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
-         symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
-         amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
-         symtab_shndx_hdr->sh_size = amt;
+         symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
 
-         off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
-                                                          off, TRUE);
+         if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
+           {
+             symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
+             symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
+             symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
+             amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
+             symtab_shndx_hdr->sh_size = amt;
 
-         if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
-             || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
-           return FALSE;
+             off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
+                                                              off, TRUE);
+
+             if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
+                 || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
+               return FALSE;
+           }
        }
 
       symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;
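Review bot: the crash was `& elf_symtab_shndx_list (abfd)->hdr` being computed from a NULL list, and the outer `if (elf_symtab_shndx_list (abfd))` is the right fix. Inside that block the retained `symtab_shndx_hdr != NULL` test is now always true (it is the address of a member of a non-NULL struct) and can go; and the `= NULL` initializer added to `symstrtab_hdr` is unrelated to this block, since the variable is assigned unconditionally at `symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;` right after it.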
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0018-CVE-2017-6965.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0018-CVE-2017-6965.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0018-CVE-2017-6965.patch?rev=1.1&content-type=text/plain

Index: 00_all_0018-CVE-2017-6965.patch
===================================================================
>From 00e45d8e07536e7eee850f00a6101011e7088171 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Wed, 7 Jun 2017 09:29:37 -0500
Subject: [PATCH 1/3] CVE-2017-6965

[PATCH] Fix readelf writing to illegal addresses whilst processing corrupt 
input files containing symbol-difference relocations.

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
---
 binutils/readelf.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 5507663..7a908a1 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -11600,6 +11600,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
 static bfd_boolean
 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
                                unsigned char *     start,
+                               unsigned char *     end,
                                Elf_Internal_Sym *  symtab)
 {
   unsigned int reloc_type = get_reloc_type (reloc->r_info);
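Review bot: adding `end` to `target_specific_reloc_handling` changes its signature, so every caller must pass the section end in the same patch; the call sites are not among the hunks shown here, so confirm the rest of the patch covers them. The new bounds checks are only as good as the `end` they receive, which should be the end of the section buffer being patched, not the end of the file.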
@@ -11640,13 +11641,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
          handle_sym_diff:
            if (saved_sym != NULL)
              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
                bfd_vma value;
 
                value = reloc->r_addend
                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
                     - saved_sym->st_value);
 
-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 
2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 /* PR 21137 */
+                 error (_("MSP430 sym diff reloc writes past end of section 
(%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
 
                saved_sym = NULL;
                return TRUE;
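Review bot: the bounds test `start + reloc->r_offset + reloc_size >= end` is off by one: a write of `reloc_size` bytes at `reloc->r_offset` is in bounds exactly when `start + reloc->r_offset + reloc_size <= end`, so `>=` rejects a valid reloc whose field ends on the last byte of the section. Use `>` here, and because `r_offset` comes straight from the file, compare as offsets (`reloc->r_offset >= (bfd_vma) (end - start) || reloc_size > (bfd_vma) (end - start) - reloc->r_offset`) rather than forming `start + reloc->r_offset` first, which can wrap for a huge `r_offset` and pass the check. The lookup `symtab[get_reloc_symindex (reloc->r_info)]` on the context line above is still not checked against the symbol count.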
@@ -11677,13 +11684,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
          case 2: /* R_MN10300_16 */
            if (saved_sym != NULL)
              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
                bfd_vma value;
 
                value = reloc->r_addend
                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
                     - saved_sym->st_value);
 
-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 
2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 error (_("MN10300 sym diff reloc writes past end of section 
(%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
 
                saved_sym = NULL;
                return TRUE;
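Review bot: this MN10300 arm is a verbatim copy of the MSP430 block (same size computation, same check, same `>=` off-by-one that rejects a write ending exactly at `end`); pull the guarded write into a small helper such as `checked_byte_put (start, end, offset, value, size, "MN10300")` so the two arms cannot drift apart, and carry the `/* PR 21137 */` reference here as well for traceability.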
@@ -11718,12 +11730,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
            break;
 
          case 0x41: /* R_RL78_ABS32.  */
-           byte_put (start + reloc->r_offset, value, 4);
+           if (start + reloc->r_offset + 4 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs 
%p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 4);
            value = 0;
            return TRUE;
 
          case 0x43: /* R_RL78_ABS16.  */
-           byte_put (start + reloc->r_offset, value, 2);
+           if (start + reloc->r_offset + 2 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs 
%p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 2);
            value = 0;
            return TRUE;
 
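Review bot: in the R_RL78_ABS32 case the check uses `+ 4` but the diagnostic prints `start + reloc->r_offset + 2`, so the reported end address is wrong for 32-bit writes; change the `error` argument to `start + reloc->r_offset + 4` (it was copied from the ABS16 case below). Both RL78 cases also share the `>=` off-by-one of the other arms, rejecting a write that ends exactly at `end`.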
@@ -12340,7 +12360,7 @@ apply_relocations (void *                     file,
 
          reloc_type = get_reloc_type (rp->r_info);
 
-         if (target_specific_reloc_handling (rp, start, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab))
            continue;
          else if (is_none_reloc (reloc_type))
            continue;
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0019-CVE-2017-6966.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0019-CVE-2017-6966.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0019-CVE-2017-6966.patch?rev=1.1&content-type=text/plain

Index: 00_all_0019-CVE-2017-6966.patch
===================================================================
>From f25ff3ce9735df03fcbe7ecc1897cf8e0de4b6ae Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Wed, 7 Jun 2017 09:31:53 -0500
Subject: [PATCH 2/3] CVE-2017-6966

[PATCH] Fix read-after-free error in readelf when processing multiple, 
relocated sections in an MSP430 binary.

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
---
 binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 84 insertions(+), 25 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 7a908a1..fd23b6b 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -11595,15 +11595,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
 
 /* Check to see if the given reloc needs to be handled in a target specific
    manner.  If so then process the reloc and return TRUE otherwise return
-   FALSE.  */
+   FALSE.
+
+   If called with reloc == NULL, then this is a signal that reloc processing
+   for the current section has finished, and any saved state should be
+   discarded.  */
 
 static bfd_boolean
 target_specific_reloc_handling (Elf_Internal_Rela * reloc,
                                unsigned char *     start,
                                unsigned char *     end,
-                               Elf_Internal_Sym *  symtab)
+                               Elf_Internal_Sym *  symtab,
+                               unsigned long       num_syms)
 {
-  unsigned int reloc_type = get_reloc_type (reloc->r_info);
+  unsigned int reloc_type = 0;
+  unsigned long sym_index = 0;
+
+  if (reloc)
+    {
+      reloc_type = get_reloc_type (reloc->r_info);
+      sym_index = get_reloc_symindex (reloc->r_info);
+    }
 
   switch (elf_header.e_machine)
     {
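Review bot: the `reloc == NULL` sentinel is only safe if every `e_machine` arm checks for it before touching `reloc`, because `switch (elf_header.e_machine)` is still entered with `start`, `end` and `symtab` all NULL; an arm added later that follows the old pattern will dereference NULL. Since each arm's `saved_sym` state is function-static inside its own block, a single early reset is not possible as written; hoisting the saved-state variables to file scope would allow one `if (reloc == NULL)` at the top to clear them all. Also document `num_syms` in the function comment as the number of entries in `symtab`.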
@@ -11612,6 +11624,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
       {
        static Elf_Internal_Sym * saved_sym = NULL;
 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
        switch (reloc_type)
          {
          case 10: /* R_MSP430_SYM_DIFF */
@@ -11619,7 +11637,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
              break;
            /* Fall through.  */
          case 21: /* R_MSP430X_SYM_DIFF */
-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           /* PR 21139.  */
+           if (sym_index >= num_syms)
+             error (_("MSP430 SYM_DIFF reloc contains invalid symbol index 
%lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
            return TRUE;
 
          case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
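Review bot: on the invalid-index error path `saved_sym` keeps its previous value, so a corrupt SYM_DIFF reloc that follows an unconsumed valid one is silently paired with the stale symbol by the next R_MSP430_32/16 reloc; set `saved_sym = NULL` in the `error` branch so a rejected SYM_DIFF cannot seed the following computation. The MN10300 arm below has the same shape.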
@@ -11644,16 +11667,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
                int reloc_size = reloc_type == 1 ? 4 : 2;
                bfd_vma value;
 
-               value = reloc->r_addend
-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
-                    - saved_sym->st_value);
-
-               if (start + reloc->r_offset + reloc_size >= end)
-                 /* PR 21137 */
-                 error (_("MSP430 sym diff reloc writes past end of section 
(%p vs %p)\n"),
-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MSP430 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
                else
-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     /* PR 21137 */
+                     error (_("MSP430 sym diff reloc writes past end of 
section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
 
                saved_sym = NULL;
                return TRUE;
@@ -11673,13 +11701,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
       {
        static Elf_Internal_Sym * saved_sym = NULL;
 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
        switch (reloc_type)
          {
          case 34: /* R_MN10300_ALIGN */
            return TRUE;
          case 33: /* R_MN10300_SYM_DIFF */
-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           if (sym_index >= num_syms)
+             error (_("MN10300_SYM_DIFF reloc contains invalid symbol index 
%lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
            return TRUE;
+
          case 1: /* R_MN10300_32 */
          case 2: /* R_MN10300_16 */
            if (saved_sym != NULL)
@@ -11687,15 +11726,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
                int reloc_size = reloc_type == 1 ? 4 : 2;
                bfd_vma value;
 
-               value = reloc->r_addend
-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
-                    - saved_sym->st_value);
-
-               if (start + reloc->r_offset + reloc_size >= end)
-                 error (_("MN10300 sym diff reloc writes past end of section 
(%p vs %p)\n"),
-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MN10300 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
                else
-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     error (_("MN10300 sym diff reloc writes past end of 
section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
 
                saved_sym = NULL;
                return TRUE;
@@ -11715,12 +11759,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * 
reloc,
        static bfd_vma saved_sym2 = 0;
        static bfd_vma value;
 
+       if (reloc == NULL)
+         {
+           saved_sym1 = saved_sym2 = 0;
+           return TRUE;
+         }
+
        switch (reloc_type)
          {
          case 0x80: /* R_RL78_SYM.  */
            saved_sym1 = saved_sym2;
-           saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
-           saved_sym2 += reloc->r_addend;
+           if (sym_index >= num_syms)
+             error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             {
+               saved_sym2 = symtab[sym_index].st_value;
+               saved_sym2 += reloc->r_addend;
+             }
            return TRUE;
 
          case 0x83: /* R_RL78_OPsub.  */
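Review bot: `saved_sym1 = saved_sym2;` still runs before the index check, so on a rejected R_RL78_SYM the pair ends up holding two copies of the previous value rather than being left untouched or cleared; move the shift into the `else` branch, or reset both `saved_sym1` and `saved_sym2` to 0 in the error path, so a bad symbol index cannot feed the subsequent R_RL78_OPsub arithmetic.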
@@ -12360,7 +12416,7 @@ apply_relocations (void *                     file,
 
          reloc_type = get_reloc_type (rp->r_info);
 
-         if (target_specific_reloc_handling (rp, start, end, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
            continue;
          else if (is_none_reloc (reloc_type))
            continue;
@@ -12456,6 +12512,9 @@ apply_relocations (void *                     file,
        }
 
       free (symtab);
+      /* Let the target specific reloc processing code know that
+        we have finished with these relocs.  */
+      target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
 
       if (relocs_return)
        {
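Review bot: the `target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0)` reset sits only on this path after `free (symtab)`; any return out of the per-section processing that bypasses this line leaves the static `saved_sym` pointers referencing the freed `symtab`, which is the same read-after-free class this patch fixes. Issue the reset at the start of each section's reloc loop (or in a cleanup path taken on every exit) so correctness does not depend on reaching this statement, and place it before `free (symtab)` so there is no window in which a stale pointer exists.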
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0020-CVE-2017-6969.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0020-CVE-2017-6969.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0020-CVE-2017-6969.patch?rev=1.1&content-type=text/plain

Index: 00_all_0020-CVE-2017-6969.patch
===================================================================
>From bb8c412a9450141286bf4eef04b14fe47bbc364f Mon Sep 17 00:00:00 2001
From: Matthias Maier <tam...@43-1.org>
Date: Wed, 7 Jun 2017 09:35:35 -0500
Subject: [PATCH 3/3] CVE-2017-6969

[PATCH] Fix illegal memory accesses in readelf when parsing a corrupt binary.
[PATCH] Fix another memory access error in readelf when parsing a corrupt 
binary.

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456
    
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130
---
 binutils/dwarf.c   | 34 ++++++++++++++++++++--------------
 binutils/readelf.c | 10 ++++++++--
 2 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 05efa6e..3312bc5 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -76,7 +76,6 @@ int dwarf_check = 0;
    as a zero-terminated list of section indexes comprising one set of debug
    sections from a .dwo file.  */
 
-static int cu_tu_indexes_read = 0;
 static unsigned int *shndx_pool = NULL;
 static unsigned int shndx_pool_size = 0;
 static unsigned int shndx_pool_used = 0;
@@ -99,7 +98,7 @@ static int tu_count = 0;
 static struct cu_tu_set *cu_sets = NULL;
 static struct cu_tu_set *tu_sets = NULL;
 
-static void load_cu_tu_indexes (void *file);
+static bfd_boolean load_cu_tu_indexes (void *);
 
 /* Values for do_debug_lines.  */
 #define FLAG_DEBUG_LINES_RAW    1
@@ -2739,7 +2738,7 @@ load_debug_info (void * file)
     return num_debug_info_entries;
 
   /* If this is a DWARF package file, load the CU and TU indexes.  */
-  load_cu_tu_indexes (file);
+  (void) load_cu_tu_indexes (file);
 
   if (load_debug_section (info, file)
       && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 
0))
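Review bot: the `(void)` cast discards the new failure signal from `load_cu_tu_indexes`, so `load_debug_info` proceeds with whatever partial index state was built; if that is acceptable because `find_cu_tu_set` now returns NULL on failure, say so in a comment at the call, otherwise propagate the failure.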
@@ -7402,21 +7401,27 @@ process_cu_tu_index (struct dwarf_section *section, int 
do_display)
    section sets that we can use to associate a .debug_info.dwo section
    with its associated .debug_abbrev.dwo section in a .dwp file.  */
 
-static void
+static bfd_boolean
 load_cu_tu_indexes (void *file)
 {
+  static int cu_tu_indexes_read = -1; /* Tri-state variable.  */
+
   /* If we have already loaded (or tried to load) the CU and TU indexes
      then do not bother to repeat the task.  */
-  if (cu_tu_indexes_read)
-    return;
-
-  if (load_debug_section (dwp_cu_index, file))
-    process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
-
-  if (load_debug_section (dwp_tu_index, file))
-    process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
+  if (cu_tu_indexes_read == -1)
+    {
+      cu_tu_indexes_read = TRUE;
+  
+      if (load_debug_section (dwp_cu_index, file))
+       if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
+         cu_tu_indexes_read = FALSE;
+
+      if (load_debug_section (dwp_tu_index, file))
+       if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
+         cu_tu_indexes_read = FALSE;
+    }
 
-  cu_tu_indexes_read = 1;
+  return (bfd_boolean) cu_tu_indexes_read;
 }
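Review bot: `cu_tu_indexes_read` is an `int` holding the three values -1, TRUE and FALSE, and the final `(bfd_boolean) cu_tu_indexes_read` relies on -1 never escaping; an enum (`NOT_LOADED`, `LOADED`, `FAILED`) with an explicit `return cu_tu_indexes_read == LOADED` would make the state machine readable. Note also that a failed CU index parse does not stop the TU index parse, so a corrupt CU index still triggers the second `process_cu_tu_index` call, and the added blank line inside the block carries trailing whitespace.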
 
 /* Find the set of sections that includes section SHNDX.  */
@@ -7426,7 +7431,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
 {
   unsigned int i;
 
-  load_cu_tu_indexes (file);
+  if (! load_cu_tu_indexes (file))
+    return NULL;
 
   /* Find SHNDX in the shndx pool.  */
   for (i = 0; i < shndx_pool_used; i++)
diff --git a/binutils/readelf.c b/binutils/readelf.c
index fd23b6b..3950412 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set)
   if (set != NULL)
     {
       while ((i = *set++) > 0)
-       if (streq (SECTION_NAME (section_headers + i), name))
-         return section_headers + i;
+       {
+         /* See PR 21156 for a reproducer.  */
+         if (i >= elf_header.e_shnum)
+           continue; /* FIXME: Should we issue an error message ?  */
+
+         if (streq (SECTION_NAME (section_headers + i), name))
+           return section_headers + i;
+       }
     }
 
   return find_section (name);
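Review bot: resolve the FIXME rather than ship it: an index in the set that is `>= elf_header.e_shnum` means the .dwp index referenced a section that does not exist, which is a malformed-input condition worth a single `warn (_("..."))`, not a silent skip that lets the lookup fall through to `find_section (name)` and possibly match an unrelated section of the same name. The `> 0` loop condition already terminates the set on index 0, so the new check belongs exactly where it is, before `SECTION_NAME` is evaluated.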
-- 
2.13.0




1.1                  
src/patchsets/binutils/2.28.1/00_all_0021-fix-out-of-bounds-access-in-elf.c.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0021-fix-out-of-bounds-access-in-elf.c.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0021-fix-out-of-bounds-access-in-elf.c.patch?rev=1.1&content-type=text/plain

Index: 00_all_0021-fix-out-of-bounds-access-in-elf.c.patch
===================================================================
>From 5cc4ca837deac7dc962d8a3741aa120c50ab41da Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <sly...@gentoo.org>
Date: Sat, 24 Jun 2017 18:40:41 +0100
Subject: [PATCH] fix out-of-bounds access in elf.c:find_link

The out-of-bounds access is reproducible on the 'ia64-strip' command
(see the sample from https://bugs.gentoo.org/show_bug.cgi?id=622500)

The output file contains fewer sections than the original one.
This tricks the 'hint' access into going out-of-bounds:

        * elf.c (find_link): Bounds check "hint".
---
 bfd/elf.c     | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bfd/elf.c b/bfd/elf.c
index 5f37e7f..76c6a5c 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1283,7 +1283,8 @@ section_match (const Elf_Internal_Shdr * a,
    to be the correct section.  */
 
 static unsigned int
-find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned 
int hint)
+find_link (const bfd *obfd, const Elf_Internal_Shdr *iheader,
+          const unsigned int hint)
 {
   Elf_Internal_Shdr ** oheaders = elf_elfsections (obfd);
   unsigned int i;
@@ -1291,7 +1292,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * 
iheader, const unsigned i
   BFD_ASSERT (iheader != NULL);
 
   /* See PR 20922 for a reproducer of the NULL test.  */
-  if (oheaders[hint] != NULL
+  if (hint < elf_numsections (obfd)
+      && oheaders[hint] != NULL
       && section_match (oheaders[hint], iheader))
     return hint;
 
-- 
2.9.3




1.1                  
src/patchsets/binutils/2.28.1/00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch?rev=1.1&content-type=text/plain

Index: 00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch
===================================================================
>From 4b48e2f6a50e85e5acc316289c4a6af693ad98f0 Mon Sep 17 00:00:00 2001
From: Nick Clifton <ni...@redhat.com>
Date: Fri, 16 Jun 2017 15:16:19 +0100
Subject: [PATCH 1/1] Fixing linking configure generated tests of ifunc
 support.

        * elflink.c (bfd_elf_size_dynsym_hash_dynstr): Do not fail if the
        bucketlist is empty because there are no symbols to add to the
        list.

http://bugs.gentoo.org/622036

---
 bfd/ChangeLog | 6 ++++++
 bfd/elflink.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bfd/elflink.c b/bfd/elflink.c
index 1a83b88..e35ec63 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -6940,7 +6940,7 @@ bfd_elf_size_dynsym_hash_dynstr (bfd *output_bfd, struct 
bfd_link_info *info)
            = compute_bucket_count (info, hashcodes, nsyms, 0);
          free (hashcodes);
 
-         if (bucketcount == 0)
+         if (bucketcount == 0 && nsyms > 0)
            return FALSE;
 
          elf_hash_table (info)->bucketcount = bucketcount;
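Review bot: with `nsyms == 0` the function now continues past this point and stores `bucketcount == 0` into `elf_hash_table (info)->bucketcount`; anything downstream that sizes the hash section from it or computes `hash % bucketcount` would divide by zero, so either confirm that the empty-symbol case never reaches those paths or clamp to a minimum of one bucket. A short comment on why an empty bucket list is acceptable when there are no symbols would also help the next reader.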
-- 
2.9.3




1.1                  
src/patchsets/binutils/2.28.1/00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch?rev=1.1&content-type=text/plain

Index: 
00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch
===================================================================
Subject: [PATCH] readelf: Don't error on .debug files with NOBITS .dynamic 
section.
From: Mark Wielaard <m...@klomp.org>

The fix for PR binutils/17512 added a check for the dynamic segment being
inside the actual ELF file. If not, an error message would be produced:

readelf: Error: the dynamic segment offset + size exceeds the size of the file

Unfortunately, for separate debuginfo files it is common for the dynamic
segment not to be inside the file because the .dynamic section is NOBITS.

Since the check is done unconditionally in process_program_headers, and
process_program_headers is always called (to set up dynamic_addr in case
it is needed), the error is produced on any operation done on any .debug
file (even if no program headers or the dynamic segment are used).

If there are section headers, then a cross check is done to see if the
.dynamic section is NOBITS, in which case dynamic_addr is set to zero
without a warning or error (which is then checked first before any
operation on the dynamic segment is done).

Move the check for the dynamic segment being inside the actual ELF file
after the cross check with the section headers to suppress the error for
.debug files.

binutils/ChangeLog:

        * readelf.c (process_program_headers): Move dynamic_addr check
        after .dynamic section cross check.
---
 binutils/ChangeLog |  5 +++++
 binutils/readelf.c | 16 ++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index ad65f07..8b1d924 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -4997,12 +4997,6 @@ process_program_headers (FILE * file)
             section in the DYNAMIC segment.  */
          dynamic_addr = segment->p_offset;
          dynamic_size = segment->p_filesz;
-         /* PR binutils/17512: Avoid corrupt dynamic section info in the 
segment.  */
-         if (dynamic_addr + dynamic_size >= current_file_size)
-           {
-             error (_("the dynamic segment offset + size exceeds the size of 
the file\n"));
-             dynamic_addr = dynamic_size = 0;
-           }
 
          /* Try to locate the .dynamic section. If there is
             a section header table, we can easily locate it.  */
@@ -5037,6 +5031,16 @@ process_program_headers (FILE * file)
                warn (_("the .dynamic section is not the first section"
                        " in the dynamic segment.\n"));
            }
+
+         /* PR binutils/17512: Avoid corrupt dynamic section info in the
+            segment.  Check this after matching against the section headers
+            so we don't warn on debuginfo file (which have NOBITS .dynamic
+            sections).  */
+         if (dynamic_addr + dynamic_size >= current_file_size)
+           {
+             error (_("the dynamic segment offset + size exceeds the size of 
the file\n"));
+             dynamic_addr = dynamic_size = 0;
+           }
          break;
 
        case PT_INTERP:
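Review bot: moving the check is fine, but `dynamic_addr + dynamic_size >= current_file_size` is still off by one (a segment ending exactly at end of file is rejected; `>` is the correct test) and the sum can wrap for file-controlled `p_offset`/`p_filesz`; rewrite it as `dynamic_addr > current_file_size || dynamic_size > current_file_size - dynamic_addr`. Minor: the comment should read `debuginfo files (which have NOBITS .dynamic sections)`.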
-- 
1.8.3.1



1.1                  
src/patchsets/binutils/2.28.1/00_all_0024-CVE-2017-9742.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0024-CVE-2017-9742.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0024-CVE-2017-9742.patch?rev=1.1&content-type=text/plain

Index: 00_all_0024-CVE-2017-9742.patch
===================================================================
>From e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e Mon Sep 17 00:00:00 2001
From: Nick Clifton <ni...@redhat.com>
Date: Wed, 14 Jun 2017 17:10:28 +0100
Subject: [PATCH] Fix seg-fault when trying to disassemble a corrupt score
 binary.

        PR binutils/21576
        * score7-dis.c (score_opcodes): Add sentinel.
---
 opcodes/score7-dis.c | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/opcodes/score7-dis.c b/opcodes/score7-dis.c
index c50a60f..8d0d969 100644
--- a/opcodes/score7-dis.c
+++ b/opcodes/score7-dis.c
@@ -513,7 +513,8 @@ static struct score_opcode score_opcodes[] =
   {0x00000d05, 0x00007f0f, "tvc!"},
   {0x00000026, 0x3e0003ff, "xor\t\t%20-24r, %15-19r, %10-14r"},
   {0x00000027, 0x3e0003ff, "xor.c\t\t%20-24r, %15-19r, %10-14r"},
-  {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"}
+  {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"},
+  { 0, 0, NULL }
 };
 
 typedef struct
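Review bot: the sentinel fixes the overrun only if the loop that walks `score_opcodes` stops on it; the terminating entry `{ 0, 0, NULL }` has a mask of 0, and `(insn & 0) == 0` matches every instruction, so a matcher that tests `(insn & mask) == value` before looking at the string field will select the sentinel and then dereference the NULL string. Make sure the iteration uses the NULL string as its loop condition, and add a comment on the sentinel so nobody appends entries after it.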
-- 
2.9.3




1.1                  
src/patchsets/binutils/2.28.1/00_all_0025-CVE-2017-9954.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0025-CVE-2017-9954.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/00_all_0025-CVE-2017-9954.patch?rev=1.1&content-type=text/plain

Index: 00_all_0025-CVE-2017-9954.patch
===================================================================
>From 04e15b4a9462cb1ae819e878a6009829aab8020b Mon Sep 17 00:00:00 2001
From: Nick Clifton <ni...@redhat.com>
Date: Mon, 26 Jun 2017 15:46:34 +0100
Subject: [PATCH] Fix address violation parsing a corrupt tekhex format file.

        PR binutils/21670
        * tekhex.c (getvalue): Check for the source pointer exceeding the
        end pointer before the first byte is read.
---
 bfd/tekhex.c  | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/bfd/tekhex.c b/bfd/tekhex.c
index 214b54a..cfa75d5 100644
--- a/bfd/tekhex.c
+++ b/bfd/tekhex.c
@@ -273,6 +273,9 @@ getvalue (char **srcp, bfd_vma *valuep, char * endp)
   bfd_vma value = 0;
   unsigned int len;
 
+  if (src >= endp)
+    return FALSE;
+
   if (!ISHEX (*src))
     return FALSE;
 
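Review bot: the new `src >= endp` guard protects only the first `ISHEX (*src)` read; confirm that the digit-consuming loop below (outside this hunk) re-checks `src < endp` before every subsequent byte, otherwise the overread has merely been moved one byte later. Consider also calling `bfd_set_error (bfd_error_bad_value)` before returning so callers can distinguish a truncated record from a non-hex character.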
@@ -514,9 +517,10 @@ pass_over (bfd *abfd, bfd_boolean (*func) (bfd *, int, 
char *, char *))
   /* To the front of the file.  */
   if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0)
     return FALSE;
+
   while (! is_eof)
     {
-      char src[MAXCHUNK];
+      static char src[MAXCHUNK];
       char type;
 
       /* Find first '%'.  */
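Review bot: `static char src[MAXCHUNK]` is not covered by the ChangeLog entry (which mentions only `getvalue`) and changes semantics: `pass_over` becomes non-reentrant and the buffer is no longer reinitialised between calls, so bytes from a previous file can remain visible if a later read is short. If the intent is to keep a large buffer off the stack, allocate it with `bfd_malloc` and free it on every exit path, and describe the change in the commit message.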
-- 
2.9.3




1.1                  src/patchsets/binutils/2.28.1/README.history

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/README.history?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28.1/README.history?rev=1.1&content-type=text/plain

Index: README.history
===================================================================
1.0  01 Aug 2017
        + 00_all_0001-ld-always-warn-about-textrels-in-files.patch
        + 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch
        + 00_all_0003-ld-enable-new-dtags-by-default-for-linux-gnu-targets.patch
        + 00_all_0004-gold-ld-enable-gnu-hash-by-default.patch
        + 00_all_0005-libiberty-install-PIC-version-of-libiberty.a.patch
        + 00_all_0006-opcodes-link-against-libbfd.la-for-rpath-deps.patch
        + 00_all_0007-CVE-2017-8398.patch
        + 00_all_0008-CVE-2017-8393.patch
        + 00_all_0009-CVE-2017-8394.patch
        + 00_all_0010-CVE-2017-8395.patch
        + 00_all_0011-CVE-2017-8396-CVE-2017-8397.patch
        + 00_all_0012-CVE-2017-8421.patch
        + 00_all_0013-CVE-2017-9038.patch
        + 00_all_0014-CVE-2017-9039.patch
        + 00_all_0015-CVE-2017-9040-CVE-2017-9042.patch
        + 00_all_0016-CVE-2017-9041.patch
        + 00_all_0017-CVE-2017-7614.patch
        + 00_all_0018-CVE-2017-6965.patch
        + 00_all_0019-CVE-2017-6966.patch
        + 00_all_0020-CVE-2017-6969.patch
        + 00_all_0021-fix-out-of-bounds-access-in-elf.c
        + 00_all_0022-fixing-linking-configure-generated-tests-of-ifunc.patch
        + 00_all_0023-readelf-dont-error-on-.debug-files-with-NOBITS-.dynamic-sectio.patch
        + 00_all_0024-CVE-2017-9742.patch
        + 00_all_0025-CVE-2017-9954.patch



