summaryrefslogtreecommitdiffstats
path: root/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch')
-rw-r--r--poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch308
1 files changed, 308 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch
new file mode 100644
index 000000000..b240a3f99
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch
@@ -0,0 +1,308 @@
+From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 13 Oct 2018 22:03:02 +1030
+Subject: [PATCH] _bfd_clear_contents bounds checking
+
+This PR shows a fuzzed binary triggering a segfault via a bad
+relocation in .debug_line. It turns out that unlike normal
+relocations applied to a section, the linker applies those with
+symbols from discarded sections via _bfd_clear_contents without
+checking that the relocation is within the section bounds. The same
+thing now happens when reading debug sections since commit
+a4cd947aca23, the PR23425 fix.
+
+ PR 23770
+ PR 23425
+ * reloc.c (_bfd_clear_contents): Replace "location" param with
+ "buf" and "off". Bounds check "off". Return status.
+ * cofflink.c (_bfd_coff_generic_relocate_section): Update
+ _bfd_clear_contents call.
+ * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
+ * elf32-arc.c (elf_arc_relocate_section): Likewise.
+ * elf32-i386.c (elf_i386_relocate_section): Likewise.
+ * elf32-metag.c (metag_final_link_relocate): Likewise.
+ * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
+ * elf32-ppc.c (ppc_elf_relocate_section): Likewise.
+ * elf32-visium.c (visium_elf_relocate_section): Likewise.
+ * elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
+ * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
+ * libbfd-in.h (_bfd_clear_contents): Update prototype.
+ * libbfd.h: Regenerate.
+
+Upstream-Status: Backport
+CVE: CVE-2018-18605
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog | 20 ++++++++++++++++++++
+ bfd/cofflink.c | 2 +-
+ bfd/elf-bfd.h | 2 +-
+ bfd/elf32-arc.c | 2 +-
+ bfd/elf32-i386.c | 2 +-
+ bfd/elf32-metag.c | 2 +-
+ bfd/elf32-nds32.c | 8 ++++----
+ bfd/elf32-ppc.c | 2 +-
+ bfd/elf32-visium.c | 2 +-
+ bfd/elf64-ppc.c | 2 +-
+ bfd/elf64-x86-64.c | 2 +-
+ bfd/libbfd-in.h | 4 ++--
+ bfd/libbfd.h | 4 ++--
+ bfd/reloc.c | 19 +++++++++++++------
+ 14 files changed, 50 insertions(+), 23 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 68c1ff665b..e9696ee314 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,23 @@
++2018-10-13 Alan Modra <amodra@gmail.com>
++
++ PR 23770
++ PR 23425
++ * reloc.c (_bfd_clear_contents): Replace "location" param with
++ "buf" and "off". Bounds check "off". Return status.
++ * cofflink.c (_bfd_coff_generic_relocate_section): Update
++ _bfd_clear_contents call.
++ * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
++ * elf32-arc.c (elf_arc_relocate_section): Likewise.
++ * elf32-i386.c (elf_i386_relocate_section): Likewise.
++ * elf32-metag.c (metag_final_link_relocate): Likewise.
++ * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
++ * elf32-ppc.c (ppc_elf_relocate_section): Likewise.
++ * elf32-visium.c (visium_elf_relocate_section): Likewise.
++ * elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
++ * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
++ * libbfd-in.h (_bfd_clear_contents): Update prototype.
++ * libbfd.h: Regenerate.
++
+ 2018-09-20 Alan Modra <amodra@gmail.com>
+
+ PR 23685
+diff --git a/bfd/cofflink.c b/bfd/cofflink.c
+index 2f73f72e31..b7ea69b7f9 100644
+--- a/bfd/cofflink.c
++++ b/bfd/cofflink.c
+@@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd,
+ if (sec != NULL && discarded_section (sec))
+ {
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + (rel->r_vaddr - input_section->vma));
++ contents, rel->r_vaddr - input_section->vma);
+ continue;
+ }
+
+diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
+index cf256f70e0..3374f411f9 100644
+--- a/bfd/elf-bfd.h
++++ b/bfd/elf-bfd.h
+@@ -2811,7 +2811,7 @@ extern asection _bfd_elf_large_com_section;
+ { \
+ int i_; \
+ _bfd_clear_contents (howto, input_bfd, input_section, \
+- contents + rel[index].r_offset); \
++ contents, rel[index].r_offset); \
+ \
+ if (bfd_link_relocatable (info) \
+ && (input_section->flags & SEC_DEBUGGING)) \
+diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c
+index 7a1b3042ae..30f47a5b22 100644
+--- a/bfd/elf32-arc.c
++++ b/bfd/elf32-arc.c
+@@ -1549,7 +1549,7 @@ elf_arc_relocate_section (bfd * output_bfd,
+ if (sec != NULL && discarded_section (sec))
+ {
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+ rel->r_info = 0;
+ rel->r_addend = 0;
+
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index 49797dcbfa..177471777d 100644
+--- a/bfd/elf32-i386.c
++++ b/bfd/elf32-i386.c
+@@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd,
+ if (sec != NULL && discarded_section (sec))
+ {
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+ wrel->r_offset = rel->r_offset;
+ wrel->r_info = 0;
+ wrel->r_addend = 0;
+diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c
+index efe95bddff..7f96246e5d 100644
+--- a/bfd/elf32-metag.c
++++ b/bfd/elf32-metag.c
+@@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto,
+ rel, relend, howto, contents) \
+ { \
+ _bfd_clear_contents (howto, input_bfd, input_section, \
+- contents + rel->r_offset); \
++ contents, rel->r_offset); \
+ \
+ if (bfd_link_relocatable (info) \
+ && (input_section->flags & SEC_DEBUGGING)) \
+diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c
+index 0d86e5b865..184cf320f7 100644
+--- a/bfd/elf32-nds32.c
++++ b/bfd/elf32-nds32.c
+@@ -12582,14 +12582,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd,
+ symbol = *(*parent)->sym_ptr_ptr;
+ if (symbol->section && discarded_section (symbol->section))
+ {
+- bfd_byte *p;
++ bfd_vma off;
+ static reloc_howto_type none_howto
+ = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
+ "unused", FALSE, 0, 0, FALSE);
+
+- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
+- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
+- p);
++ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
++ _bfd_clear_contents ((*parent)->howto, input_bfd,
++ input_section, data, off);
+ (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+ (*parent)->addend = 0;
+ (*parent)->howto = &none_howto;
+diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
+index 61f70de12e..c31e26efd7 100644
+--- a/bfd/elf32-ppc.c
++++ b/bfd/elf32-ppc.c
+@@ -8232,7 +8232,7 @@ ppc_elf_relocate_section (bfd *output_bfd,
+ howto = ppc_elf_howto_table[r_type];
+
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+ wrel->r_offset = rel->r_offset;
+ wrel->r_info = 0;
+ wrel->r_addend = 0;
+diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c
+index e8f1c4c9e4..961366cd87 100644
+--- a/bfd/elf32-visium.c
++++ b/bfd/elf32-visium.c
+@@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd,
+ or sections discarded by a linker script, we just want the
+ section contents zeroed. Avoid any special processing. */
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+
+ rel->r_info = 0;
+ rel->r_addend = 0;
+diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
+index eadde17615..7c3534ac65 100644
+--- a/bfd/elf64-ppc.c
++++ b/bfd/elf64-ppc.c
+@@ -14073,7 +14073,7 @@ ppc64_elf_relocate_section (bfd *output_bfd,
+ {
+ _bfd_clear_contents (ppc64_elf_howto_table[r_type],
+ input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+ wrel->r_offset = rel->r_offset;
+ wrel->r_info = 0;
+ wrel->r_addend = 0;
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index c3a6c31ed2..4dcab43478 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
+ if (sec != NULL && discarded_section (sec))
+ {
+ _bfd_clear_contents (howto, input_bfd, input_section,
+- contents + rel->r_offset);
++ contents, rel->r_offset);
+ wrel->r_offset = rel->r_offset;
+ wrel->r_info = 0;
+ wrel->r_addend = 0;
+diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h
+index e53b255dad..f6d9565f03 100644
+--- a/bfd/libbfd-in.h
++++ b/bfd/libbfd-in.h
+@@ -696,8 +696,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
+ (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
+
+ /* Clear a given location using a given howto. */
+-extern void _bfd_clear_contents
+- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
++extern bfd_reloc_status_type _bfd_clear_contents
++ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
+
+ /* Link stabs in sections in the first pass. */
+
+diff --git a/bfd/libbfd.h b/bfd/libbfd.h
+index a8851c8026..1189e63358 100644
+--- a/bfd/libbfd.h
++++ b/bfd/libbfd.h
+@@ -701,8 +701,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
+ (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
+
+ /* Clear a given location using a given howto. */
+-extern void _bfd_clear_contents
+- (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
++extern bfd_reloc_status_type _bfd_clear_contents
++ (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
+
+ /* Link stabs in sections in the first pass. */
+
+diff --git a/bfd/reloc.c b/bfd/reloc.c
+index 8dbb8896d3..1686780669 100644
+--- a/bfd/reloc.c
++++ b/bfd/reloc.c
+@@ -1613,16 +1613,22 @@ _bfd_relocate_contents (reloc_howto_type *howto,
+ relocations against discarded symbols, to make ignorable debug or unwind
+ information more obvious. */
+
+-void
++bfd_reloc_status_type
+ _bfd_clear_contents (reloc_howto_type *howto,
+ bfd *input_bfd,
+ asection *input_section,
+- bfd_byte *location)
++ bfd_byte *buf,
++ bfd_vma off)
+ {
+ int size;
+ bfd_vma x = 0;
++ bfd_byte *location;
++
++ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
++ return bfd_reloc_outofrange;
+
+ /* Get the value we are going to relocate. */
++ location = buf + off;
+ size = bfd_get_reloc_size (howto);
+ switch (size)
+ {
+@@ -1687,6 +1693,7 @@ _bfd_clear_contents (reloc_howto_type *howto,
+ #endif
+ break;
+ }
++ return bfd_reloc_ok;
+ }
+
+ /*
+@@ -8275,14 +8282,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd,
+
+ if (symbol->section && discarded_section (symbol->section))
+ {
+- bfd_byte *p;
++ bfd_vma off;
+ static reloc_howto_type none_howto
+ = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
+ "unused", FALSE, 0, 0, FALSE);
+
+- p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
+- _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
+- p);
++ off = (*parent)->address * bfd_octets_per_byte (input_bfd);
++ _bfd_clear_contents ((*parent)->howto, input_bfd,
++ input_section, data, off);
+ (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+ (*parent)->addend = 0;
+ (*parent)->howto = &none_howto;
+--
+2.13.3
+
OpenPOWER on IntegriCloud