[morty][PATCH 1/3] binutils: fix CVE-2017-6969 in readelf

* [morty][PATCH 1/3] binutils: fix CVE-2017-6969 in readelf
@ 2017-05-31  8:37 Yuanjie Huang
  2017-05-31  8:37 ` [morty][PATCH 2/3] binutils: fix CVE-2017-7209 " Yuanjie Huang
  2017-05-31  8:37 ` [morty][PATCH 3/3] binutils: fix CVE-2017-7210 Yuanjie Huang
  0 siblings, 2 replies; 3+ messages in thread
From: Yuanjie Huang @ 2017-05-31  8:37 UTC (permalink / raw)
  To: openembedded-core

CVE: CVE-2017-6969
[BZ 21156] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21156

PR binutils/21156: Fix illegal memory accesses in readelf when
ing a corrupt binary.
PR binutils/21156: Fix another memory access error in readelf when
parsing a corrupt binary.

Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
---
 meta/recipes-devtools/binutils/binutils-2.27.inc   |   2 +
 .../binutils/binutils/CVE-2017-6969.patch          |  56 ++++++++++
 .../binutils/binutils/CVE-2017-6969_2.patch        | 122 +++++++++++++++++++++
 3 files changed, 180 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index f98fef9e02..d32ce25dd5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
      file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
      file://CVE-2017-6965.patch \
      file://CVE-2017-6966.patch \
+     file://CVE-2017-6969.patch \
+     file://CVE-2017-6969_2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
new file mode 100644
index 0000000000..3d036c4cf6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
@@ -0,0 +1,56 @@
+From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:45 +0000
+Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
+
+	PR binutils/21156
+	* readelf.c (find_section_in_set): Test for invalid section
+	indicies.
+
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index a70bdb7a7b..dbf8eb079e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-17  Nick Clifton  <nickc@redhat.com>
++
++	PR binutils/21156
++	* readelf.c (find_section_in_set): Test for invalid section
++	indicies.
++
+ 2016-08-03  Tristan Gingold  <gingold@adacore.com>
+ 
+ 	* configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..7f7365dbc5 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
+   if (set != NULL)
+     {
+       while ((i = *set++) > 0)
+-	if (streq (SECTION_NAME (section_headers + i), name))
+-	  return section_headers + i;
++	{
++	  /* See PR 21156 for a reproducer.  */
++	  if (i >= elf_header.e_shnum)
++	    continue; /* FIXME: Should we issue an error message ?  */
++
++	  if (streq (SECTION_NAME (section_headers + i), name))
++	    return section_headers + i;
++	}
+     }
+ 
+   return find_section (name);
+-- 
+2.11.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
new file mode 100644
index 0000000000..491c7086ee
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
@@ -0,0 +1,122 @@
+From 59fcd64fe65a89fb0acaf5463840310701189375 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 20 Feb 2017 14:40:39 +0000
+Subject: Fix another memory access error in readelf when parsing a corrupt
+ binary.
+
+	PR binutils/21156
+	* dwarf.c (cu_tu_indexes_read): Move into...
+	(load_cu_tu_indexes): ... here.  Change the variable into
+	tri-state.  Change the function into boolean, returning
+	false if the indicies could not be loaded.
+	(find_cu_tu_set): Return NULL if the indicies could not be
+	loaded.
+
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 10 ++++++++++
+ binutils/dwarf.c   | 34 ++++++++++++++++++++--------------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index dbf8eb079e..55d2f8ba40 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,13 @@
++2017-02-20  Nick Clifton  <nickc@redhat.com>
++
++	PR binutils/21156
++	* dwarf.c (cu_tu_indexes_read): Move into...
++	(load_cu_tu_indexes): ... here.  Change the variable into
++	tri-state.  Change the function into boolean, returning
++	false if the indicies could not be loaded.
++	(find_cu_tu_set): Return NULL if the indicies could not be
++	loaded.
++
+ 2017-02-17  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR binutils/21156
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 282e069958..a23267feb6 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -76,7 +76,6 @@ int dwarf_check = 0;
+    as a zero-terminated list of section indexes comprising one set of debug
+    sections from a .dwo file.  */
+ 
+-static int cu_tu_indexes_read = 0;
+ static unsigned int *shndx_pool = NULL;
+ static unsigned int shndx_pool_size = 0;
+ static unsigned int shndx_pool_used = 0;
+@@ -99,7 +98,7 @@ static int tu_count = 0;
+ static struct cu_tu_set *cu_sets = NULL;
+ static struct cu_tu_set *tu_sets = NULL;
+ 
+-static void load_cu_tu_indexes (void *file);
++static bfd_boolean load_cu_tu_indexes (void *);
+ 
+ /* Values for do_debug_lines.  */
+ #define FLAG_DEBUG_LINES_RAW	 1
+@@ -2713,7 +2712,7 @@ load_debug_info (void * file)
+     return num_debug_info_entries;
+ 
+   /* If this is a DWARF package file, load the CU and TU indexes.  */
+-  load_cu_tu_indexes (file);
++  (void) load_cu_tu_indexes (file);
+ 
+   if (load_debug_section (info, file)
+       && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
+@@ -7302,21 +7301,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+    section sets that we can use to associate a .debug_info.dwo section
+    with its associated .debug_abbrev.dwo section in a .dwp file.  */
+ 
+-static void
++static bfd_boolean
+ load_cu_tu_indexes (void *file)
+ {
++  static int cu_tu_indexes_read = -1; /* Tri-state variable.  */
++
+   /* If we have already loaded (or tried to load) the CU and TU indexes
+      then do not bother to repeat the task.  */
+-  if (cu_tu_indexes_read)
+-    return;
+-
+-  if (load_debug_section (dwp_cu_index, file))
+-    process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
+-
+-  if (load_debug_section (dwp_tu_index, file))
+-    process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
++  if (cu_tu_indexes_read == -1)
++    {
++      cu_tu_indexes_read = TRUE;
++  
++      if (load_debug_section (dwp_cu_index, file))
++	if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
++	  cu_tu_indexes_read = FALSE;
++
++      if (load_debug_section (dwp_tu_index, file))
++	if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
++	  cu_tu_indexes_read = FALSE;
++    }
+ 
+-  cu_tu_indexes_read = 1;
++  return (bfd_boolean) cu_tu_indexes_read;
+ }
+ 
+ /* Find the set of sections that includes section SHNDX.  */
+@@ -7326,7 +7331,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
+ {
+   unsigned int i;
+ 
+-  load_cu_tu_indexes (file);
++  if (! load_cu_tu_indexes (file))
++    return NULL;
+ 
+   /* Find SHNDX in the shndx pool.  */
+   for (i = 0; i < shndx_pool_used; i++)
+-- 
+2.11.0
+
-- 
2.11.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread