[gentoo-commits] gentoo commit in src/patchsets/binutils/2.27: 00_all_0007-CVE-2017-8421.patch 00_all_0008-CVE-2017-9038.patch 00_all_0009-CVE-2017-9039.patch 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch 00_all_0011-0011-CVE-2017-9041.patch README.history binutils-2.27-CVE-2017-8421.patch
@ 2017-06-06 20:57 Matthias Maier (tamiko)
From: Matthias Maier (tamiko) @ 2017-06-06 20:57 UTC
To: gentoo-commits
tamiko 17/06/06 20:57:47
Modified: README.history
Added: 00_all_0007-CVE-2017-8421.patch
00_all_0008-CVE-2017-9038.patch
00_all_0009-CVE-2017-9039.patch
00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
00_all_0011-0011-CVE-2017-9041.patch
binutils-2.27-CVE-2017-8421.patch
Log:
binutils-2.27: Update to patchset 1.1
Revision Changes Path
1.2 src/patchsets/binutils/2.27/README.history
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/README.history?r1=1.1&r2=1.2
Index: README.history
===================================================================
RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.27/README.history,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- README.history 15 Nov 2016 07:08:40 -0000 1.1
+++ README.history 6 Jun 2017 20:57:47 -0000 1.2
@@ -1,3 +1,10 @@
+1.1 06 Jun 2017
+ + 00_all_0007-CVE-2017-8421.patch
+ + 00_all_0008-CVE-2017-9038.patch
+ + 00_all_0009-CVE-2017-9039.patch
+ + 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
+ + 00_all_0011-0011-CVE-2017-9041.patch
+
1.0 12 Nov 2016
+ 00_all_0001-ld-always-warn-about-textrels-in-files.patch
+ 00_all_0002-gold-ld-add-support-for-poisoned-system-directories.patch
1.1 src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0007-CVE-2017-8421.patch?rev=1.1&content-type=text/plain
Index: 00_all_0007-CVE-2017-8421.patch
===================================================================
From 066b5b9598ffcf4d8e99034fa370e1ba8393341c Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 6 Jun 2017 13:04:17 -0500
Subject: [PATCH 1/5] CVE-2017-8421
[PATCH] Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs.
Patch taken from [1]. Gentoo bug [2]
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=39ff1b79f687b65f4144ddb379f22587003443fb
[2] https://bugs.gentoo.org/show_bug.cgi?id=618520
---
binutils/objdump.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index bf9c592..cbe2e0a 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3238,6 +3238,14 @@ dump_relocs_in_section (bfd *abfd,
return;
}
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+ && relsize > get_file_size (bfd_get_filename (abfd)))
+ {
+ printf (" (too many: 0x%x)\n", section->reloc_count);
+ bfd_set_error (bfd_error_file_truncated);
+ bfd_fatal (bfd_get_filename (abfd));
+ }
+
relpp = (arelent **) xmalloc (relsize);
relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
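Review bot: the guard `relsize > get_file_size (bfd_get_filename (abfd))` looks the size up by file name rather than through the bfd, so for an input that is not a plain file on disk (an archive member is named by the member, not by the archive it lives in) the lookup can fail, and a failure return compared against a positive `relsize` reads as "too many", turning every reloc dump on such input into a `bfd_fatal`. Either treat a failed size lookup as "unknown" and skip the comparison, or obtain the size from the bfd. The `BFD_IN_MEMORY | BFD_LINKER_CREATED` exclusion is the right way to skip inputs with no backing file, and placing the test before `xmalloc (relsize)` is the right spot.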
--
2.13.0
1.1 src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0008-CVE-2017-9038.patch?rev=1.1&content-type=text/plain
Index: 00_all_0008-CVE-2017-9038.patch
===================================================================
From 581a94cb18d994071f9660a7b84d1d2bc104fc4f Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 6 Jun 2017 13:18:07 -0500
Subject: [PATCH 2/5] CVE-2017-9038
readelf: Update check for invalid word offsets in ARM unwind information.
Patch taken from [1]. Gentoo bug [2]
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
binutils/readelf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 274ddd1..9a515ff 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7738,9 +7738,9 @@ get_unwind_section_word (struct arm_unw_aux_info * aux,
return FALSE;
/* If the offset is invalid then fail. */
- if (word_offset > (sec->sh_size - 4)
- /* PR 18879 */
- || (sec->sh_size < 5 && word_offset >= sec->sh_size)
+ if (/* PR 21343 *//* PR 18879 */
+ sec->sh_size < 4
+ || word_offset > (sec->sh_size - 4)
|| ((bfd_signed_vma) word_offset) < 0)
return FALSE;
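Review bot: the reordered condition is only correct because `sec->sh_size < 4` is tested first, so the unsigned `sec->sh_size - 4` can no longer wrap; a one-line comment stating that ordering dependency would stop a future reorder from silently reintroducing the PR 18879 case. Style: the run-together `/* PR 21343 *//* PR 18879 */` inside `if (` is hard to read; move it to a single comment above the `if`, e.g. `/* PR 18879, PR 21343: reject sections too short to hold one word. */`.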
--
2.13.0
1.1 src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0009-CVE-2017-9039.patch?rev=1.1&content-type=text/plain
Index: 00_all_0009-CVE-2017-9039.patch
===================================================================
From b365e09549f642683fd21e5804be962077882d33 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 6 Jun 2017 13:24:24 -0500
Subject: [PATCH 3/5] CVE-2017-9039
readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers.
Patch taken from [1]. Gentoo bug [2]
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
binutils/readelf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9a515ff..a11931d 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -4698,9 +4698,19 @@ get_program_headers (FILE * file)
if (program_headers != NULL)
return 1;
- phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
- sizeof (Elf_Internal_Phdr));
+ /* Be kind to memory checkers by looking for
+ e_phnum values which we know must be invalid. */
+ if (elf_header.e_phnum
+ * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr))
+ >= current_file_size)
+ {
+ error (_("Too many program headers - %#x - the file is not that big\n"),
+ elf_header.e_phnum);
+ return FALSE;
+ }
+ phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
+ sizeof (Elf_Internal_Phdr));
if (phdrs == NULL)
{
error (_("Out of memory reading %u program headers\n"),
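Review bot: the hunk deletes and re-adds the two `cmalloc` lines unchanged; inserting the size check above them without touching them would leave the diff at 10 insertions and no deletions and keep blame on those lines intact. Two smaller points: the function otherwise returns `1`/`0` (see `return 1;` in the context), so `return FALSE;` mixes styles, and the check depends on `current_file_size` already being set for the file being read, which the hunk does not show, so that is worth confirming for the archive-member path. The `>=` comparison itself is right, since the ELF header must also fit in the file.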
--
2.13.0
1.1 src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0010-CVE-2017-9040-CVE-2017-9042.patch?rev=1.1&content-type=text/plain
Index: 00_all_0010-CVE-2017-9040-CVE-2017-9042.patch
===================================================================
From 264947c1489c7d7469d34db92672f8c3bde37fb2 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 6 Jun 2017 13:30:14 -0500
Subject: [PATCH 4/5] CVE-2017-9040, CVE-2017-9042
readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries.
Patch taken from [1]. Gentoo bug [2]
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
binutils/readelf.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/binutils/readelf.c b/binutils/readelf.c
index a11931d..b3ec415 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -9072,6 +9072,12 @@ process_dynamic_section (FILE * file)
processing that. This is overkill, I know, but it
should work. */
section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
+ if ((bfd_size_type) section.sh_offset > current_file_size)
+ {
+ /* See PR 21379 for a reproducer. */
+ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
+ return FALSE;
+ }
if (archive_file_offset != 0)
section.sh_size = archive_file_size - section.sh_offset;
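Review bot: the new error string `"Invalid DT_SYMTAB entry: %lx"` lacks the trailing `\n` that the other `error ()` calls in this series carry (`"Too many program headers ... not that big\n"`, `"Overlarge number of conflicts detected: %lx\n"`), so the next diagnostic will run onto the same line. The check also bounds only `sh_offset` against `current_file_size`, while the archive branch directly below computes `archive_file_size - section.sh_offset`; if those two sizes can differ, an offset past the member but inside the file still underflows that subtraction, so compare against the tighter of the two.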
@@ -14788,6 +14794,15 @@ process_mips_specific (FILE * file)
return 0;
}
+ /* PR 21345 - print a slightly more helpful error message
+ if we are sure that the cmalloc will fail. */
+ if (conflictsno * sizeof (* iconf) > current_file_size)
+ {
+ error (_("Overlarge number of conflicts detected: %lx\n"),
+ (long) conflictsno);
+ return FALSE;
+ }
+
iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
if (iconf == NULL)
{
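Review bot: `conflictsno * sizeof (* iconf) > current_file_size` can wrap for a very large `conflictsno`, and a wrapped product passes this pre-check; the divide form `conflictsno > current_file_size / sizeof (* iconf)` cannot overflow and keeps the intent. The comment says the goal is only a clearer message before `cmalloc` fails, so the allocator's own guard is presumably still the backstop, but the divide form makes this check correct on its own.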
--
2.13.0
1.1 src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/00_all_0011-0011-CVE-2017-9041.patch?rev=1.1&content-type=text/plain
Index: 00_all_0011-0011-CVE-2017-9041.patch
===================================================================
From 268cb749fe1b1f78929d3df43f3142c9c73f2bda Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 6 Jun 2017 13:40:06 -0500
Subject: [PATCH 5/5] CVE-2017-9041
Patch taken from [1]. Gentoo bug [2]
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
[2] https://bugs.gentoo.org/show_bug.cgi?id=618826
---
binutils/readelf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/binutils/readelf.c b/binutils/readelf.c
index b3ec415..984fb9b 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -14918,7 +14918,14 @@ process_mips_specific (FILE * file)
printf (_(" Lazy resolver\n"));
if (ent == (bfd_vma) -1)
goto got_print_fail;
+
+ /* Check for the MSB of GOT[1] being set, denoting a GNU object.
+ This entry will be used by some runtime loaders, to store the
+ module pointer. Otherwise this is an ordinary local entry.
+ PR 21344: Check for the entry being fully available before
+ fetching it. */
if (data
+ && data + ent - pltgot + addr_size <= data_end
&& (byte_get (data + ent - pltgot, addr_size)
>> (addr_size * 8 - 1)) != 0)
{
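Review bot: `data + ent - pltgot + addr_size <= data_end` is evaluated left to right, so `data + ent` is formed first; with a large `ent` that is pointer arithmetic far beyond the buffer before `pltgot` is subtracted back out. Compute the offset in integers first, `data + (ent - pltgot) + addr_size <= data_end`, which yields the same value without the out-of-range intermediate. The bound also has no lower check: it relies on `ent >= pltgot` holding from the code that advances `ent`, which is fine if the caller guarantees it, but that invariant deserves a word in the PR 21344 comment.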
--
2.13.0
1.1 src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.27/binutils-2.27-CVE-2017-8421.patch?rev=1.1&content-type=text/plain
Index: binutils-2.27-CVE-2017-8421.patch
===================================================================
From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 2 May 2017 11:54:53 +0100
Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an
overlarge number of relocs.
PR 21440
* objdump.c (dump_relocs_in_section): Check for an excessive
number of relocs before attempting to dump them.
---
binutils/ChangeLog | 6 ++++++
binutils/objdump.c | 8 ++++++++
2 files changed, 14 insertions(+)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index bc61000..5972da1 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3379,6 +3379,14 @@ dump_relocs_in_section (bfd *abfd,
return;
}
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+ && relsize > get_file_size (bfd_get_filename (abfd)))
+ {
+ printf (" (too many: 0x%x)\n", section->reloc_count);
+ bfd_set_error (bfd_error_file_truncated);
+ bfd_fatal (bfd_get_filename (abfd));
+ }
+
relpp = (arelent **) xmalloc (relsize);
relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
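Review bot: this hunk is the same change as 00_all_0007-CVE-2017-8421.patch (only the `@@` line numbers and the index hashes differ), and the README.history entry for 1.1 lists only the 00_all_ series, so binutils-2.27-CVE-2017-8421.patch looks like a stray second copy; keep one, or the patchset risks applying the same hunk twice. The diffstat also lists `binutils/ChangeLog | 6 ++++++` but no ChangeLog diff follows, so the file is not the complete upstream patch its header describes.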
--
2.9.3