diff --git a/binutils-CVE-2018-10372.patch b/binutils-CVE-2018-10372.patch new file mode 100644 index 0000000..073a407 --- /dev/null +++ b/binutils-CVE-2018-10372.patch @@ -0,0 +1,22 @@ +--- binutils.orig/binutils/dwarf.c 2018-05-01 11:42:02.656431736 +0100 ++++ binutils-2.30/binutils/dwarf.c 2018-05-01 11:43:24.210383020 +0100 +@@ -9244,7 +9244,18 @@ process_cu_tu_index (struct dwarf_sectio + } + + if (!do_display) +- memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); ++ { ++ size_t num_copy = sizeof (uint64_t); ++ ++ /* PR 23064: Beware of buffer overflow. */ ++ if (ph + num_copy < limit) ++ memcpy (&this_set[row - 1].signature, ph, num_copy); ++ else ++ { ++ warn (_("Signature (%p) extends beyond end of space in section\n"), ph); ++ return 0; ++ } ++ } + + prow = poffsets + (row - 1) * ncols * 4; + /* PR 17531: file: b8ce60a8. */ diff --git a/binutils-CVE-2018-10373.patch b/binutils-CVE-2018-10373.patch new file mode 100644 index 0000000..21964f8 --- /dev/null +++ b/binutils-CVE-2018-10373.patch @@ -0,0 +1,11 @@ +--- binutils.orig/bfd/dwarf2.c 2018-05-01 11:42:03.152425647 +0100 ++++ binutils-2.30/bfd/dwarf2.c 2018-05-01 12:03:27.533735710 +0100 +@@ -1559,7 +1559,7 @@ concat_filename (struct line_info_table + { + char *filename; + +- if (file - 1 >= table->num_files) ++ if (table == NULL || file - 1 >= table->num_files) + { + /* FILE == 0 means unknown. */ + if (file) diff --git a/binutils-CVE-2018-6323.patch b/binutils-CVE-2018-6323.patch new file mode 100644 index 0000000..bb698b8 --- /dev/null +++ b/binutils-CVE-2018-6323.patch @@ -0,0 +1,20 @@ +--- binutils.orig/bfd/elfcode.h 2018-05-01 11:42:03.250424443 +0100 ++++ binutils-2.30/bfd/elfcode.h 2018-05-01 12:41:00.745780026 +0100 +@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd) + if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp)) + goto got_wrong_format_error; + #endif +- amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum; ++ amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum; + i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (!i_shdrp) + goto got_no_match; +@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd) + if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr)) + goto got_wrong_format_error; + #endif +- amt = i_ehdrp->e_phnum * sizeof (*i_phdr); ++ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr); + elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt); + if (elf_tdata (abfd)->phdr == NULL) + goto got_no_match; diff --git a/binutils-CVE-2018-6759.patch b/binutils-CVE-2018-6759.patch new file mode 100644 index 0000000..c52a636 --- /dev/null +++ b/binutils-CVE-2018-6759.patch @@ -0,0 +1,69 @@ +--- binutils.orig/bfd/opncls.c 2018-05-01 11:42:03.266424248 +0100 ++++ binutils-2.30/bfd/opncls.c 2018-05-01 12:52:36.792579838 +0100 +@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + bfd_byte *contents; + unsigned int crc_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (crc32_out); +@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ ++ /* PR 22794: Make sure that the section has a reasonable size. */ ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, &contents)) + { + if (contents != NULL) +@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + /* CRC value is stored after the filename, aligned up to 4 bytes. */ + name = (char *) contents; + /* PR 17597: avoid reading off the end of the buffer. */ +- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; ++ crc_offset = strnlen (name, size) + 1; + crc_offset = (crc_offset + 3) & ~3; +- if (crc_offset + 4 > bfd_get_section_size (sect)) ++ if (crc_offset + 4 > size) + return NULL; + + *crc32 = bfd_get_32 (abfd, contents + crc_offset); +@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, + bfd_byte *contents; + unsigned int buildid_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (buildid_len); +@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, & contents)) + { + if (contents != NULL) +@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, + + /* BuildID value is stored after the filename. */ + name = (char *) contents; +- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; +- if (buildid_offset >= bfd_get_section_size (sect)) ++ buildid_offset = strnlen (name, size) + 1; ++ if (buildid_offset >= size) + return NULL; + +- *buildid_len = bfd_get_section_size (sect) - buildid_offset; ++ *buildid_len = size - buildid_offset; + *buildid_out = bfd_malloc (*buildid_len); + memcpy (*buildid_out, contents + buildid_offset, *buildid_len); + diff --git a/binutils-CVE-2018-7568.patch b/binutils-CVE-2018-7568.patch new file mode 100644 index 0000000..7ce6f3e --- /dev/null +++ b/binutils-CVE-2018-7568.patch @@ -0,0 +1,37 @@ +--- binutils.orig/bfd/dwarf1.c 2018-05-01 13:04:35.060041875 +0100 ++++ binutils-2.30/bfd/dwarf1.c 2018-05-01 13:24:17.943833855 +0100 +@@ -213,6 +213,7 @@ parse_die (bfd * abfd, + /* Then the attributes. */ + while (xptr + 2 <= aDiePtrEnd) + { ++ unsigned int block_len; + unsigned short attr; + + /* Parse the attribute based on its form. This section +@@ -255,12 +256,24 @@ parse_die (bfd * abfd, + break; + case FORM_BLOCK2: + if (xptr + 2 <= aDiePtrEnd) +- xptr += bfd_get_16 (abfd, xptr); ++ { ++ block_len = bfd_get_16 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 2; + break; + case FORM_BLOCK4: + if (xptr + 4 <= aDiePtrEnd) +- xptr += bfd_get_32 (abfd, xptr); ++ { ++ block_len = bfd_get_32 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 4; + break; + case FORM_STRING: diff --git a/binutils-CVE-2018-7569.patch b/binutils-CVE-2018-7569.patch new file mode 100644 index 0000000..32962bd --- /dev/null +++ b/binutils-CVE-2018-7569.patch @@ -0,0 +1,75 @@ +--- binutils.orig/bfd/dwarf2.c 2018-05-01 13:04:35.055041935 +0100 ++++ binutils-2.30/bfd/dwarf2.c 2018-05-01 13:31:32.882624448 +0100 +@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, + } + + static bfd_byte * +-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED, +- bfd_byte *buf, +- bfd_byte *end, +- unsigned int size ATTRIBUTE_UNUSED) +-{ +- if (buf + size > end) +- return NULL; +- return buf; ++read_n_bytes (bfd_byte * buf, ++ bfd_byte * end, ++ struct dwarf_block * block) ++{ ++ unsigned int size = block->size; ++ bfd_byte * block_end = buf + size; ++ ++ if (block_end > end || block_end < buf) ++ { ++ block->data = NULL; ++ block->size = 0; ++ return end; ++ } ++ else ++ { ++ block->data = buf; ++ return block_end; ++ } + } + + /* Scans a NUL terminated string starting at BUF, returning a pointer to it. +@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 2; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block4: +@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 4; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data2: +@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute * + blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read, + FALSE, info_ptr_end); + info_ptr += bytes_read; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block1: +@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_1_byte (abfd, info_ptr, info_ptr_end); + info_ptr += 1; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data1: diff --git a/binutils-CVE-2018-7570.patch b/binutils-CVE-2018-7570.patch new file mode 100644 index 0000000..e057d63 --- /dev/null +++ b/binutils-CVE-2018-7570.patch @@ -0,0 +1,156 @@ +--- binutils.orig/bfd/elf.c 2018-05-01 11:42:03.151425659 +0100 ++++ binutils-2.30/bfd/elf.c 2018-05-01 12:30:42.129206856 +0100 +@@ -5713,6 +5713,9 @@ assign_file_positions_for_load_sections + return TRUE; + } + ++#define IS_TBSS(s) \ ++ ((s->flags & (SEC_THREAD_LOCAL | SEC_LOAD)) == SEC_THREAD_LOCAL) ++ + /* Assign file positions for the other sections. */ + + static bfd_boolean +@@ -5862,65 +5865,100 @@ assign_file_positions_for_non_load_secti + { + if (p->p_type == PT_GNU_RELRO) + { +- const Elf_Internal_Phdr *lp; +- struct elf_segment_map *lm; ++ bfd_vma start, end; ++ bfd_boolean ok; + + if (link_info != NULL) + { + /* During linking the range of the RELRO segment is passed +- in link_info. */ ++ in link_info. Note that there may be padding between ++ relro_start and the first RELRO section. */ ++ start = link_info->relro_start; ++ end = link_info->relro_end; ++ } ++ else if (m->count != 0) ++ { ++ if (!m->p_size_valid) ++ abort (); ++ start = m->sections[0]->vma; ++ end = start + m->p_size; ++ } ++ else ++ { ++ start = 0; ++ end = 0; ++ } ++ ++ ok = FALSE; ++ if (start < end) ++ { ++ struct elf_segment_map *lm; ++ const Elf_Internal_Phdr *lp; ++ unsigned int i; ++ ++ /* Find a LOAD segment containing a section in the RELRO ++ segment. */ + for (lm = elf_seg_map (abfd), lp = phdrs; + lm != NULL; + lm = lm->next, lp++) + { + if (lp->p_type == PT_LOAD +- && lp->p_vaddr < link_info->relro_end + && lm->count != 0 +- && lm->sections[0]->vma >= link_info->relro_start) ++ && (lm->sections[lm->count - 1]->vma ++ + (!IS_TBSS (lm->sections[lm->count - 1]) ++ ? lm->sections[lm->count - 1]->size ++ : 0)) > start ++ && lm->sections[0]->vma < end) + break; + } + +- BFD_ASSERT (lm != NULL); +- } +- else +- { +- /* Otherwise we are copying an executable or shared +- library, but we need to use the same linker logic. */ +- for (lp = phdrs; lp < phdrs + count; ++lp) ++ if (lm != NULL) + { +- if (lp->p_type == PT_LOAD +- && lp->p_paddr == p->p_paddr) +- break; ++ /* Find the section starting the RELRO segment. */ ++ for (i = 0; i < lm->count; i++) ++ { ++ asection *s = lm->sections[i]; ++ if (s->vma >= start ++ && s->vma < end ++ && s->size != 0) ++ break; ++ } ++ ++ if (i < lm->count) ++ { ++ p->p_vaddr = lm->sections[i]->vma; ++ p->p_paddr = lm->sections[i]->lma; ++ p->p_offset = lm->sections[i]->filepos; ++ p->p_memsz = end - p->p_vaddr; ++ p->p_filesz = p->p_memsz; ++ ++ /* The RELRO segment typically ends a few bytes ++ into .got.plt but other layouts are possible. ++ In cases where the end does not match any ++ loaded section (for instance is in file ++ padding), trim p_filesz back to correspond to ++ the end of loaded section contents. */ ++ if (p->p_filesz > lp->p_vaddr + lp->p_filesz - p->p_vaddr) ++ p->p_filesz = lp->p_vaddr + lp->p_filesz - p->p_vaddr; ++ ++ /* Preserve the alignment and flags if they are ++ valid. The gold linker generates RW/4 for ++ the PT_GNU_RELRO section. It is better for ++ objcopy/strip to honor these attributes ++ otherwise gdb will choke when using separate ++ debug files. */ ++ if (!m->p_align_valid) ++ p->p_align = 1; ++ if (!m->p_flags_valid) ++ p->p_flags = PF_R; ++ ok = TRUE; ++ } + } + } +- +- if (lp < phdrs + count) +- { +- p->p_vaddr = lp->p_vaddr; +- p->p_paddr = lp->p_paddr; +- p->p_offset = lp->p_offset; +- if (link_info != NULL) +- p->p_filesz = link_info->relro_end - lp->p_vaddr; +- else if (m->p_size_valid) +- p->p_filesz = m->p_size; +- else +- abort (); +- p->p_memsz = p->p_filesz; +- /* Preserve the alignment and flags if they are valid. The +- gold linker generates RW/4 for the PT_GNU_RELRO section. +- It is better for objcopy/strip to honor these attributes +- otherwise gdb will choke when using separate debug files. +- */ +- if (!m->p_align_valid) +- p->p_align = 1; +- if (!m->p_flags_valid) +- p->p_flags = PF_R; +- } +- else +- { +- memset (p, 0, sizeof *p); +- p->p_type = PT_NULL; +- } ++ if (link_info != NULL) ++ BFD_ASSERT (ok); ++ if (!ok) ++ memset (p, 0, sizeof *p); + } + else if (p->p_type == PT_GNU_STACK) + { diff --git a/binutils.spec b/binutils.spec index dc7fdb5..5c27242 100644 --- a/binutils.spec +++ b/binutils.spec @@ -24,6 +24,8 @@ # Disable the default generation of GNU Build notes by the assembler. # This has turned out to be problematic for the i686 architecture. # although the extact reason has not been determined. (See BZ 1572485) +# It also breaks building EFI binaries on AArch64, as these cannot have +# relocations against absolute symbols. %define default_generate_notes 0 #----End of Configure Options------------------------------------------------ @@ -67,7 +69,7 @@ Summary: A GNU collection of binary utilities Name: %{?cross}binutils%{?_with_debug:-debug} Version: 2.30 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv3+ Group: Development/Tools URL: https://sourceware.org/binutils @@ -204,21 +206,55 @@ Patch19: binutils-gold-llvm-plugin.patch # Lifetime: Fixed in 2.31 Patch20: binutils-gas-build-notes.patch -# Purpose: Fix a CVE triggered by running objdump on a corrupt AOUT +# Purpose: Fix a seg-fault triggered by running objdump on a corrupt AOUT # format file. # Lifetime: Fixed in 2.31 Patch21: binutils-CVE-2018-7642.patch -# Purpose: Fix a CVE triggered by running objdump on a binary containing -# corrupt DWARF debug information. +# Purpose: Fix a seg-fault triggered by running readelf or objdump on a +# file containing corrupt DWARF debug information. # Lifetime: Fixed in 2.31 Patch22: binutils-CVE-2018-7643.patch -# Purpose: Fix a CVE triggered by running objdump on a corrupt COFF +# Purpose: Fix a seg-fault triggered by running objdump on a corrupt COFF # format file. # Lifetime: Fixed in 2.31 Patch23: binutils-CVE-2018-7208.patch +# Purpose: Fix a seg-fault triggered by running readelf or objdump on a +# file containing corrupt DWARF debug information. +# Lifetime: Fixed in 2.31 +Patch24: binutils-CVE-2018-10372.patch + +# Purpose: Fix another seg-fault triggered by running readelf or objdump on a +# file containing corrupt DWARF debug information. +# Lifetime: Fixed in 2.31 +Patch25: binutils-CVE-2018-10373.patch + +# Purpose: Fix a seg-fault triggered by running objcopy on a corrupt ELF +# file. +# Lifetime: Fixed in 2.31 +Patch26: binutils-CVE-2018-7570.patch + +# Purpose: Fix a seg-fault triggered by running objcopy on a large ELF +# file on a 32-bit host machine. +# Lifetime: Fixed in 2.31 +Patch27: binutils-CVE-2018-6323.patch + +# Purpose: Fix a seg-fault triggered by running nm on a corrupt ELF file. +# Lifetime: Fixed in 2.31 +Patch28: binutils-CVE-2018-6759.patch + +# Purpose: Fix a seg-fault triggered by running nm on a file containing +# corrupt DWARF information. +# Lifetime: Fixed in 2.31 +Patch29: binutils-CVE-2018-7569.patch + +# Purpose: Fix a seg-fault triggered by running nm on a file containing +# corrupt DWARF information. +# Lifetime: Fixed in 2.31 +Patch30: binutils-CVE-2018-7568.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty) @@ -367,6 +403,13 @@ using libelf instead of BFD. %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 # We cannot run autotools as there is an exact requirement of autoconf-2.59. @@ -780,6 +823,15 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Tue May 01 2018 Nick Clifton 2.30-18 +- Fix a seg-fault parsing corrupt DWARF information. (#1573360) +- Fix another seg-fault parsing corrupt DWARF information. (#1573367) +- Fix a seg-fault copying a corrupt ELF file. (#1551788) +- Fix a seg-fault parsing a large ELF files on a 32-bit host. (#1539891) +- Fix a seg-fault running nm on a corrupt ELF file. (#15343247) +- Fix a seg-fault running nm on a file containing corrupt DWARF information. (#1551781) +- Fix another seg-fault running nm on a file containing corrupt DWARF information. (#1551763) + * Fri Apr 27 2018 Nick Clifton 2.30-17 - Disable the automatic generation of annobin notes. (#1572485)