From: Armin Kuster <akuster808@gmail.com>
To: akuster@mvista.com, openembedded-core@lists.openembedded.org
Subject: [ROCKO][PATCH 27/27] binutls: Security fix for CVE-2017-17125
Date: Wed, 8 Aug 2018 08:35:22 -0700 [thread overview]
Message-ID: <1533742522-24357-27-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1533742522-24357-1-git-send-email-akuster808@gmail.com>
From: Armin Kuster <akuster@mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-17125.patch | 129 +++++++++++++++++++++
2 files changed, 130 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 577bbf0..c4d40ea 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
file://CVE-2017-17080.patch \
file://CVE-2017-17121.patch \
file://CVE-2017-17122.patch \
+ file://CVE-2017-17125.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
new file mode 100644
index 0000000..30dc6d5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
@@ -0,0 +1,129 @@
+From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 18 Nov 2017 23:18:22 +1030
+Subject: [PATCH] PR22443, Global buffer overflow in
+ _bfd_elf_get_symbol_version_string
+
+Symbols like *ABS* defined in bfd/section.c:global_syms are not
+elf_symbol_type. They can appear on relocs and perhaps other places
+in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
+to cast an asymbol based on the bfd being ELF. I think we lose
+nothing by excluding all section symbols, not just the global_syms.
+
+ PR 22443
+ * nm.c (sort_symbols_by_size): Don't attempt to access
+ section symbol internal_elf_sym.
+ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string
+ for section symbols.
+ * objdump.c (compare_symbols): Don't attempt to access
+ section symbol internal_elf_sym.
+ (objdump_print_symname): Don't call bfd_get_symbol_version_string
+ for section symbols.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17125
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 12 ++++++++++++
+ binutils/nm.c | 17 ++++++++++-------
+ binutils/objdump.c | 6 +++---
+ 3 files changed, 25 insertions(+), 10 deletions(-)
+
+Index: git/binutils/nm.c
+===================================================================
+--- git.orig/binutils/nm.c
++++ git/binutils/nm.c
+@@ -765,7 +765,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+ asection *sec;
+ bfd_vma sz;
+ asymbol *temp;
+- int synthetic = (sym->flags & BSF_SYNTHETIC);
+
+ if (from + size < fromend)
+ {
+@@ -782,10 +781,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+ sec = bfd_get_section (sym);
+
+ /* Synthetic symbols don't have a full type set of data available, thus
+- we can't rely on that information for the symbol size. */
+- if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
++ we can't rely on that information for the symbol size. Ditto for
++ bfd/section.c:global_syms like *ABS*. */
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+ sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
+- else if (!synthetic && bfd_is_com_section (sec))
++ else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_is_com_section (sec))
+ sz = sym->value;
+ else
+ {
+@@ -874,8 +876,9 @@ print_symbol (bfd * abfd,
+
+ info.sinfo = &syminfo;
+ info.ssize = ssize;
+- /* Synthetic symbols do not have a full symbol type set of data available. */
+- if ((sym->flags & BSF_SYNTHETIC) != 0)
++ /* Synthetic symbols do not have a full symbol type set of data available.
++ Nor do bfd/section.c:global_syms like *ABS*. */
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
+ {
+ info.elfinfo = NULL;
+ info.coffinfo = NULL;
+@@ -893,7 +896,7 @@ print_symbol (bfd * abfd,
+ const char * version_string = NULL;
+ bfd_boolean hidden = FALSE;
+
+- if ((sym->flags & BSF_SYNTHETIC) == 0)
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+
+ if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const v
+ bfd_vma asz, bsz;
+
+ asz = 0;
+- if ((a->flags & BSF_SYNTHETIC) == 0)
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+ bsz = 0;
+- if ((b->flags & BSF_SYNTHETIC) == 0)
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+ if (asz != bsz)
+ return asz > bsz ? -1 : 1;
+@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct
+ name = alloc;
+ }
+
+- if ((sym->flags & BSF_SYNTHETIC) == 0)
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+
+ if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,15 @@
++2017-11-18 Alan Modra <amodra@gmail.com>
++
++ PR 22443
++ * nm.c (sort_symbols_by_size): Don't attempt to access
++ section symbol internal_elf_sym.
++ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string
++ for section symbols.
++ * objdump.c (compare_symbols): Don't attempt to access
++ section symbol internal_elf_sym.
++ (objdump_print_symname): Don't call bfd_get_symbol_version_string
++ for section symbols.
++
+ 2017-11-29 Nick Clifton <nickc@redhat.com>
+
+ PR 22508
--
2.7.4
next prev parent reply other threads:[~2018-08-08 15:35 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-08 15:34 [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 02/27] binutils: Secuirty fix CVE-2017-14930 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 03/27] binutls: Security fix CVE-2017-14932 Armin Kuster
2018-08-08 15:34 ` [ROCKO][PATCH 04/27] binutls: Security fix CVE-2017-14933 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 05/27] binutls: Security fix CVE-2017-14934 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 06/27] binutls: Security fix for CVE-2017-14938 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 07/27] binutls: Security fix for CVE-2017-14939 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 08/27] binutils: Security fix for CVE-2017-14940 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 09/27] binutls: Security fix for CVE-2017-15021 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 10/27] binutls: Security fix for CVE-2017-15022 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 11/27] binutls: Security fix for CVE-2017-15023 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 12/27] binutls: Security fix for CVE-2017-15024 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 13/27] binutls: Security fix for CVE-2017-15025 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 14/27] binutls: Security fix for CVE-2017-15225 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 15/27] binutls: Security fix for CVE-2017-15939 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 16/27] binutls: Security fix for CVE-2017-15996 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 17/27] binutls: Security fix for CVE-2017-16826 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 18/27] binutls: Security fix for CVE-2017-16827 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 19/27] binutls: Security fix for CVE-2017-16828 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 20/27] binutls: Security fix for CVE-2017-16829 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 21/27] binutls: Security fix for CVE-2017-16830 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 22/27] binutls: Security fix for CVE-2017-16831 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 23/27] binutls: Security fix for CVE-2017-16832 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 24/27] binutls: Security fix for CVE-2017-17080 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 25/27] Binutils: Security fix for CVE-2017-17121 Armin Kuster
2018-08-08 15:35 ` [ROCKO][PATCH 26/27] binutls: Security fix for CVE-2017-17122 Armin Kuster
2018-08-08 15:35 ` Armin Kuster [this message]
2018-08-08 16:06 ` ✗ patchtest: failure for "[ROCKO] binutils: Security fix..." and 26 more Patchwork
2018-08-08 16:40 ` [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967 akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1533742522-24357-27-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox