authorMax Rees <maxcrees@me.com>2019-08-01 03:15:42 -0500
committerMax Rees <maxcrees@me.com>2019-08-01 03:15:42 -0500
commit0a29ea8a1e1a794d19ba9f23ccc2836379419e18 (patch)
tree407c1ab5977afd63aa60c6bd7308439700178682
parentaddcb5d4b2d24c7927c597d156f5a31a3df2ab31 (diff)
system/binutils: patch multiple CVEs (#116)
-rw-r--r--system/binutils/APKBUILD31
-rw-r--r--system/binutils/CVE-2019-12972.patch33
-rw-r--r--system/binutils/CVE-2019-14250.patch25
-rw-r--r--system/binutils/CVE-2019-9070-and-9071.patch128
-rw-r--r--system/binutils/CVE-2019-9073.patch31
-rw-r--r--system/binutils/CVE-2019-9074.patch49
-rw-r--r--system/binutils/CVE-2019-9075.patch96
-rw-r--r--system/binutils/CVE-2019-9077.patch33
8 files changed, 423 insertions, 3 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 47b3609a2..c7924b43e 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.32
-pkgrel=1
+pkgrel=2
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
@@ -23,6 +23,13 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
remove-pr19719-test.patch
remove-pr19553c-test.patch
srec.patch
+ CVE-2019-9070-and-9071.patch
+ CVE-2019-9073.patch
+ CVE-2019-9074.patch
+ CVE-2019-9075.patch
+ CVE-2019-9077.patch
+ CVE-2019-12972.patch
+ CVE-2019-14250.patch
"
if [ "$CHOST" != "$CTARGET" ]; then
@@ -33,12 +40,23 @@ if [ "$CHOST" != "$CTARGET" ]; then
builddir="$srcdir"/binutils-$pkgver
fi
-# secfixes:
+# secfixes: binutils
# 2.28-r1:
# - CVE-2017-7614
# 2.31.1-r2:
# - CVE-2018-19931
# - CVE-2018-19932
+# 2.32-r0:
+# - CVE-2018-1000876
+# 2.32-r2:
+# - CVE-2019-9070
+# - CVE-2019-9071
+# - CVE-2019-9073
+# - CVE-2019-9074
+# - CVE-2019-9075
+# - CVE-2019-9077
+# - CVE-2019-12972
+# - CVE-2019-14250
build() {
local _sysroot=/
@@ -124,4 +142,11 @@ d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd
32ab4215669c728648179c124632467573a3d4675e79f0f0d221c22eb2ec1ca5488b79910bd09142f90a1e0d0b81d99ca4846297f4f9561f158db63745facb66 remove-pr2404-tests.patch
a193d1fa7f42d91915960460a15e4d24e0df529d81e23014bcf45d283fae76bb7b300fdcb0d0a9d521cdb9137322efa1dc357112596d6ae7a7fd05988ac359b9 remove-pr19719-test.patch
39ef9c76dd5db6b15f11ffa8061f7ca844fb79c3fb9879c3b1466eef332a28b833597c87003ab9f260b1b85023fae264659088aee27cad7e5aa77b2d58b9a3f6 remove-pr19553c-test.patch
-f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch"
+f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch
+f52d21f194c2d7dbdc56e93636d3228034ee1718b457e5a5ce289bba2454155846d1ff6ea8530d11a901a85c9af945360bc17cda9e7370c36362aa6c762154c7 CVE-2019-9070-and-9071.patch
+032fed723b610fe06e210e2ebee8d24962ecad1dc69d98d38e95f768c9ed64cb991158758ef71e684d6d762a30e9a852287836be2bb8a2aba27fe31d2792c0a0 CVE-2019-9073.patch
+16b4cc094a6846399e47271da6fe8d8bd8b70246e12e872fcafb85f11809b5699eddba723fbac664c062c02f9b5658ea9770e14c522e151cdea1d39e69c851dd CVE-2019-9074.patch
+a46b9211608e2f35219b95363a5ba90506742dcb9e4bd4a43915af6c0b3e74bd8339a8318dc2923c0952ef579112412cb1cf619a5f090066769a852587b27d03 CVE-2019-9075.patch
+c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be34df4954dbf02feb5232ebbecc596277fc2fe63673ed347c CVE-2019-9077.patch
+9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
+c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch"
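Review bot: The header line changes from `# secfixes:` to `# secfixes: binutils`, which is the only edit in this hunk that alters an existing key rather than appending entries; if the tooling that scans APKBUILDs for security fixes matches the bare `# secfixes:` string, every entry below it — including the eight new 2.32-r2 lines — would silently stop being picked up. Confirm that the `binutils` suffix is a form the parser accepts, or keep the original `# secfixes:` line. The new `2.32-r0:` block recording CVE-2018-1000876 is a retroactive annotation for a release that is not part of this change; it is reasonable to add, but it is not mentioned in the commit message and a reader may assume it was fixed here. The sha512 list and the `source=` list in the earlier hunk name the same seven patch files, so the checksum side looks complete.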
diff --git a/system/binutils/CVE-2019-12972.patch b/system/binutils/CVE-2019-12972.patch
new file mode 100644
index 000000000..82b41c014
--- /dev/null
+++ b/system/binutils/CVE-2019-12972.patch
@@ -0,0 +1,33 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+---
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index a0487b0..5180f79 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -754,7 +754,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-14250.patch b/system/binutils/CVE-2019-14250.patch
new file mode 100644
index 000000000..fedc4fa7f
--- /dev/null
+++ b/system/binutils/CVE-2019-14250.patch
@@ -0,0 +1,25 @@
+Author: marxin
+Date: Tue Jul 23 07:33:32 2019 UTC
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718
+
+libiberty: Check zero value shstrndx in simple-object-elf.c
+
+--- trunk/libiberty/simple-object-elf.c 2019/07/23 07:31:50 273717
++++ trunk/libiberty/simple-object-elf.c 2019/07/23 07:33:32 273718
+@@ -548,7 +548,15 @@
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/system/binutils/CVE-2019-9070-and-9071.patch b/system/binutils/CVE-2019-9070-and-9071.patch
new file mode 100644
index 000000000..5f401d147
--- /dev/null
+++ b/system/binutils/CVE-2019-9070-and-9071.patch
@@ -0,0 +1,128 @@
+Author: nickc
+Date: Wed Apr 10 14:44:47 2019 UTC
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=270258
+
+Fix a stack exhaustion bug in libiberty's demangler when decoding a
+pathalogically constructed mangled name.
+
+PR 89394
+* cp-demangle.c (cplus_demangle_fill_name): Reject negative
+lengths.
+(d_count_templates_scopes): Replace num_templates and num_scopes
+parameters with a struct d_print_info pointer parameter. Adjust
+body of the function accordingly. Add recursion counter and check
+that the recursion limit is not reached.
+(d_print_init): Pass dpi parameter to d_count_templates_scopes.
+Reset recursion counter afterwards, unless the recursion limit was
+reached.
+
+--- trunk/libiberty/cp-demangle.c 2019/04/10 14:39:59 270257
++++ trunk/libiberty/cp-demangle.c 2019/04/10 14:44:47 270258
+@@ -861,7 +861,7 @@
+ int
+ cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
+ {
+- if (p == NULL || s == NULL || len == 0)
++ if (p == NULL || s == NULL || len <= 0)
+ return 0;
+ p->d_printing = 0;
+ p->type = DEMANGLE_COMPONENT_NAME;
+@@ -4061,7 +4061,7 @@
+ are larger than the actual numbers encountered. */
+
+ static void
+-d_count_templates_scopes (int *num_templates, int *num_scopes,
++d_count_templates_scopes (struct d_print_info *dpi,
+ const struct demangle_component *dc)
+ {
+ if (dc == NULL)
+@@ -4081,13 +4081,13 @@
+ break;
+
+ case DEMANGLE_COMPONENT_TEMPLATE:
+- (*num_templates)++;
++ dpi->num_copy_templates++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_REFERENCE:
+ case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
+ if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
+- (*num_scopes)++;
++ dpi->num_saved_scopes++;
+ goto recurse_left_right;
+
+ case DEMANGLE_COMPONENT_QUAL_NAME:
+@@ -4152,42 +4152,42 @@
+ case DEMANGLE_COMPONENT_TAGGED_NAME:
+ case DEMANGLE_COMPONENT_CLONE:
+ recurse_left_right:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_right (dc));
++ /* PR 89394 - Check for too much recursion. */
++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report to the
++ user that the recursion limit has been reached. */
++ return;
++
++ ++ dpi->recursion;
++ d_count_templates_scopes (dpi, d_left (dc));
++ d_count_templates_scopes (dpi, d_right (dc));
++ -- dpi->recursion;
+ break;
+
+ case DEMANGLE_COMPONENT_CTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_ctor.name);
++ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_DTOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_dtor.name);
++ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
+ break;
+
+ case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_extended_operator.name);
++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
+ break;
+
+ case DEMANGLE_COMPONENT_FIXED_TYPE:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_fixed.length);
++ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
+ break;
+
+ case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
+ case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
+- d_count_templates_scopes (num_templates, num_scopes,
+- d_left (dc));
++ d_count_templates_scopes (dpi, d_left (dc));
+ break;
+
+ case DEMANGLE_COMPONENT_LAMBDA:
+ case DEMANGLE_COMPONENT_DEFAULT_ARG:
+- d_count_templates_scopes (num_templates, num_scopes,
+- dc->u.s_unary_num.sub);
++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
+ break;
+ }
+ }
+@@ -4222,8 +4222,12 @@
+ dpi->next_copy_template = 0;
+ dpi->num_copy_templates = 0;
+
+- d_count_templates_scopes (&dpi->num_copy_templates,
+- &dpi->num_saved_scopes, dc);
++ d_count_templates_scopes (dpi, dc);
++ /* If we did not reach the recursion limit, then reset the
++ current recursion value back to 0, so that we can print
++ the templates. */
++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
++ dpi->recursion = 0;
+ dpi->num_copy_templates *= dpi->num_saved_scopes;
+
+ dpi->current_template = NULL;
diff --git a/system/binutils/CVE-2019-9073.patch b/system/binutils/CVE-2019-9073.patch
new file mode 100644
index 000000000..9ea45707b
--- /dev/null
+++ b/system/binutils/CVE-2019-9073.patch
@@ -0,0 +1,31 @@
+From 7d272a55caebfc26ab2e15d1e9439bac978b9bb7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+
+ PR 24233
+ * objdump.c (dump_bfd_private_header): Print warning if
+ bfd_print_private_bfd_data returns false.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9074.patch b/system/binutils/CVE-2019-9074.patch
new file mode 100644
index 000000000..74b6c2040
--- /dev/null
+++ b/system/binutils/CVE-2019-9074.patch
@@ -0,0 +1,49 @@
+From 179f2db0d9c397d7dd8a59907b84208b79f7f48c Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+
+ PR 24235
+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+ attempting to prevent read past end of section.
+---
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
+ /* Display functions table. */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9075.patch b/system/binutils/CVE-2019-9075.patch
new file mode 100644
index 000000000..0084d3368
--- /dev/null
+++ b/system/binutils/CVE-2019-9075.patch
@@ -0,0 +1,96 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+---
+ bfd/archive.c | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+- bfd_size_type len;
+-
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. */
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
++++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ goto release_raw_armap;
+ }
+
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9077.patch b/system/binutils/CVE-2019-9077.patch
new file mode 100644
index 000000000..de044e387
--- /dev/null
+++ b/system/binutils/CVE-2019-9077.patch
@@ -0,0 +1,33 @@
+From 7fc0c668f2aceb8582d74db1ad2528e2bba8a921 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+---
+ binutils/readelf.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 54d165e..20ebacc 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -16187,6 +16187,12 @@ process_mips_specific (Filedata * filedata)
+ error (_("No MIPS_OPTIONS header found\n"));
+ return FALSE;
+ }
++ /* PR 24243 */
++ if (sect->sh_size < sizeof (* eopt))
++ {
++ error (_("The MIPS options section is too small.\n"));
++ return FALSE;
++ }
+
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+ sect->sh_size, _("options"));
+--
+2.9.3
+