From 0a29ea8a1e1a794d19ba9f23ccc2836379419e18 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Thu, 1 Aug 2019 03:15:42 -0500
Subject: system/binutils: patch multiple CVEs (#116)

---
 system/binutils/APKBUILD | 31 ++++++-
 system/binutils/CVE-2019-12972.patch | 33 +++++++
 system/binutils/CVE-2019-14250.patch | 25 ++++++
 system/binutils/CVE-2019-9070-and-9071.patch | 128 +++++++++++++++++++++++++++
 system/binutils/CVE-2019-9073.patch | 31 +++++++
 system/binutils/CVE-2019-9074.patch | 49 ++++++++++
 system/binutils/CVE-2019-9075.patch | 96 ++++++++++++++++++++
 system/binutils/CVE-2019-9077.patch | 33 +++++++
 8 files changed, 423 insertions(+), 3 deletions(-)
 create mode 100644 system/binutils/CVE-2019-12972.patch
 create mode 100644 system/binutils/CVE-2019-14250.patch
 create mode 100644 system/binutils/CVE-2019-9070-and-9071.patch
 create mode 100644 system/binutils/CVE-2019-9073.patch
 create mode 100644 system/binutils/CVE-2019-9074.patch
 create mode 100644 system/binutils/CVE-2019-9075.patch
 create mode 100644 system/binutils/CVE-2019-9077.patch

diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 47b3609a2..c7924b43e 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Adelie Platform Group
 pkgname=binutils
 pkgver=2.32
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools necessary to build programs"
 url="https://www.gnu.org/software/binutils/"
 depends=""
@@ -23,6 +23,13 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
 remove-pr19719-test.patch
 remove-pr19553c-test.patch
 srec.patch
+ CVE-2019-9070-and-9071.patch
+ CVE-2019-9073.patch
+ CVE-2019-9074.patch
+ CVE-2019-9075.patch
+ CVE-2019-9077.patch
+ CVE-2019-12972.patch
+ CVE-2019-14250.patch
 "
 
 if [ "$CHOST" != "$CTARGET" ]; then
@@ -33,12 +40,23 @@ if [ "$CHOST" != "$CTARGET" ]; then
 builddir="$srcdir"/binutils-$pkgver
 fi
 
-# secfixes:
+# secfixes: binutils
 # 2.28-r1:
 # - CVE-2017-7614
 # 2.31.1-r2:
 # - CVE-2018-19931
 # - CVE-2018-19932
+# 2.32-r0:
+# - CVE-2018-1000876
+# 2.32-r2:
+# - CVE-2019-9070
+# - CVE-2019-9071
+# - CVE-2019-9073
+# - CVE-2019-9074
+# - CVE-2019-9075
+# - CVE-2019-9077
+# - CVE-2019-12972
+# - CVE-2019-14250
 
 build() {
 local _sysroot=/
@@ -124,4 +142,11 @@ d378fdf1964f8f2bd0b1e62827ac5884bdf943aa435ec89c29fc84bb045d406b733fffaff8fdd8bd
 32ab4215669c728648179c124632467573a3d4675e79f0f0d221c22eb2ec1ca5488b79910bd09142f90a1e0d0b81d99ca4846297f4f9561f158db63745facb66 remove-pr2404-tests.patch
 a193d1fa7f42d91915960460a15e4d24e0df529d81e23014bcf45d283fae76bb7b300fdcb0d0a9d521cdb9137322efa1dc357112596d6ae7a7fd05988ac359b9 remove-pr19719-test.patch
 39ef9c76dd5db6b15f11ffa8061f7ca844fb79c3fb9879c3b1466eef332a28b833597c87003ab9f260b1b85023fae264659088aee27cad7e5aa77b2d58b9a3f6 remove-pr19553c-test.patch
-f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch"
+f720b3356b88e366c52941da056e543e4b42bc77f012e5b0290f79e15b0a31d855989ad01920680507a9df0544e5b8e26d0cf8d6f22fbdeb874af31cff4c16d3 srec.patch
+f52d21f194c2d7dbdc56e93636d3228034ee1718b457e5a5ce289bba2454155846d1ff6ea8530d11a901a85c9af945360bc17cda9e7370c36362aa6c762154c7 CVE-2019-9070-and-9071.patch
+032fed723b610fe06e210e2ebee8d24962ecad1dc69d98d38e95f768c9ed64cb991158758ef71e684d6d762a30e9a852287836be2bb8a2aba27fe31d2792c0a0 CVE-2019-9073.patch
+16b4cc094a6846399e47271da6fe8d8bd8b70246e12e872fcafb85f11809b5699eddba723fbac664c062c02f9b5658ea9770e14c522e151cdea1d39e69c851dd CVE-2019-9074.patch
+a46b9211608e2f35219b95363a5ba90506742dcb9e4bd4a43915af6c0b3e74bd8339a8318dc2923c0952ef579112412cb1cf619a5f090066769a852587b27d03 CVE-2019-9075.patch
+c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be34df4954dbf02feb5232ebbecc596277fc2fe63673ed347c CVE-2019-9077.patch
+9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
+c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch"
diff --git a/system/binutils/CVE-2019-12972.patch b/system/binutils/CVE-2019-12972.patch
new file mode 100644
index 000000000..82b41c014
--- /dev/null
+++ b/system/binutils/CVE-2019-12972.patch
@@ -0,0 +1,33 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+---
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index a0487b0..5180f79 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -754,7 +754,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-14250.patch b/system/binutils/CVE-2019-14250.patch
new file mode 100644
index 000000000..fedc4fa7f
--- /dev/null
+++ b/system/binutils/CVE-2019-14250.patch
@@ -0,0 +1,25 @@
+Author: marxin
+Date: Tue Jul 23 07:33:32 2019 UTC
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718
+
+libiberty: Check zero value shstrndx in simple-object-elf.c
+
+--- trunk/libiberty/simple-object-elf.c 2019/07/23 07:31:50 273717
++++ trunk/libiberty/simple-object-elf.c 2019/07/23 07:33:32 273718
+@@ -548,7 +548,15 @@
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/system/binutils/CVE-2019-9070-and-9071.patch b/system/binutils/CVE-2019-9070-and-9071.patch
new file mode 100644
index 000000000..5f401d147
--- /dev/null
+++ b/system/binutils/CVE-2019-9070-and-9071.patch
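Review bot: The new guard in the libiberty hunk rejects only `eor->shstrndx == 0`; whether an out-of-range index (`shstrndx >= shnum`) is rejected depends on code above the hunk that is not visible here, and the same string-table lookups would walk off the section header table for that case, so it is worth confirming before shipping this as the complete CVE-2019-14250 fix. The enclosing function starts outside the hunk. Note also that the patch paths are `trunk/libiberty/...` from GCC's svn, so it applies to binutils' own libiberty copy only because the default `-p1` strip drops `trunk/`; the gcc package ships a separate libiberty that this APKBUILD does not touch.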
@@ -0,0 +1,128 @@ +Author: nickc +Date: Wed Apr 10 14:44:47 2019 UTC +https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=270258 + +Fix a stack exhaustion bug in libiberty's demangler when decoding a +pathalogically constructed mangled name. + +PR 89394 +* cp-demangle.c (cplus_demangle_fill_name): Reject negative +lengths. +(d_count_templates_scopes): Replace num_templates and num_scopes +parameters with a struct d_print_info pointer parameter. Adjust +body of the function accordingly. Add recursion counter and check +that the recursion limit is not reached. +(d_print_init): Pass dpi parameter to d_count_templates_scopes. +Reset recursion counter afterwards, unless the recursion limit was +reached. + +--- trunk/libiberty/cp-demangle.c 2019/04/10 14:39:59 270257 ++++ trunk/libiberty/cp-demangle.c 2019/04/10 14:44:47 270258 +@@ -861,7 +861,7 @@ + int + cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len) + { +- if (p == NULL || s == NULL || len == 0) ++ if (p == NULL || s == NULL || len <= 0) + return 0; + p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_NAME; +@@ -4061,7 +4061,7 @@ + are larger than the actual numbers encountered. 
*/ + + static void +-d_count_templates_scopes (int *num_templates, int *num_scopes, ++d_count_templates_scopes (struct d_print_info *dpi, + const struct demangle_component *dc) + { + if (dc == NULL) +@@ -4081,13 +4081,13 @@ + break; + + case DEMANGLE_COMPONENT_TEMPLATE: +- (*num_templates)++; ++ dpi->num_copy_templates++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_REFERENCE: + case DEMANGLE_COMPONENT_RVALUE_REFERENCE: + if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) +- (*num_scopes)++; ++ dpi->num_saved_scopes++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_QUAL_NAME: +@@ -4152,42 +4152,42 @@ + case DEMANGLE_COMPONENT_TAGGED_NAME: + case DEMANGLE_COMPONENT_CLONE: + recurse_left_right: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); +- d_count_templates_scopes (num_templates, num_scopes, +- d_right (dc)); ++ /* PR 89394 - Check for too much recursion. */ ++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT) ++ /* FIXME: There ought to be a way to report to the ++ user that the recursion limit has been reached. 
*/ ++ return; ++ ++ ++ dpi->recursion; ++ d_count_templates_scopes (dpi, d_left (dc)); ++ d_count_templates_scopes (dpi, d_right (dc)); ++ -- dpi->recursion; + break; + + case DEMANGLE_COMPONENT_CTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_ctor.name); ++ d_count_templates_scopes (dpi, dc->u.s_ctor.name); + break; + + case DEMANGLE_COMPONENT_DTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_dtor.name); ++ d_count_templates_scopes (dpi, dc->u.s_dtor.name); + break; + + case DEMANGLE_COMPONENT_EXTENDED_OPERATOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_extended_operator.name); ++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name); + break; + + case DEMANGLE_COMPONENT_FIXED_TYPE: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_fixed.length); ++ d_count_templates_scopes (dpi, dc->u.s_fixed.length); + break; + + case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS: + case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); ++ d_count_templates_scopes (dpi, d_left (dc)); + break; + + case DEMANGLE_COMPONENT_LAMBDA: + case DEMANGLE_COMPONENT_DEFAULT_ARG: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_unary_num.sub); ++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub); + break; + } + } +@@ -4222,8 +4222,12 @@ + dpi->next_copy_template = 0; + dpi->num_copy_templates = 0; + +- d_count_templates_scopes (&dpi->num_copy_templates, +- &dpi->num_saved_scopes, dc); ++ d_count_templates_scopes (dpi, dc); ++ /* If we did not reach the recursion limit, then reset the ++ current recursion value back to 0, so that we can print ++ the templates. */ ++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT) ++ dpi->recursion = 0; + dpi->num_copy_templates *= dpi->num_saved_scopes; + + dpi->current_template = NULL; 
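Review bot: The `dpi->recursion > DEMANGLE_RECURSION_LIMIT` check in `d_count_templates_scopes` only works if `dpi->recursion` was zeroed before the call and if `DEMANGLE_RECURSION_LIMIT` and the `recursion` member exist in the 2.32 copy of cp-demangle.c; both are outside the hunk, so if the patch applied cleanly they presumably do, but the build log should confirm no implicit-declaration or missing-member error. When the limit is hit the function returns silently, leaving `num_copy_templates`/`num_saved_scopes` undercounted, and the `d_print_init` change deliberately leaves `dpi->recursion` at the limit so that later printing bails instead of using the short counts; a comment at the early `return` stating that (`/* Counts are now too low; d_print_init keeps dpi->recursion at the limit so printing fails rather than overruns.  */`) would make the dependency between the two hunks explicit. Both `d_count_templates_scopes` and `d_print_init` start and end outside the visible hunk.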
diff --git a/system/binutils/CVE-2019-9073.patch b/system/binutils/CVE-2019-9073.patch
new file mode 100644
index 000000000..9ea45707b
--- /dev/null
+++ b/system/binutils/CVE-2019-9073.patch
@@ -0,0 +1,31 @@
+From 7d272a55caebfc26ab2e15d1e9439bac978b9bb7 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+
+ PR 24233
+ * objdump.c (dump_bfd_private_header): Print warning if
+ bfd_print_private_bfd_data returns false.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9074.patch b/system/binutils/CVE-2019-9074.patch
new file mode 100644
index 000000000..74b6c2040
--- /dev/null
+++ b/system/binutils/CVE-2019-9074.patch
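Review bot: The objdump change only reports a failure; the new `if (!bfd_print_private_bfd_data (abfd, stdout))` branch fires only if the bfd backend actually returns FALSE on the oversized allocation that PR 24233 describes, and nothing in this patch set touches bfd for that bug. If binutils 2.32 lacks the bfd-side half of the upstream fix, the out-of-memory path is unchanged and this warning never runs, so it is worth checking upstream's bfd ChangeLog for PR 24233 before marking CVE-2019-9073 fixed in secfixes. A short comment on the new branch, `/* PR 24233: the backend returns FALSE when it refuses a corrupt header rather than allocating for it.  */`, would record what the warning is expected to cover.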
@@ -0,0 +1,49 @@
+From 179f2db0d9c397d7dd8a59907b84208b79f7f48c Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+
+ PR 24235
+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+ attempting to prevent read past end of section.
+---
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
+ /* Display functions table. */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
+--
+2.9.3
+
diff --git a/system/binutils/CVE-2019-9075.patch b/system/binutils/CVE-2019-9075.patch
new file mode 100644
index 000000000..0084d3368
--- /dev/null
+++ b/system/binutils/CVE-2019-9075.patch
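Review bot: With `stop = datasize` in the first two hunks, `stop` is no longer rounded down to a whole number of `onaline`-byte rows, so the row loop between those hunks and the third one (outside the visible hunks) must itself stop before a partial trailing row, e.g. `if (i + onaline > stop) break;`, or the last iteration reads up to `onaline - 1` bytes past `datasize`. If that guard is already in the 2.32 loop body this is fine, but it is the one thing that the old rounding protected and the new code does not. The third hunk's `altent - pdata_vma + PDATA_ROW_SIZE <= stop` is correct given `altent >= pdata_vma` is tested first, since the subtraction cannot wrap. The enclosing function starts and ends outside the hunk.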
@@ -0,0 +1,96 @@ +From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 20 Feb 2019 08:21:24 +1030 +Subject: [PATCH] PR24236, Heap buffer overflow in + _bfd_archive_64_bit_slurp_armap + + PR 24236 + * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding + sentinel NUL to string buffer nearer to loop where it is used. + Don't go past sentinel when scanning strings, and don't write + NUL again. + * archive.c (do_slurp_coff_armap): Simplify string handling to + archive64.c style. +--- + bfd/archive.c | 17 +++++++---------- + bfd/archive64.c | 10 +++++----- + 3 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/bfd/archive.c b/bfd/archive.c +index d2d9b72..68a92a3 100644 +--- a/bfd/archive.c ++++ b/bfd/archive.c +@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) + int *raw_armap, *rawptr; + struct artdata *ardata = bfd_ardata (abfd); + char *stringbase; ++ char *stringend; + bfd_size_type stringsize; + bfd_size_type parsed_size; + carsym *carsyms; +@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) + } + + /* OK, build the carsyms. */ +- for (i = 0; i < nsymz && stringsize > 0; i++) ++ stringend = stringbase + stringsize; ++ *stringend = 0; ++ for (i = 0; i < nsymz; i++) + { +- bfd_size_type len; +- + rawptr = raw_armap + i; + carsyms->file_offset = swap ((bfd_byte *) rawptr); + carsyms->name = stringbase; +- /* PR 17512: file: 4a1d50c1. 
*/ +- len = strnlen (stringbase, stringsize); +- if (len < stringsize) +- len ++; +- stringbase += len; +- stringsize -= len; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + carsyms++; + } +- *stringbase = 0; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); +diff --git a/bfd/archive64.c b/bfd/archive64.c +index 312bf82..42f6ed9 100644 +--- a/bfd/archive64.c ++++ b/bfd/archive64.c +@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) + return FALSE; + carsyms = ardata->symdefs; + stringbase = ((char *) ardata->symdefs) + carsym_size; +- stringbase[stringsize] = 0; +- stringend = stringbase + stringsize; + + raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); + if (raw_armap == NULL) +@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) + goto release_raw_armap; + } + ++ stringend = stringbase + stringsize; ++ *stringend = 0; + for (i = 0; i < nsymz; i++) + { + carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); + carsyms->name = stringbase; +- if (stringbase < stringend) +- stringbase += strlen (stringbase) + 1; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + ++carsyms; + } +- *stringbase = '\0'; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); +-- +2.9.3 + diff --git a/system/binutils/CVE-2019-9077.patch b/system/binutils/CVE-2019-9077.patch new file mode 100644 index 000000000..de044e387 --- /dev/null +++ b/system/binutils/CVE-2019-9077.patch 
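Review bot: The sentinel write `*stringend = 0` at `stringbase + stringsize` in `do_slurp_coff_armap` requires the buffer holding the string table to have `stringsize + 1` bytes; the allocation sits above the hunk, so confirm it reserves that extra byte (the archive64.c side already wrote `stringbase[stringsize] = 0` before this patch, so its allocation evidently does). The new loop also drops the old `stringsize > 0` condition, so with an empty string table every one of `nsymz` symbols gets `name` pointing at the single NUL, which is safe but worth a comment such as `/* Every name is bounded by the NUL at stringend; an exhausted table yields empty names.  */` next to the `if (stringbase != stringend)` step. Both functions start and end outside the hunk.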
@@ -0,0 +1,33 @@
+From 7fc0c668f2aceb8582d74db1ad2528e2bba8a921 Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+---
+ binutils/readelf.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 54d165e..20ebacc 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -16187,6 +16187,12 @@ process_mips_specific (Filedata * filedata)
+ error (_("No MIPS_OPTIONS header found\n"));
+ return FALSE;
+ }
++ /* PR 24243 */
++ if (sect->sh_size < sizeof (* eopt))
++ {
++ error (_("The MIPS options section is too small.\n"));
++ return FALSE;
++ }
+
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+ sect->sh_size, _("options"));
+--
+2.9.3
+
-- 
cgit v1.2.3-60-g2f50
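Review bot: The bare `/* PR 24243 */` above the new `sh_size < sizeof (* eopt)` check does not say what it prevents; the check only matters if the option-walking loop further down (outside the hunk) computes its bound as `sect->sh_size - sizeof (* eopt)` in unsigned arithmetic, which wraps to a huge value for a section shorter than one header. If that is the case, `/* PR 24243: a section shorter than one option header would make the unsigned loop bound below wrap.  */` records the reason. The check also guards only the first header; per-option `size` fields read inside the loop still need their own bounds, which this patch does not visibly change. `process_mips_specific` starts and ends outside the hunk.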