pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/devel/binutils binutils: add upstream fixes for CVE-20...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c87101cf5b64
branches:  trunk
changeset: 444421:c87101cf5b64
user:      fcambus <fcambus%pkgsrc.org@localhost>
date:      Thu Jan 07 09:47:47 2021 +0000

description:
binutils: add upstream fixes for CVE-2020-35448.

>From upstream commit log:

PR26574, heap buffer overflow in _bfd_elf_slurp_secondary_reloc_section

A horribly fuzzed object with section headers inside the ELF header.
Disallow that, and crazy reloc sizes.

        PR 26574
        * elfcode.h (elf_object_p): Sanity check section header offset.
        * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
        sh_entsize.

diffstat:

 devel/binutils/Makefile                    |   4 +-
 devel/binutils/distinfo                    |   4 ++-
 devel/binutils/patches/patch-bfd_elf.c     |  21 ++++++++++++++
 devel/binutils/patches/patch-bfd_elfcode.h |  45 ++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 3 deletions(-)

diffs (104 lines):

diff -r 0c5dd695cf0d -r c87101cf5b64 devel/binutils/Makefile
--- a/devel/binutils/Makefile   Thu Jan 07 09:18:31 2021 +0000
+++ b/devel/binutils/Makefile   Thu Jan 07 09:47:47 2021 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.93 2020/12/20 22:41:31 fcambus Exp $
+# $NetBSD: Makefile,v 1.94 2021/01/07 09:47:47 fcambus Exp $
 
 DISTNAME=      binutils-2.35.1
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GNU:=binutils/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 0c5dd695cf0d -r c87101cf5b64 devel/binutils/distinfo
--- a/devel/binutils/distinfo   Thu Jan 07 09:18:31 2021 +0000
+++ b/devel/binutils/distinfo   Thu Jan 07 09:47:47 2021 +0000
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.38 2020/12/20 19:07:05 fcambus Exp $
+$NetBSD: distinfo,v 1.39 2021/01/07 09:47:47 fcambus Exp $
 
 SHA1 (binutils-2.35.1.tar.bz2) = df4eb943bf65df4bbbd0a001efcc98113423c5dd
 RMD160 (binutils-2.35.1.tar.bz2) = ed8ad923db716388b83b0234d41abc6beb01c9d6
 SHA512 (binutils-2.35.1.tar.bz2) = 2828cca9664ae172d6be5f1869f4c7cd39b63a4340c9a5d7c18f30fa06d4ff391394704720872f32f786053f14b27dcafd63c46db7984a8f6ec822f266bb2541
 Size (binutils-2.35.1.tar.bz2) = 32892584 bytes
 SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9
+SHA1 (patch-bfd_elf.c) = afaea1633f3b7e31c3dc12a0fded5862f6de0dc5
+SHA1 (patch-bfd_elfcode.h) = db9bfcd489a1160609444bb03c3d08b92d3af8cb
 SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd
 SHA1 (patch-gold_options.h) = 65a4cdb67cb4bef6a1891ca66a5fc80c5493c24e
 SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344
diff -r 0c5dd695cf0d -r c87101cf5b64 devel/binutils/patches/patch-bfd_elf.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/binutils/patches/patch-bfd_elf.c    Thu Jan 07 09:47:47 2021 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-bfd_elf.c,v 1.1 2021/01/07 09:47:47 fcambus Exp $
+
+Upstream fix for CVE-2020-35448.
+
+       PR 26574
+       * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
+       sh_entsize.
+
+--- bfd/elf.c.orig     2020-09-03 14:59:14.000000000 +0000
++++ bfd/elf.c
+@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-        && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
++        && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
++        && (hdr->sh_entsize == ebd->s->sizeof_rel
++            || hdr->sh_entsize == ebd->s->sizeof_rela))
+       {
+         bfd_byte * native_relocs;
+         bfd_byte * native_reloc;
diff -r 0c5dd695cf0d -r c87101cf5b64 devel/binutils/patches/patch-bfd_elfcode.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/binutils/patches/patch-bfd_elfcode.h        Thu Jan 07 09:47:47 2021 +0000
@@ -0,0 +1,45 @@
+$NetBSD: patch-bfd_elfcode.h,v 1.1 2021/01/07 09:47:47 fcambus Exp $
+
+Upstream fix for CVE-2020-35448.
+
+       PR 26574
+       * elfcode.h (elf_object_p): Sanity check section header offset.
+
+--- bfd/elfcode.h.orig 2020-09-03 14:59:37.000000000 +0000
++++ bfd/elfcode.h
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
++  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
++  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
++  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+       }
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
++  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+ 



Home | Main Index | Thread Index | Old Index