CVS commit: pkgsrc/devel/binutils

["Frederic Cambus" <fcambus%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   fcambus
Date:           Thu Jan  7 09:47:48 UTC 2021

Modified Files:
        pkgsrc/devel/binutils: Makefile distinfo
Added Files:
        pkgsrc/devel/binutils/patches: patch-bfd_elf.c patch-bfd_elfcode.h

Log Message:
binutils: add upstream fixes for CVE-2020-35448.

>From upstream commit log:

PR26574, heap buffer overflow in _bfd_elf_slurp_secondary_reloc_section

A horribly fuzzed object with section headers inside the ELF header.
Disallow that, and crazy reloc sizes.

        PR 26574
        * elfcode.h (elf_object_p): Sanity check section header offset.
        * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
        sh_entsize.


To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/binutils/Makefile
cvs rdiff -u -r1.38 -r1.39 pkgsrc/devel/binutils/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/binutils/patches/patch-bfd_elf.c \
    pkgsrc/devel/binutils/patches/patch-bfd_elfcode.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/binutils/Makefile
diff -u pkgsrc/devel/binutils/Makefile:1.93 pkgsrc/devel/binutils/Makefile:1.94
--- pkgsrc/devel/binutils/Makefile:1.93 Sun Dec 20 22:41:31 2020
+++ pkgsrc/devel/binutils/Makefile      Thu Jan  7 09:47:47 2021
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.93 2020/12/20 22:41:31 fcambus Exp $
+# $NetBSD: Makefile,v 1.94 2021/01/07 09:47:47 fcambus Exp $
 
 DISTNAME=      binutils-2.35.1
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GNU:=binutils/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/devel/binutils/distinfo
diff -u pkgsrc/devel/binutils/distinfo:1.38 pkgsrc/devel/binutils/distinfo:1.39
--- pkgsrc/devel/binutils/distinfo:1.38 Sun Dec 20 19:07:05 2020
+++ pkgsrc/devel/binutils/distinfo      Thu Jan  7 09:47:47 2021
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.38 2020/12/20 19:07:05 fcambus Exp $
+$NetBSD: distinfo,v 1.39 2021/01/07 09:47:47 fcambus Exp $
 
 SHA1 (binutils-2.35.1.tar.bz2) = df4eb943bf65df4bbbd0a001efcc98113423c5dd
 RMD160 (binutils-2.35.1.tar.bz2) = ed8ad923db716388b83b0234d41abc6beb01c9d6
 SHA512 (binutils-2.35.1.tar.bz2) = 2828cca9664ae172d6be5f1869f4c7cd39b63a4340c9a5d7c18f30fa06d4ff391394704720872f32f786053f14b27dcafd63c46db7984a8f6ec822f266bb2541
 Size (binutils-2.35.1.tar.bz2) = 32892584 bytes
 SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9
+SHA1 (patch-bfd_elf.c) = afaea1633f3b7e31c3dc12a0fded5862f6de0dc5
+SHA1 (patch-bfd_elfcode.h) = db9bfcd489a1160609444bb03c3d08b92d3af8cb
 SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd
 SHA1 (patch-gold_options.h) = 65a4cdb67cb4bef6a1891ca66a5fc80c5493c24e
 SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344

Added files:

Index: pkgsrc/devel/binutils/patches/patch-bfd_elf.c
diff -u /dev/null pkgsrc/devel/binutils/patches/patch-bfd_elf.c:1.1
--- /dev/null   Thu Jan  7 09:47:48 2021
+++ pkgsrc/devel/binutils/patches/patch-bfd_elf.c       Thu Jan  7 09:47:47 2021
@@ -0,0 +1,21 @@
+$NetBSD: patch-bfd_elf.c,v 1.1 2021/01/07 09:47:47 fcambus Exp $
+
+Upstream fix for CVE-2020-35448.
+
+       PR 26574
+       * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
+       sh_entsize.
+
+--- bfd/elf.c.orig     2020-09-03 14:59:14.000000000 +0000
++++ bfd/elf.c
+@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-        && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
++        && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
++        && (hdr->sh_entsize == ebd->s->sizeof_rel
++            || hdr->sh_entsize == ebd->s->sizeof_rela))
+       {
+         bfd_byte * native_relocs;
+         bfd_byte * native_reloc;
Index: pkgsrc/devel/binutils/patches/patch-bfd_elfcode.h
diff -u /dev/null pkgsrc/devel/binutils/patches/patch-bfd_elfcode.h:1.1
--- /dev/null   Thu Jan  7 09:47:48 2021
+++ pkgsrc/devel/binutils/patches/patch-bfd_elfcode.h   Thu Jan  7 09:47:47 2021
@@ -0,0 +1,45 @@
+$NetBSD: patch-bfd_elfcode.h,v 1.1 2021/01/07 09:47:47 fcambus Exp $
+
+Upstream fix for CVE-2020-35448.
+
+       PR 26574
+       * elfcode.h (elf_object_p): Sanity check section header offset.
+
+--- bfd/elfcode.h.orig 2020-09-03 14:59:37.000000000 +0000
++++ bfd/elfcode.h
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
++  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
++  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
++  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+       }
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
++  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+