import binutils-2.30-104.el8

2021-06-11 18:19:38 +00:00 · 2021-06-11 18:19:38 +00:00 · 6f5ec9e4fe
commit 6f5ec9e4fe
parent 408231e43d
3 changed files with 132 additions and 1 deletions
--- a/SOURCES/binutils-CVE-2020-35448.patch
+++ b/SOURCES/binutils-CVE-2020-35448.patch
@ -0,0 +1,53 @@
+diff -rup binutils.orig/bfd/elf.c binutils-2.35/bfd/elf.c
+--- binutils.orig/bfd/elf.c	2021-04-19 10:49:21.757290990 +0100
+++ binutils-2.35/bfd/elf.c	2021-04-19 10:50:28.309839285 +0100
+@@ -12534,7 +12534,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-	  && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+	  && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+	  && (hdr->sh_entsize == ebd->s->sizeof_rel
+	      || hdr->sh_entsize == ebd->s->sizeof_rela))
+ 	{
+ 	  bfd_byte * native_relocs;
+ 	  bfd_byte * native_reloc;
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.35/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h	2021-04-19 10:49:21.767290922 +0100
+++ binutils-2.35/bfd/elfcode.h	2021-04-19 10:52:22.196066303 +0100
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+ 	}
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+ 
--- a/SOURCES/binutils-CVE-2021-20284.patch
+++ b/SOURCES/binutils-CVE-2021-20284.patch
@ -0,0 +1,62 @@
+diff -rup binutils.orig/bfd/elf-bfd.h binutils-2.30/bfd/elf-bfd.h
+--- binutils.orig/bfd/elf-bfd.h	2021-05-19 15:05:30.988901261 +0100
+++ binutils-2.30/bfd/elf-bfd.h	2021-05-19 15:05:55.477815716 +0100
+@@ -1487,7 +1487,7 @@ struct elf_backend_data
+   bfd_boolean (*init_secondary_reloc_section) (bfd *, Elf_Internal_Shdr *, const char *, unsigned int);
+ 
+   /* Called when after loading the normal relocs for a section.  */
+-  bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **);
+  bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **, bfd_boolean);
+ 
+   /* Called after writing the normal relocs for a section.  */
+   bfd_boolean (*write_secondary_relocs) (bfd *, asection *);
+@@ -2721,7 +2721,7 @@ extern bfd_vma elf32_r_sym (bfd_vma);
+ extern bfd_boolean _bfd_elf_init_secondary_reloc_section
+   (bfd *, Elf_Internal_Shdr *, const char *, unsigned int);
+ extern bfd_boolean _bfd_elf_slurp_secondary_reloc_section
+-  (bfd *, asection *, asymbol **);
+(bfd *, asection *, asymbol **, bfd_boolean);
+ extern bfd_boolean _bfd_elf_copy_special_section_fields
+   (const bfd *, bfd *, const Elf_Internal_Shdr *, Elf_Internal_Shdr *);
+ extern bfd_boolean _bfd_elf_write_secondary_reloc_section
+Only in binutils-2.30/bfd: elf-bfd.h.orig
+diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c
+--- binutils.orig/bfd/elf.c	2021-05-19 15:05:30.989901257 +0100
+++ binutils-2.30/bfd/elf.c	2021-05-19 15:05:55.478815712 +0100
+@@ -11663,7 +11663,8 @@ _bfd_elf_init_secondary_reloc_section (b
+ bfd_boolean
+ _bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
+ 					asection * sec,
+-					asymbol ** symbols)
+					asymbol ** symbols,
+					bfd_boolean dynamic)
+ {
+   const struct elf_backend_data * const ebd = get_elf_backend_data (abfd);
+   asection * relsec;
+@@ -11728,7 +11729,10 @@ _bfd_elf_slurp_secondary_reloc_section (
+ 	      continue;
+ 	    }
+ 
+-	  symcount = bfd_get_symcount (abfd);
+         if (dynamic)
+           symcount = bfd_get_dynamic_symcount (abfd);
+         else
+           symcount = bfd_get_symcount (abfd);
+ 
+ 	  for (i = 0, internal_reloc = internal_relocs, native_reloc = native_relocs;
+ 	       i < reloc_count;
+Only in binutils-2.30/bfd: elf.c.orig
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.30/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h	2021-05-19 15:05:30.990901254 +0100
+++ binutils-2.30/bfd/elfcode.h	2021-05-19 15:07:34.098471218 +0100
+@@ -1577,7 +1577,7 @@ elf_slurp_reloc_table (bfd *abfd,
+     return FALSE;
+ 
+   if (bed->slurp_secondary_relocs != NULL
+-      && ! bed->slurp_secondary_relocs (abfd, asect, symbols))
+      && ! bed->slurp_secondary_relocs (abfd, asect, symbols, dynamic))
+     return FALSE;
+ 
+   asect->relocation = relents;
+Only in binutils-2.30/bfd: elfcode.h.orig
+Only in binutils-2.30/bfd: elfcode.h.rej
--- a/SPECS/binutils.spec
+++ b/SPECS/binutils.spec
@ -43,7 +43,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?name_cross}%{?_with_debug:-debug}
 Version: 2.30
-Release: 102%{?dist}
+Release: 104%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils

@ -575,6 +575,14 @@ Patch87: binutils-mark-all-weak-aliases.patch
 # Lifetime: Fixed in 2.36
 Patch88: binutils-CVE-2021-3487.patch

+# Purpose:  Fix illegal memory access when parsing corrupt ELF files.
+# Lifetime: Fixed in 2.36
+Patch89: binutils-CVE-2020-35448.patch
+
+# Purpose: Fixed heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section.
+# Lifetime: Fixed in 2.36
+Patch90: binutils-CVE-2021-20284.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -800,6 +808,8 @@ using libelf instead of BFD.
 %patch86 -p1
 %patch87 -p1
 %patch88 -p1
+%patch89 -p1
+%patch90 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@ -1249,6 +1259,12 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Wed May 19 2021 Nick Clifton  <nickc@redhat.com> - 2.30-104
+- Fix heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section. (#1961526)
+
+* Tue May 04 2021 Nick Clifton  <nickc@redhat.com> - 2.30-103
+- Fix an illegal memory access when parsing a corrupt ELF file.  (#1953659)
+
 * Mon Apr 26 2021 Nick Clifton  <nickc@redhat.com> - 2.30-102
 - Bump NVR to allow rebuild against binutils-2.30-101.