diff options
Diffstat (limited to 'cross/cross-binutils/binutils-2.24-CVE-2014-8502.patch')
-rw-r--r-- | cross/cross-binutils/binutils-2.24-CVE-2014-8502.patch | 547 |
1 files changed, 547 insertions, 0 deletions
diff --git a/cross/cross-binutils/binutils-2.24-CVE-2014-8502.patch b/cross/cross-binutils/binutils-2.24-CVE-2014-8502.patch new file mode 100644 index 000000000..bab76c4da --- /dev/null +++ b/cross/cross-binutils/binutils-2.24-CVE-2014-8502.patch @@ -0,0 +1,547 @@ +diff --git a/bfd/elf.c b/bfd/elf.c +index c8ac826..3fcf2d8 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -1578,38 +1578,67 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + Elf_Internal_Ehdr *ehdr; + const struct elf_backend_data *bed; + const char *name; ++ bfd_boolean ret = TRUE; ++ static bfd_boolean * sections_being_created = NULL; ++ static unsigned int nesting = 0; + + if (shindex >= elf_numsections (abfd)) + return FALSE; + ++ if (++ nesting > 3) ++ { ++ /* PR17512: A corrupt ELF binary might contain a recursive group of ++ sections, each the string indicies pointing to the next in the ++ loop. Detect this here, by refusing to load a section that we are ++ already in the process of loading. We only trigger this test if ++ we have nested at least three sections deep as normal ELF binaries ++ can expect to recurse at least once. */ ++ ++ if (sections_being_created == NULL) ++ { ++ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ ++ sections_being_created = (bfd_boolean *) ++ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); ++ } ++ if (sections_being_created [shindex]) ++ { ++ (*_bfd_error_handler) ++ (_("%B: warning: loop in section dependencies detected"), abfd); ++ return FALSE; ++ } ++ sections_being_created [shindex] = TRUE; ++ } ++ + hdr = elf_elfsections (abfd)[shindex]; + ehdr = elf_elfheader (abfd); + name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, + hdr->sh_name); + if (name == NULL) +- return FALSE; ++ goto fail; + + bed = get_elf_backend_data (abfd); + switch (hdr->sh_type) + { + case SHT_NULL: + /* Inactive section. Throw it away. */ +- return TRUE; ++ goto success; + +- case SHT_PROGBITS: /* Normal section with contents. */ +- case SHT_NOBITS: /* .bss section. */ +- case SHT_HASH: /* .hash section. */ +- case SHT_NOTE: /* .note section. */ ++ case SHT_PROGBITS: /* Normal section with contents. */ ++ case SHT_NOBITS: /* .bss section. */ ++ case SHT_HASH: /* .hash section. */ ++ case SHT_NOTE: /* .note section. */ + case SHT_INIT_ARRAY: /* .init_array section. */ + case SHT_FINI_ARRAY: /* .fini_array section. */ + case SHT_PREINIT_ARRAY: /* .preinit_array section. */ + case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ + case SHT_GNU_HASH: /* .gnu.hash section. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_DYNAMIC: /* Dynamic linking information. */ + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_link > elf_numsections (abfd)) + { + /* PR 10478: Accept Solaris binaries with a sh_link +@@ -1623,11 +1652,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + break; + /* Otherwise fall through. */ + default: +- return FALSE; ++ goto fail; + } + } + else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) +- return FALSE; ++ goto fail; + else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) + { + Elf_Internal_Shdr *dynsymhdr; +@@ -1656,24 +1685,26 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- break; ++ goto success; + +- case SHT_SYMTAB: /* A symbol table */ ++ case SHT_SYMTAB: /* A symbol table. */ + if (elf_onesymtab (abfd) == shindex) +- return TRUE; ++ goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +- return FALSE; ++ goto fail; + /* Some assemblers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +- return TRUE; ++ goto success; + } ++ + BFD_ASSERT (elf_onesymtab (abfd) == 0); + elf_onesymtab (abfd) = shindex; + elf_tdata (abfd)->symtab_hdr = *hdr; +@@ -1690,7 +1721,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + && (abfd->flags & DYNAMIC) != 0 + && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, + shindex)) +- return FALSE; ++ goto fail; + + /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we + can't read symbols without that section loaded as well. It +@@ -1716,26 +1747,29 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + break; + } + if (i != shindex) +- return bfd_section_from_shdr (abfd, i); ++ ret = bfd_section_from_shdr (abfd, i); + } +- return TRUE; ++ goto success; + +- case SHT_DYNSYM: /* A dynamic symbol table */ ++ case SHT_DYNSYM: /* A dynamic symbol table. */ + if (elf_dynsymtab (abfd) == shindex) +- return TRUE; ++ goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +- return FALSE; ++ goto fail; ++ + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +- return FALSE; ++ goto fail; ++ + /* Some linkers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +- return TRUE; ++ goto success; + } ++ + BFD_ASSERT (elf_dynsymtab (abfd) == 0); + elf_dynsymtab (abfd) = shindex; + elf_tdata (abfd)->dynsymtab_hdr = *hdr; +@@ -1744,34 +1778,38 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + + /* Besides being a symbol table, we also treat this as a regular + section, so that objcopy can handle it. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + +- case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ ++ case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ + if (elf_symtab_shndx (abfd) == shindex) +- return TRUE; ++ goto success; + + BFD_ASSERT (elf_symtab_shndx (abfd) == 0); + elf_symtab_shndx (abfd) = shindex; + elf_tdata (abfd)->symtab_shndx_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; +- return TRUE; ++ goto success; + +- case SHT_STRTAB: /* A string table */ ++ case SHT_STRTAB: /* A string table. */ + if (hdr->bfd_section != NULL) +- return TRUE; ++ goto success; ++ + if (ehdr->e_shstrndx == shindex) + { + elf_tdata (abfd)->shstrtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; +- return TRUE; ++ goto success; + } ++ + if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) + { + symtab_strtab: + elf_tdata (abfd)->strtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; +- return TRUE; ++ goto success; + } ++ + if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) + { + dynsymtab_strtab: +@@ -1780,8 +1818,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + elf_elfsections (abfd)[shindex] = hdr; + /* We also treat this as a regular section, so that objcopy + can handle it. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; + } + + /* If the string table isn't one of the above, then treat it as a +@@ -1799,9 +1838,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + { + /* Prevent endless recursion on broken objects. */ + if (i == shindex) +- return FALSE; ++ goto fail; + if (! bfd_section_from_shdr (abfd, i)) +- return FALSE; ++ goto fail; + if (elf_onesymtab (abfd) == i) + goto symtab_strtab; + if (elf_dynsymtab (abfd) == i) +@@ -1809,7 +1848,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_REL: + case SHT_RELA: +@@ -1824,7 +1864,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + if (hdr->sh_entsize + != (bfd_size_type) (hdr->sh_type == SHT_REL + ? bed->s->sizeof_rel : bed->s->sizeof_rela)) +- return FALSE; ++ goto fail; + + /* Check for a bogus link to avoid crashing. */ + if (hdr->sh_link >= num_sec) +@@ -1832,8 +1872,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + ((*_bfd_error_handler) + (_("%B: invalid link %lu for reloc section %s (index %u)"), + abfd, hdr->sh_link, name, shindex)); +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; + } + + /* For some incomprehensible reason Oracle distributes +@@ -1874,7 +1915,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB + || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) + && ! bfd_section_from_shdr (abfd, hdr->sh_link)) +- return FALSE; ++ goto fail; + + /* If this reloc section does not use the main symbol table we + don't treat it as a reloc section. BFD can't adequately +@@ -1889,14 +1930,18 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + || hdr->sh_info >= num_sec + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ { ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; ++ } + + if (! bfd_section_from_shdr (abfd, hdr->sh_info)) +- return FALSE; ++ goto fail; ++ + target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); + if (target_sect == NULL) +- return FALSE; ++ goto fail; + + esdt = elf_section_data (target_sect); + if (hdr->sh_type == SHT_RELA) +@@ -1908,7 +1953,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + amt = sizeof (*hdr2); + hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (hdr2 == NULL) +- return FALSE; ++ goto fail; + *hdr2 = *hdr; + *p_hdr = hdr2; + elf_elfsections (abfd)[shindex] = hdr2; +@@ -1924,34 +1969,40 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + target_sect->use_rela_p = 1; + } + abfd->flags |= HAS_RELOC; +- return TRUE; ++ goto success; + } + + case SHT_GNU_verdef: + elf_dynverdef (abfd) = shindex; + elf_tdata (abfd)->dynverdef_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_GNU_versym: + if (hdr->sh_entsize != sizeof (Elf_External_Versym)) +- return FALSE; ++ goto fail; ++ + elf_dynversym (abfd) = shindex; + elf_tdata (abfd)->dynversym_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_GNU_verneed: + elf_dynverref (abfd) = shindex; + elf_tdata (abfd)->dynverref_hdr = *hdr; +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; + + case SHT_SHLIB: +- return TRUE; ++ goto success; + + case SHT_GROUP: + if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) +- return FALSE; ++ goto fail; ++ + if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; ++ + if (hdr->contents != NULL) + { + Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; +@@ -1977,7 +2028,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + } + } + } +- break; ++ goto success; + + default: + /* Possibly an attributes section. */ +@@ -1985,14 +2036,14 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + || hdr->sh_type == bed->obj_attrs_section_type) + { + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +- return FALSE; ++ goto fail; + _bfd_elf_parse_attributes (abfd, hdr); +- return TRUE; ++ goto success; + } + + /* Check for any processor-specific section types. */ + if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) +- return TRUE; ++ goto success; + + if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) + { +@@ -2004,9 +2055,12 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + "specific section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +- /* Allow sections reserved for applications. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +- shindex); ++ { ++ /* Allow sections reserved for applications. */ ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, ++ shindex); ++ goto success; ++ } + } + else if (hdr->sh_type >= SHT_LOPROC + && hdr->sh_type <= SHT_HIPROC) +@@ -2027,8 +2081,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + "`%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +- /* Otherwise it should be processed. */ +- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ { ++ /* Otherwise it should be processed. */ ++ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); ++ goto success; ++ } + } + else + /* FIXME: We should handle this section. */ +@@ -2036,10 +2093,17 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + (_("%B: don't know how to handle section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + +- return FALSE; ++ goto fail; + } + +- return TRUE; ++ fail: ++ ret = FALSE; ++ success: ++ if (sections_being_created) ++ sections_being_created [shindex] = FALSE; ++ if (-- nesting == 0) ++ sections_being_created = NULL; ++ return ret; + } + + /* Return the local symbol specified by ABFD, R_SYMNDX. */ +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index 987be40..c7d6067 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -1705,7 +1705,12 @@ pe_print_edata (bfd * abfd, void * vfile) + _("\nExport Address Table -- Ordinal Base %ld\n"), + edt.base); + +- for (i = 0; i < edt.num_functions; ++i) ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) ++ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.eat_addr, ++ (long) edt.num_functions); ++ else for (i = 0; i < edt.num_functions; ++i) + { + bfd_vma eat_member = bfd_get_32 (abfd, + data + edt.eat_addr + (i * 4) - adj); +@@ -1741,7 +1746,16 @@ pe_print_edata (bfd * abfd, void * vfile) + fprintf (file, + _("\n[Ordinal/Name Pointer] Table\n")); + +- for (i = 0; i < edt.num_names; ++i) ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) ++ fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.npt_addr, ++ (long) edt.num_names); ++ else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) ++ fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), ++ (long) edt.ot_addr, ++ (long) edt.num_names); ++ else for (i = 0; i < edt.num_names; ++i) + { + bfd_vma name_ptr = bfd_get_32 (abfd, + data + +diff --git a/bfd/elf.c b/bfd/elf.c +index 949221f..b5fc84b 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -1580,6 +1580,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + const char *name; + bfd_boolean ret = TRUE; + static bfd_boolean * sections_being_created = NULL; ++ static bfd * sections_being_created_abfd = NULL; + static unsigned int nesting = 0; + + if (shindex >= elf_numsections (abfd)) +@@ -1592,13 +1593,19 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + loop. Detect this here, by refusing to load a section that we are + already in the process of loading. We only trigger this test if + we have nested at least three sections deep as normal ELF binaries +- can expect to recurse at least once. */ +- ++ can expect to recurse at least once. ++ ++ FIXME: It would be better if this array was attached to the bfd, ++ rather than being held in a static pointer. */ ++ ++ if (sections_being_created_abfd != abfd) ++ sections_being_created = NULL; + if (sections_being_created == NULL) + { + /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ + sections_being_created = (bfd_boolean *) + bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); ++ sections_being_created_abfd = abfd; + } + if (sections_being_created [shindex]) + { +@@ -2102,7 +2109,10 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) + if (sections_being_created) + sections_being_created [shindex] = FALSE; + if (-- nesting == 0) +- sections_being_created = NULL; ++ { ++ sections_being_created = NULL; ++ sections_being_created_abfd = abfd; ++ } + return ret; + } + +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index 6129085..1a5cb31 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -1611,6 +1611,15 @@ pe_print_edata (bfd * abfd, void * vfile) + } + } + ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (datasize < 36) ++ { ++ fprintf (file, ++ _("\nThere is an export table in %s, but it is too small (%d)\n"), ++ section->name, (int) datasize); ++ return TRUE; ++ } ++ + fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), + section->name, (unsigned long) addr); + +-- +1.7.1 + |