binutils: CVE-2017-7299

Source: git://sourceware.org/git/binutils-gdb.git
MR: 74257
Type: Security Fix
Disposition: Backport from 'embedded-binutils-master'
ChangeID: b55df05e3d3fd21bd30edaea124135892747b1ee
Description:

Linking non-ELF file broken by PR20908 fix

PR ld/20968
PR ld/20908
   * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
     reloc counting code later after ELF flavour test.

PR lf/20908
   * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
     when following indirect links.

Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: 020863d45d39a336723300138777583afb0b12c7)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-devtools/binutils/binutils-2.27.inc

@@ -76,6 +76,8 @@ SRC_URI = "\
      file://CVE-2017-8394_1.patch \
      file://CVE-2017-8394.patch \
      file://CVE-2017-8398.patch \
+     file://CVE-2017-7299_1.patch \
+     file://CVE-2017-7299_2.patch \
 "
 S  = "${WORKDIR}/git"
 

meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch

@@ -0,0 +1,47 @@
+commit d7f399a8de4c55eb841db6493597a587fac002de
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Fri Dec 2 17:46:26 2016 +0000
+
+    Fix seg-fault in linker when passed a corrupt binary input file.
+    
+    	PR lf/20908
+    	* elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
+    	when following indirect links.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c	2017-09-20 14:15:26.337333504 +0530
++++ git/bfd/elflink.c	2017-09-20 14:20:19.000000000 +0530
+@@ -11201,6 +11201,12 @@
+ 	      asection *sec;
+ 
+ 	      sec = p->u.indirect.section;
++	      /* See PR 20908 for a reproducer.  */
++	      if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
++		{
++		  _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
++		  goto error_return;
++		}
+ 	      esdi = elf_section_data (sec);
+ 
+ 	      /* Mark all sections which are to be included in the
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-09-20 14:20:19.000000000 +0530
++++ git/bfd/ChangeLog	2017-09-20 14:23:48.743556932 +0530
+@@ -192,6 +192,10 @@
+ 
+ 2016-12-02  Nick Clifton  <nickc@redhat.com>
+ 
++	PR lf/20908
++	* elflink.c (bfd_elf_final_link): Check for ELF flavour binaries
++	when following indirect links.
++
+ 	PR ld/20909
+ 	* aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
+ 	for an illegal string offset.

meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch

@@ -0,0 +1,120 @@
+commit a961cdd5f139d3c3e09170db52bd8df7dafae13f
+Author: Alan Modra <amodra@gmail.com>
+Date:   Thu Dec 15 21:29:44 2016 +1030
+
+    Linking non-ELF file broken by PR20908 fix
+    
+    	PR ld/20968
+    	PR ld/20908
+    	* elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
+    	reloc counting code later after ELF flavour test.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7299
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c	2017-09-20 14:15:28.133343092 +0530
++++ git/bfd/elflink.c	2017-09-20 14:15:28.189343391 +0530
+@@ -11201,13 +11201,6 @@
+ 	      asection *sec;
+ 
+ 	      sec = p->u.indirect.section;
+-	      /* See PR 20908 for a reproducer.  */
+-	      if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour)
+-		{
+-		  _bfd_error_handler (_("%B: not in ELF format"), sec->owner);
+-		  goto error_return;
+-		}
+-	      esdi = elf_section_data (sec);
+ 
+ 	      /* Mark all sections which are to be included in the
+ 		 link.  This will normally be every section.  We need
+@@ -11218,37 +11211,18 @@
+ 	      if (sec->flags & SEC_MERGE)
+ 		merged = TRUE;
+ 
+-	      if (esdo->this_hdr.sh_type == SHT_REL
+-		  || esdo->this_hdr.sh_type == SHT_RELA)
+-		/* Some backends use reloc_count in relocation sections
+-		   to count particular types of relocs.  Of course,
+-		   reloc sections themselves can't have relocations.  */
+-		reloc_count = 0;
+-	      else if (emit_relocs)
+-		{
+-		  reloc_count = sec->reloc_count;
+-		  if (bed->elf_backend_count_additional_relocs)
+-		    {
+-		      int c;
+-		      c = (*bed->elf_backend_count_additional_relocs) (sec);
+-		      additional_reloc_count += c;
+-		    }
+-		}
+-	      else if (bed->elf_backend_count_relocs)
+-		reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
+-
+ 	      if (sec->rawsize > max_contents_size)
+ 		max_contents_size = sec->rawsize;
+ 	      if (sec->size > max_contents_size)
+ 		max_contents_size = sec->size;
+ 
+-	      /* We are interested in just local symbols, not all
+-		 symbols.  */
+ 	      if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour
+ 		  && (sec->owner->flags & DYNAMIC) == 0)
+ 		{
+ 		  size_t sym_count;
+ 
++		  /* We are interested in just local symbols, not all
++		     symbols.  */
+ 		  if (elf_bad_symtab (sec->owner))
+ 		    sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size
+ 				 / bed->s->sizeof_sym);
+@@ -11262,6 +11236,27 @@
+ 		      && elf_symtab_shndx_list (sec->owner) != NULL)
+ 		    max_sym_shndx_count = sym_count;
+ 
++		  if (esdo->this_hdr.sh_type == SHT_REL
++		      || esdo->this_hdr.sh_type == SHT_RELA)
++		    /* Some backends use reloc_count in relocation sections
++		       to count particular types of relocs.  Of course,
++		       reloc sections themselves can't have relocations.  */
++		    ;
++		  else if (emit_relocs)
++		    {
++		      reloc_count = sec->reloc_count;
++		      if (bed->elf_backend_count_additional_relocs)
++			{
++			  int c;
++			  c = (*bed->elf_backend_count_additional_relocs) (sec);
++			  additional_reloc_count += c;
++			}
++		    }
++		  else if (bed->elf_backend_count_relocs)
++		    reloc_count = (*bed->elf_backend_count_relocs) (info, sec);
++
++		  esdi = elf_section_data (sec);
++
+ 		  if ((sec->flags & SEC_RELOC) != 0)
+ 		    {
+ 		      size_t ext_size = 0;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-09-20 14:15:28.013342453 +0530
++++ git/bfd/ChangeLog	2017-09-20 14:19:06.990419395 +0530
+@@ -156,6 +156,13 @@
+        (bfd_elf_final_link): Only initialize the extended symbol index
+        section if there are extended symbol tables to list.
+ 
++2016-12-15  Alan Modra  <amodra@gmail.com>
++
++	PR ld/20968
++	PR ld/20908
++	 * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change.  Move
++	reloc counting code later after ELF flavour test.
++
+  2016-12-06  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/20931