[arch-commits] Commit in binutils/trunk (3 files)

Evangelos Foutras foutrelis at archlinux.org
Thu Mar 15 06:06:47 UTC 2018


    Date: Thursday, March 15, 2018 @ 06:06:46
  Author: foutrelis
Revision: 319155

upgpkg: binutils 2.29.1-3

- Prevent tools such as objcopy/strip from incorrectly removing
  the PT_GNU_RELRO program segment from binaries linked with LLD
- Fix CVE-2018-7208 (upstream PR 22741): missing bounds check on the auxent
  tagndx in coff_pointerize_aux()

Added:
  binutils/trunk/0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
  binutils/trunk/0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
Modified:
  binutils/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch       |   29 ++
 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch |  145 ++++++++++
 PKGBUILD                                                        |   16 -
 3 files changed, 187 insertions(+), 3 deletions(-)

Added: 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
===================================================================
--- 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch	                        (rev 0)
+++ 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch	2018-03-15 06:06:46 UTC (rev 319155)
@@ -0,0 +1,29 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra at gmail.com>
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+
+	PR 22741
+	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+	range before converting to a symbol table pointer.
+---
+ bfd/coffgen.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c
+index b2410873d0..4f90eaddd9 100644
+--- a/bfd/coffgen.c
++++ b/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+-- 
+2.16.2
+
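Review bot: The new range check quietly changes what happens for a tagndx of 0: the old `> 0` test skipped it, while `(unsigned long) 0 < obj_raw_syment_count (abfd)` now pointerizes it to `table_base`, which is fine if index 0 is a real symbol but is not mentioned anywhere. The SCO comment right above still only talks about negative values, and nothing says that the unsigned cast is what rejects them, so a later reader may "simplify" it back to a signed compare; I would extend it to `/* ... A negative value wraps to a huge unsigned, so the unsigned compare below rejects it together with indexes at or beyond obj_raw_syment_count (PR22741). */`. The check covers x_tagndx only; the rest of coff_pointerize_aux, including the other auxent fields it handles, is outside this hunk.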

Added: 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
===================================================================
--- 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch	                        (rev 0)
+++ 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch	2018-03-15 06:06:46 UTC (rev 319155)
@@ -0,0 +1,145 @@
+From 3b56a1358768563d9cf320559ebdedfb30f122dd Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra at gmail.com>
+Date: Mon, 12 Feb 2018 13:06:07 +1030
+Subject: [PATCH] PR22829, objcopy/strip removes PT_GNU_RELRO from lld binaries
+
+lld lays out the relro segment differently to GNU ld, not bothering to
+include the first few bytes of .got.plt and padding out to a page at
+the end of the segment.  This patch teaches binutils to recognize the
+different (and somewhat inferior) layout as valid.
+
+bfd/
+	PR 22829
+	* elf.c (assign_file_positions_for_non_load_sections): Rewrite
+	PT_GNU_RELRO setup.
+ld/
+	* testsuite/ld-x86-64/pr14207.d: Adjust relro p_filesz.
+
+(cherry picked from commit f2731e0c374e5323ce4cdae2bcc7b7fe22da1a6f)
+---
+ bfd/elf.c                        | 78 ++++++++++++++++++++++++++--------------
+ ld/testsuite/ld-x86-64/pr14207.d |  2 +-
+ 2 files changed, 52 insertions(+), 28 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index bbaab26918..f5a230cd77 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -5826,50 +5826,74 @@ assign_file_positions_for_non_load_sections (bfd *abfd,
+     {
+       if (p->p_type == PT_GNU_RELRO)
+ 	{
+-	  const Elf_Internal_Phdr *lp;
+-	  struct elf_segment_map *lm;
++	  bfd_vma start, end;
+ 
+ 	  if (link_info != NULL)
+ 	    {
+ 	      /* During linking the range of the RELRO segment is passed
+-		 in link_info.  */
++		 in link_info.  Note that there may be padding between
++		 relro_start and the first RELRO section.  */
++	      start = link_info->relro_start;
++	      end = link_info->relro_end;
++	    }
++	  else if (m->count != 0)
++	    {
++	      if (!m->p_size_valid)
++		abort ();
++	      start = m->sections[0]->vma;
++	      end = start + m->p_size;
++	    }
++	  else
++	    {
++	      start = 0;
++	      end = 0;
++	    }
++
++	  if (start < end)
++	    {
++	      struct elf_segment_map *lm;
++	      const Elf_Internal_Phdr *lp;
++	      unsigned int i;
++
++	      /* Find a LOAD segment containing a section in the RELRO
++		 segment.  */
+ 	      for (lm = elf_seg_map (abfd), lp = phdrs;
+ 		   lm != NULL;
+ 		   lm = lm->next, lp++)
+ 		{
+ 		  if (lp->p_type == PT_LOAD
+-		      && lp->p_vaddr < link_info->relro_end
+ 		      && lm->count != 0
+-		      && lm->sections[0]->vma >= link_info->relro_start)
++		      && lm->sections[lm->count - 1]->vma >= start
++		      && lm->sections[0]->vma < end)
+ 		    break;
+ 		}
+-
+ 	      BFD_ASSERT (lm != NULL);
+-	    }
+-	  else
+-	    {
+-	      /* Otherwise we are copying an executable or shared
+-		 library, but we need to use the same linker logic.  */
+-	      for (lp = phdrs; lp < phdrs + count; ++lp)
++
++	      /* Find the section starting the RELRO segment.  */
++	      for (i = 0; i < lm->count; i++)
+ 		{
+-		  if (lp->p_type == PT_LOAD
+-		      && lp->p_paddr == p->p_paddr)
++		  asection *s = lm->sections[i];
++		  if (s->vma >= start
++		      && s->vma < end
++		      && s->size != 0)
+ 		    break;
+ 		}
+-	    }
++	      BFD_ASSERT (i < lm->count);
++
++	      p->p_vaddr = lm->sections[i]->vma;
++	      p->p_paddr = lm->sections[i]->lma;
++	      p->p_offset = lm->sections[i]->filepos;
++	      p->p_memsz = end - p->p_vaddr;
++	      p->p_filesz = p->p_memsz;
++
++	      /* The RELRO segment typically ends a few bytes into
++		 .got.plt but other layouts are possible.  In cases
++		 where the end does not match any loaded section (for
++		 instance is in file padding), trim p_filesz back to
++		 correspond to the end of loaded section contents.  */
++	      if (p->p_filesz > lp->p_vaddr + lp->p_filesz - p->p_vaddr)
++		p->p_filesz = lp->p_vaddr + lp->p_filesz - p->p_vaddr;
+ 
+-	  if (lp < phdrs + count)
+-	    {
+-	      p->p_vaddr = lp->p_vaddr;
+-	      p->p_paddr = lp->p_paddr;
+-	      p->p_offset = lp->p_offset;
+-	      if (link_info != NULL)
+-		p->p_filesz = link_info->relro_end - lp->p_vaddr;
+-	      else if (m->p_size_valid)
+-		p->p_filesz = m->p_size;
+-	      else
+-		abort ();
+-	      p->p_memsz = p->p_filesz;
+ 	      /* Preserve the alignment and flags if they are valid. The
+ 	         gold linker generates RW/4 for the PT_GNU_RELRO section.
+ 		 It is better for objcopy/strip to honor these attributes
+diff --git a/ld/testsuite/ld-x86-64/pr14207.d b/ld/testsuite/ld-x86-64/pr14207.d
+index f6558e7cd7..41f92b8bd8 100644
+--- a/ld/testsuite/ld-x86-64/pr14207.d
++++ b/ld/testsuite/ld-x86-64/pr14207.d
+@@ -13,7 +13,7 @@ Program Headers:
+   LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0001c8 0x0001c8 R   0x200000
+   LOAD           0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 0x000c.8 RW  0x200000
+   DYNAMIC        0x000b.0 0x0000000000200b.0 0x0000000000200b.0 0x0001.0 0x0001.0 RW  0x8
+-  GNU_RELRO      0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.8 0x0004.8 R   0x1
++  GNU_RELRO      0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 0x0004.8 R   0x1
+ 
+  Section to Segment mapping:
+   Segment Sections...
+-- 
+2.16.2
+
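Review bot: Both `BFD_ASSERT (lm != NULL)` and `BFD_ASSERT (i < lm->count)` are immediately followed by unconditional dereferences (`lm->count` in the loop header, `lm->sections[i]` below); if BFD_ASSERT only reports and continues, as I believe libbfd's does, an input whose PT_GNU_RELRO range is not covered by any PT_LOAD or holds no non-empty section walks off a NULL pointer or reads one past the sections array. That is precisely the objcopy/strip path this patch is about, where link_info is NULL and start/end come from the input's own segment map, and the old code's `if (lp < phdrs + count)` bail-out that used to cover it is removed here. I would make both asserts hard failures that set bfd_error_bad_value and return FALSE, assuming the function returns bfd_boolean; its signature and the remainder of assign_file_positions_for_non_load_sections are outside the hunk. Separately, the p_filesz trim computes `lp->p_vaddr + lp->p_filesz - p->p_vaddr` in unsigned bfd_vma, which wraps if the chosen section starts beyond the LOAD's file-backed bytes and then leaves p_filesz untrimmed; a short comment noting that assumption, or a `p->p_vaddr <= lp->p_vaddr + lp->p_filesz` guard, would help.
```c
	      if (lm == NULL)
		{
		  /* No PT_LOAD covers the RELRO range: corrupt or unusual input.  */
		  bfd_set_error (bfd_error_bad_value);
		  return FALSE;
		}
	      /* … unchanged: loop finding the first non-empty section in [start, end) … */
	      if (i >= lm->count)
		{
		  /* The RELRO range contains no loaded section contents.  */
		  bfd_set_error (bfd_error_bad_value);
		  return FALSE;
		}
```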

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-03-15 05:08:26 UTC (rev 319154)
+++ PKGBUILD	2018-03-15 06:06:46 UTC (rev 319155)
@@ -5,7 +5,7 @@
 
 pkgname=binutils
 pkgver=2.29.1
-pkgrel=2
+pkgrel=3
 pkgdesc='A set of programs to assemble and manipulate binary and object files'
 arch=(x86_64)
 url='http://www.gnu.org/software/binutils/'
@@ -20,11 +20,15 @@
 #_commit=d1a6e7195b9bb0255fa77588985b969ad8aaacf5
 #source=(git+https://sourceware.org/git/binutils-gdb.git#commit=${_commit}
 source=(https://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.xz{,.sig}
-        0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch)
+        0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+        0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+        0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch)
 validpgpkeys=(3A24BC1E8FB409FA9F14371813FCEF89DD9E3C4F)
 md5sums=('acc9cd826edb9954ac7cecb81c727793'
          'SKIP'
-         'e4be936139ef46122cb3841881c432b2')
+         'e4be936139ef46122cb3841881c432b2'
+         '469164f3c93a0e92a697537b60c9806c'
+         '0c679b37e90fb23de60a4d28329b956a')
 
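Review bot: `md5sums=` is the weakest digest makepkg accepts, and this hunk extends it with two new entries; switching the whole array to `sha256sums=` (regenerated with `updpkgsums`) costs nothing and is now the usual choice for new entries. For the tarball this is only defence in depth, since `binutils-$pkgver.tar.xz.sig` is verified against `validpgpkeys`, but the two local patch files carry no signature, so the digest is the only thing pinning their content to what was reviewed in this commit.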
 prepare() {
   mkdir -p binutils-build
@@ -37,6 +41,12 @@
 
   # https://bugs.archlinux.org/task/55741
   git apply ../0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+
+  # https://sourceware.org/bugzilla/show_bug.cgi?id=22741
+  git apply ../0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+
+  # https://sourceware.org/bugzilla/show_bug.cgi?id=22829
+  git apply ../0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
 }
 
 build() {
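Review bot: The two new `git apply` lines cite only the bugzilla URL, while each vendored patch header records the upstream commit it was taken from (eb77f6a4621795367a39cdd30957903af9dbb815, and 3b56a1358768563d9cf320559ebdedfb30f122dd as a cherry-pick of f2731e0c374e5323ce4cdae2bcc7b7fe22da1a6f); putting that id in the comment lets a reviewer check the patch against binutils-gdb git without opening the file, e.g. `# https://sourceware.org/bugzilla/show_bug.cgi?id=22741 (upstream commit eb77f6a4621795367a39cdd30957903af9dbb815)`. Both patches were written against master and are applied here to the 2.29.1 tarball; whether they apply cleanly is not visible in this hunk, and the PR22829 patch also touches an ld testsuite expectation, which only matters if check() runs it.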


