binutils: add upstream fixes for CVE-2020-35448. >From upstream commit log: PR26574, heap buffer overflow in _bfd_elf_slurp_secondary_reloc_section A horribly fuzzed object with section headers inside the ELF header. Disallow that, and crazy reloc sizes. PR 26574 * elfcode.h (elf_object_p): Sanity check section header offset. * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check sh_entsize.diff -r1.93 -r1.94 pkgsrc/devel/binutils/Makefile
(fcambus)
@@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.93 2020/12/20 22:41:31 fcambus Exp $ | 1 | # $NetBSD: Makefile,v 1.94 2021/01/07 09:47:47 fcambus Exp $ | |
2 | 2 | |||
3 | DISTNAME= binutils-2.35.1 | 3 | DISTNAME= binutils-2.35.1 | |
4 | PKGREVISION= 3 | 4 | PKGREVISION= 4 | |
5 | CATEGORIES= devel | 5 | CATEGORIES= devel | |
6 | MASTER_SITES= ${MASTER_SITE_GNU:=binutils/} | 6 | MASTER_SITES= ${MASTER_SITE_GNU:=binutils/} | |
7 | EXTRACT_SUFX= .tar.bz2 | 7 | EXTRACT_SUFX= .tar.bz2 | |
8 | 8 | |||
9 | MAINTAINER= fcambus@NetBSD.org | 9 | MAINTAINER= fcambus@NetBSD.org | |
10 | HOMEPAGE= https://www.gnu.org/software/binutils/ | 10 | HOMEPAGE= https://www.gnu.org/software/binutils/ | |
11 | COMMENT= GNU binary utilities | 11 | COMMENT= GNU binary utilities | |
12 | LICENSE= gnu-gpl-v2 AND gnu-gpl-v3 AND gnu-lgpl-v2 AND gnu-lgpl-v3 | 12 | LICENSE= gnu-gpl-v2 AND gnu-gpl-v3 AND gnu-lgpl-v2 AND gnu-lgpl-v3 | |
13 | 13 | |||
14 | CONFLICTS= avr-binutils<2.13.2.1nb1 | 14 | CONFLICTS= avr-binutils<2.13.2.1nb1 | |
15 | 15 | |||
16 | USE_PKGLOCALEDIR= yes | 16 | USE_PKGLOCALEDIR= yes | |
17 | REPLACE_LOCALEDIR_PATTERNS+= Make-in | 17 | REPLACE_LOCALEDIR_PATTERNS+= Make-in |
@@ -1,12 +1,14 @@ | @@ -1,12 +1,14 @@ | |||
1 | $NetBSD: distinfo,v 1.38 2020/12/20 19:07:05 fcambus Exp $ | 1 | $NetBSD: distinfo,v 1.39 2021/01/07 09:47:47 fcambus Exp $ | |
2 | 2 | |||
3 | SHA1 (binutils-2.35.1.tar.bz2) = df4eb943bf65df4bbbd0a001efcc98113423c5dd | 3 | SHA1 (binutils-2.35.1.tar.bz2) = df4eb943bf65df4bbbd0a001efcc98113423c5dd | |
4 | RMD160 (binutils-2.35.1.tar.bz2) = ed8ad923db716388b83b0234d41abc6beb01c9d6 | 4 | RMD160 (binutils-2.35.1.tar.bz2) = ed8ad923db716388b83b0234d41abc6beb01c9d6 | |
5 | SHA512 (binutils-2.35.1.tar.bz2) = 2828cca9664ae172d6be5f1869f4c7cd39b63a4340c9a5d7c18f30fa06d4ff391394704720872f32f786053f14b27dcafd63c46db7984a8f6ec822f266bb2541 | 5 | SHA512 (binutils-2.35.1.tar.bz2) = 2828cca9664ae172d6be5f1869f4c7cd39b63a4340c9a5d7c18f30fa06d4ff391394704720872f32f786053f14b27dcafd63c46db7984a8f6ec822f266bb2541 | |
6 | Size (binutils-2.35.1.tar.bz2) = 32892584 bytes | 6 | Size (binutils-2.35.1.tar.bz2) = 32892584 bytes | |
7 | SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9 | 7 | SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9 | |
8 | SHA1 (patch-bfd_elf.c) = afaea1633f3b7e31c3dc12a0fded5862f6de0dc5 | |||
9 | SHA1 (patch-bfd_elfcode.h) = db9bfcd489a1160609444bb03c3d08b92d3af8cb | |||
8 | SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd | 10 | SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd | |
9 | SHA1 (patch-gold_options.h) = 65a4cdb67cb4bef6a1891ca66a5fc80c5493c24e | 11 | SHA1 (patch-gold_options.h) = 65a4cdb67cb4bef6a1891ca66a5fc80c5493c24e | |
10 | SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344 | 12 | SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344 | |
11 | SHA1 (patch-gold_testsuite_Makefile.in) = 4babdbb89a989f3f1de66ad44a9603cbd9656f89 | 13 | SHA1 (patch-gold_testsuite_Makefile.in) = 4babdbb89a989f3f1de66ad44a9603cbd9656f89 | |
12 | SHA1 (patch-include_safe-ctype.h) = 66e636f8200ff5e9b4bfa0a5aee13cd072a23887 | 14 | SHA1 (patch-include_safe-ctype.h) = 66e636f8200ff5e9b4bfa0a5aee13cd072a23887 |
$NetBSD: patch-bfd_elf.c,v 1.1 2021/01/07 09:47:47 fcambus Exp $
Upstream fix for CVE-2020-35448.
PR 26574
* elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
sh_entsize.
--- bfd/elf.c.orig 2020-09-03 14:59:14.000000000 +0000
+++ bfd/elf.c
@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (
Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
if (hdr->sh_type == SHT_SECONDARY_RELOC
- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+ && (hdr->sh_entsize == ebd->s->sizeof_rel
+ || hdr->sh_entsize == ebd->s->sizeof_rela))
{
bfd_byte * native_relocs;
bfd_byte * native_reloc;
$NetBSD: patch-bfd_elfcode.h,v 1.1 2021/01/07 09:47:47 fcambus Exp $
Upstream fix for CVE-2020-35448.
PR 26574
* elfcode.h (elf_object_p): Sanity check section header offset.
--- bfd/elfcode.h.orig 2020-09-03 14:59:37.000000000 +0000
+++ bfd/elfcode.h
@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
/* If this is a relocatable file and there is no section header
table, then we're hosed. */
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
goto got_wrong_format_error;
/* As a simple sanity check, verify that what BFD thinks is the
@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
goto got_wrong_format_error;
/* Further sanity check. */
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
goto got_wrong_format_error;
ebd = get_elf_backend_data (abfd);
@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
&& ebd->elf_osabi != ELFOSABI_NONE)
goto got_wrong_format_error;
- if (i_ehdrp->e_shoff != 0)
+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
{
file_ptr where = (file_ptr) i_ehdrp->e_shoff;
@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
}
}
- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
{
unsigned int num_sec;