binutils: fix CVE-2017-7209 in readelf

CVE: CVE-2017-7209
[BZ 21135] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21135

PR binutils/21135: Fix invalid read of section contents whilst
processing
a corrupt binary.

Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index d32ce25dd5593494afc9ecdab361212d257b7f1e..5dca05e898e0c235290bda9e914df38e1b71c1cc 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
      file://CVE-2017-6966.patch \
      file://CVE-2017-6969.patch \
      file://CVE-2017-6969_2.patch \
+     file://CVE-2017-7209.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
new file mode 100644 (file)
index 0000000..336d72c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
@@ -0,0 +1,63 @@
+From 6e5e9d96b5bd7dc3147db9917d6a7a20682915cc Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 15:04:37 +0000
+Subject: Fix invalid read of section contents whilst processing a corrupt
+ binary.
+
+       PR binutils/21135
+       * readelf.c (dump_section_as_bytes): Handle the case where
+       uncompress_section_contents returns false.
+
+CVE: CVE-2017-7209
+Upstream-Status: Backport[master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 16 ++++++++++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 55d2f8ba40..c4d8e60eca 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-13  Nick Clifton  <nickc@redhat.com>
++
++      PR binutils/21135
++      * readelf.c (dump_section_as_bytes): Handle the case where
++      uncompress_section_contents returns false.
++
+ 2017-02-20  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21156
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 7f7365dbc5..bc4e92fa81 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -12473,10 +12473,18 @@ dump_section_as_bytes (Elf_Internal_Shdr * section,
+         new_size -= 12;
+       }
+ 
+-      if (uncompressed_size
+-        && uncompress_section_contents (& start, uncompressed_size,
+-                                        & new_size))
+-      section_size = new_size;
++      if (uncompressed_size)
++      {
++        if (uncompress_section_contents (& start, uncompressed_size,
++                                         & new_size))
++          section_size = new_size;
++        else
++          {
++            error (_("Unable to decompress section %s\n"),
++                   printable_section_name (section));
++            return;
++          }
++      }
+     }
+ 
+   if (relocate)
+-- 
+2.11.0
+