diff --git a/SOURCES/binutils-CVE-2020-35448.patch b/SOURCES/binutils-CVE-2020-35448.patch new file mode 100644 index 0000000..4fab54c --- /dev/null +++ b/SOURCES/binutils-CVE-2020-35448.patch @@ -0,0 +1,53 @@ +diff -rup binutils.orig/bfd/elf.c binutils-2.35/bfd/elf.c +--- binutils.orig/bfd/elf.c 2021-04-19 10:49:21.757290990 +0100 ++++ binutils-2.35/bfd/elf.c 2021-04-19 10:50:28.309839285 +0100 +@@ -12534,7 +12534,9 @@ _bfd_elf_slurp_secondary_reloc_section ( + Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; + + if (hdr->sh_type == SHT_SECONDARY_RELOC +- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) ++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx ++ && (hdr->sh_entsize == ebd->s->sizeof_rel ++ || hdr->sh_entsize == ebd->s->sizeof_rela)) + { + bfd_byte * native_relocs; + bfd_byte * native_reloc; +diff -rup binutils.orig/bfd/elfcode.h binutils-2.35/bfd/elfcode.h +--- binutils.orig/bfd/elfcode.h 2021-04-19 10:49:21.767290922 +0100 ++++ binutils-2.35/bfd/elfcode.h 2021-04-19 10:52:22.196066303 +0100 +@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd) + + /* If this is a relocatable file and there is no section header + table, then we're hosed. */ +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) + goto got_wrong_format_error; + + /* As a simple sanity check, verify that what BFD thinks is the +@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd) + goto got_wrong_format_error; + + /* Further sanity check. */ +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) + goto got_wrong_format_error; + + ebd = get_elf_backend_data (abfd); +@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd) + && ebd->elf_osabi != ELFOSABI_NONE) + goto got_wrong_format_error; + +- if (i_ehdrp->e_shoff != 0) ++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) + { + file_ptr where = (file_ptr) i_ehdrp->e_shoff; + +@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd) + } + } + +- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) ++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) + { + unsigned int num_sec; + diff --git a/SOURCES/binutils-CVE-2021-20284.patch b/SOURCES/binutils-CVE-2021-20284.patch new file mode 100644 index 0000000..457b652 --- /dev/null +++ b/SOURCES/binutils-CVE-2021-20284.patch @@ -0,0 +1,62 @@ +diff -rup binutils.orig/bfd/elf-bfd.h binutils-2.30/bfd/elf-bfd.h +--- binutils.orig/bfd/elf-bfd.h 2021-05-19 15:05:30.988901261 +0100 ++++ binutils-2.30/bfd/elf-bfd.h 2021-05-19 15:05:55.477815716 +0100 +@@ -1487,7 +1487,7 @@ struct elf_backend_data + bfd_boolean (*init_secondary_reloc_section) (bfd *, Elf_Internal_Shdr *, const char *, unsigned int); + + /* Called when after loading the normal relocs for a section. */ +- bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **); ++ bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **, bfd_boolean); + + /* Called after writing the normal relocs for a section. */ + bfd_boolean (*write_secondary_relocs) (bfd *, asection *); +@@ -2721,7 +2721,7 @@ extern bfd_vma elf32_r_sym (bfd_vma); + extern bfd_boolean _bfd_elf_init_secondary_reloc_section + (bfd *, Elf_Internal_Shdr *, const char *, unsigned int); + extern bfd_boolean _bfd_elf_slurp_secondary_reloc_section +- (bfd *, asection *, asymbol **); ++(bfd *, asection *, asymbol **, bfd_boolean); + extern bfd_boolean _bfd_elf_copy_special_section_fields + (const bfd *, bfd *, const Elf_Internal_Shdr *, Elf_Internal_Shdr *); + extern bfd_boolean _bfd_elf_write_secondary_reloc_section +Only in binutils-2.30/bfd: elf-bfd.h.orig +diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c +--- binutils.orig/bfd/elf.c 2021-05-19 15:05:30.989901257 +0100 ++++ binutils-2.30/bfd/elf.c 2021-05-19 15:05:55.478815712 +0100 +@@ -11663,7 +11663,8 @@ _bfd_elf_init_secondary_reloc_section (b + bfd_boolean + _bfd_elf_slurp_secondary_reloc_section (bfd * abfd, + asection * sec, +- asymbol ** symbols) ++ asymbol ** symbols, ++ bfd_boolean dynamic) + { + const struct elf_backend_data * const ebd = get_elf_backend_data (abfd); + asection * relsec; +@@ -11728,7 +11729,10 @@ _bfd_elf_slurp_secondary_reloc_section ( + continue; + } + +- symcount = bfd_get_symcount (abfd); ++ if (dynamic) ++ symcount = bfd_get_dynamic_symcount (abfd); ++ else ++ symcount = bfd_get_symcount (abfd); + + for (i = 0, internal_reloc = internal_relocs, native_reloc = native_relocs; + i < reloc_count; +Only in binutils-2.30/bfd: elf.c.orig +diff -rup binutils.orig/bfd/elfcode.h binutils-2.30/bfd/elfcode.h +--- binutils.orig/bfd/elfcode.h 2021-05-19 15:05:30.990901254 +0100 ++++ binutils-2.30/bfd/elfcode.h 2021-05-19 15:07:34.098471218 +0100 +@@ -1577,7 +1577,7 @@ elf_slurp_reloc_table (bfd *abfd, + return FALSE; + + if (bed->slurp_secondary_relocs != NULL +- && ! bed->slurp_secondary_relocs (abfd, asect, symbols)) ++ && ! bed->slurp_secondary_relocs (abfd, asect, symbols, dynamic)) + return FALSE; + + asect->relocation = relents; +Only in binutils-2.30/bfd: elfcode.h.orig +Only in binutils-2.30/bfd: elfcode.h.rej diff --git a/SPECS/binutils.spec b/SPECS/binutils.spec index 9894307..bbb3424 100644 --- a/SPECS/binutils.spec +++ b/SPECS/binutils.spec @@ -43,7 +43,7 @@ Summary: A GNU collection of binary utilities Name: binutils%{?name_cross}%{?_with_debug:-debug} Version: 2.30 -Release: 102%{?dist} +Release: 104%{?dist} License: GPLv3+ URL: https://sourceware.org/binutils @@ -575,6 +575,14 @@ Patch87: binutils-mark-all-weak-aliases.patch # Lifetime: Fixed in 2.36 Patch88: binutils-CVE-2021-3487.patch +# Purpose: Fix illegal memory access when parsing corrupt ELF files. +# Lifetime: Fixed in 2.36 +Patch89: binutils-CVE-2020-35448.patch + +# Purpose: Fixed heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section. +# Lifetime: Fixed in 2.36 +Patch90: binutils-CVE-2021-20284.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty) @@ -800,6 +808,8 @@ using libelf instead of BFD. %patch86 -p1 %patch87 -p1 %patch88 -p1 +%patch89 -p1 +%patch90 -p1 # We cannot run autotools as there is an exact requirement of autoconf-2.59. # FIXME - this is no longer true. Maybe try reinstating autotool use ? @@ -1249,6 +1259,12 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Wed May 19 2021 Nick Clifton - 2.30-104 +- Fix heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section. (#1961526) + +* Tue May 04 2021 Nick Clifton - 2.30-103 +- Fix an illegal memory access when parsing a corrupt ELF file. (#1953659) + * Mon Apr 26 2021 Nick Clifton - 2.30-102 - Bump NVR to allow rebuild against binutils-2.30-101.