diff --git a/0002-fix-POC-CVE.patch b/0002-fix-POC-CVE.patch new file mode 100644 index 0000000000000000000000000000000000000000..4ba3a548af9b648dbbd685b5296a9ba7eb75f15d --- /dev/null +++ b/0002-fix-POC-CVE.patch 
@@ -0,0 +1,237 @@ +From eb82b793715e1c16f5adbee72d1346c2cefb6f6d Mon Sep 17 00:00:00 2001 +From: hanshuang +Date: Thu, 20 Apr 2023 11:12:43 +0800 +Subject: [PATCH 2/2] fix-POC-CVE + + +diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c +index 13472a11..2c437b14 100644 +--- a/bfd/elf64-x86-64.c ++++ b/bfd/elf64-x86-64.c +@@ -3296,20 +3296,39 @@ direct: + { + if (contents[roff + 5] == 0xb8) + { ++ if (roff < 3 ++ || (roff - 3 + 22) > input_section->size) ++ { ++corrupt_input: ++ info->callbacks->einfo ++ (_("%F%P: corrupt input: %pB\n"), ++ input_bfd); ++ return FALSE; ++ } + memcpy (contents + roff - 3, + "\x64\x48\x8b\x04\x25\0\0\0\0\x48\x8d\x80" + "\0\0\0\0\x66\x0f\x1f\x44\0", 22); + largepic = 1; + } + else ++ { ++ if (roff < 4 ++ || (roff - 4 + 16) > input_section->size) ++ goto corrupt_input; + memcpy (contents + roff - 4, + "\x64\x48\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0", + 16); ++ } + } + else ++ { ++ if (roff < 3 ++ || (roff - 3 + 15) > input_section->size) ++ goto corrupt_input; + memcpy (contents + roff - 3, + "\x64\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0", + 15); ++ } + bfd_put_32 (output_bfd, + elf_x86_64_tpoff (info, relocation), + contents + roff + 8 + largepic); +@@ -3329,7 +3348,8 @@ direct: + movl $x@tpoff, %rax. 
*/ + + unsigned int val, type; +- ++ if (roff < 3) ++ goto corrupt_input; + type = bfd_get_8 (input_bfd, contents + roff - 3); + val = bfd_get_8 (input_bfd, contents + roff - 1); + bfd_put_8 (output_bfd, 0x48 | ((type >> 2) & 1), +@@ -3376,7 +3396,11 @@ direct: + if (roff >= 3) + val = bfd_get_8 (input_bfd, contents + roff - 3); + else +- val = 0; ++ { ++ if (roff < 2) ++ goto corrupt_input; ++ val = 0; ++ } + type = bfd_get_8 (input_bfd, contents + roff - 2); + reg = bfd_get_8 (input_bfd, contents + roff - 1); + reg >>= 3; +@@ -3384,11 +3408,19 @@ direct: + { + /* movq */ + if (val == 0x4c) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x49, + contents + roff - 3); ++ } + else if (!ABI_64_P (output_bfd) && val == 0x44) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x41, + contents + roff - 3); ++ } + bfd_put_8 (output_bfd, 0xc7, + contents + roff - 2); + bfd_put_8 (output_bfd, 0xc0 | reg, +@@ -3399,11 +3431,19 @@ direct: + /* addq/addl -> addq/addl - addressing with %rsp/%r12 + is special */ + if (val == 0x4c) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x49, + contents + roff - 3); ++ } + else if (!ABI_64_P (output_bfd) && val == 0x44) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x41, + contents + roff - 3); ++ } + bfd_put_8 (output_bfd, 0x81, + contents + roff - 2); + bfd_put_8 (output_bfd, 0xc0 | reg, +@@ -3413,11 +3453,19 @@ direct: + { + /* addq/addl -> leaq/leal */ + if (val == 0x4c) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x4d, + contents + roff - 3); ++ } + else if (!ABI_64_P (output_bfd) && val == 0x44) ++ { ++ if (roff < 3) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x45, + contents + roff - 3); ++ } + bfd_put_8 (output_bfd, 0x8d, + contents + roff - 2); + bfd_put_8 (output_bfd, 0x80 | reg | (reg << 3), +@@ -3587,20 +3635,33 @@ direct: + { + if (contents[roff + 5] == 0xb8) + { ++ if (roff < 3 ++ || (roff - 3 + 22) > 
input_section->size) ++ goto corrupt_input; + memcpy (contents + roff - 3, + "\x64\x48\x8b\x04\x25\0\0\0\0\x48\x03\x05" + "\0\0\0\0\x66\x0f\x1f\x44\0", 22); + largepic = 1; + } + else ++ { ++ if (roff < 4 ++ || (roff - 4 + 16) > input_section->size) ++ goto corrupt_input; + memcpy (contents + roff - 4, + "\x64\x48\x8b\x04\x25\0\0\0\0\x48\x03\x05\0\0\0", + 16); ++ } + } + else ++ { ++ if (roff < 3 ++ || (roff - 3 + 15) > input_section->size) ++ goto corrupt_input; + memcpy (contents + roff - 3, + "\x64\x8b\x04\x25\0\0\0\0\x48\x03\x05\0\0\0", + 15); ++ } + + relocation = (htab->elf.sgot->output_section->vma + + htab->elf.sgot->output_offset + off +@@ -3629,6 +3690,8 @@ direct: + turn a leaq into a movq in the form we use it, it + suffices to change the second byte from 0x8d to + 0x8b. */ ++ if (roff < 2) ++ goto corrupt_input; + bfd_put_8 (output_bfd, 0x8b, contents + roff - 2); + + bfd_put_32 (output_bfd, +@@ -3697,28 +3760,57 @@ direct: + BFD_ASSERT (r_type == R_X86_64_TPOFF32); + if (ABI_64_P (output_bfd)) + { ++ if ((rel->r_offset + 5) >= input_section->size) ++ goto corrupt_input; + if (contents[rel->r_offset + 5] == 0xb8) ++ { ++ if (rel->r_offset < 3 ++ || (rel->r_offset - 3 + 22) > input_section->size) ++ goto corrupt_input; + memcpy (contents + rel->r_offset - 3, + "\x66\x66\x66\x66\x2e\x0f\x1f\x84\0\0\0\0\0" + "\x64\x48\x8b\x04\x25\0\0\0", 22); ++ } + else if (contents[rel->r_offset + 4] == 0xff + || contents[rel->r_offset + 4] == 0x67) ++ { ++ if (rel->r_offset < 3 ++ || (rel->r_offset - 3 + 13) > input_section->size) ++ goto corrupt_input; + memcpy (contents + rel->r_offset - 3, + "\x66\x66\x66\x66\x64\x48\x8b\x04\x25\0\0\0", + 13); ++ } + else ++ { ++ if (rel->r_offset < 3 ++ || (rel->r_offset - 3 + 12) > input_section->size) ++ goto corrupt_input; + memcpy (contents + rel->r_offset - 3, + "\x66\x66\x66\x64\x48\x8b\x04\x25\0\0\0", 12); ++ } + } + else + { ++ if ((rel->r_offset + 4) >= input_section->size) ++ goto corrupt_input; + if 
(contents[rel->r_offset + 4] == 0xff) ++ { ++ if (rel->r_offset < 3 ++ || (rel->r_offset - 3 + 13) > input_section->size) ++ goto corrupt_input; + memcpy (contents + rel->r_offset - 3, + "\x66\x0f\x1f\x40\x00\x64\x8b\x04\x25\0\0\0", + 13); ++ } + else ++ { ++ if (rel->r_offset < 3 ++ || (rel->r_offset - 3 + 12) > input_section->size) ++ goto corrupt_input; + memcpy (contents + rel->r_offset - 3, + "\x0f\x1f\x40\x00\x64\x8b\x04\x25\0\0\0", 12); ++ } + } + /* Skip R_X86_64_PC32, R_X86_64_PLT32, R_X86_64_GOTPCRELX + and R_X86_64_PLTOFF64. */ +-- +2.31.1 + diff --git a/binutils.spec b/binutils.spec index 95dd849fe6e8dab2dcb8090c9143080c69700340..79f716a3aefeab2fa70ad44a8373e373e85b0e16 100644 --- a/binutils.spec +++ b/binutils.spec @@ -24,7 +24,7 @@ # /usr/bin/aarch64-linux-gnu-ar # /usr/bin/aarch64-linux-gnu-as # [etc] -%define anolis_release .0.1 +%define anolis_release .0.2 %if 0%{!?binutils_target:1} @@ -634,6 +634,7 @@ Patch1000: 0001-binutils-anolis-rebrand.patch Patch1001: binutils-loongarch-support.patch Patch1002: 0001-LoongArch-Fix-wrong-line-number-in-.debug_line.patch Patch1003: binutils-LoongArch-Add-missing-opcode.patch +Patch1004: 0002-fix-POC-CVE.patch #end #---------------------------------------------------------------------------- @@ -880,6 +881,7 @@ using libelf instead of BFD. %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 # We cannot run autotools as there is an exact requirement of autoconf-2.59. # FIXME - this is no longer true. Maybe try reinstating autotool use ? @@ -1329,6 +1331,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Fri Apr 21 2023 hanshuang - 2.30-117.0.2 +- cve: fix ld -E POC loophole + * Tue Dec 27 2022 Xue haolin - 2.30-117.0.1 - Rebrand to Anolis OS. - Add loongarch support. (lixing@loongson.cn)
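Review bot: In the GD→LE hunk (`@@ -3296`) and the GD→IE hunk (`@@ -3587`) the byte `contents[roff + 5]` is still read before any of the newly added size checks run, so a relocation whose r_offset lies within the last five bytes of the section reads past the section buffer before `corrupt_input` is ever reached. The TPOFF32 hunk at the end guards the same read with `if ((rel->r_offset + 5) >= input_section->size) goto corrupt_input;`, and the two earlier paths need the identical line placed before their `if (contents[roff + 5] == 0xb8)` unless an equivalent check already sits above the hunk, which is not visible here. The enclosing relocation function begins before the first hunk and continues past the last one. Separately, neither the patch subject (`fix-POC-CVE`) nor the spec changelog names a CVE identifier or the upstream binutils commit, which leaves no way to verify this backport against the reference fix; recording both would make future audits straightforward.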