diff --git a/core/binutils/0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch b/core/binutils/0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
new file mode 100644
index 000000000..24c814ece
--- /dev/null
+++ b/core/binutils/0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
@@ -0,0 +1,29 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+
+ PR 22741
+ * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+ range before converting to a symbol table pointer.
+---
+ bfd/coffgen.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c
+index b2410873d0..4f90eaddd9 100644
+--- a/bfd/coffgen.c
++++ b/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+ }
+ /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+ generate one, so we must be careful to ignore it. */
+- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++ < obj_raw_syment_count (abfd))
+ {
+ auxent->u.auxent.x_sym.x_tagndx.p =
+ table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+--
+2.16.2
+
diff --git a/core/binutils/0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch b/core/binutils/0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
new file mode 100644
index 000000000..3b73a6a3e
--- /dev/null
+++ b/core/binutils/0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
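Review bot: The comment kept above the new guard still talks only about a negative tagndx, while the guard now depends on the `(unsigned long)` cast to make a negative `x_tagndx.l` fail the `< obj_raw_syment_count (abfd)` comparison, and a tagndx of 0, which the old `> 0` test rejected, now passes whenever the raw symbol count is non-zero and is pointerized as `table_base + 0`. A short addition to the comment would stop a later reader from restoring the `> 0` test and losing the bounds check: `/* The unsigned cast rejects negative values; the comparison also bounds the index, and a zero tagndx is accepted.  */`. Whether any caller treated index 0 as "no tag" cannot be told from this hunk. coff_pointerize_aux starts and ends outside the hunk.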
@@ -0,0 +1,145 @@
+From 3b56a1358768563d9cf320559ebdedfb30f122dd Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Mon, 12 Feb 2018 13:06:07 +1030
+Subject: [PATCH] PR22829, objcopy/strip removes PT_GNU_RELRO from lld binaries
+
+lld lays out the relro segment differently to GNU ld, not bothering to
+include the first few bytes of .got.plt and padding out to a page at
+the end of the segment. This patch teaches binutils to recognize the
+different (and somewhat inferior) layout as valid.
+
+bfd/
+ PR 22829
+ * elf.c (assign_file_positions_for_non_load_sections): Rewrite
+ PT_GNU_RELRO setup.
+ld/
+ * testsuite/ld-x86-64/pr14207.d: Adjust relro p_filesz.
+
+(cherry picked from commit f2731e0c374e5323ce4cdae2bcc7b7fe22da1a6f)
+---
+ bfd/elf.c | 78 ++++++++++++++++++++++++++--------------
+ ld/testsuite/ld-x86-64/pr14207.d | 2 +-
+ 2 files changed, 52 insertions(+), 28 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index bbaab26918..f5a230cd77 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -5826,50 +5826,74 @@ assign_file_positions_for_non_load_sections (bfd *abfd,
+ {
+ if (p->p_type == PT_GNU_RELRO)
+ {
+- const Elf_Internal_Phdr *lp;
+- struct elf_segment_map *lm;
++ bfd_vma start, end;
+
+ if (link_info != NULL)
+ {
+ /* During linking the range of the RELRO segment is passed
+- in link_info. */
++ in link_info. Note that there may be padding between
++ relro_start and the first RELRO section. */
++ start = link_info->relro_start;
++ end = link_info->relro_end;
++ }
++ else if (m->count != 0)
++ {
++ if (!m->p_size_valid)
++ abort ();
++ start = m->sections[0]->vma;
++ end = start + m->p_size;
++ }
++ else
++ {
++ start = 0;
++ end = 0;
++ }
++
++ if (start < end)
++ {
++ struct elf_segment_map *lm;
++ const Elf_Internal_Phdr *lp;
++ unsigned int i;
++
++ /* Find a LOAD segment containing a section in the RELRO
++ segment. */
+ for (lm = elf_seg_map (abfd), lp = phdrs;
+ lm != NULL;
+ lm = lm->next, lp++)
+ {
+ if (lp->p_type == PT_LOAD
+- && lp->p_vaddr < link_info->relro_end
+ && lm->count != 0
+- && lm->sections[0]->vma >= link_info->relro_start)
++ && lm->sections[lm->count - 1]->vma >= start
++ && lm->sections[0]->vma < end)
+ break;
+ }
+-
+ BFD_ASSERT (lm != NULL);
+- }
+- else
+- {
+- /* Otherwise we are copying an executable or shared
+- library, but we need to use the same linker logic. */
+- for (lp = phdrs; lp < phdrs + count; ++lp)
++
++ /* Find the section starting the RELRO segment. */
++ for (i = 0; i < lm->count; i++)
+ {
+- if (lp->p_type == PT_LOAD
+- && lp->p_paddr == p->p_paddr)
++ asection *s = lm->sections[i];
++ if (s->vma >= start
++ && s->vma < end
++ && s->size != 0)
+ break;
+ }
+- }
++ BFD_ASSERT (i < lm->count);
++
++ p->p_vaddr = lm->sections[i]->vma;
++ p->p_paddr = lm->sections[i]->lma;
++ p->p_offset = lm->sections[i]->filepos;
++ p->p_memsz = end - p->p_vaddr;
++ p->p_filesz = p->p_memsz;
++
++ /* The RELRO segment typically ends a few bytes into
++ .got.plt but other layouts are possible. In cases
++ where the end does not match any loaded section (for
++ instance is in file padding), trim p_filesz back to
++ correspond to the end of loaded section contents. */
++ if (p->p_filesz > lp->p_vaddr + lp->p_filesz - p->p_vaddr)
++ p->p_filesz = lp->p_vaddr + lp->p_filesz - p->p_vaddr;
+
+- if (lp < phdrs + count)
+- {
+- p->p_vaddr = lp->p_vaddr;
+- p->p_paddr = lp->p_paddr;
+- p->p_offset = lp->p_offset;
+- if (link_info != NULL)
+- p->p_filesz = link_info->relro_end - lp->p_vaddr;
+- else if (m->p_size_valid)
+- p->p_filesz = m->p_size;
+- else
+- abort ();
+- p->p_memsz = p->p_filesz;
+ /* Preserve the alignment and flags if they are valid. The
+ gold linker generates RW/4 for the PT_GNU_RELRO section.
+ It is better for objcopy/strip to honor these attributes
+diff --git a/ld/testsuite/ld-x86-64/pr14207.d b/ld/testsuite/ld-x86-64/pr14207.d
+index f6558e7cd7..41f92b8bd8 100644
+--- a/ld/testsuite/ld-x86-64/pr14207.d
++++ b/ld/testsuite/ld-x86-64/pr14207.d
+@@ -13,7 +13,7 @@ Program Headers:
+ LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x0001c8 0x0001c8 R 0x200000
+ LOAD 0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 0x000c.8 RW 0x200000
+ DYNAMIC 0x000b.0 0x0000000000200b.0 0x0000000000200b.0 0x0001.0 0x0001.0 RW 0x8
+- GNU_RELRO 0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.8 0x0004.8 R 0x1
++ GNU_RELRO 0x000b.8 0x0000000000200b.8 0x0000000000200b.8 0x0004.0 0x0004.8 R 0x1
+
+ Section to Segment mapping:
+ Segment Sections...
+--
+2.16.2
+
diff --git a/core/binutils/PKGBUILD b/core/binutils/PKGBUILD
index c1be66652..e7f9a5790 100644
--- a/core/binutils/PKGBUILD
+++ b/core/binutils/PKGBUILD
@@ -12,7 +12,7 @@ noautobuild=1
 pkgname=binutils
 pkgver=2.29.1
-pkgrel=2
+pkgrel=3
 pkgdesc='A set of programs to assemble and manipulate binary and object files'
 arch=(x86_64)
 url='http://www.gnu.org/software/binutils/'
@@ -25,11 +25,15 @@ options=(staticlibs !distcc !ccache)
 #_commit=d1a6e7195b9bb0255fa77588985b969ad8aaacf5
 #source=(git+https://sourceware.org/git/binutils-gdb.git#commit=${_commit}
 source=(https://ftp.gnu.org/gnu/binutils/binutils-$pkgver.tar.xz{,.sig}
- 0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch)
+ 0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+ 0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+ 0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch)
 validpgpkeys=(3A24BC1E8FB409FA9F14371813FCEF89DD9E3C4F)
 md5sums=('acc9cd826edb9954ac7cecb81c727793'
 'SKIP'
- 'e4be936139ef46122cb3841881c432b2')
+ 'e4be936139ef46122cb3841881c432b2'
+ '469164f3c93a0e92a697537b60c9806c'
+ '0c679b37e90fb23de60a4d28329b956a')
 
 prepare() {
 mkdir -p binutils-build
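Review bot: In the bfd/elf.c hunk, `BFD_ASSERT (lm != NULL);` is followed directly by `for (i = 0; i < lm->count; i++)`, and `BFD_ASSERT (i < lm->count);` by `p->p_vaddr = lm->sections[i]->vma;`; as far as I recall BFD_ASSERT only reports through the BFD error handler and does not stop execution, so an input whose PT_GNU_RELRO range overlaps no PT_LOAD segment, or whose matching segment holds no non-empty section inside [start, end), would dereference a null `lm` or read past `lm->sections`. That input appears reachable on the objcopy/strip path, where `link_info` is NULL and start/end are taken from `m->sections[0]->vma` and `m->p_size` of the file being copied, so the two asserts should become real branches, e.g. `if (lm != NULL)` around the section search and `if (i < lm->count)` around the p_* assignments, leaving the segment untouched otherwise. The `abort ()` on `!m->p_size_valid` likewise terminates the tool on a malformed file rather than reporting an error. assign_file_positions_for_non_load_sections starts and ends outside the hunk.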
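Review bot: The two new patch files are pinned only through the `md5sums` array (PKGBUILD hunk at -25,11), so the upstream tarball is verified against `validpgpkeys` while the code that rewrites bfd/elf.c is checked with a digest that no longer resists deliberate collisions; for files kept in the same repository this still catches accidental edits, but switching the array to `sha256sums` would make the check meaningful and is supported by makepkg. Not blocking for this bump.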
@@ -42,6 +46,12 @@ prepare() {
 
 # https://bugs.archlinux.org/task/55741
 git apply ../0001-x86-64_Dont_pass_output_bfd_to_info-callbacks-minfo.patch
+
+ # https://sourceware.org/bugzilla/show_bug.cgi?id=22741
+ git apply ../0001-PR22741-objcopy-segfault-on-fuzzed-COFF-object.patch
+
+ # https://sourceware.org/bugzilla/show_bug.cgi?id=22829
+ git apply ../0001-PR22829-objcopy-strip-removes-PT_GNU_RELRO-from-lld-.patch
 }
 
 build() {