summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2021-08-26 16:22:00 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-09-01 16:27:09 +0100
commitb06370cc2dd3b82f6eaaa1449b28b07629cf959d (patch)
tree3e28c1dc49b7d1162ceabb7ea3b9ea7a2b41d01f
parent50204d091bfbe42fca0a3e970529c558ec139b2d (diff)
downloadpoky-b06370cc2dd3b82f6eaaa1449b28b07629cf959d.tar.gz
binutils: Security fix for CVE-2020-16593
Source: https://sourceware.org/git/binutils-gdb.git MR: 112801 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729 ChangeID: 470b309f4859eecdcc837add2bf756484ad94ee5 Description: Fixed up for 2.34 context (From OE-Core rev: bcaa13d8888416b01f0f590d9dab2bd736d1e8a8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch204
2 files changed, 205 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 1c1118df54..6104bec591 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -49,5 +49,6 @@ SRC_URI = "\
49 file://CVE-2021-20197.patch \ 49 file://CVE-2021-20197.patch \
50 file://CVE-2021-3487.patch \ 50 file://CVE-2021-3487.patch \
51 file://CVE-2021-3549.patch \ 51 file://CVE-2021-3549.patch \
52 file://CVE-2020-16593.patch \
52" 53"
53S = "${WORKDIR}/git" 54S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..cbe4a50507
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
1From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 16 Apr 2020 17:49:38 +0930
4Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
5
6 PR 25827
7 * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
8 strdup(0).
9
10Upstream-Status: Backport
11https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
12CVE: CVE-2020-16593
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15
16Index: git/bfd/dwarf2.c
17===================================================================
18--- git.orig/bfd/dwarf2.c
19+++ git/bfd/dwarf2.c
20@@ -295,12 +295,12 @@ struct comp_unit
21 /* This data structure holds the information of an abbrev. */
22 struct abbrev_info
23 {
24- unsigned int number; /* Number identifying abbrev. */
25- enum dwarf_tag tag; /* DWARF tag. */
26- int has_children; /* Boolean. */
27- unsigned int num_attrs; /* Number of attributes. */
28- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
29- struct abbrev_info *next; /* Next in chain. */
30+ unsigned int number; /* Number identifying abbrev. */
31+ enum dwarf_tag tag; /* DWARF tag. */
32+ bfd_boolean has_children; /* TRUE if the abbrev has children. */
33+ unsigned int num_attrs; /* Number of attributes. */
34+ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
35+ struct abbrev_info * next; /* Next in chain. */
36 };
37
38 struct attr_abbrev
39@@ -1487,6 +1487,8 @@ struct varinfo
40 {
41 /* Pointer to previous variable in list of all variables */
42 struct varinfo *prev_var;
43+ /* The offset of the varinfo from the start of the unit. */
44+ bfd_uint64_t unit_offset;
45 /* Source location file name */
46 char *file;
47 /* Source location line number */
48@@ -1497,7 +1499,7 @@ struct varinfo
49 /* Where the symbol is defined */
50 asection *sec;
51 /* Is this a stack variable? */
52- unsigned int stack: 1;
53+ bfd_boolean stack;
54 };
55
56 /* Return TRUE if NEW_LINE should sort after LINE. */
57@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
58 struct varinfo* each;
59
60 for (each = unit->variable_table; each; each = each->prev_var)
61- if (each->stack == 0
62+ if (! each->stack
63 && each->file != NULL
64 && each->name != NULL
65 && each->addr == addr
66@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
67 return TRUE;
68 }
69
70+static struct varinfo *
71+lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
72+{
73+ while (table)
74+ {
75+ if (table->unit_offset == offset)
76+ return table;
77+ table = table->prev_var;
78+ }
79+
80+ return NULL;
81+}
82+
83+
84 /* DWARF2 Compilation unit functions. */
85
86 /* Scan over each die in a comp. unit looking for functions to add
87@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
88 bfd_vma low_pc = 0;
89 bfd_vma high_pc = 0;
90 bfd_boolean high_pc_relative = FALSE;
91+ bfd_uint64_t current_offset;
92+
93+ current_offset = info_ptr - unit->info_ptr_unit;
94
95 /* PR 17512: file: 9f405d9d. */
96 if (info_ptr >= info_ptr_end)
97@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
98 goto fail;
99 }
100
101- var = NULL;
102 if (abbrev->tag == DW_TAG_subprogram
103 || abbrev->tag == DW_TAG_entry_point
104 || abbrev->tag == DW_TAG_inlined_subroutine)
105 {
106 bfd_size_type amt = sizeof (struct funcinfo);
107+
108+ var = NULL;
109 func = (struct funcinfo *) bfd_zalloc (abfd, amt);
110 if (func == NULL)
111 goto fail;
112@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
113 if (var == NULL)
114 goto fail;
115 var->tag = abbrev->tag;
116- var->stack = 1;
117+ var->stack = TRUE;
118 var->prev_var = unit->variable_table;
119 unit->variable_table = var;
120+ var->unit_offset = current_offset;
121 /* PR 18205: Missing debug information can cause this
122 var to be attached to an already cached unit. */
123 }
124-
125+ else
126+ var = NULL;
127 /* No inline function in scope at this nesting level. */
128 nested_funcs[nesting_level].func = 0;
129 }
130@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
131 {
132 switch (attr.name)
133 {
134+ case DW_AT_specification:
135+ if (attr.u.val)
136+ {
137+ struct varinfo * spec_var;
138+
139+ spec_var = lookup_var_by_offset (attr.u.val,
140+ unit->variable_table);
141+ if (spec_var == NULL)
142+ {
143+ _bfd_error_handler (_("DWARF error: could not find "
144+ "variable specification "
145+ "at offset %lx"),
146+ (unsigned long) attr.u.val);
147+ break;
148+ }
149+
150+ if (var->name == NULL)
151+ var->name = spec_var->name;
152+ if (var->file == NULL && spec_var->file != NULL)
153+ var->file = strdup (spec_var->file);
154+ if (var->line == 0)
155+ var->line = spec_var->line;
156+ if (var->sec == NULL)
157+ var->sec = spec_var->sec;
158+ }
159+ break;
160+
161 case DW_AT_name:
162 if (is_str_attr (attr.form))
163 var->name = attr.u.str;
164@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
165
166 case DW_AT_external:
167 if (attr.u.val != 0)
168- var->stack = 0;
169+ var->stack = FALSE;
170 break;
171
172 case DW_AT_location:
173@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
174 if (attr.u.blk->data != NULL
175 && *attr.u.blk->data == DW_OP_addr)
176 {
177- var->stack = 0;
178+ var->stack = FALSE;
179
180 /* Verify that DW_OP_addr is the only opcode in the
181 location, in which case the block size will be 1
182@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
183 each_var = each_var->prev_var)
184 {
185 /* Skip stack vars and vars with no files or names. */
186- if (each_var->stack == 0
187+ if (! each_var->stack
188 && each_var->file != NULL
189 && each_var->name != NULL)
190 /* There is no need to copy name string into hash table as
191Index: git/bfd/ChangeLog
192===================================================================
193--- git.orig/bfd/ChangeLog
194+++ git/bfd/ChangeLog
195@@ -1,3 +1,9 @@
196+2020-04-16 Alan Modra <amodra@gmail.com>
197+
198+ PR 25827
199+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
200+ strdup(0).
201+
202 2020-02-19 H.J. Lu <hongjiu.lu@intel.com>
203
204 PR binutils/25355