diff options
author | Armin Kuster <akuster@mvista.com> | 2021-08-26 16:22:00 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-01 16:27:09 +0100 |
commit | b06370cc2dd3b82f6eaaa1449b28b07629cf959d (patch) | |
tree | 3e28c1dc49b7d1162ceabb7ea3b9ea7a2b41d01f | |
parent | 50204d091bfbe42fca0a3e970529c558ec139b2d (diff) | |
download | poky-b06370cc2dd3b82f6eaaa1449b28b07629cf959d.tar.gz |
binutils: Security fix for CVE-2020-16593
Source: https://sourceware.org/git/binutils-gdb.git
MR: 112801
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
ChangeID: 470b309f4859eecdcc837add2bf756484ad94ee5
Description:
Fixed up for 2.34 context
(From OE-Core rev: bcaa13d8888416b01f0f590d9dab2bd736d1e8a8)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.34.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch | 204 |
2 files changed, 205 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 1c1118df54..6104bec591 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc | |||
@@ -49,5 +49,6 @@ SRC_URI = "\ | |||
49 | file://CVE-2021-20197.patch \ | 49 | file://CVE-2021-20197.patch \ |
50 | file://CVE-2021-3487.patch \ | 50 | file://CVE-2021-3487.patch \ |
51 | file://CVE-2021-3549.patch \ | 51 | file://CVE-2021-3549.patch \ |
52 | file://CVE-2020-16593.patch \ | ||
52 | " | 53 | " |
53 | S = "${WORKDIR}/git" | 54 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch new file mode 100644 index 0000000000..cbe4a50507 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch | |||
@@ -0,0 +1,204 @@ | |||
1 | From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Thu, 16 Apr 2020 17:49:38 +0930 | ||
4 | Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols | ||
5 | |||
6 | PR 25827 | ||
7 | * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't | ||
8 | strdup(0). | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729 | ||
12 | CVE: CVE-2020-16593 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | |||
16 | Index: git/bfd/dwarf2.c | ||
17 | =================================================================== | ||
18 | --- git.orig/bfd/dwarf2.c | ||
19 | +++ git/bfd/dwarf2.c | ||
20 | @@ -295,12 +295,12 @@ struct comp_unit | ||
21 | /* This data structure holds the information of an abbrev. */ | ||
22 | struct abbrev_info | ||
23 | { | ||
24 | - unsigned int number; /* Number identifying abbrev. */ | ||
25 | - enum dwarf_tag tag; /* DWARF tag. */ | ||
26 | - int has_children; /* Boolean. */ | ||
27 | - unsigned int num_attrs; /* Number of attributes. */ | ||
28 | - struct attr_abbrev *attrs; /* An array of attribute descriptions. */ | ||
29 | - struct abbrev_info *next; /* Next in chain. */ | ||
30 | + unsigned int number; /* Number identifying abbrev. */ | ||
31 | + enum dwarf_tag tag; /* DWARF tag. */ | ||
32 | + bfd_boolean has_children; /* TRUE if the abbrev has children. */ | ||
33 | + unsigned int num_attrs; /* Number of attributes. */ | ||
34 | + struct attr_abbrev * attrs; /* An array of attribute descriptions. */ | ||
35 | + struct abbrev_info * next; /* Next in chain. */ | ||
36 | }; | ||
37 | |||
38 | struct attr_abbrev | ||
39 | @@ -1487,6 +1487,8 @@ struct varinfo | ||
40 | { | ||
41 | /* Pointer to previous variable in list of all variables */ | ||
42 | struct varinfo *prev_var; | ||
43 | + /* The offset of the varinfo from the start of the unit. */ | ||
44 | + bfd_uint64_t unit_offset; | ||
45 | /* Source location file name */ | ||
46 | char *file; | ||
47 | /* Source location line number */ | ||
48 | @@ -1497,7 +1499,7 @@ struct varinfo | ||
49 | /* Where the symbol is defined */ | ||
50 | asection *sec; | ||
51 | /* Is this a stack variable? */ | ||
52 | - unsigned int stack: 1; | ||
53 | + bfd_boolean stack; | ||
54 | }; | ||
55 | |||
56 | /* Return TRUE if NEW_LINE should sort after LINE. */ | ||
57 | @@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct | ||
58 | struct varinfo* each; | ||
59 | |||
60 | for (each = unit->variable_table; each; each = each->prev_var) | ||
61 | - if (each->stack == 0 | ||
62 | + if (! each->stack | ||
63 | && each->file != NULL | ||
64 | && each->name != NULL | ||
65 | && each->addr == addr | ||
66 | @@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit, | ||
67 | return TRUE; | ||
68 | } | ||
69 | |||
70 | +static struct varinfo * | ||
71 | +lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table) | ||
72 | +{ | ||
73 | + while (table) | ||
74 | + { | ||
75 | + if (table->unit_offset == offset) | ||
76 | + return table; | ||
77 | + table = table->prev_var; | ||
78 | + } | ||
79 | + | ||
80 | + return NULL; | ||
81 | +} | ||
82 | + | ||
83 | + | ||
84 | /* DWARF2 Compilation unit functions. */ | ||
85 | |||
86 | /* Scan over each die in a comp. unit looking for functions to add | ||
87 | @@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit | ||
88 | bfd_vma low_pc = 0; | ||
89 | bfd_vma high_pc = 0; | ||
90 | bfd_boolean high_pc_relative = FALSE; | ||
91 | + bfd_uint64_t current_offset; | ||
92 | + | ||
93 | + current_offset = info_ptr - unit->info_ptr_unit; | ||
94 | |||
95 | /* PR 17512: file: 9f405d9d. */ | ||
96 | if (info_ptr >= info_ptr_end) | ||
97 | @@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit | ||
98 | goto fail; | ||
99 | } | ||
100 | |||
101 | - var = NULL; | ||
102 | if (abbrev->tag == DW_TAG_subprogram | ||
103 | || abbrev->tag == DW_TAG_entry_point | ||
104 | || abbrev->tag == DW_TAG_inlined_subroutine) | ||
105 | { | ||
106 | bfd_size_type amt = sizeof (struct funcinfo); | ||
107 | + | ||
108 | + var = NULL; | ||
109 | func = (struct funcinfo *) bfd_zalloc (abfd, amt); | ||
110 | if (func == NULL) | ||
111 | goto fail; | ||
112 | @@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit | ||
113 | if (var == NULL) | ||
114 | goto fail; | ||
115 | var->tag = abbrev->tag; | ||
116 | - var->stack = 1; | ||
117 | + var->stack = TRUE; | ||
118 | var->prev_var = unit->variable_table; | ||
119 | unit->variable_table = var; | ||
120 | + var->unit_offset = current_offset; | ||
121 | /* PR 18205: Missing debug information can cause this | ||
122 | var to be attached to an already cached unit. */ | ||
123 | } | ||
124 | - | ||
125 | + else | ||
126 | + var = NULL; | ||
127 | /* No inline function in scope at this nesting level. */ | ||
128 | nested_funcs[nesting_level].func = 0; | ||
129 | } | ||
130 | @@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit | ||
131 | { | ||
132 | switch (attr.name) | ||
133 | { | ||
134 | + case DW_AT_specification: | ||
135 | + if (attr.u.val) | ||
136 | + { | ||
137 | + struct varinfo * spec_var; | ||
138 | + | ||
139 | + spec_var = lookup_var_by_offset (attr.u.val, | ||
140 | + unit->variable_table); | ||
141 | + if (spec_var == NULL) | ||
142 | + { | ||
143 | + _bfd_error_handler (_("DWARF error: could not find " | ||
144 | + "variable specification " | ||
145 | + "at offset %lx"), | ||
146 | + (unsigned long) attr.u.val); | ||
147 | + break; | ||
148 | + } | ||
149 | + | ||
150 | + if (var->name == NULL) | ||
151 | + var->name = spec_var->name; | ||
152 | + if (var->file == NULL && spec_var->file != NULL) | ||
153 | + var->file = strdup (spec_var->file); | ||
154 | + if (var->line == 0) | ||
155 | + var->line = spec_var->line; | ||
156 | + if (var->sec == NULL) | ||
157 | + var->sec = spec_var->sec; | ||
158 | + } | ||
159 | + break; | ||
160 | + | ||
161 | case DW_AT_name: | ||
162 | if (is_str_attr (attr.form)) | ||
163 | var->name = attr.u.str; | ||
164 | @@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit | ||
165 | |||
166 | case DW_AT_external: | ||
167 | if (attr.u.val != 0) | ||
168 | - var->stack = 0; | ||
169 | + var->stack = FALSE; | ||
170 | break; | ||
171 | |||
172 | case DW_AT_location: | ||
173 | @@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit | ||
174 | if (attr.u.blk->data != NULL | ||
175 | && *attr.u.blk->data == DW_OP_addr) | ||
176 | { | ||
177 | - var->stack = 0; | ||
178 | + var->stack = FALSE; | ||
179 | |||
180 | /* Verify that DW_OP_addr is the only opcode in the | ||
181 | location, in which case the block size will be 1 | ||
182 | @@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug | ||
183 | each_var = each_var->prev_var) | ||
184 | { | ||
185 | /* Skip stack vars and vars with no files or names. */ | ||
186 | - if (each_var->stack == 0 | ||
187 | + if (! each_var->stack | ||
188 | && each_var->file != NULL | ||
189 | && each_var->name != NULL) | ||
190 | /* There is no need to copy name string into hash table as | ||
191 | Index: git/bfd/ChangeLog | ||
192 | =================================================================== | ||
193 | --- git.orig/bfd/ChangeLog | ||
194 | +++ git/bfd/ChangeLog | ||
195 | @@ -1,3 +1,9 @@ | ||
196 | +2020-04-16 Alan Modra <amodra@gmail.com> | ||
197 | + | ||
198 | + PR 25827 | ||
199 | + * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't | ||
200 | + strdup(0). | ||
201 | + | ||
202 | 2020-02-19 H.J. Lu <hongjiu.lu@intel.com> | ||
203 | |||
204 | PR binutils/25355 | ||