diff options
author | Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> | 2022-02-09 19:08:41 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-02-23 23:43:42 +0000 |
commit | d9a3341394949347936a1af6fc3451ff5d8652e3 (patch) | |
tree | 23e674fca0e19af0ef129b1a0f683459b2ce028b | |
parent | ea8e23b4826882602f4d18ca88752e5313cff7e2 (diff) | |
download | poky-d9a3341394949347936a1af6fc3451ff5d8652e3.tar.gz |
binutils: Fix CVE-2021-45078
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
(From OE-Core rev: be665a2279795c522cb3e3e700ea747efd885f95)
(From OE-Core rev: 9793eac0988f10ec2e4cbe0e4fc494ff4dd29585)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 823d25f5218836fb4298482366fbc5d05d822907)
Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.34.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch | 257 |
2 files changed, 258 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 903b9d7b01..6a55de2d45 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc | |||
@@ -51,5 +51,6 @@ SRC_URI = "\ | |||
51 | file://CVE-2021-3487.patch \ | 51 | file://CVE-2021-3487.patch \ |
52 | file://CVE-2021-3549.patch \ | 52 | file://CVE-2021-3549.patch \ |
53 | file://CVE-2020-16593.patch \ | 53 | file://CVE-2020-16593.patch \ |
54 | file://0001-CVE-2021-45078.patch \ | ||
54 | " | 55 | " |
55 | S = "${WORKDIR}/git" | 56 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch new file mode 100644 index 0000000000..2af82477ac --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch | |||
@@ -0,0 +1,257 @@ | |||
1 | From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Wed, 15 Dec 2021 11:48:42 +1030 | ||
4 | Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type | ||
5 | |||
6 | PR 28694 | ||
7 | * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned. | ||
8 | Negate typenum earlier, simplifying bounds checking. Correct | ||
9 | off-by-one indexing. Adjust switch cases. | ||
10 | |||
11 | |||
12 | CVE: CVE-2021-45078 | ||
13 | Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02] | ||
14 | |||
15 | Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> | ||
16 | Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> | ||
17 | Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> | ||
18 | --- | ||
19 | binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------ | ||
20 | 1 file changed, 43 insertions(+), 44 deletions(-) | ||
21 | |||
22 | |||
23 | diff --git a/binutils/stabs.c b/binutils/stabs.c | ||
24 | index 274bfb0e7fa..83ee3ea5fa4 100644 | ||
25 | --- a/binutils/stabs.c | ||
26 | +++ b/binutils/stabs.c | ||
27 | @@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *); | ||
28 | static bfd_boolean stab_record_type | ||
29 | (void *, struct stab_handle *, const int *, debug_type); | ||
30 | static debug_type stab_xcoff_builtin_type | ||
31 | - (void *, struct stab_handle *, int); | ||
32 | + (void *, struct stab_handle *, unsigned int); | ||
33 | static debug_type stab_find_tagged_type | ||
34 | (void *, struct stab_handle *, const char *, int, enum debug_type_kind); | ||
35 | static debug_type *stab_demangle_argtypes | ||
36 | @@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info, | ||
37 | |||
38 | static debug_type | ||
39 | stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, | ||
40 | - int typenum) | ||
41 | + unsigned int typenum) | ||
42 | { | ||
43 | debug_type rettype; | ||
44 | const char *name; | ||
45 | |||
46 | - if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT) | ||
47 | + typenum = -typenum - 1; | ||
48 | + if (typenum >= XCOFF_TYPE_COUNT) | ||
49 | { | ||
50 | - fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum); | ||
51 | + fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1); | ||
52 | return DEBUG_TYPE_NULL; | ||
53 | } | ||
54 | - if (info->xcoff_types[-typenum] != NULL) | ||
55 | - return info->xcoff_types[-typenum]; | ||
56 | + if (info->xcoff_types[typenum] != NULL) | ||
57 | + return info->xcoff_types[typenum]; | ||
58 | |||
59 | - switch (-typenum) | ||
60 | + switch (typenum) | ||
61 | { | ||
62 | - case 1: | ||
63 | + case 0: | ||
64 | /* The size of this and all the other types are fixed, defined | ||
65 | by the debugging format. */ | ||
66 | name = "int"; | ||
67 | rettype = debug_make_int_type (dhandle, 4, FALSE); | ||
68 | break; | ||
69 | - case 2: | ||
70 | + case 1: | ||
71 | name = "char"; | ||
72 | rettype = debug_make_int_type (dhandle, 1, FALSE); | ||
73 | break; | ||
74 | - case 3: | ||
75 | + case 2: | ||
76 | name = "short"; | ||
77 | rettype = debug_make_int_type (dhandle, 2, FALSE); | ||
78 | break; | ||
79 | - case 4: | ||
80 | + case 3: | ||
81 | name = "long"; | ||
82 | rettype = debug_make_int_type (dhandle, 4, FALSE); | ||
83 | break; | ||
84 | - case 5: | ||
85 | + case 4: | ||
86 | name = "unsigned char"; | ||
87 | rettype = debug_make_int_type (dhandle, 1, TRUE); | ||
88 | break; | ||
89 | - case 6: | ||
90 | + case 5: | ||
91 | name = "signed char"; | ||
92 | rettype = debug_make_int_type (dhandle, 1, FALSE); | ||
93 | break; | ||
94 | - case 7: | ||
95 | + case 6: | ||
96 | name = "unsigned short"; | ||
97 | rettype = debug_make_int_type (dhandle, 2, TRUE); | ||
98 | break; | ||
99 | - case 8: | ||
100 | + case 7: | ||
101 | name = "unsigned int"; | ||
102 | rettype = debug_make_int_type (dhandle, 4, TRUE); | ||
103 | break; | ||
104 | - case 9: | ||
105 | + case 8: | ||
106 | name = "unsigned"; | ||
107 | rettype = debug_make_int_type (dhandle, 4, TRUE); | ||
108 | break; | ||
109 | - case 10: | ||
110 | + case 9: | ||
111 | name = "unsigned long"; | ||
112 | rettype = debug_make_int_type (dhandle, 4, TRUE); | ||
113 | break; | ||
114 | - case 11: | ||
115 | + case 10: | ||
116 | name = "void"; | ||
117 | rettype = debug_make_void_type (dhandle); | ||
118 | break; | ||
119 | - case 12: | ||
120 | + case 11: | ||
121 | /* IEEE single precision (32 bit). */ | ||
122 | name = "float"; | ||
123 | rettype = debug_make_float_type (dhandle, 4); | ||
124 | break; | ||
125 | - case 13: | ||
126 | + case 12: | ||
127 | /* IEEE double precision (64 bit). */ | ||
128 | name = "double"; | ||
129 | rettype = debug_make_float_type (dhandle, 8); | ||
130 | break; | ||
131 | - case 14: | ||
132 | + case 13: | ||
133 | /* This is an IEEE double on the RS/6000, and different machines | ||
134 | with different sizes for "long double" should use different | ||
135 | negative type numbers. See stabs.texinfo. */ | ||
136 | name = "long double"; | ||
137 | rettype = debug_make_float_type (dhandle, 8); | ||
138 | break; | ||
139 | - case 15: | ||
140 | + case 14: | ||
141 | name = "integer"; | ||
142 | rettype = debug_make_int_type (dhandle, 4, FALSE); | ||
143 | break; | ||
144 | - case 16: | ||
145 | + case 15: | ||
146 | name = "boolean"; | ||
147 | rettype = debug_make_bool_type (dhandle, 4); | ||
148 | break; | ||
149 | - case 17: | ||
150 | + case 16: | ||
151 | name = "short real"; | ||
152 | rettype = debug_make_float_type (dhandle, 4); | ||
153 | break; | ||
154 | - case 18: | ||
155 | + case 17: | ||
156 | name = "real"; | ||
157 | rettype = debug_make_float_type (dhandle, 8); | ||
158 | break; | ||
159 | - case 19: | ||
160 | + case 18: | ||
161 | /* FIXME */ | ||
162 | name = "stringptr"; | ||
163 | rettype = NULL; | ||
164 | break; | ||
165 | - case 20: | ||
166 | + case 19: | ||
167 | /* FIXME */ | ||
168 | name = "character"; | ||
169 | rettype = debug_make_int_type (dhandle, 1, TRUE); | ||
170 | break; | ||
171 | - case 21: | ||
172 | + case 20: | ||
173 | name = "logical*1"; | ||
174 | rettype = debug_make_bool_type (dhandle, 1); | ||
175 | break; | ||
176 | - case 22: | ||
177 | + case 21: | ||
178 | name = "logical*2"; | ||
179 | rettype = debug_make_bool_type (dhandle, 2); | ||
180 | break; | ||
181 | - case 23: | ||
182 | + case 22: | ||
183 | name = "logical*4"; | ||
184 | rettype = debug_make_bool_type (dhandle, 4); | ||
185 | break; | ||
186 | - case 24: | ||
187 | + case 23: | ||
188 | name = "logical"; | ||
189 | rettype = debug_make_bool_type (dhandle, 4); | ||
190 | break; | ||
191 | - case 25: | ||
192 | + case 24: | ||
193 | /* Complex type consisting of two IEEE single precision values. */ | ||
194 | name = "complex"; | ||
195 | rettype = debug_make_complex_type (dhandle, 8); | ||
196 | break; | ||
197 | - case 26: | ||
198 | + case 25: | ||
199 | /* Complex type consisting of two IEEE double precision values. */ | ||
200 | name = "double complex"; | ||
201 | rettype = debug_make_complex_type (dhandle, 16); | ||
202 | break; | ||
203 | - case 27: | ||
204 | + case 26: | ||
205 | name = "integer*1"; | ||
206 | rettype = debug_make_int_type (dhandle, 1, FALSE); | ||
207 | break; | ||
208 | - case 28: | ||
209 | + case 27: | ||
210 | name = "integer*2"; | ||
211 | rettype = debug_make_int_type (dhandle, 2, FALSE); | ||
212 | break; | ||
213 | - case 29: | ||
214 | + case 28: | ||
215 | name = "integer*4"; | ||
216 | rettype = debug_make_int_type (dhandle, 4, FALSE); | ||
217 | break; | ||
218 | - case 30: | ||
219 | + case 29: | ||
220 | /* FIXME */ | ||
221 | name = "wchar"; | ||
222 | rettype = debug_make_int_type (dhandle, 2, FALSE); | ||
223 | break; | ||
224 | - case 31: | ||
225 | + case 30: | ||
226 | name = "long long"; | ||
227 | rettype = debug_make_int_type (dhandle, 8, FALSE); | ||
228 | break; | ||
229 | - case 32: | ||
230 | + case 31: | ||
231 | name = "unsigned long long"; | ||
232 | rettype = debug_make_int_type (dhandle, 8, TRUE); | ||
233 | break; | ||
234 | - case 33: | ||
235 | + case 32: | ||
236 | name = "logical*8"; | ||
237 | rettype = debug_make_bool_type (dhandle, 8); | ||
238 | break; | ||
239 | - case 34: | ||
240 | + case 33: | ||
241 | name = "integer*8"; | ||
242 | rettype = debug_make_int_type (dhandle, 8, FALSE); | ||
243 | break; | ||
244 | @@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, | ||
245 | } | ||
246 | |||
247 | rettype = debug_name_type (dhandle, name, rettype); | ||
248 | - | ||
249 | - info->xcoff_types[-typenum] = rettype; | ||
250 | - | ||
251 | + info->xcoff_types[typenum] = rettype; | ||
252 | return rettype; | ||
253 | } | ||
254 | |||
255 | -- | ||
256 | 2.27.0 | ||
257 | |||