authorSundeep KOKKONDA <sundeep.kokkonda@gmail.com>2022-02-09 19:08:41 +0530
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-23 23:43:42 +0000
commitd9a3341394949347936a1af6fc3451ff5d8652e3 (patch)
tree23e674fca0e19af0ef129b1a0f683459b2ce028b
parentea8e23b4826882602f4d18ca88752e5313cff7e2 (diff)
binutils: Fix CVE-2021-45078
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02] (From OE-Core rev: be665a2279795c522cb3e3e700ea747efd885f95) (From OE-Core rev: 9793eac0988f10ec2e4cbe0e4fc494ff4dd29585) Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 823d25f5218836fb4298482366fbc5d05d822907) Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch257
2 files changed, 258 insertions, 0 deletions
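--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -51,5 +51,6 @@ SRC_URI = "\
  file://CVE-2021-3487.patch \
  file://CVE-2021-3549.patch \
  file://CVE-2020-16593.patch \
+ file://0001-CVE-2021-45078.patch \
 "
 S = "${WORKDIR}/git"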
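--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,257 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+ PR 28694
+ * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+ Negate typenum earlier, simplifying bounds checking. Correct
+ off-by-one indexing. Adjust switch cases.
+
+
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+ (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+ (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+ {
+ debug_type rettype;
+ const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+ {
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+ return DEBUG_TYPE_NULL;
+ }
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+ {
+- case 1:
++ case 0:
+ /* The size of this and all the other types are fixed, defined
+ by the debugging format. */
+ name = "int";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 2:
++ case 1:
+ name = "char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 3:
++ case 2:
+ name = "short";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 4:
++ case 3:
+ name = "long";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 5:
++ case 4:
+ name = "unsigned char";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 6:
++ case 5:
+ name = "signed char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 7:
++ case 6:
+ name = "unsigned short";
+ rettype = debug_make_int_type (dhandle, 2, TRUE);
+ break;
+- case 8:
++ case 7:
+ name = "unsigned int";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 9:
++ case 8:
+ name = "unsigned";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 10:
++ case 9:
+ name = "unsigned long";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 11:
++ case 10:
+ name = "void";
+ rettype = debug_make_void_type (dhandle);
+ break;
+- case 12:
++ case 11:
+ /* IEEE single precision (32 bit). */
+ name = "float";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 13:
++ case 12:
+ /* IEEE double precision (64 bit). */
+ name = "double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 14:
++ case 13:
+ /* This is an IEEE double on the RS/6000, and different machines
+ with different sizes for "long double" should use different
+ negative type numbers. See stabs.texinfo. */
+ name = "long double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 15:
++ case 14:
+ name = "integer";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 16:
++ case 15:
+ name = "boolean";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 17:
++ case 16:
+ name = "short real";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 18:
++ case 17:
+ name = "real";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 19:
++ case 18:
+ /* FIXME */
+ name = "stringptr";
+ rettype = NULL;
+ break;
+- case 20:
++ case 19:
+ /* FIXME */
+ name = "character";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 21:
++ case 20:
+ name = "logical*1";
+ rettype = debug_make_bool_type (dhandle, 1);
+ break;
+- case 22:
++ case 21:
+ name = "logical*2";
+ rettype = debug_make_bool_type (dhandle, 2);
+ break;
+- case 23:
++ case 22:
+ name = "logical*4";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 24:
++ case 23:
+ name = "logical";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 25:
++ case 24:
+ /* Complex type consisting of two IEEE single precision values. */
+ name = "complex";
+ rettype = debug_make_complex_type (dhandle, 8);
+ break;
+- case 26:
++ case 25:
+ /* Complex type consisting of two IEEE double precision values. */
+ name = "double complex";
+ rettype = debug_make_complex_type (dhandle, 16);
+ break;
+- case 27:
++ case 26:
+ name = "integer*1";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 28:
++ case 27:
+ name = "integer*2";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 29:
++ case 28:
+ name = "integer*4";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 30:
++ case 29:
+ /* FIXME */
+ name = "wchar";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 31:
++ case 30:
+ name = "long long";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+- case 32:
++ case 31:
+ name = "unsigned long long";
+ rettype = debug_make_int_type (dhandle, 8, TRUE);
+ break;
+- case 33:
++ case 32:
+ name = "logical*8";
+ rettype = debug_make_bool_type (dhandle, 8);
+ break;
+- case 34:
++ case 33:
+ name = "integer*8";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+ }
+
+ rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+ return rettype;
+ }
+
+--
+2.27.0
+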
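Review bot: The bounds check in stab_xcoff_builtin_type now rests entirely on unsigned wraparound in `typenum = -typenum - 1;`, and nothing in the backported code says so. A comment above that line, such as `/* Map XCOFF type -1..-XCOFF_TYPE_COUNT to index 0..XCOFF_TYPE_COUNT-1; any other input wraps to a large value and is rejected below. */`, would help keep a later edit from reintroducing the off-by-one write into `info->xcoff_types`. In the error path, `-typenum - 1` is an unsigned int printed with `%d`; writing `(int) (-typenum - 1)` would make recovering the original negative number explicit instead of relying on how the varargs mismatch is handled. The lines between the two inner hunks (presumably the switch's default case) are not shown, so this page cannot confirm that every index below XCOFF_TYPE_COUNT has a matching case.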