diff options
author | Vinay Kumar <vinay.m.engg@gmail.com> | 2021-04-29 04:30:46 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-06 08:41:26 +0100 |
commit | f628b052f6c4a957472f2520adfb4b816ef83d95 (patch) | |
tree | 65957e1ae714328c275b399ff775ae10c3fffdfe | |
parent | 71d07cdebc20ff2de0adead311ca151592bd4354 (diff) | |
download | poky-f628b052f6c4a957472f2520adfb4b816ef83d95.tar.gz |
binutils: Fix CVE-2021-20197
Source: git://sourceware.org/git/binutils-gdb.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=26945
Backported upstream commit d3edaa91d4cf7202ec14342410194841e2f67f12 to
binutils-2.36 source along with commit id dependencies
(8e03235147a9e774d3ba084e93c2da1aa94d1cec and 8b69e61d4be276bb862698aaafddc3e779d23c8f).
(From OE-Core rev: 395812c345cb510471e264c6f5bb83eed61d79df)
Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.36.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch | 388 |
2 files changed, 389 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc index beddf601fd..66080dfcee 100644 --- a/meta/recipes-devtools/binutils/binutils-2.36.inc +++ b/meta/recipes-devtools/binutils/binutils-2.36.inc | |||
@@ -36,5 +36,6 @@ SRC_URI = "\ | |||
36 | file://0015-sync-with-OE-libtool-changes.patch \ | 36 | file://0015-sync-with-OE-libtool-changes.patch \ |
37 | file://0016-Check-for-clang-before-checking-gcc-version.patch \ | 37 | file://0016-Check-for-clang-before-checking-gcc-version.patch \ |
38 | file://0017-Add-support-for-the-DW_FORM_strx-forms-to-the-BFD-li.patch \ | 38 | file://0017-Add-support-for-the-DW_FORM_strx-forms-to-the-BFD-li.patch \ |
39 | file://CVE-2021-20197.patch \ | ||
39 | " | 40 | " |
40 | S = "${WORKDIR}/git" | 41 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch new file mode 100644 index 0000000000..d6117b65a4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch | |||
@@ -0,0 +1,388 @@ | |||
1 | From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Fri, 26 Feb 2021 11:30:32 +1030 | ||
4 | Subject: [PATCH] Reinstate various pieces backed out from smart_rename changes | ||
5 | |||
6 | In the interests of a stable release various last minute smart_rename | ||
7 | patches were backed out of the 2.36 branch. The main reason to | ||
8 | reinstate some of those backed out changes here is to make necessary | ||
9 | followup fixes to commit 8e03235147a9 simple cherry-picks from | ||
10 | mainline. A secondary reason is that ar -M support isn't fixed for | ||
11 | pr26945 without this patch. | ||
12 | |||
13 | PR 26945 | ||
14 | * ar.c: Don't include libbfd.h. | ||
15 | (write_archive): Replace xmalloc+strcpy with xstrdup. | ||
16 | * arsup.c (temp_name, real_ofd): New static variables. | ||
17 | (ar_open): Use make_tempname and bfd_fdopenw. | ||
18 | (ar_save): Adjust to suit ar_open changes. | ||
19 | * objcopy.c: Don't include libbfd.h. | ||
20 | * rename.c: Rename and reorder variables. | ||
21 | |||
22 | (cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770) | ||
23 | |||
24 | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12] | ||
25 | CVE: CVE-2021-20197 | ||
26 | Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> | ||
27 | --- | ||
28 | binutils/ar.c | 6 +- | ||
29 | binutils/arsup.c | 37 ++++++++---- | ||
30 | binutils/bucomm.h | 3 +- | ||
31 | binutils/objcopy.c | 9 +-- | ||
32 | binutils/rename.c | 148 +++++++++++---------------------------------- | ||
33 | 5 files changed, 67 insertions(+), 136 deletions(-) | ||
34 | |||
35 | diff --git a/binutils/ar.c b/binutils/ar.c | ||
36 | index 45a34e3a6cf..44df48c5c67 100644 | ||
37 | --- a/binutils/ar.c | ||
38 | +++ b/binutils/ar.c | ||
39 | @@ -25,7 +25,6 @@ | ||
40 | |||
41 | #include "sysdep.h" | ||
42 | #include "bfd.h" | ||
43 | -#include "libbfd.h" | ||
44 | #include "libiberty.h" | ||
45 | #include "progress.h" | ||
46 | #include "getopt.h" | ||
47 | @@ -1255,8 +1254,7 @@ write_archive (bfd *iarch) | ||
48 | bfd *contents_head = iarch->archive_next; | ||
49 | int ofd = -1; | ||
50 | |||
51 | - old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1); | ||
52 | - strcpy (old_name, bfd_get_filename (iarch)); | ||
53 | + old_name = xstrdup (bfd_get_filename (iarch)); | ||
54 | new_name = make_tempname (old_name, &ofd); | ||
55 | |||
56 | if (new_name == NULL) | ||
57 | @@ -1308,7 +1306,7 @@ write_archive (bfd *iarch) | ||
58 | /* We don't care if this fails; we might be creating the archive. */ | ||
59 | bfd_close (iarch); | ||
60 | |||
61 | - if (smart_rename (new_name, old_name, 0) != 0) | ||
62 | + if (smart_rename (new_name, old_name, NULL) != 0) | ||
63 | xexit (1); | ||
64 | free (old_name); | ||
65 | free (new_name); | ||
66 | diff --git a/binutils/arsup.c b/binutils/arsup.c | ||
67 | index 5403a0c5d74..f7ce8f0bc82 100644 | ||
68 | --- a/binutils/arsup.c | ||
69 | +++ b/binutils/arsup.c | ||
70 | @@ -42,6 +42,8 @@ extern int deterministic; | ||
71 | |||
72 | static bfd *obfd; | ||
73 | static char *real_name; | ||
74 | +static char *temp_name; | ||
75 | +static int real_ofd; | ||
76 | static FILE *outfile; | ||
77 | |||
78 | static void | ||
79 | @@ -149,27 +151,24 @@ maybequit (void) | ||
80 | void | ||
81 | ar_open (char *name, int t) | ||
82 | { | ||
83 | - char *tname; | ||
84 | - const char *bname = lbasename (name); | ||
85 | - real_name = name; | ||
86 | + real_name = xstrdup (name); | ||
87 | + temp_name = make_tempname (real_name, &real_ofd); | ||
88 | |||
89 | - /* Prepend tmp- to the beginning, to avoid file-name clashes after | ||
90 | - truncation on filesystems with limited namespaces (DOS). */ | ||
91 | - if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1) | ||
92 | + if (temp_name == NULL) | ||
93 | { | ||
94 | - fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"), | ||
95 | + fprintf (stderr, _("%s: Can't open temporary file (%s)\n"), | ||
96 | program_name, strerror(errno)); | ||
97 | maybequit (); | ||
98 | return; | ||
99 | } | ||
100 | |||
101 | - obfd = bfd_openw (tname, NULL); | ||
102 | + obfd = bfd_fdopenw (temp_name, NULL, real_ofd); | ||
103 | |||
104 | if (!obfd) | ||
105 | { | ||
106 | fprintf (stderr, | ||
107 | _("%s: Can't open output archive %s\n"), | ||
108 | - program_name, tname); | ||
109 | + program_name, temp_name); | ||
110 | |||
111 | maybequit (); | ||
112 | } | ||
113 | @@ -344,16 +343,30 @@ ar_save (void) | ||
114 | } | ||
115 | else | ||
116 | { | ||
117 | - char *ofilename = xstrdup (bfd_get_filename (obfd)); | ||
118 | + struct stat target_stat; | ||
119 | |||
120 | if (deterministic > 0) | ||
121 | obfd->flags |= BFD_DETERMINISTIC_OUTPUT; | ||
122 | |||
123 | bfd_close (obfd); | ||
124 | |||
125 | - smart_rename (ofilename, real_name, 0); | ||
126 | + if (stat (real_name, &target_stat) != 0) | ||
127 | + { | ||
128 | + /* The temp file created in ar_open has mode 0600 as per mkstemp. | ||
129 | + Create the real empty output file here so smart_rename will | ||
130 | + update the mode according to the process umask. */ | ||
131 | + obfd = bfd_openw (real_name, NULL); | ||
132 | + if (obfd != NULL) | ||
133 | + { | ||
134 | + bfd_set_format (obfd, bfd_archive); | ||
135 | + bfd_close (obfd); | ||
136 | + } | ||
137 | + } | ||
138 | + | ||
139 | + smart_rename (temp_name, real_name, NULL); | ||
140 | obfd = 0; | ||
141 | - free (ofilename); | ||
142 | + free (temp_name); | ||
143 | + free (real_name); | ||
144 | } | ||
145 | } | ||
146 | |||
147 | diff --git a/binutils/bucomm.h b/binutils/bucomm.h | ||
148 | index 91f6a5b228f..aa7e33d8cd1 100644 | ||
149 | --- a/binutils/bucomm.h | ||
150 | +++ b/binutils/bucomm.h | ||
151 | @@ -71,7 +71,8 @@ extern void print_version (const char *); | ||
152 | /* In rename.c. */ | ||
153 | extern void set_times (const char *, const struct stat *); | ||
154 | |||
155 | -extern int smart_rename (const char *, const char *, int); | ||
156 | +extern int smart_rename (const char *, const char *, struct stat *); | ||
157 | + | ||
158 | |||
159 | /* In libiberty. */ | ||
160 | void *xmalloc (size_t); | ||
161 | diff --git a/binutils/objcopy.c b/binutils/objcopy.c | ||
162 | index eab3b6db585..73aa8bc2514 100644 | ||
163 | --- a/binutils/objcopy.c | ||
164 | +++ b/binutils/objcopy.c | ||
165 | @@ -20,7 +20,6 @@ | ||
166 | |||
167 | #include "sysdep.h" | ||
168 | #include "bfd.h" | ||
169 | -#include "libbfd.h" | ||
170 | #include "progress.h" | ||
171 | #include "getopt.h" | ||
172 | #include "libiberty.h" | ||
173 | @@ -4861,12 +4860,10 @@ strip_main (int argc, char *argv[]) | ||
174 | output_target, NULL); | ||
175 | if (status == 0) | ||
176 | { | ||
177 | - if (preserve_dates) | ||
178 | - set_times (tmpname, &statbuf); | ||
179 | if (output_file != tmpname) | ||
180 | status = (smart_rename (tmpname, | ||
181 | output_file ? output_file : argv[i], | ||
182 | - preserve_dates) != 0); | ||
183 | + preserve_dates ? &statbuf : NULL) != 0); | ||
184 | if (status == 0) | ||
185 | status = hold_status; | ||
186 | } | ||
187 | @@ -5931,11 +5928,9 @@ copy_main (int argc, char *argv[]) | ||
188 | output_target, input_arch); | ||
189 | if (status == 0) | ||
190 | { | ||
191 | - if (preserve_dates) | ||
192 | - set_times (tmpname, &statbuf); | ||
193 | if (tmpname != output_filename) | ||
194 | status = (smart_rename (tmpname, input_filename, | ||
195 | - preserve_dates) != 0); | ||
196 | + preserve_dates ? &statbuf : NULL) != 0); | ||
197 | } | ||
198 | else | ||
199 | unlink_if_ordinary (tmpname); | ||
200 | diff --git a/binutils/rename.c b/binutils/rename.c | ||
201 | index 65ad5bf52c4..72a9323d72c 100644 | ||
202 | --- a/binutils/rename.c | ||
203 | +++ b/binutils/rename.c | ||
204 | @@ -24,14 +24,9 @@ | ||
205 | |||
206 | #ifdef HAVE_GOOD_UTIME_H | ||
207 | #include <utime.h> | ||
208 | -#else /* ! HAVE_GOOD_UTIME_H */ | ||
209 | -#ifdef HAVE_UTIMES | ||
210 | +#elif defined HAVE_UTIMES | ||
211 | #include <sys/time.h> | ||
212 | -#endif /* HAVE_UTIMES */ | ||
213 | -#endif /* ! HAVE_GOOD_UTIME_H */ | ||
214 | - | ||
215 | -#if ! defined (_WIN32) || defined (__CYGWIN32__) | ||
216 | -static int simple_copy (const char *, const char *); | ||
217 | +#endif | ||
218 | |||
219 | /* The number of bytes to copy at once. */ | ||
220 | #define COPY_BUF 8192 | ||
221 | @@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to) | ||
222 | } | ||
223 | return 0; | ||
224 | } | ||
225 | -#endif /* __CYGWIN32__ or not _WIN32 */ | ||
226 | |||
227 | /* Set the times of the file DESTINATION to be the same as those in | ||
228 | STATBUF. */ | ||
229 | @@ -91,122 +85,52 @@ void | ||
230 | set_times (const char *destination, const struct stat *statbuf) | ||
231 | { | ||
232 | int result; | ||
233 | - | ||
234 | - { | ||
235 | #ifdef HAVE_GOOD_UTIME_H | ||
236 | - struct utimbuf tb; | ||
237 | - | ||
238 | - tb.actime = statbuf->st_atime; | ||
239 | - tb.modtime = statbuf->st_mtime; | ||
240 | - result = utime (destination, &tb); | ||
241 | -#else /* ! HAVE_GOOD_UTIME_H */ | ||
242 | -#ifndef HAVE_UTIMES | ||
243 | - long tb[2]; | ||
244 | - | ||
245 | - tb[0] = statbuf->st_atime; | ||
246 | - tb[1] = statbuf->st_mtime; | ||
247 | - result = utime (destination, tb); | ||
248 | -#else /* HAVE_UTIMES */ | ||
249 | - struct timeval tv[2]; | ||
250 | - | ||
251 | - tv[0].tv_sec = statbuf->st_atime; | ||
252 | - tv[0].tv_usec = 0; | ||
253 | - tv[1].tv_sec = statbuf->st_mtime; | ||
254 | - tv[1].tv_usec = 0; | ||
255 | - result = utimes (destination, tv); | ||
256 | -#endif /* HAVE_UTIMES */ | ||
257 | -#endif /* ! HAVE_GOOD_UTIME_H */ | ||
258 | - } | ||
259 | + struct utimbuf tb; | ||
260 | + | ||
261 | + tb.actime = statbuf->st_atime; | ||
262 | + tb.modtime = statbuf->st_mtime; | ||
263 | + result = utime (destination, &tb); | ||
264 | +#elif defined HAVE_UTIMES | ||
265 | + struct timeval tv[2]; | ||
266 | + | ||
267 | + tv[0].tv_sec = statbuf->st_atime; | ||
268 | + tv[0].tv_usec = 0; | ||
269 | + tv[1].tv_sec = statbuf->st_mtime; | ||
270 | + tv[1].tv_usec = 0; | ||
271 | + result = utimes (destination, tv); | ||
272 | +#else | ||
273 | + long tb[2]; | ||
274 | + | ||
275 | + tb[0] = statbuf->st_atime; | ||
276 | + tb[1] = statbuf->st_mtime; | ||
277 | + result = utime (destination, tb); | ||
278 | +#endif | ||
279 | |||
280 | if (result != 0) | ||
281 | non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno)); | ||
282 | } | ||
283 | |||
284 | -#ifndef S_ISLNK | ||
285 | -#ifdef S_IFLNK | ||
286 | -#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) | ||
287 | -#else | ||
288 | -#define S_ISLNK(m) 0 | ||
289 | -#define lstat stat | ||
290 | -#endif | ||
291 | -#endif | ||
292 | - | ||
293 | -/* Rename FROM to TO, copying if TO is a link. | ||
294 | - Return 0 if ok, -1 if error. */ | ||
295 | +/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL, | ||
296 | + is used to fix up timestamps. Return 0 if ok, -1 if error. | ||
297 | + At one time this function renamed files, but file permissions are | ||
298 | + tricky to update given the number of different schemes used by | ||
299 | + various systems. So now we just copy. */ | ||
300 | |||
301 | int | ||
302 | -smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED) | ||
303 | +smart_rename (const char *from, const char *to, | ||
304 | + struct stat *target_stat) | ||
305 | { | ||
306 | - bfd_boolean exists; | ||
307 | - struct stat s; | ||
308 | - int ret = 0; | ||
309 | - | ||
310 | - exists = lstat (to, &s) == 0; | ||
311 | - | ||
312 | -#if defined (_WIN32) && !defined (__CYGWIN32__) | ||
313 | - /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but | ||
314 | - fail instead. Also, chown is not present. */ | ||
315 | + int ret; | ||
316 | |||
317 | - if (exists) | ||
318 | - remove (to); | ||
319 | - | ||
320 | - ret = rename (from, to); | ||
321 | + ret = simple_copy (from, to); | ||
322 | if (ret != 0) | ||
323 | - { | ||
324 | - /* We have to clean up here. */ | ||
325 | - non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); | ||
326 | - unlink (from); | ||
327 | - } | ||
328 | -#else | ||
329 | - /* Use rename only if TO is not a symbolic link and has | ||
330 | - only one hard link, and we have permission to write to it. */ | ||
331 | - if (! exists | ||
332 | - || (!S_ISLNK (s.st_mode) | ||
333 | - && S_ISREG (s.st_mode) | ||
334 | - && (s.st_mode & S_IWUSR) | ||
335 | - && s.st_nlink == 1) | ||
336 | - ) | ||
337 | - { | ||
338 | - ret = rename (from, to); | ||
339 | - if (ret == 0) | ||
340 | - { | ||
341 | - if (exists) | ||
342 | - { | ||
343 | - /* Try to preserve the permission bits and ownership of | ||
344 | - TO. First get the mode right except for the setuid | ||
345 | - bit. Then change the ownership. Then fix the setuid | ||
346 | - bit. We do the chmod before the chown because if the | ||
347 | - chown succeeds, and we are a normal user, we won't be | ||
348 | - able to do the chmod afterward. We don't bother to | ||
349 | - fix the setuid bit first because that might introduce | ||
350 | - a fleeting security problem, and because the chown | ||
351 | - will clear the setuid bit anyhow. We only fix the | ||
352 | - setuid bit if the chown succeeds, because we don't | ||
353 | - want to introduce an unexpected setuid file owned by | ||
354 | - the user running objcopy. */ | ||
355 | - chmod (to, s.st_mode & 0777); | ||
356 | - if (chown (to, s.st_uid, s.st_gid) >= 0) | ||
357 | - chmod (to, s.st_mode & 07777); | ||
358 | - } | ||
359 | - } | ||
360 | - else | ||
361 | - { | ||
362 | - /* We have to clean up here. */ | ||
363 | - non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); | ||
364 | - unlink (from); | ||
365 | - } | ||
366 | - } | ||
367 | - else | ||
368 | - { | ||
369 | - ret = simple_copy (from, to); | ||
370 | - if (ret != 0) | ||
371 | - non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno)); | ||
372 | + non_fatal (_("unable to copy file '%s'; reason: %s"), | ||
373 | + to, strerror (errno)); | ||
374 | |||
375 | - if (preserve_dates) | ||
376 | - set_times (to, &s); | ||
377 | - unlink (from); | ||
378 | - } | ||
379 | -#endif /* _WIN32 && !__CYGWIN32__ */ | ||
380 | + if (target_stat != NULL) | ||
381 | + set_times (to, target_stat); | ||
382 | + unlink (from); | ||
383 | |||
384 | return ret; | ||
385 | } | ||
386 | -- | ||
387 | 2.17.1 | ||
388 | |||