binutils: fix CVE-2020-16592/16598

fix CVE-2020-16592 & CVE-2020-16598 removed changes to Changelog in patch file (From OE-Core rev: 02870c7fbaaa1c3869ecb439f5c58fcf40a533be) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-12-14 18:52:54 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-12-18 14:20:20 +0000
commit: e79ccaa277d8a67429e5b5693236e2c98e395f24 (patch)
tree: 40009013ed769a45715e9e798afb3cecaa61e4ca /meta/recipes-devtools/binutils
parent: 2ccfb319b5e019d7c5f8283bcd0e40805ff27abb (diff)
download: poky-e79ccaa277d8a67429e5b5693236e2c98e395f24.tar.gz
3 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index b5f5a1c69a..f557fe970c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
     file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
     file://CVE-2020-0551.patch \
     file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+     file://CVE-2020-16592.patch \
+     file://CVE-2020-16598.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
new file mode 100644
index 0000000000..f5f9ccdd53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
+From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Apr 2020 18:58:11 +0930
+Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
+        PR 25823
+        * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+        pointer into strings that may be freed for section name, always
+        allocate a new string.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
+CVE: CVE-2020-16592
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ bfd/peXXigen.c | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+ 
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b9eeb775d9b..8aa5914acd9 100644
+--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
+@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
+          int unused_section_number = 0;
+          asection *sec;
+          flagword flags;
+         size_t name_len;
+         char *sec_name;
+ 
+          for (sec = abfd->sections; sec; sec = sec->next)
+            if (unused_section_number <= sec->target_index)
+              unused_section_number = sec->target_index + 1;
+ 
+-         if (name == namebuf)
+         name_len = strlen (name) + 1;
+         sec_name = bfd_alloc (abfd, name_len);
+         if (sec_name == NULL)
+            {
+-             name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
+-             if (name == NULL)
+-               {
+-                 _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
+-                                     abfd);
+-                 return;
+-               }
+-             strcpy ((char *) name, namebuf);
+             _bfd_error_handler (_("%pB: out of memory creating name "
+                                   "for empty section"), abfd);
+             return;
+            }
+         memcpy (sec_name, name, name_len);
+ 
+          flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
+-         sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
+         sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
+          if (sec == NULL)
+            {
+              _bfd_error_handler (_("%pB: unable to create fake empty section"),
+-- 
+2.27.0
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
new file mode 100644
index 0000000000..52bd925c97
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
+From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Apr 2020 10:38:16 +0930
+Subject: [PATCH] PR25840, Null pointer dereference in objdump
+        PR 25840
+        * debug.c (debug_class_type_samep): Don't segfault on NULL type.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
+CVE: CVE-2020-16598
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ binutils/debug.c   | 2 ++
+ 1 files changed, 2 insertions(+)
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4edffb..5470e155edc 100644
+--- a/binutils/debug.c
+++ b/binutils/debug.c
+@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+              names, since that sometimes fails in the presence of
+              typedefs and we really don't care.  */
+          if (strcmp (f1->name, f2->name) != 0
+             || f1->type == NULL
+             || f2->type == NULL
+              || ! debug_type_samep (info,
+                                     debug_get_real_type ((void *) info,
+                                                          f1->type, NULL),
+-- 
+2.27.0
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-12-14 18:52:54 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-12-18 14:20:20 +0000
commit	e79ccaa277d8a67429e5b5693236e2c98e395f24 (patch)
tree	40009013ed769a45715e9e798afb3cecaa61e4ca /meta/recipes-devtools/binutils
parent	2ccfb319b5e019d7c5f8283bcd0e40805ff27abb (diff)
download	poky-e79ccaa277d8a67429e5b5693236e2c98e395f24.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index b5f5a1c69a..f557fe970c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
44	file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \	44	file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
45	file://CVE-2020-0551.patch \	45	file://CVE-2020-0551.patch \
46	file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \	46	file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
		47	file://CVE-2020-16592.patch \
		48	file://CVE-2020-16598.patch \
47	"	49	"
48	S = "${WORKDIR}/git"	50	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch new file mode 100644 index 0000000000..f5f9ccdd53 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
		1	From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Wed, 15 Apr 2020 18:58:11 +0930
		4	Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
		5
		6	PR 25823
		7	* peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
		8	pointer into strings that may be freed for section name, always
		9	allocate a new string.
		10
		11	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
		12	CVE: CVE-2020-16592
		13	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		14
		15	---
		16	bfd/peXXigen.c \| 20 ++++++++++----------
		17	1 files changed, 10 insertions(+), 10 deletions(-)
		18
		19	diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
		20	index b9eeb775d9b..8aa5914acd9 100644
		21	--- a/bfd/peXXigen.c
		22	+++ b/bfd/peXXigen.c
		23	@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
		24	int unused_section_number = 0;
		25	asection *sec;
		26	flagword flags;
		27	+ size_t name_len;
		28	+ char *sec_name;
		29
		30	for (sec = abfd->sections; sec; sec = sec->next)
		31	if (unused_section_number <= sec->target_index)
		32	unused_section_number = sec->target_index + 1;
		33
		34	- if (name == namebuf)
		35	+ name_len = strlen (name) + 1;
		36	+ sec_name = bfd_alloc (abfd, name_len);
		37	+ if (sec_name == NULL)
		38	{
		39	- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
		40	- if (name == NULL)
		41	- {
		42	- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
		43	- abfd);
		44	- return;
		45	- }
		46	- strcpy ((char *) name, namebuf);
		47	+ _bfd_error_handler (_("%pB: out of memory creating name "
		48	+ "for empty section"), abfd);
		49	+ return;
		50	}
		51	+ memcpy (sec_name, name, name_len);
		52
		53	flags = SEC_HAS_CONTENTS \| SEC_ALLOC \| SEC_DATA \| SEC_LOAD;
		54	- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
		55	+ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
		56	if (sec == NULL)
		57	{
		58	_bfd_error_handler (_("%pB: unable to create fake empty section"),
		59	--
		60	2.27.0
		61


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch new file mode 100644 index 0000000000..52bd925c97 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
		1	From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Fri, 17 Apr 2020 10:38:16 +0930
		4	Subject: [PATCH] PR25840, Null pointer dereference in objdump
		5
		6	PR 25840
		7	* debug.c (debug_class_type_samep): Don't segfault on NULL type.
		8
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
		10	CVE: CVE-2020-16598
		11	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		12
		13	---
		14	binutils/debug.c \| 2 ++
		15	1 files changed, 2 insertions(+)
		16
		17	diff --git a/binutils/debug.c b/binutils/debug.c
		18	index 022fa4edffb..5470e155edc 100644
		19	--- a/binutils/debug.c
		20	+++ b/binutils/debug.c
		21	@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle info, struct debug_type_s t1,
		22	names, since that sometimes fails in the presence of
		23	typedefs and we really don't care. */
		24	if (strcmp (f1->name, f2->name) != 0
		25	+ \|\| f1->type == NULL
		26	+ \|\| f2->type == NULL
		27	\|\| ! debug_type_samep (info,
		28	debug_get_real_type ((void *) info,
		29	f1->type, NULL),
		30	--
		31	2.27.0
		32