authorRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-06 20:58:40 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-07 10:08:59 +0000
commit1dfa8537a3ede339f0cf18ef41cf08059f4c2c6c (patch)
tree6ca8bae7b4d7845c6037acc56cac035f08a4b04b /meta/recipes-devtools/binutils
parent2ef6fddc9832d3d8c4b789e0a29b3dfd3bf6634e (diff)
binutils: Add fix for CVE-2021-45078
Backport a fix for CVE-2021-45078. (From OE-Core rev: f3128fd1b2e5cbf3683dc69eabc56fbc0bd0e7d5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.37.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch247
2 files changed, 248 insertions, 0 deletions
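--- a/meta/recipes-devtools/binutils/binutils-2.37.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.37.inc
@@ -34,5 +34,6 @@ SRC_URI = "\
  file://0017-bfd-Close-the-file-descriptor-if-there-is-no-archive.patch \
  file://0001-elf-Discard-input-.note.gnu.build-id-sections.patch \
  file://0001-CVE-2021-42574.patch \
+ file://161e87d12167b1e36193385485c1f6ce92f74f02.patch \
 "
 S = "${WORKDIR}/git"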
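--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch
@@ -0,0 +1,247 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 01:18:42 +0000 (+1030)
+Subject: PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+CVE: CVE-2021-45078
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+ PR 28694
+ * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+ Negate typenum earlier, simplifying bounds checking. Correct
+ off-by-one indexing. Adjust switch cases.
+---
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bool stab_record_type
+ (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+ (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+ {
+ debug_type rettype;
+ const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+ {
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+ return DEBUG_TYPE_NULL;
+ }
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+ {
+- case 1:
++ case 0:
+ /* The size of this and all the other types are fixed, defined
+ by the debugging format. */
+ name = "int";
+ rettype = debug_make_int_type (dhandle, 4, false);
+ break;
+- case 2:
++ case 1:
+ name = "char";
+ rettype = debug_make_int_type (dhandle, 1, false);
+ break;
+- case 3:
++ case 2:
+ name = "short";
+ rettype = debug_make_int_type (dhandle, 2, false);
+ break;
+- case 4:
++ case 3:
+ name = "long";
+ rettype = debug_make_int_type (dhandle, 4, false);
+ break;
+- case 5:
++ case 4:
+ name = "unsigned char";
+ rettype = debug_make_int_type (dhandle, 1, true);
+ break;
+- case 6:
++ case 5:
+ name = "signed char";
+ rettype = debug_make_int_type (dhandle, 1, false);
+ break;
+- case 7:
++ case 6:
+ name = "unsigned short";
+ rettype = debug_make_int_type (dhandle, 2, true);
+ break;
+- case 8:
++ case 7:
+ name = "unsigned int";
+ rettype = debug_make_int_type (dhandle, 4, true);
+ break;
+- case 9:
++ case 8:
+ name = "unsigned";
+ rettype = debug_make_int_type (dhandle, 4, true);
+ break;
+- case 10:
++ case 9:
+ name = "unsigned long";
+ rettype = debug_make_int_type (dhandle, 4, true);
+ break;
+- case 11:
++ case 10:
+ name = "void";
+ rettype = debug_make_void_type (dhandle);
+ break;
+- case 12:
++ case 11:
+ /* IEEE single precision (32 bit). */
+ name = "float";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 13:
++ case 12:
+ /* IEEE double precision (64 bit). */
+ name = "double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 14:
++ case 13:
+ /* This is an IEEE double on the RS/6000, and different machines
+ with different sizes for "long double" should use different
+ negative type numbers. See stabs.texinfo. */
+ name = "long double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 15:
++ case 14:
+ name = "integer";
+ rettype = debug_make_int_type (dhandle, 4, false);
+ break;
+- case 16:
++ case 15:
+ name = "boolean";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 17:
++ case 16:
+ name = "short real";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 18:
++ case 17:
+ name = "real";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 19:
++ case 18:
+ /* FIXME */
+ name = "stringptr";
+ rettype = NULL;
+ break;
+- case 20:
++ case 19:
+ /* FIXME */
+ name = "character";
+ rettype = debug_make_int_type (dhandle, 1, true);
+ break;
+- case 21:
++ case 20:
+ name = "logical*1";
+ rettype = debug_make_bool_type (dhandle, 1);
+ break;
+- case 22:
++ case 21:
+ name = "logical*2";
+ rettype = debug_make_bool_type (dhandle, 2);
+ break;
+- case 23:
++ case 22:
+ name = "logical*4";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 24:
++ case 23:
+ name = "logical";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 25:
++ case 24:
+ /* Complex type consisting of two IEEE single precision values. */
+ name = "complex";
+ rettype = debug_make_complex_type (dhandle, 8);
+ break;
+- case 26:
++ case 25:
+ /* Complex type consisting of two IEEE double precision values. */
+ name = "double complex";
+ rettype = debug_make_complex_type (dhandle, 16);
+ break;
+- case 27:
++ case 26:
+ name = "integer*1";
+ rettype = debug_make_int_type (dhandle, 1, false);
+ break;
+- case 28:
++ case 27:
+ name = "integer*2";
+ rettype = debug_make_int_type (dhandle, 2, false);
+ break;
+- case 29:
++ case 28:
+ name = "integer*4";
+ rettype = debug_make_int_type (dhandle, 4, false);
+ break;
+- case 30:
++ case 29:
+ /* FIXME */
+ name = "wchar";
+ rettype = debug_make_int_type (dhandle, 2, false);
+ break;
+- case 31:
++ case 30:
+ name = "long long";
+ rettype = debug_make_int_type (dhandle, 8, false);
+ break;
+- case 32:
++ case 31:
+ name = "unsigned long long";
+ rettype = debug_make_int_type (dhandle, 8, true);
+ break;
+- case 33:
++ case 32:
+ name = "logical*8";
+ rettype = debug_make_bool_type (dhandle, 8);
+ break;
+- case 34:
++ case 33:
+ name = "integer*8";
+ rettype = debug_make_int_type (dhandle, 8, false);
+ break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+ }
+
+ rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+ return rettype;
+ }
+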
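Review bot: In the error path of `stab_xcoff_builtin_type` (patch line 44) the `%d` conversion is now given `-typenum - 1`, which is an `unsigned int` expression once the parameter is unsigned, so the format and argument types no longer match. Casting keeps the message printing the original negative type number without relying on that mismatch: `fprintf (stderr, _("Unrecognized XCOFF type %d\n"), (int) (-typenum - 1));`. The remap on patch line 40 also carries the whole bounds check and deserves a comment, for example `/* Map XCOFF builtin type numbers -1, -2, ... to indices 0, 1, ...; any other input wraps to a large unsigned value and fails the check below.  */`. The switch's default case and the declaration of `xcoff_types` are outside the visible hunks, so the array is assumed to hold XCOFF_TYPE_COUNT entries. As this is a backport, both suggestions are probably best raised upstream rather than changed locally.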