diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2021-05-07 22:58:49 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-13 22:10:06 +0100 |
commit | 416eef4a0715d9ce429d0e814fa02ed37d2580d4 (patch) | |
tree | d90e30a88201c2bf212d4c2aceb7682601aa7ccc /meta/recipes-devtools | |
parent | 9f7559aa4f6e519e88ed5ee431edba76a4267204 (diff) | |
download | poky-416eef4a0715d9ce429d0e814fa02ed37d2580d4.tar.gz |
binutils: fix CVE-2021-3487
drop changes to changelog file in the patch so it can be backport.
(From OE-Core rev: c955d1fc332b8c0a931ffa4a068844981406ae8a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.34.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch | 83 |
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index a586faf5ab..3e10279b1d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc | |||
@@ -47,5 +47,6 @@ SRC_URI = "\ | |||
47 | file://CVE-2020-16592.patch \ | 47 | file://CVE-2020-16592.patch \ |
48 | file://CVE-2020-16598.patch \ | 48 | file://CVE-2020-16598.patch \ |
49 | file://CVE-2021-20197.patch \ | 49 | file://CVE-2021-20197.patch \ |
50 | file://CVE-2021-3487.patch \ | ||
50 | " | 51 | " |
51 | S = "${WORKDIR}/git" | 52 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch new file mode 100644 index 0000000000..1502d03f43 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Thu, 26 Nov 2020 17:08:33 +0000 | ||
4 | Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt | ||
5 | DWARF debug sections. | ||
6 | |||
7 | PR 26946 | ||
8 | * dwarf2.c (read_section): Check for debug sections with excessive | ||
9 | sizes. | ||
10 | |||
11 | |||
12 | Upstream-Status: Backport [ | ||
13 | https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24 | ||
14 | ] | ||
15 | CVE: CVE-2021-3487 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | |||
18 | --- | ||
19 | bfd/dwarf2.c | 25 +++++++++++++++++++------ | ||
20 | 1 files changed, 25 insertions(+), 6 deletions(-) | ||
21 | |||
22 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c | ||
23 | index 977bf43a6a1..8bbfc81d3e7 100644 | ||
24 | --- a/bfd/dwarf2.c | ||
25 | +++ b/bfd/dwarf2.c | ||
26 | @@ -531,22 +531,24 @@ read_section (bfd * abfd, | ||
27 | bfd_byte ** section_buffer, | ||
28 | bfd_size_type * section_size) | ||
29 | { | ||
30 | - asection *msec; | ||
31 | const char *section_name = sec->uncompressed_name; | ||
32 | bfd_byte *contents = *section_buffer; | ||
33 | - bfd_size_type amt; | ||
34 | |||
35 | /* The section may have already been read. */ | ||
36 | if (contents == NULL) | ||
37 | { | ||
38 | + bfd_size_type amt; | ||
39 | + asection *msec; | ||
40 | + ufile_ptr filesize; | ||
41 | + | ||
42 | msec = bfd_get_section_by_name (abfd, section_name); | ||
43 | - if (! msec) | ||
44 | + if (msec == NULL) | ||
45 | { | ||
46 | section_name = sec->compressed_name; | ||
47 | if (section_name != NULL) | ||
48 | msec = bfd_get_section_by_name (abfd, section_name); | ||
49 | } | ||
50 | - if (! msec) | ||
51 | + if (msec == NULL) | ||
52 | { | ||
53 | _bfd_error_handler (_("DWARF error: can't find %s section."), | ||
54 | sec->uncompressed_name); | ||
55 | @@ -554,12 +556,23 @@ read_section (bfd * abfd, | ||
56 | return FALSE; | ||
57 | } | ||
58 | |||
59 | - *section_size = msec->rawsize ? msec->rawsize : msec->size; | ||
60 | + amt = bfd_get_section_limit_octets (abfd, msec); | ||
61 | + filesize = bfd_get_file_size (abfd); | ||
62 | + if (amt >= filesize) | ||
63 | + { | ||
64 | + /* PR 26946 */ | ||
65 | + _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"), | ||
66 | + section_name, (long) amt, (long) filesize); | ||
67 | + bfd_set_error (bfd_error_bad_value); | ||
68 | + return FALSE; | ||
69 | + } | ||
70 | + *section_size = amt; | ||
71 | /* Paranoia - alloc one extra so that we can make sure a string | ||
72 | section is NUL terminated. */ | ||
73 | - amt = *section_size + 1; | ||
74 | + amt += 1; | ||
75 | if (amt == 0) | ||
76 | { | ||
77 | + /* Paranoia - this should never happen. */ | ||
78 | bfd_set_error (bfd_error_no_memory); | ||
79 | return FALSE; | ||
80 | } | ||
81 | -- | ||
82 | 2.27.0 | ||
83 | |||