binutils: Fix CVE-2020-35448

Fix related to a buffer overflow in bfd library CVE Details https://nvd.nist.gov/vuln/detail/CVE-2020-35448 Upstream Tracking https://sourceware.org/bugzilla/show_bug.cgi?id=26574 Patch from Upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; h=8642dafaef21aa6747cec01df1977e9c52eb4679 (From OE-Core rev: f097519cb5d2acc65674f3a1d4c1c716cd2e75ca) Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cb83312131f6c4f69d89d639085e07ea1f53167e) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Fan Yu <yifan.yu@windriver.com> 2021-01-15 12:41:29 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-01-27 09:32:45 +0000
commit: 5251cbb92ad75018ae9ec801fdea9265dd57ea86 (patch)
tree: 48f2bd42c62807897c5a04ea04ca4dc43bdf95be /meta/recipes-devtools
parent: 38d5c5e7fd87efb441a99e69ed7b4760a8b082c7 (diff)
download: poky-5251cbb92ad75018ae9ec801fdea9265dd57ea86.tar.gz
2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index c92cb75543..775af2b8f2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -43,5 +43,6 @@ SRC_URI = "\
     file://0016-Check-for-clang-before-checking-gcc-version.patch \
     file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
     file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
+     file://CVE-2020-35448.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
new file mode 100644
index 0000000000..3bc64776e5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
@@ -0,0 +1,85 @@
+From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 4 Sep 2020 19:19:18 +0930
+Subject: [PATCH] PR26574, heap buffer overflow in
+ _bfd_elf_slurp_secondary_reloc_section
+A horribly fuzzed object with section headers inside the ELF header.
+Disallow that, and crazy reloc sizes.
+        PR 26574
+        * elfcode.h (elf_object_p): Sanity check section header offset.
+        * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
+        sh_entsize.
+Upstream-Status: Backport
+CVE: CVE-2020-35448
+Reference to upstream patch:
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
+    h=8642dafaef21aa6747cec01df1977e9c52eb4679
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ bfd/elf.c     | 4 +++-
+ bfd/elfcode.h | 8 ++++----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+diff --git a/bfd/elf.c b/bfd/elf.c
+index fe375e7346..9f29166399 100644
+--- a/bfd/elf.c
+++ b/bfd/elf.c
+@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-         && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+         && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+         && (hdr->sh_entsize == ebd->s->sizeof_rel
+             || hdr->sh_entsize == ebd->s->sizeof_rela))
+        {
+          bfd_byte * native_relocs;
+          bfd_byte * native_reloc;
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f4a7829f27..54ef890637 100644
+--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+        }
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+ 
+-- 
+2.29.2
author	Yi Fan Yu <yifan.yu@windriver.com>	2021-01-15 12:41:29 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-01-27 09:32:45 +0000
commit	5251cbb92ad75018ae9ec801fdea9265dd57ea86 (patch)
tree	48f2bd42c62807897c5a04ea04ca4dc43bdf95be /meta/recipes-devtools
parent	38d5c5e7fd87efb441a99e69ed7b4760a8b082c7 (diff)
download	poky-5251cbb92ad75018ae9ec801fdea9265dd57ea86.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc index c92cb75543..775af2b8f2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -43,5 +43,6 @@ SRC_URI = "\
43	file://0016-Check-for-clang-before-checking-gcc-version.patch \	43	file://0016-Check-for-clang-before-checking-gcc-version.patch \
44	file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \	44	file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
45	file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \	45	file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
		46	file://CVE-2020-35448.patch \
46	"	47	"
47	S = "${WORKDIR}/git"	48	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch new file mode 100644 index 0000000000..3bc64776e5 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
@@ -0,0 +1,85 @@
		1	From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Fri, 4 Sep 2020 19:19:18 +0930
		4	Subject: [PATCH] PR26574, heap buffer overflow in
		5	_bfd_elf_slurp_secondary_reloc_section
		6
		7	A horribly fuzzed object with section headers inside the ELF header.
		8	Disallow that, and crazy reloc sizes.
		9
		10	PR 26574
		11	* elfcode.h (elf_object_p): Sanity check section header offset.
		12	* elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
		13	sh_entsize.
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2020-35448
		17
		18	Reference to upstream patch:
		19	https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
		20	h=8642dafaef21aa6747cec01df1977e9c52eb4679
		21
		22	Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
		23	---
		24	bfd/elf.c \| 4 +++-
		25	bfd/elfcode.h \| 8 ++++----
		26	2 files changed, 7 insertions(+), 5 deletions(-)
		27
		28	diff --git a/bfd/elf.c b/bfd/elf.c
		29	index fe375e7346..9f29166399 100644
		30	--- a/bfd/elf.c
		31	+++ b/bfd/elf.c
		32	@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
		33	Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
		34
		35	if (hdr->sh_type == SHT_SECONDARY_RELOC
		36	- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
		37	+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
		38	+ && (hdr->sh_entsize == ebd->s->sizeof_rel
		39	+ \|\| hdr->sh_entsize == ebd->s->sizeof_rela))
		40	{
		41	bfd_byte * native_relocs;
		42	bfd_byte * native_reloc;
		43	diff --git a/bfd/elfcode.h b/bfd/elfcode.h
		44	index f4a7829f27..54ef890637 100644
		45	--- a/bfd/elfcode.h
		46	+++ b/bfd/elfcode.h
		47	@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
		48
		49	/* If this is a relocatable file and there is no section header
		50	table, then we're hosed. */
		51	- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
		52	+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
		53	goto got_wrong_format_error;
		54
		55	/* As a simple sanity check, verify that what BFD thinks is the
		56	@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
		57	goto got_wrong_format_error;
		58
		59	/* Further sanity check. */
		60	- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
		61	+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
		62	goto got_wrong_format_error;
		63
		64	ebd = get_elf_backend_data (abfd);
		65	@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
		66	&& ebd->elf_osabi != ELFOSABI_NONE)
		67	goto got_wrong_format_error;
		68
		69	- if (i_ehdrp->e_shoff != 0)
		70	+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
		71	{
		72	file_ptr where = (file_ptr) i_ehdrp->e_shoff;
		73
		74	@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
		75	}
		76	}
		77
		78	- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
		79	+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
		80	{
		81	unsigned int num_sec;
		82
		83	--
		84	2.29.2
		85