2 files changed, 205 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 1c1118df54..6104bec591 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -49,5 +49,6 @@ SRC_URI = "\
     file://CVE-2021-20197.patch \
     file://CVE-2021-3487.patch \
     file://CVE-2021-3549.patch \
+     file://CVE-2020-16593.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..cbe4a50507
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+    PR 25827
+    * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines.  Don't
+    strdup(0).
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+ /* This data structure holds the information of an abbrev.  */
+ struct abbrev_info
+ {
+-  unsigned int number;         /* Number identifying abbrev.  */
+-  enum dwarf_tag tag;          /* DWARF tag.  */
+-  int has_children;            /* Boolean.  */
+-  unsigned int num_attrs;      /* Number of attributes.  */
+-  struct attr_abbrev *attrs;   /* An array of attribute descriptions.  */
+-  struct abbrev_info *next;    /* Next in chain.  */
+  unsigned int         number;     /* Number identifying abbrev.  */
+  enum dwarf_tag       tag;        /* DWARF tag.  */
+  bfd_boolean          has_children;   /* TRUE if the abbrev has children.  */
+  unsigned int         num_attrs;  /* Number of attributes.  */
+  struct attr_abbrev * attrs;      /* An array of attribute descriptions.  */
+  struct abbrev_info * next;       /* Next in chain.  */
+ };
+ 
+ struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+ {
+   /* Pointer to previous variable in list of all variables */
+   struct varinfo *prev_var;
+  /* The offset of the varinfo from the start of the unit.  */
+  bfd_uint64_t unit_offset;
+   /* Source location file name */
+   char *file;
+   /* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+   /* Where the symbol is defined */
+   asection *sec;
+   /* Is this a stack variable? */
+-  unsigned int stack: 1;
+  bfd_boolean stack;
+ };
+ 
+ /* Return TRUE if NEW_LINE should sort after LINE.  */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+   struct varinfo* each;
+ 
+   for (each = unit->variable_table; each; each = each->prev_var)
+-    if (each->stack == 0
+    if (! each->stack
+        && each->file != NULL
+        && each->name != NULL
+        && each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+   return TRUE;
+ }
+ 
+static struct varinfo *
+lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
+{
+  while (table)
+    {
+      if (table->unit_offset == offset)
+   return table;
+      table = table->prev_var;
+    }
+
+  return NULL;
+}
+
+
+ /* DWARF2 Compilation unit functions.  */
+ 
+ /* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+       bfd_vma low_pc = 0;
+       bfd_vma high_pc = 0;
+       bfd_boolean high_pc_relative = FALSE;
+      bfd_uint64_t current_offset;
+       
+      current_offset = info_ptr - unit->info_ptr_unit;
+ 
+       /* PR 17512: file: 9f405d9d.  */
+       if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+          goto fail;
+        }
+ 
+-      var = NULL;
+       if (abbrev->tag == DW_TAG_subprogram
+          || abbrev->tag == DW_TAG_entry_point
+          || abbrev->tag == DW_TAG_inlined_subroutine)
+        {
+          bfd_size_type amt = sizeof (struct funcinfo);
+
+      var = NULL;
+          func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+          if (func == NULL)
+            goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+              if (var == NULL)
+                goto fail;
+              var->tag = abbrev->tag;
+-             var->stack = 1;
+             var->stack = TRUE;
+              var->prev_var = unit->variable_table;
+              unit->variable_table = var;
+          var->unit_offset = current_offset;
+              /* PR 18205: Missing debug information can cause this
+                 var to be attached to an already cached unit.  */
+            }
+-
+         else
+           var = NULL;
+          /* No inline function in scope at this nesting level.  */
+          nested_funcs[nesting_level].func = 0;
+        }
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+            {
+              switch (attr.name)
+                {
+       case DW_AT_specification:
+         if (attr.u.val)
+           {
+             struct varinfo * spec_var;
+
+             spec_var = lookup_var_by_offset (attr.u.val,
+                              unit->variable_table);
+             if (spec_var == NULL)
+           {
+             _bfd_error_handler (_("DWARF error: could not find "
+                       "variable specification "
+                       "at offset %lx"),
+                         (unsigned long) attr.u.val);
+             break;
+           }
+
+             if (var->name == NULL)
+           var->name = spec_var->name;
+             if (var->file == NULL && spec_var->file != NULL)
+           var->file = strdup (spec_var->file);
+             if (var->line == 0)
+           var->line = spec_var->line;
+             if (var->sec == NULL)
+           var->sec = spec_var->sec;
+           }
+         break;
+
+                case DW_AT_name:
+                  if (is_str_attr (attr.form))
+                    var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+ 
+                case DW_AT_external:
+                  if (attr.u.val != 0)
+-                   var->stack = 0;
+                   var->stack = FALSE;
+                  break;
+ 
+                case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+                      if (attr.u.blk->data != NULL
+                          && *attr.u.blk->data == DW_OP_addr)
+                        {
+-                         var->stack = 0;
+                         var->stack = FALSE;
+ 
+                          /* Verify that DW_OP_addr is the only opcode in the
+                             location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+        each_var = each_var->prev_var)
+     {
+       /* Skip stack vars and vars with no files or names.  */
+-      if (each_var->stack == 0
+      if (! each_var->stack
+          && each_var->file != NULL
+          && each_var->name != NULL)
+        /* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2020-04-16  Alan Modra  <amodra@gmail.com>
+
+       PR 25827
+       * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines.  Don't
+       strdup(0).
+
+ 2020-02-19  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/25355

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 1c1118df54..6104bec591 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -49,5 +49,6 @@ SRC_URI = "\
49	file://CVE-2021-20197.patch \	49	file://CVE-2021-20197.patch \
50	file://CVE-2021-3487.patch \	50	file://CVE-2021-3487.patch \
51	file://CVE-2021-3549.patch \	51	file://CVE-2021-3549.patch \
		52	file://CVE-2020-16593.patch \
52	"	53	"
53	S = "${WORKDIR}/git"	54	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch new file mode 100644 index 0000000000..cbe4a50507 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
		1	From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 16 Apr 2020 17:49:38 +0930
		4	Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
		5
		6	PR 25827
		7	* dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
		8	strdup(0).
		9
		10	Upstream-Status: Backport
		11	https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
		12	CVE: CVE-2020-16593
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15
		16	Index: git/bfd/dwarf2.c
		17	===================================================================
		18	--- git.orig/bfd/dwarf2.c
		19	+++ git/bfd/dwarf2.c
		20	@@ -295,12 +295,12 @@ struct comp_unit
		21	/* This data structure holds the information of an abbrev. */
		22	struct abbrev_info
		23	{
		24	- unsigned int number; /* Number identifying abbrev. */
		25	- enum dwarf_tag tag; /* DWARF tag. */
		26	- int has_children; /* Boolean. */
		27	- unsigned int num_attrs; /* Number of attributes. */
		28	- struct attr_abbrev attrs; / An array of attribute descriptions. */
		29	- struct abbrev_info next; / Next in chain. */
		30	+ unsigned int number; /* Number identifying abbrev. */
		31	+ enum dwarf_tag tag; /* DWARF tag. */
		32	+ bfd_boolean has_children; /* TRUE if the abbrev has children. */
		33	+ unsigned int num_attrs; /* Number of attributes. */
		34	+ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
		35	+ struct abbrev_info * next; /* Next in chain. */
		36	};
		37
		38	struct attr_abbrev
		39	@@ -1487,6 +1487,8 @@ struct varinfo
		40	{
		41	/* Pointer to previous variable in list of all variables */
		42	struct varinfo *prev_var;
		43	+ /* The offset of the varinfo from the start of the unit. */
		44	+ bfd_uint64_t unit_offset;
		45	/* Source location file name */
		46	char *file;
		47	/* Source location line number */
		48	@@ -1497,7 +1499,7 @@ struct varinfo
		49	/* Where the symbol is defined */
		50	asection *sec;
		51	/* Is this a stack variable? */
		52	- unsigned int stack: 1;
		53	+ bfd_boolean stack;
		54	};
		55
		56	/* Return TRUE if NEW_LINE should sort after LINE. */
		57	@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
		58	struct varinfo* each;
		59
		60	for (each = unit->variable_table; each; each = each->prev_var)
		61	- if (each->stack == 0
		62	+ if (! each->stack
		63	&& each->file != NULL
		64	&& each->name != NULL
		65	&& each->addr == addr
		66	@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
		67	return TRUE;
		68	}
		69
		70	+static struct varinfo *
		71	+lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
		72	+{
		73	+ while (table)
		74	+ {
		75	+ if (table->unit_offset == offset)
		76	+ return table;
		77	+ table = table->prev_var;
		78	+ }
		79	+
		80	+ return NULL;
		81	+}
		82	+
		83	+
		84	/* DWARF2 Compilation unit functions. */
		85
		86	/* Scan over each die in a comp. unit looking for functions to add
		87	@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
		88	bfd_vma low_pc = 0;
		89	bfd_vma high_pc = 0;
		90	bfd_boolean high_pc_relative = FALSE;
		91	+ bfd_uint64_t current_offset;
		92	+
		93	+ current_offset = info_ptr - unit->info_ptr_unit;
		94
		95	/* PR 17512: file: 9f405d9d. */
		96	if (info_ptr >= info_ptr_end)
		97	@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
		98	goto fail;
		99	}
		100
		101	- var = NULL;
		102	if (abbrev->tag == DW_TAG_subprogram
		103	\|\| abbrev->tag == DW_TAG_entry_point
		104	\|\| abbrev->tag == DW_TAG_inlined_subroutine)
		105	{
		106	bfd_size_type amt = sizeof (struct funcinfo);
		107	+
		108	+ var = NULL;
		109	func = (struct funcinfo *) bfd_zalloc (abfd, amt);
		110	if (func == NULL)
		111	goto fail;
		112	@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
		113	if (var == NULL)
		114	goto fail;
		115	var->tag = abbrev->tag;
		116	- var->stack = 1;
		117	+ var->stack = TRUE;
		118	var->prev_var = unit->variable_table;
		119	unit->variable_table = var;
		120	+ var->unit_offset = current_offset;
		121	/* PR 18205: Missing debug information can cause this
		122	var to be attached to an already cached unit. */
		123	}
		124	-
		125	+ else
		126	+ var = NULL;
		127	/* No inline function in scope at this nesting level. */
		128	nested_funcs[nesting_level].func = 0;
		129	}
		130	@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
		131	{
		132	switch (attr.name)
		133	{
		134	+ case DW_AT_specification:
		135	+ if (attr.u.val)
		136	+ {
		137	+ struct varinfo * spec_var;
		138	+
		139	+ spec_var = lookup_var_by_offset (attr.u.val,
		140	+ unit->variable_table);
		141	+ if (spec_var == NULL)
		142	+ {
		143	+ _bfd_error_handler (_("DWARF error: could not find "
		144	+ "variable specification "
		145	+ "at offset %lx"),
		146	+ (unsigned long) attr.u.val);
		147	+ break;
		148	+ }
		149	+
		150	+ if (var->name == NULL)
		151	+ var->name = spec_var->name;
		152	+ if (var->file == NULL && spec_var->file != NULL)
		153	+ var->file = strdup (spec_var->file);
		154	+ if (var->line == 0)
		155	+ var->line = spec_var->line;
		156	+ if (var->sec == NULL)
		157	+ var->sec = spec_var->sec;
		158	+ }
		159	+ break;
		160	+
		161	case DW_AT_name:
		162	if (is_str_attr (attr.form))
		163	var->name = attr.u.str;
		164	@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
		165
		166	case DW_AT_external:
		167	if (attr.u.val != 0)
		168	- var->stack = 0;
		169	+ var->stack = FALSE;
		170	break;
		171
		172	case DW_AT_location:
		173	@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
		174	if (attr.u.blk->data != NULL
		175	&& *attr.u.blk->data == DW_OP_addr)
		176	{
		177	- var->stack = 0;
		178	+ var->stack = FALSE;
		179
		180	/* Verify that DW_OP_addr is the only opcode in the
		181	location, in which case the block size will be 1
		182	@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
		183	each_var = each_var->prev_var)
		184	{
		185	/* Skip stack vars and vars with no files or names. */
		186	- if (each_var->stack == 0
		187	+ if (! each_var->stack
		188	&& each_var->file != NULL
		189	&& each_var->name != NULL)
		190	/* There is no need to copy name string into hash table as
		191	Index: git/bfd/ChangeLog
		192	===================================================================
		193	--- git.orig/bfd/ChangeLog
		194	+++ git/bfd/ChangeLog
		195	@@ -1,3 +1,9 @@
		196	+2020-04-16 Alan Modra <amodra@gmail.com>
		197	+
		198	+ PR 25827
		199	+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
		200	+ strdup(0).
		201	+
		202	2020-02-19 H.J. Lu <hongjiu.lu@intel.com>
		203
		204	PR binutils/25355