2 files changed, 248 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.37.inc b/meta/recipes-devtools/binutils/binutils-2.37.inc
index 043f7f8235..bc6eef0fbb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.37.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.37.inc
@@ -34,5 +34,6 @@ SRC_URI = "\
     file://0017-bfd-Close-the-file-descriptor-if-there-is-no-archive.patch \
     file://0001-elf-Discard-input-.note.gnu.build-id-sections.patch \
     file://0001-CVE-2021-42574.patch \
+     file://161e87d12167b1e36193385485c1f6ce92f74f02.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch b/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch
new file mode 100644
index 0000000000..8a655af06c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch
@@ -0,0 +1,247 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 01:18:42 +0000 (+1030)
+Subject: PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+        PR 28694
+        * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+        Negate typenum earlier, simplifying bounds checking.  Correct
+        off-by-one indexing.  Adjust switch cases.
+---
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
+++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bool stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
+  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-                        int typenum)
+                        unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
+  typenum = -typenum - 1;
+  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
+      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
+  if (info->xcoff_types[typenum] != NULL)
+    return info->xcoff_types[typenum];
+ 
+-  switch (-typenum)
+  switch (typenum)
+     {
+-    case 1:
+    case 0:
+       /* The size of this and all the other types are fixed, defined
+         by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 2:
+    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 3:
+    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 4:
+    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 5:
+    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 6:
+    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 7:
+    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, true);
+       break;
+-    case 8:
+    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 9:
+    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 10:
+    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 11:
+    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
+    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
+    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
+    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+         with different sizes for "long double" should use different
+         negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
+    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 16:
+    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
+    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
+    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
+    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
+    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 21:
+    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
+    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
+    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
+    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
+    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
+    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
+    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 28:
+    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 29:
+    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 30:
+    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 31:
+    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+-    case 32:
+    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, true);
+       break;
+-    case 33:
+    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
+    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
+  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+

diff --git a/meta/recipes-devtools/binutils/binutils-2.37.inc b/meta/recipes-devtools/binutils/binutils-2.37.inc index 043f7f8235..bc6eef0fbb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.37.inc +++ b/meta/recipes-devtools/binutils/binutils-2.37.inc
@@ -34,5 +34,6 @@ SRC_URI = "\
34	file://0017-bfd-Close-the-file-descriptor-if-there-is-no-archive.patch \	34	file://0017-bfd-Close-the-file-descriptor-if-there-is-no-archive.patch \
35	file://0001-elf-Discard-input-.note.gnu.build-id-sections.patch \	35	file://0001-elf-Discard-input-.note.gnu.build-id-sections.patch \
36	file://0001-CVE-2021-42574.patch \	36	file://0001-CVE-2021-42574.patch \
		37	file://161e87d12167b1e36193385485c1f6ce92f74f02.patch \
37	"	38	"
38	S = "${WORKDIR}/git"	39	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch b/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch new file mode 100644 index 0000000000..8a655af06c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/161e87d12167b1e36193385485c1f6ce92f74f02.patch
@@ -0,0 +1,247 @@
		1	From: Alan Modra <amodra@gmail.com>
		2	Date: Wed, 15 Dec 2021 01:18:42 +0000 (+1030)
		3	Subject: PR28694, Out-of-bounds write in stab_xcoff_builtin_type
		4	CVE: CVE-2021-45078
		5
		6	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=161e87d12167b1e36193385485c1f6ce92f74f02]
		7
		8	PR28694, Out-of-bounds write in stab_xcoff_builtin_type
		9
		10	PR 28694
		11	* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
		12	Negate typenum earlier, simplifying bounds checking. Correct
		13	off-by-one indexing. Adjust switch cases.
		14	---
		15
		16	diff --git a/binutils/stabs.c b/binutils/stabs.c
		17	index 274bfb0e7fa..83ee3ea5fa4 100644
		18	--- a/binutils/stabs.c
		19	+++ b/binutils/stabs.c
		20	@@ -202,7 +202,7 @@ static debug_type stab_find_type (void , struct stab_handle , const int *);
		21	static bool stab_record_type
		22	(void , struct stab_handle , const int *, debug_type);
		23	static debug_type stab_xcoff_builtin_type
		24	- (void , struct stab_handle , int);
		25	+ (void , struct stab_handle , unsigned int);
		26	static debug_type stab_find_tagged_type
		27	(void , struct stab_handle , const char *, int, enum debug_type_kind);
		28	static debug_type *stab_demangle_argtypes
		29	@@ -3496,166 +3496,167 @@ stab_record_type (void dhandle ATTRIBUTE_UNUSED, struct stab_handle info,
		30
		31	static debug_type
		32	stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
		33	- int typenum)
		34	+ unsigned int typenum)
		35	{
		36	debug_type rettype;
		37	const char *name;
		38
		39	- if (typenum >= 0 \|\| typenum < -XCOFF_TYPE_COUNT)
		40	+ typenum = -typenum - 1;
		41	+ if (typenum >= XCOFF_TYPE_COUNT)
		42	{
		43	- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
		44	+ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
		45	return DEBUG_TYPE_NULL;
		46	}
		47	- if (info->xcoff_types[-typenum] != NULL)
		48	- return info->xcoff_types[-typenum];
		49	+ if (info->xcoff_types[typenum] != NULL)
		50	+ return info->xcoff_types[typenum];
		51
		52	- switch (-typenum)
		53	+ switch (typenum)
		54	{
		55	- case 1:
		56	+ case 0:
		57	/* The size of this and all the other types are fixed, defined
		58	by the debugging format. */
		59	name = "int";
		60	rettype = debug_make_int_type (dhandle, 4, false);
		61	break;
		62	- case 2:
		63	+ case 1:
		64	name = "char";
		65	rettype = debug_make_int_type (dhandle, 1, false);
		66	break;
		67	- case 3:
		68	+ case 2:
		69	name = "short";
		70	rettype = debug_make_int_type (dhandle, 2, false);
		71	break;
		72	- case 4:
		73	+ case 3:
		74	name = "long";
		75	rettype = debug_make_int_type (dhandle, 4, false);
		76	break;
		77	- case 5:
		78	+ case 4:
		79	name = "unsigned char";
		80	rettype = debug_make_int_type (dhandle, 1, true);
		81	break;
		82	- case 6:
		83	+ case 5:
		84	name = "signed char";
		85	rettype = debug_make_int_type (dhandle, 1, false);
		86	break;
		87	- case 7:
		88	+ case 6:
		89	name = "unsigned short";
		90	rettype = debug_make_int_type (dhandle, 2, true);
		91	break;
		92	- case 8:
		93	+ case 7:
		94	name = "unsigned int";
		95	rettype = debug_make_int_type (dhandle, 4, true);
		96	break;
		97	- case 9:
		98	+ case 8:
		99	name = "unsigned";
		100	rettype = debug_make_int_type (dhandle, 4, true);
		101	break;
		102	- case 10:
		103	+ case 9:
		104	name = "unsigned long";
		105	rettype = debug_make_int_type (dhandle, 4, true);
		106	break;
		107	- case 11:
		108	+ case 10:
		109	name = "void";
		110	rettype = debug_make_void_type (dhandle);
		111	break;
		112	- case 12:
		113	+ case 11:
		114	/* IEEE single precision (32 bit). */
		115	name = "float";
		116	rettype = debug_make_float_type (dhandle, 4);
		117	break;
		118	- case 13:
		119	+ case 12:
		120	/* IEEE double precision (64 bit). */
		121	name = "double";
		122	rettype = debug_make_float_type (dhandle, 8);
		123	break;
		124	- case 14:
		125	+ case 13:
		126	/* This is an IEEE double on the RS/6000, and different machines
		127	with different sizes for "long double" should use different
		128	negative type numbers. See stabs.texinfo. */
		129	name = "long double";
		130	rettype = debug_make_float_type (dhandle, 8);
		131	break;
		132	- case 15:
		133	+ case 14:
		134	name = "integer";
		135	rettype = debug_make_int_type (dhandle, 4, false);
		136	break;
		137	- case 16:
		138	+ case 15:
		139	name = "boolean";
		140	rettype = debug_make_bool_type (dhandle, 4);
		141	break;
		142	- case 17:
		143	+ case 16:
		144	name = "short real";
		145	rettype = debug_make_float_type (dhandle, 4);
		146	break;
		147	- case 18:
		148	+ case 17:
		149	name = "real";
		150	rettype = debug_make_float_type (dhandle, 8);
		151	break;
		152	- case 19:
		153	+ case 18:
		154	/* FIXME */
		155	name = "stringptr";
		156	rettype = NULL;
		157	break;
		158	- case 20:
		159	+ case 19:
		160	/* FIXME */
		161	name = "character";
		162	rettype = debug_make_int_type (dhandle, 1, true);
		163	break;
		164	- case 21:
		165	+ case 20:
		166	name = "logical*1";
		167	rettype = debug_make_bool_type (dhandle, 1);
		168	break;
		169	- case 22:
		170	+ case 21:
		171	name = "logical*2";
		172	rettype = debug_make_bool_type (dhandle, 2);
		173	break;
		174	- case 23:
		175	+ case 22:
		176	name = "logical*4";
		177	rettype = debug_make_bool_type (dhandle, 4);
		178	break;
		179	- case 24:
		180	+ case 23:
		181	name = "logical";
		182	rettype = debug_make_bool_type (dhandle, 4);
		183	break;
		184	- case 25:
		185	+ case 24:
		186	/* Complex type consisting of two IEEE single precision values. */
		187	name = "complex";
		188	rettype = debug_make_complex_type (dhandle, 8);
		189	break;
		190	- case 26:
		191	+ case 25:
		192	/* Complex type consisting of two IEEE double precision values. */
		193	name = "double complex";
		194	rettype = debug_make_complex_type (dhandle, 16);
		195	break;
		196	- case 27:
		197	+ case 26:
		198	name = "integer*1";
		199	rettype = debug_make_int_type (dhandle, 1, false);
		200	break;
		201	- case 28:
		202	+ case 27:
		203	name = "integer*2";
		204	rettype = debug_make_int_type (dhandle, 2, false);
		205	break;
		206	- case 29:
		207	+ case 28:
		208	name = "integer*4";
		209	rettype = debug_make_int_type (dhandle, 4, false);
		210	break;
		211	- case 30:
		212	+ case 29:
		213	/* FIXME */
		214	name = "wchar";
		215	rettype = debug_make_int_type (dhandle, 2, false);
		216	break;
		217	- case 31:
		218	+ case 30:
		219	name = "long long";
		220	rettype = debug_make_int_type (dhandle, 8, false);
		221	break;
		222	- case 32:
		223	+ case 31:
		224	name = "unsigned long long";
		225	rettype = debug_make_int_type (dhandle, 8, true);
		226	break;
		227	- case 33:
		228	+ case 32:
		229	name = "logical*8";
		230	rettype = debug_make_bool_type (dhandle, 8);
		231	break;
		232	- case 34:
		233	+ case 33:
		234	name = "integer*8";
		235	rettype = debug_make_int_type (dhandle, 8, false);
		236	break;
		237	@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
		238	}
		239
		240	rettype = debug_name_type (dhandle, name, rettype);
		241	-
		242	- info->xcoff_types[-typenum] = rettype;
		243	-
		244	+ info->xcoff_types[typenum] = rettype;
		245	return rettype;
		246	}
		247