1 files changed, 255 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..f118e2599b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,255 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+        PR 28694
+        * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+        Negate typenum earlier, simplifying bounds checking.  Correct
+        off-by-one indexing.  Adjust switch cases.
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
+++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
+  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-                        int typenum)
+                        unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
+  typenum = -typenum - 1;
+  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
+      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
+  if (info->xcoff_types[typenum] != NULL)
+    return info->xcoff_types[typenum];
+ 
+-  switch (-typenum)
+  switch (typenum)
+     {
+-    case 1:
+    case 0:
+       /* The size of this and all the other types are fixed, defined
+         by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 2:
+    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 3:
+    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 4:
+    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 5:
+    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 6:
+    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 7:
+    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, TRUE);
+       break;
+-    case 8:
+    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 9:
+    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 10:
+    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 11:
+    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
+    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
+    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
+    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+         with different sizes for "long double" should use different
+         negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
+    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 16:
+    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
+    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
+    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
+    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
+    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 21:
+    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
+    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
+    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
+    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
+    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
+    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
+    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 28:
+    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 29:
+    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 30:
+    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 31:
+    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+-    case 32:
+    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, TRUE);
+       break;
+-    case 33:
+    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
+    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
+  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+ 
+-- 
+2.27.0

diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch new file mode 100644 index 0000000000..f118e2599b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,255 @@
	1	From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Wed, 15 Dec 2021 11:48:42 +1030
	4	Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
	5
	6	PR 28694
	7	* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
	8	Negate typenum earlier, simplifying bounds checking. Correct
	9	off-by-one indexing. Adjust switch cases.
	10
	11
	12	CVE: CVE-2021-45078
	13	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
	14
	15	Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
	16	---
	17	binutils/stabs.c \| 87 ++++++++++++++++++++++++------------------------
	18	1 file changed, 43 insertions(+), 44 deletions(-)
	19
	20
	21	diff --git a/binutils/stabs.c b/binutils/stabs.c
	22	index 274bfb0e7fa..83ee3ea5fa4 100644
	23	--- a/binutils/stabs.c
	24	+++ b/binutils/stabs.c
	25	@@ -202,7 +202,7 @@ static debug_type stab_find_type (void , struct stab_handle , const int *);
	26	static bfd_boolean stab_record_type
	27	(void , struct stab_handle , const int *, debug_type);
	28	static debug_type stab_xcoff_builtin_type
	29	- (void , struct stab_handle , int);
	30	+ (void , struct stab_handle , unsigned int);
	31	static debug_type stab_find_tagged_type
	32	(void , struct stab_handle , const char *, int, enum debug_type_kind);
	33	static debug_type *stab_demangle_argtypes
	34	@@ -3496,166 +3496,167 @@ stab_record_type (void dhandle ATTRIBUTE_UNUSED, struct stab_handle info,
	35
	36	static debug_type
	37	stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
	38	- int typenum)
	39	+ unsigned int typenum)
	40	{
	41	debug_type rettype;
	42	const char *name;
	43
	44	- if (typenum >= 0 \|\| typenum < -XCOFF_TYPE_COUNT)
	45	+ typenum = -typenum - 1;
	46	+ if (typenum >= XCOFF_TYPE_COUNT)
	47	{
	48	- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
	49	+ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
	50	return DEBUG_TYPE_NULL;
	51	}
	52	- if (info->xcoff_types[-typenum] != NULL)
	53	- return info->xcoff_types[-typenum];
	54	+ if (info->xcoff_types[typenum] != NULL)
	55	+ return info->xcoff_types[typenum];
	56
	57	- switch (-typenum)
	58	+ switch (typenum)
	59	{
	60	- case 1:
	61	+ case 0:
	62	/* The size of this and all the other types are fixed, defined
	63	by the debugging format. */
	64	name = "int";
	65	rettype = debug_make_int_type (dhandle, 4, FALSE);
	66	break;
	67	- case 2:
	68	+ case 1:
	69	name = "char";
	70	rettype = debug_make_int_type (dhandle, 1, FALSE);
	71	break;
	72	- case 3:
	73	+ case 2:
	74	name = "short";
	75	rettype = debug_make_int_type (dhandle, 2, FALSE);
	76	break;
	77	- case 4:
	78	+ case 3:
	79	name = "long";
	80	rettype = debug_make_int_type (dhandle, 4, FALSE);
	81	break;
	82	- case 5:
	83	+ case 4:
	84	name = "unsigned char";
	85	rettype = debug_make_int_type (dhandle, 1, TRUE);
	86	break;
	87	- case 6:
	88	+ case 5:
	89	name = "signed char";
	90	rettype = debug_make_int_type (dhandle, 1, FALSE);
	91	break;
	92	- case 7:
	93	+ case 6:
	94	name = "unsigned short";
	95	rettype = debug_make_int_type (dhandle, 2, TRUE);
	96	break;
	97	- case 8:
	98	+ case 7:
	99	name = "unsigned int";
	100	rettype = debug_make_int_type (dhandle, 4, TRUE);
	101	break;
	102	- case 9:
	103	+ case 8:
	104	name = "unsigned";
	105	rettype = debug_make_int_type (dhandle, 4, TRUE);
	106	break;
	107	- case 10:
	108	+ case 9:
	109	name = "unsigned long";
	110	rettype = debug_make_int_type (dhandle, 4, TRUE);
	111	break;
	112	- case 11:
	113	+ case 10:
	114	name = "void";
	115	rettype = debug_make_void_type (dhandle);
	116	break;
	117	- case 12:
	118	+ case 11:
	119	/* IEEE single precision (32 bit). */
	120	name = "float";
	121	rettype = debug_make_float_type (dhandle, 4);
	122	break;
	123	- case 13:
	124	+ case 12:
	125	/* IEEE double precision (64 bit). */
	126	name = "double";
	127	rettype = debug_make_float_type (dhandle, 8);
	128	break;
	129	- case 14:
	130	+ case 13:
	131	/* This is an IEEE double on the RS/6000, and different machines
	132	with different sizes for "long double" should use different
	133	negative type numbers. See stabs.texinfo. */
	134	name = "long double";
	135	rettype = debug_make_float_type (dhandle, 8);
	136	break;
	137	- case 15:
	138	+ case 14:
	139	name = "integer";
	140	rettype = debug_make_int_type (dhandle, 4, FALSE);
	141	break;
	142	- case 16:
	143	+ case 15:
	144	name = "boolean";
	145	rettype = debug_make_bool_type (dhandle, 4);
	146	break;
	147	- case 17:
	148	+ case 16:
	149	name = "short real";
	150	rettype = debug_make_float_type (dhandle, 4);
	151	break;
	152	- case 18:
	153	+ case 17:
	154	name = "real";
	155	rettype = debug_make_float_type (dhandle, 8);
	156	break;
	157	- case 19:
	158	+ case 18:
	159	/* FIXME */
	160	name = "stringptr";
	161	rettype = NULL;
	162	break;
	163	- case 20:
	164	+ case 19:
	165	/* FIXME */
	166	name = "character";
	167	rettype = debug_make_int_type (dhandle, 1, TRUE);
	168	break;
	169	- case 21:
	170	+ case 20:
	171	name = "logical*1";
	172	rettype = debug_make_bool_type (dhandle, 1);
	173	break;
	174	- case 22:
	175	+ case 21:
	176	name = "logical*2";
	177	rettype = debug_make_bool_type (dhandle, 2);
	178	break;
	179	- case 23:
	180	+ case 22:
	181	name = "logical*4";
	182	rettype = debug_make_bool_type (dhandle, 4);
	183	break;
	184	- case 24:
	185	+ case 23:
	186	name = "logical";
	187	rettype = debug_make_bool_type (dhandle, 4);
	188	break;
	189	- case 25:
	190	+ case 24:
	191	/* Complex type consisting of two IEEE single precision values. */
	192	name = "complex";
	193	rettype = debug_make_complex_type (dhandle, 8);
	194	break;
	195	- case 26:
	196	+ case 25:
	197	/* Complex type consisting of two IEEE double precision values. */
	198	name = "double complex";
	199	rettype = debug_make_complex_type (dhandle, 16);
	200	break;
	201	- case 27:
	202	+ case 26:
	203	name = "integer*1";
	204	rettype = debug_make_int_type (dhandle, 1, FALSE);
	205	break;
	206	- case 28:
	207	+ case 27:
	208	name = "integer*2";
	209	rettype = debug_make_int_type (dhandle, 2, FALSE);
	210	break;
	211	- case 29:
	212	+ case 28:
	213	name = "integer*4";
	214	rettype = debug_make_int_type (dhandle, 4, FALSE);
	215	break;
	216	- case 30:
	217	+ case 29:
	218	/* FIXME */
	219	name = "wchar";
	220	rettype = debug_make_int_type (dhandle, 2, FALSE);
	221	break;
	222	- case 31:
	223	+ case 30:
	224	name = "long long";
	225	rettype = debug_make_int_type (dhandle, 8, FALSE);
	226	break;
	227	- case 32:
	228	+ case 31:
	229	name = "unsigned long long";
	230	rettype = debug_make_int_type (dhandle, 8, TRUE);
	231	break;
	232	- case 33:
	233	+ case 32:
	234	name = "logical*8";
	235	rettype = debug_make_bool_type (dhandle, 8);
	236	break;
	237	- case 34:
	238	+ case 33:
	239	name = "integer*8";
	240	rettype = debug_make_int_type (dhandle, 8, FALSE);
	241	break;
	242	@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
	243	}
	244
	245	rettype = debug_name_type (dhandle, name, rettype);
	246	-
	247	- info->xcoff_types[-typenum] = rettype;
	248	-
	249	+ info->xcoff_types[typenum] = rettype;
	250	return rettype;
	251	}
	252
	253	--
	254	2.27.0
	255