diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch new file mode 100644 index 0000000000..1502d03f43 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Thu, 26 Nov 2020 17:08:33 +0000 | ||
4 | Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt | ||
5 | DWARF debug sections. | ||
6 | |||
7 | PR 26946 | ||
8 | * dwarf2.c (read_section): Check for debug sections with excessive | ||
9 | sizes. | ||
10 | |||
11 | |||
12 | Upstream-Status: Backport [ | ||
13 | https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24 | ||
14 | ] | ||
15 | CVE: CVE-2021-3487 | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | |||
18 | --- | ||
19 | bfd/dwarf2.c | 25 +++++++++++++++++++------ | ||
20 | 1 files changed, 25 insertions(+), 6 deletions(-) | ||
21 | |||
22 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c | ||
23 | index 977bf43a6a1..8bbfc81d3e7 100644 | ||
24 | --- a/bfd/dwarf2.c | ||
25 | +++ b/bfd/dwarf2.c | ||
26 | @@ -531,22 +531,24 @@ read_section (bfd * abfd, | ||
27 | bfd_byte ** section_buffer, | ||
28 | bfd_size_type * section_size) | ||
29 | { | ||
30 | - asection *msec; | ||
31 | const char *section_name = sec->uncompressed_name; | ||
32 | bfd_byte *contents = *section_buffer; | ||
33 | - bfd_size_type amt; | ||
34 | |||
35 | /* The section may have already been read. */ | ||
36 | if (contents == NULL) | ||
37 | { | ||
38 | + bfd_size_type amt; | ||
39 | + asection *msec; | ||
40 | + ufile_ptr filesize; | ||
41 | + | ||
42 | msec = bfd_get_section_by_name (abfd, section_name); | ||
43 | - if (! msec) | ||
44 | + if (msec == NULL) | ||
45 | { | ||
46 | section_name = sec->compressed_name; | ||
47 | if (section_name != NULL) | ||
48 | msec = bfd_get_section_by_name (abfd, section_name); | ||
49 | } | ||
50 | - if (! msec) | ||
51 | + if (msec == NULL) | ||
52 | { | ||
53 | _bfd_error_handler (_("DWARF error: can't find %s section."), | ||
54 | sec->uncompressed_name); | ||
55 | @@ -554,12 +556,23 @@ read_section (bfd * abfd, | ||
56 | return FALSE; | ||
57 | } | ||
58 | |||
59 | - *section_size = msec->rawsize ? msec->rawsize : msec->size; | ||
60 | + amt = bfd_get_section_limit_octets (abfd, msec); | ||
61 | + filesize = bfd_get_file_size (abfd); | ||
62 | + if (amt >= filesize) | ||
63 | + { | ||
64 | + /* PR 26946 */ | ||
65 | + _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"), | ||
66 | + section_name, (long) amt, (long) filesize); | ||
67 | + bfd_set_error (bfd_error_bad_value); | ||
68 | + return FALSE; | ||
69 | + } | ||
70 | + *section_size = amt; | ||
71 | /* Paranoia - alloc one extra so that we can make sure a string | ||
72 | section is NUL terminated. */ | ||
73 | - amt = *section_size + 1; | ||
74 | + amt += 1; | ||
75 | if (amt == 0) | ||
76 | { | ||
77 | + /* Paranoia - this should never happen. */ | ||
78 | bfd_set_error (bfd_error_no_memory); | ||
79 | return FALSE; | ||
80 | } | ||
81 | -- | ||
82 | 2.27.0 | ||
83 | |||