1 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
new file mode 100644
index 0000000000..1502d03f43
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+        PR 26946
+        * dwarf2.c (read_section): Check for debug sections with excessive
+        sizes.
+Upstream-Status: Backport [
+https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
+]
+CVE: CVE-2021-3487
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ bfd/dwarf2.c  | 25 +++++++++++++++++++------
+ 1 files changed, 25 insertions(+), 6 deletions(-)
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd *             abfd,
+              bfd_byte **     section_buffer,
+              bfd_size_type * section_size)
+ {
+-  asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+-  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+     {
+      bfd_size_type amt;
+      asection *msec;
+      ufile_ptr filesize;
+
+       msec = bfd_get_section_by_name (abfd, section_name);
+-      if (! msec)
+      if (msec == NULL)
+        {
+          section_name = sec->compressed_name;
+          if (section_name != NULL)
+            msec = bfd_get_section_by_name (abfd, section_name);
+        }
+-      if (! msec)
+      if (msec == NULL)
+        {
+          _bfd_error_handler (_("DWARF error: can't find %s section."),
+                              sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd *             abfd,
+          return FALSE;
+        }
+ 
+-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
+      amt = bfd_get_section_limit_octets (abfd, msec);
+      filesize = bfd_get_file_size (abfd);
+      if (amt >= filesize)
+       {
+         /* PR 26946 */
+         _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
+                             section_name, (long) amt, (long) filesize);
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+      *section_size = amt;
+       /* Paranoia - alloc one extra so that we can make sure a string
+         section is NUL terminated.  */
+-      amt = *section_size + 1;
+      amt += 1;
+       if (amt == 0)
+        {
+         /* Paranoia - this should never happen.  */
+          bfd_set_error (bfd_error_no_memory);
+          return FALSE;
+        }
+-- 
+2.27.0

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch new file mode 100644 index 0000000000..1502d03f43 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
	1	From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
	2	From: Nick Clifton <nickc@redhat.com>
	3	Date: Thu, 26 Nov 2020 17:08:33 +0000
	4	Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
	5	DWARF debug sections.
	6
	7	PR 26946
	8	* dwarf2.c (read_section): Check for debug sections with excessive
	9	sizes.
	10
	11
	12	Upstream-Status: Backport [
	13	https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
	14	]
	15	CVE: CVE-2021-3487
	16	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	17
	18	---
	19	bfd/dwarf2.c \| 25 +++++++++++++++++++------
	20	1 files changed, 25 insertions(+), 6 deletions(-)
	21
	22	diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
	23	index 977bf43a6a1..8bbfc81d3e7 100644
	24	--- a/bfd/dwarf2.c
	25	+++ b/bfd/dwarf2.c
	26	@@ -531,22 +531,24 @@ read_section (bfd * abfd,
	27	bfd_byte ** section_buffer,
	28	bfd_size_type * section_size)
	29	{
	30	- asection *msec;
	31	const char *section_name = sec->uncompressed_name;
	32	bfd_byte contents = section_buffer;
	33	- bfd_size_type amt;
	34
	35	/* The section may have already been read. */
	36	if (contents == NULL)
	37	{
	38	+ bfd_size_type amt;
	39	+ asection *msec;
	40	+ ufile_ptr filesize;
	41	+
	42	msec = bfd_get_section_by_name (abfd, section_name);
	43	- if (! msec)
	44	+ if (msec == NULL)
	45	{
	46	section_name = sec->compressed_name;
	47	if (section_name != NULL)
	48	msec = bfd_get_section_by_name (abfd, section_name);
	49	}
	50	- if (! msec)
	51	+ if (msec == NULL)
	52	{
	53	_bfd_error_handler (_("DWARF error: can't find %s section."),
	54	sec->uncompressed_name);
	55	@@ -554,12 +556,23 @@ read_section (bfd * abfd,
	56	return FALSE;
	57	}
	58
	59	- *section_size = msec->rawsize ? msec->rawsize : msec->size;
	60	+ amt = bfd_get_section_limit_octets (abfd, msec);
	61	+ filesize = bfd_get_file_size (abfd);
	62	+ if (amt >= filesize)
	63	+ {
	64	+ /* PR 26946 */
	65	+ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
	66	+ section_name, (long) amt, (long) filesize);
	67	+ bfd_set_error (bfd_error_bad_value);
	68	+ return FALSE;
	69	+ }
	70	+ *section_size = amt;
	71	/* Paranoia - alloc one extra so that we can make sure a string
	72	section is NUL terminated. */
	73	- amt = *section_size + 1;
	74	+ amt += 1;
	75	if (amt == 0)
	76	{
	77	+ /* Paranoia - this should never happen. */
	78	bfd_set_error (bfd_error_no_memory);
	79	return FALSE;
	80	}
	81	--
	82	2.27.0
	83