1 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..5f56dd7696
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows.  Uses bfd_malloc_and_get_section for
+sanity checking section size.
+        PR 27290
+        PR 27293
+        PR 27295
+        * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+        Use bfd_malloc_and_get_section.
+        (elf32_avr_get_note_desc): Formatting.  Return descsz.  Sanity
+        check namesz.  Return NULL if descsz is too small.  Ensure
+        string table is terminated.
+        (elf32_avr_get_device_info): Formatting.  Add note_size param.
+        Sanity check note.
+        (elf32_avr_dump_mem_usage): Adjust to suit.
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+---
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 1e9a96c9bb6..02e5019204e 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,17 @@
+2021-02-11  Alan Modra  <amodra@gmail.com>
+
+          PR 27290
+          PR 27293
+          PR 27295
+          * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+          Use bfd_malloc_and_get_section.
+          (elf32_avr_get_note_desc): Formatting.  Return descsz.  Sanity
+          check namesz.  Return NULL if descsz is too small.  Ensure
+          string table is terminated.
+          (elf32_avr_get_device_info): Formatting.  Add note_size param.
+          Sanity check note.
+          (elf32_avr_dump_mem_usage): Adjust to suit.
+
+ 2020-03-25  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        * ar.c (main): Update bfd_plugin_set_program_name call.
+diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
+index 5ec99957fe9..1d32bce918e 100644
+--- a/binutils/od-elf32_avr.c
+++ b/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+   return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+ 
+-static char*
+static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+   asection *section;
+  bfd_byte *contents;
+ 
+-  if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
+  section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
+  if (section == NULL)
+     return NULL;
+ 
+-  *size = bfd_section_size (section);
+-  char *contents = (char *) xmalloc (*size);
+-  bfd_get_section_contents (abfd, section, contents, 0, *size);
+  if (!bfd_malloc_and_get_section (abfd, section, &contents))
+    {
+      free (contents);
+      contents = NULL;
+    }
+ 
+-  return contents;
+  *size = bfd_section_size (section);
+  return (char *) contents;
+ }
+ 
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+-        bfd_size_type size)
+static char *
+elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
+                        bfd_size_type *descsz)
+ {
+   Elf_External_Note *xnp = (Elf_External_Note *) contents;
+   Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+   if (in.namesz > contents - in.namedata + size)
+     return NULL;
+ 
+  if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
+    return NULL;
+
+   in.descsz = bfd_get_32 (abfd, xnp->descsz);
+   in.descdata = in.namedata + align_power (in.namesz, 2);
+-  if (in.descsz != 0
+-        && (in.descdata >= contents + size
+-            || in.descsz > contents - in.descdata + size))
+  if (in.descsz < 6 * sizeof (uint32_t)
+      || in.descdata >= contents + size
+      || in.descsz > contents - in.descdata + size)
+     return NULL;
+ 
+-  if (strcmp (in.namedata, "AVR") != 0)
+-    return NULL;
+  /* If the note has a string table, ensure it is 0 terminated.  */
+  if (in.descsz > 8 * sizeof (uint32_t))
+    in.descdata[in.descsz - 1] = 0;
+ 
+  *descsz = in.descsz;
+   return in.descdata;
+ }
+ 
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+-        deviceinfo *device)
+                          bfd_size_type desc_size, deviceinfo *device)
+ {
+   if (description == NULL)
+     return;
+ 
+   const bfd_size_type memory_sizes = 6;
+ 
+-  memcpy (device, description, memory_sizes * sizeof(uint32_t));
+-  device->name = NULL;
+  memcpy (device, description, memory_sizes * sizeof (uint32_t));
+  desc_size -= memory_sizes * sizeof (uint32_t);
+  if (desc_size < 8)
+    return;
+ 
+-  uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
+  uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+   bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+-  char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+ 
+   /* If the only content is the size itself, there's nothing in the table */
+-  if (stroffset_table_size == 4)
+  if (stroffset_table_size < 8)
+     return;
+  if (desc_size <= stroffset_table_size)
+    return;
+  desc_size -= stroffset_table_size;
+ 
+   /* First entry is the device name index. */
+   uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
+  if (device_name_index >= desc_size)
+    return;
+ 
+  char *str_table = (char *) stroffset_table + stroffset_table_size;
+   device->name = str_table + device_name_index;
+ }
+ 
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+   char *description = NULL;
+-  bfd_size_type note_section_size = 0;
+  bfd_size_type sec_size, desc_size;
+ 
+   deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+   device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+   bfd_size_type text_usage = 0;
+   bfd_size_type eeprom_usage = 0;
+ 
+-  char *contents = elf32_avr_get_note_section_contents (abfd,
+-    &note_section_size);
+  char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+ 
+   if (contents != NULL)
+     {
+-      description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+-      elf32_avr_get_device_info (abfd, description, &device);
+      description = elf32_avr_get_note_desc (abfd, contents, sec_size,
+                                            &desc_size);
+      elf32_avr_get_device_info (abfd, description, desc_size, &device);
+     }
+ 
+   elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch new file mode 100644 index 0000000000..5f56dd7696 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
	1	From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Thu, 11 Feb 2021 16:56:42 +1030
	4	Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
	5
	6	Adds missing sanity checks for avr device info note, to avoid
	7	potential buffer overflows. Uses bfd_malloc_and_get_section for
	8	sanity checking section size.
	9
	10	PR 27290
	11	PR 27293
	12	PR 27295
	13	* od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
	14	Use bfd_malloc_and_get_section.
	15	(elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
	16	check namesz. Return NULL if descsz is too small. Ensure
	17	string table is terminated.
	18	(elf32_avr_get_device_info): Formatting. Add note_size param.
	19	Sanity check note.
	20	(elf32_avr_dump_mem_usage): Adjust to suit.
	21
	22	Upstream-Status: Backport
	23	CVE: CVE-2021-3549
	24	Signed-of-by: Armin Kuster <akuster@mvista.com>
	25
	26	---
	27	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
	28	index 1e9a96c9bb6..02e5019204e 100644
	29	--- a/binutils/ChangeLog
	30	+++ b/binutils/ChangeLog
	31	@@ -1,3 +1,17 @@
	32	+2021-02-11 Alan Modra <amodra@gmail.com>
	33	+
	34	+ PR 27290
	35	+ PR 27293
	36	+ PR 27295
	37	+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
	38	+ Use bfd_malloc_and_get_section.
	39	+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
	40	+ check namesz. Return NULL if descsz is too small. Ensure
	41	+ string table is terminated.
	42	+ (elf32_avr_get_device_info): Formatting. Add note_size param.
	43	+ Sanity check note.
	44	+ (elf32_avr_dump_mem_usage): Adjust to suit.
	45	+
	46	2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
	47
	48	* ar.c (main): Update bfd_plugin_set_program_name call.
	49	diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
	50	index 5ec99957fe9..1d32bce918e 100644
	51	--- a/binutils/od-elf32_avr.c
	52	+++ b/binutils/od-elf32_avr.c
	53	@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
	54	return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
	55	}
	56
	57	-static char*
	58	+static char *
	59	elf32_avr_get_note_section_contents (bfd abfd, bfd_size_type size)
	60	{
	61	asection *section;
	62	+ bfd_byte *contents;
	63
	64	- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
	65	+ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
	66	+ if (section == NULL)
	67	return NULL;
	68
	69	- *size = bfd_section_size (section);
	70	- char contents = (char ) xmalloc (*size);
	71	- bfd_get_section_contents (abfd, section, contents, 0, *size);
	72	+ if (!bfd_malloc_and_get_section (abfd, section, &contents))
	73	+ {
	74	+ free (contents);
	75	+ contents = NULL;
	76	+ }
	77
	78	- return contents;
	79	+ *size = bfd_section_size (section);
	80	+ return (char *) contents;
	81	}
	82
	83	-static char* elf32_avr_get_note_desc (bfd abfd, char contents,
	84	- bfd_size_type size)
	85	+static char *
	86	+elf32_avr_get_note_desc (bfd abfd, char contents, bfd_size_type size,
	87	+ bfd_size_type *descsz)
	88	{
	89	Elf_External_Note xnp = (Elf_External_Note ) contents;
	90	Elf_Internal_Note in;
	91	@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd abfd, char contents,
	92	if (in.namesz > contents - in.namedata + size)
	93	return NULL;
	94
	95	+ if (in.namesz != 4 \|\| strcmp (in.namedata, "AVR") != 0)
	96	+ return NULL;
	97	+
	98	in.descsz = bfd_get_32 (abfd, xnp->descsz);
	99	in.descdata = in.namedata + align_power (in.namesz, 2);
	100	- if (in.descsz != 0
	101	- && (in.descdata >= contents + size
	102	- \|\| in.descsz > contents - in.descdata + size))
	103	+ if (in.descsz < 6 * sizeof (uint32_t)
	104	+ \|\| in.descdata >= contents + size
	105	+ \|\| in.descsz > contents - in.descdata + size)
	106	return NULL;
	107
	108	- if (strcmp (in.namedata, "AVR") != 0)
	109	- return NULL;
	110	+ /* If the note has a string table, ensure it is 0 terminated. */
	111	+ if (in.descsz > 8 * sizeof (uint32_t))
	112	+ in.descdata[in.descsz - 1] = 0;
	113
	114	+ *descsz = in.descsz;
	115	return in.descdata;
	116	}
	117
	118	static void
	119	elf32_avr_get_device_info (bfd abfd, char description,
	120	- deviceinfo *device)
	121	+ bfd_size_type desc_size, deviceinfo *device)
	122	{
	123	if (description == NULL)
	124	return;
	125
	126	const bfd_size_type memory_sizes = 6;
	127
	128	- memcpy (device, description, memory_sizes * sizeof(uint32_t));
	129	- device->name = NULL;
	130	+ memcpy (device, description, memory_sizes * sizeof (uint32_t));
	131	+ desc_size -= memory_sizes * sizeof (uint32_t);
	132	+ if (desc_size < 8)
	133	+ return;
	134
	135	- uint32_t stroffset_table = ((uint32_t ) description) + memory_sizes;
	136	+ uint32_t stroffset_table = (uint32_t ) description + memory_sizes;
	137	bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
	138	- char str_table = ((char ) stroffset_table) + stroffset_table_size;
	139
	140	/* If the only content is the size itself, there's nothing in the table */
	141	- if (stroffset_table_size == 4)
	142	+ if (stroffset_table_size < 8)
	143	return;
	144	+ if (desc_size <= stroffset_table_size)
	145	+ return;
	146	+ desc_size -= stroffset_table_size;
	147
	148	/* First entry is the device name index. */
	149	uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
	150	+ if (device_name_index >= desc_size)
	151	+ return;
	152
	153	+ char str_table = (char ) stroffset_table + stroffset_table_size;
	154	device->name = str_table + device_name_index;
	155	}
	156
	157	@@ -183,7 +201,7 @@ static void
	158	elf32_avr_dump_mem_usage (bfd *abfd)
	159	{
	160	char *description = NULL;
	161	- bfd_size_type note_section_size = 0;
	162	+ bfd_size_type sec_size, desc_size;
	163
	164	deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
	165	device.name = "Unknown";
	166	@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
	167	bfd_size_type text_usage = 0;
	168	bfd_size_type eeprom_usage = 0;
	169
	170	- char *contents = elf32_avr_get_note_section_contents (abfd,
	171	- &note_section_size);
	172	+ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
	173
	174	if (contents != NULL)
	175	{
	176	- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
	177	- elf32_avr_get_device_info (abfd, description, &device);
	178	+ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
	179	+ &desc_size);
	180	+ elf32_avr_get_device_info (abfd, description, desc_size, &device);
	181	}
	182
	183	elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,