Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
17 files changed, 2362 insertions, 13 deletions
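diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..2af82477ac
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,257 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+PR 28694
+* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+Negate typenum earlier, simplifying bounds checking. Correct
+off-by-one indexing. Adjust switch cases.
+
+
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+1 file changed, 43 insertions(+), 44 deletions(-)
+
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+static bfd_boolean stab_record_type
+(void *, struct stab_handle *, const int *, debug_type);
+static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+static debug_type stab_find_tagged_type
+(void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+static debug_type
+stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+{
+debug_type rettype;
+const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+{
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+return DEBUG_TYPE_NULL;
+}
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+{
+- case 1:
++ case 0:
+/* The size of this and all the other types are fixed, defined
+by the debugging format. */
+name = "int";
+rettype = debug_make_int_type (dhandle, 4, FALSE);
+break;
+- case 2:
++ case 1:
+name = "char";
+rettype = debug_make_int_type (dhandle, 1, FALSE);
+break;
+- case 3:
++ case 2:
+name = "short";
+rettype = debug_make_int_type (dhandle, 2, FALSE);
+break;
+- case 4:
++ case 3:
+name = "long";
+rettype = debug_make_int_type (dhandle, 4, FALSE);
+break;
+- case 5:
++ case 4:
+name = "unsigned char";
+rettype = debug_make_int_type (dhandle, 1, TRUE);
+break;
+- case 6:
++ case 5:
+name = "signed char";
+rettype = debug_make_int_type (dhandle, 1, FALSE);
+break;
+- case 7:
++ case 6:
+name = "unsigned short";
+rettype = debug_make_int_type (dhandle, 2, TRUE);
+break;
+- case 8:
++ case 7:
+name = "unsigned int";
+rettype = debug_make_int_type (dhandle, 4, TRUE);
+break;
+- case 9:
++ case 8:
+name = "unsigned";
+rettype = debug_make_int_type (dhandle, 4, TRUE);
+break;
+- case 10:
++ case 9:
+name = "unsigned long";
+rettype = debug_make_int_type (dhandle, 4, TRUE);
+break;
+- case 11:
++ case 10:
+name = "void";
+rettype = debug_make_void_type (dhandle);
+break;
+- case 12:
++ case 11:
+/* IEEE single precision (32 bit). */
+name = "float";
+rettype = debug_make_float_type (dhandle, 4);
+break;
+- case 13:
++ case 12:
+/* IEEE double precision (64 bit). */
+name = "double";
+rettype = debug_make_float_type (dhandle, 8);
+break;
+- case 14:
++ case 13:
+/* This is an IEEE double on the RS/6000, and different machines
+with different sizes for "long double" should use different
+negative type numbers. See stabs.texinfo. */
+name = "long double";
+rettype = debug_make_float_type (dhandle, 8);
+break;
+- case 15:
++ case 14:
+name = "integer";
+rettype = debug_make_int_type (dhandle, 4, FALSE);
+break;
+- case 16:
++ case 15:
+name = "boolean";
+rettype = debug_make_bool_type (dhandle, 4);
+break;
+- case 17:
++ case 16:
+name = "short real";
+rettype = debug_make_float_type (dhandle, 4);
+break;
+- case 18:
++ case 17:
+name = "real";
+rettype = debug_make_float_type (dhandle, 8);
+break;
+- case 19:
++ case 18:
+/* FIXME */
+name = "stringptr";
+rettype = NULL;
+break;
+- case 20:
++ case 19:
+/* FIXME */
+name = "character";
+rettype = debug_make_int_type (dhandle, 1, TRUE);
+break;
+- case 21:
++ case 20:
+name = "logical*1";
+rettype = debug_make_bool_type (dhandle, 1);
+break;
+- case 22:
++ case 21:
+name = "logical*2";
+rettype = debug_make_bool_type (dhandle, 2);
+break;
+- case 23:
++ case 22:
+name = "logical*4";
+rettype = debug_make_bool_type (dhandle, 4);
+break;
+- case 24:
++ case 23:
+name = "logical";
+rettype = debug_make_bool_type (dhandle, 4);
+break;
+- case 25:
++ case 24:
+/* Complex type consisting of two IEEE single precision values. */
+name = "complex";
+rettype = debug_make_complex_type (dhandle, 8);
+break;
+- case 26:
++ case 25:
+/* Complex type consisting of two IEEE double precision values. */
+name = "double complex";
+rettype = debug_make_complex_type (dhandle, 16);
+break;
+- case 27:
++ case 26:
+name = "integer*1";
+rettype = debug_make_int_type (dhandle, 1, FALSE);
+break;
+- case 28:
++ case 27:
+name = "integer*2";
+rettype = debug_make_int_type (dhandle, 2, FALSE);
+break;
+- case 29:
++ case 28:
+name = "integer*4";
+rettype = debug_make_int_type (dhandle, 4, FALSE);
+break;
+- case 30:
++ case 29:
+/* FIXME */
+name = "wchar";
+rettype = debug_make_int_type (dhandle, 2, FALSE);
+break;
+- case 31:
++ case 30:
+name = "long long";
+rettype = debug_make_int_type (dhandle, 8, FALSE);
+break;
+- case 32:
++ case 31:
+name = "unsigned long long";
+rettype = debug_make_int_type (dhandle, 8, TRUE);
+break;
+- case 33:
++ case 32:
+name = "logical*8";
+rettype = debug_make_bool_type (dhandle, 8);
+break;
+- case 34:
++ case 33:
+name = "integer*8";
+rettype = debug_make_int_type (dhandle, 8, FALSE);
+break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+}
+
+rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+return rettype;
+}
+
+--
+2.27.0
+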
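Review bot: After this change `typenum` is `unsigned int`, yet the error path still formats it with `%d`: `fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);` passes an unsigned expression to a signed conversion. It prints the original negative number only because of unsigned wrap-around on the usual targets; an explicit cast, `(int) (-typenum - 1)`, would make that intent visible and keep `-Wformat-signedness` quiet. A comment above `typenum = -typenum - 1;` would also help, for example `/* XCOFF builtin types are numbered -1..-XCOFF_TYPE_COUNT; map them to 0..XCOFF_TYPE_COUNT-1 so one unsigned compare rejects everything else. */`, because positive and too-negative inputs are now rejected only through that wrap-around. The switch's default case lies between the two hunks and is not visible here.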
diff --git a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch index 11a8110d40..88cce49e46 100644 --- a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch +++ b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7b24f81e04c9d00d96de7dbd250beade6d2c6e44 Mon Sep 17 00:00:00 2001 | 1 | From 12b658c0fe5771d16067baef933b7f34ed455def Mon Sep 17 00:00:00 2001 |
2 | From: Khem Raj <raj.khem@gmail.com> | 2 | From: Khem Raj <raj.khem@gmail.com> |
3 | Date: Fri, 15 Jan 2016 06:31:09 +0000 | 3 | Date: Fri, 15 Jan 2016 06:31:09 +0000 |
4 | Subject: [PATCH] warn for uses of system directories when cross linking | 4 | Subject: [PATCH] warn for uses of system directories when cross linking |
@@ -59,8 +59,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> | |||
59 | ld/ldfile.c | 17 +++++++++++++++++ | 59 | ld/ldfile.c | 17 +++++++++++++++++ |
60 | ld/ldlex.h | 2 ++ | 60 | ld/ldlex.h | 2 ++ |
61 | ld/ldmain.c | 2 ++ | 61 | ld/ldmain.c | 2 ++ |
62 | ld/lexsup.c | 15 +++++++++++++++ | 62 | ld/lexsup.c | 16 ++++++++++++++++ |
63 | 9 files changed, 85 insertions(+) | 63 | 9 files changed, 86 insertions(+) |
64 | 64 | ||
65 | diff --git a/ld/config.in b/ld/config.in | 65 | diff --git a/ld/config.in b/ld/config.in |
66 | index d93c9b0830..5da2742bea 100644 | 66 | index d93c9b0830..5da2742bea 100644 |
@@ -77,10 +77,10 @@ index d93c9b0830..5da2742bea 100644 | |||
77 | #undef EXTRA_SHLIB_EXTENSION | 77 | #undef EXTRA_SHLIB_EXTENSION |
78 | 78 | ||
79 | diff --git a/ld/configure b/ld/configure | 79 | diff --git a/ld/configure b/ld/configure |
80 | index 811134a503..f8c17c19ae 100755 | 80 | index f432f4637d..a9da3c115e 100755 |
81 | --- a/ld/configure | 81 | --- a/ld/configure |
82 | +++ b/ld/configure | 82 | +++ b/ld/configure |
83 | @@ -826,6 +826,7 @@ with_lib_path | 83 | @@ -830,6 +830,7 @@ with_lib_path |
84 | enable_targets | 84 | enable_targets |
85 | enable_64_bit_bfd | 85 | enable_64_bit_bfd |
86 | with_sysroot | 86 | with_sysroot |
@@ -88,7 +88,7 @@ index 811134a503..f8c17c19ae 100755 | |||
88 | enable_gold | 88 | enable_gold |
89 | enable_got | 89 | enable_got |
90 | enable_compressed_debug_sections | 90 | enable_compressed_debug_sections |
91 | @@ -1491,6 +1492,8 @@ Optional Features: | 91 | @@ -1495,6 +1496,8 @@ Optional Features: |
92 | --disable-largefile omit support for large files | 92 | --disable-largefile omit support for large files |
93 | --enable-targets alternative target configurations | 93 | --enable-targets alternative target configurations |
94 | --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes) | 94 | --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes) |
@@ -97,7 +97,7 @@ index 811134a503..f8c17c19ae 100755 | |||
97 | --enable-gold[=ARG] build gold [ARG={default,yes,no}] | 97 | --enable-gold[=ARG] build gold [ARG={default,yes,no}] |
98 | --enable-got=<type> GOT handling scheme (target, single, negative, | 98 | --enable-got=<type> GOT handling scheme (target, single, negative, |
99 | multigot) | 99 | multigot) |
100 | @@ -15788,6 +15791,19 @@ fi | 100 | @@ -16624,6 +16627,19 @@ fi |
101 | 101 | ||
102 | 102 | ||
103 | 103 | ||
@@ -222,10 +222,10 @@ index 5287f19a7f..55096e4fc9 100644 | |||
222 | 222 | ||
223 | /* The initial parser states. */ | 223 | /* The initial parser states. */ |
224 | diff --git a/ld/ldmain.c b/ld/ldmain.c | 224 | diff --git a/ld/ldmain.c b/ld/ldmain.c |
225 | index da1ad17763..12d0b07d8a 100644 | 225 | index c4af10f4e9..95b56b2d2d 100644 |
226 | --- a/ld/ldmain.c | 226 | --- a/ld/ldmain.c |
227 | +++ b/ld/ldmain.c | 227 | +++ b/ld/ldmain.c |
228 | @@ -274,6 +274,8 @@ main (int argc, char **argv) | 228 | @@ -273,6 +273,8 @@ main (int argc, char **argv) |
229 | command_line.warn_mismatch = TRUE; | 229 | command_line.warn_mismatch = TRUE; |
230 | command_line.warn_search_mismatch = TRUE; | 230 | command_line.warn_search_mismatch = TRUE; |
231 | command_line.check_section_addresses = -1; | 231 | command_line.check_section_addresses = -1; |
@@ -235,7 +235,7 @@ index da1ad17763..12d0b07d8a 100644 | |||
235 | /* We initialize DEMANGLING based on the environment variable | 235 | /* We initialize DEMANGLING based on the environment variable |
236 | COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the | 236 | COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the |
237 | diff --git a/ld/lexsup.c b/ld/lexsup.c | 237 | diff --git a/ld/lexsup.c b/ld/lexsup.c |
238 | index 3d15cc491d..0e8b4f2b7a 100644 | 238 | index 3d15cc491d..6478821443 100644 |
239 | --- a/ld/lexsup.c | 239 | --- a/ld/lexsup.c |
240 | +++ b/ld/lexsup.c | 240 | +++ b/ld/lexsup.c |
241 | @@ -550,6 +550,14 @@ static const struct ld_option ld_options[] = | 241 | @@ -550,6 +550,14 @@ static const struct ld_option ld_options[] = |
@@ -253,10 +253,10 @@ index 3d15cc491d..0e8b4f2b7a 100644 | |||
253 | }; | 253 | }; |
254 | 254 | ||
255 | #define OPTION_COUNT ARRAY_SIZE (ld_options) | 255 | #define OPTION_COUNT ARRAY_SIZE (ld_options) |
256 | @@ -1603,6 +1611,13 @@ parse_args (unsigned argc, char **argv) | 256 | @@ -1604,6 +1612,14 @@ parse_args (unsigned argc, char **argv) |
257 | |||
258 | case OPTION_PRINT_MAP_DISCARDED: | 257 | case OPTION_PRINT_MAP_DISCARDED: |
259 | config.print_map_discarded = TRUE; | 258 | config.print_map_discarded = TRUE; |
259 | break; | ||
260 | + | 260 | + |
261 | + case OPTION_NO_POISON_SYSTEM_DIRECTORIES: | 261 | + case OPTION_NO_POISON_SYSTEM_DIRECTORIES: |
262 | + command_line.poison_system_directories = FALSE; | 262 | + command_line.poison_system_directories = FALSE; |
@@ -264,6 +264,6 @@ index 3d15cc491d..0e8b4f2b7a 100644 | |||
264 | + | 264 | + |
265 | + case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES: | 265 | + case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES: |
266 | + command_line.error_poison_system_directories = TRUE; | 266 | + command_line.error_poison_system_directories = TRUE; |
267 | break; | 267 | + break; |
268 | } | 268 | } |
269 | } | 269 | } |
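diff --git a/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
new file mode 100644
index 0000000000..dc1e09d46b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
@@ -0,0 +1,32 @@
+From bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Sat, 29 Aug 2020 08:03:15 +0100
+Subject: [PATCH] Include members in the variable table used when resolving
+DW_AT_specification tags.
+
+PR 26520
+* dwarf2.c (scan_unit_for_symbols): Add member entries to the
+variable table.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6f04d55f681149a69102a73937d0987719c3f16]
+---
+bfd/dwarf2.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index dd3568a8532..ef2f6a3c63c 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3248,7 +3248,8 @@ scan_unit_for_symbols (struct comp_unit *unit)
+else
+{
+func = NULL;
+- if (abbrev->tag == DW_TAG_variable)
++ if (abbrev->tag == DW_TAG_variable
++ || abbrev->tag == DW_TAG_member)
+{
+bfd_size_type amt = sizeof (struct varinfo);
+var = (struct varinfo *) bfd_zalloc (abfd, amt);
+--
+2.34.1
+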
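Review bot: The imported patch header carries no `Signed-off-by:` from whoever brought it into the layer, and its `From` hash (bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af) differs from the commit named in `Upstream-Status` (e6f04d55f681149a69102a73937d0987719c3f16), so the header alone does not say which upstream object this text was taken from. Presumably it is a cherry-pick of e6f04d55 onto a release branch; stating that in the header, for example `(cherry picked from commit e6f04d55f681149a69102a73937d0987719c3f16)` together with the importer's sign-off, would let the backport be checked against upstream. The code change itself only widens the variable-table test to `DW_TAG_member`; the rest of scan_unit_for_symbols is outside the hunk, so whether that branch is right for member entries cannot be judged from here.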
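diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..c7c7829261
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+
+PR 25827
+* dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
+strdup(0).
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+/* This data structure holds the information of an abbrev. */
+struct abbrev_info
+{
+- unsigned int number; /* Number identifying abbrev. */
+- enum dwarf_tag tag; /* DWARF tag. */
+- int has_children; /* Boolean. */
+- unsigned int num_attrs; /* Number of attributes. */
+- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
+- struct abbrev_info *next; /* Next in chain. */
++ unsigned int number; /* Number identifying abbrev. */
++ enum dwarf_tag tag; /* DWARF tag. */
++ bfd_boolean has_children; /* TRUE if the abbrev has children. */
++ unsigned int num_attrs; /* Number of attributes. */
++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
++ struct abbrev_info * next; /* Next in chain. */
+};
+
+struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+{
+/* Pointer to previous variable in list of all variables */
+struct varinfo *prev_var;
++ /* The offset of the varinfo from the start of the unit. */
++ bfd_uint64_t unit_offset;
+/* Source location file name */
+char *file;
+/* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+/* Where the symbol is defined */
+asection *sec;
+/* Is this a stack variable? */
+- unsigned int stack: 1;
++ bfd_boolean stack;
+};
+
+/* Return TRUE if NEW_LINE should sort after LINE. */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+struct varinfo* each;
+
+for (each = unit->variable_table; each; each = each->prev_var)
+- if (each->stack == 0
++ if (! each->stack
+&& each->file != NULL
+&& each->name != NULL
+&& each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+return TRUE;
+}
+
++static struct varinfo *
++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
++{
++ while (table)
++ {
++ if (table->unit_offset == offset)
++ return table;
++ table = table->prev_var;
++ }
++
++ return NULL;
++}
++
++
+/* DWARF2 Compilation unit functions. */
+
+/* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+bfd_vma low_pc = 0;
+bfd_vma high_pc = 0;
+bfd_boolean high_pc_relative = FALSE;
++ bfd_uint64_t current_offset;
++
++ current_offset = info_ptr - unit->info_ptr_unit;
+
+/* PR 17512: file: 9f405d9d. */
+if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+goto fail;
+}
+
+- var = NULL;
+if (abbrev->tag == DW_TAG_subprogram
+|| abbrev->tag == DW_TAG_entry_point
+|| abbrev->tag == DW_TAG_inlined_subroutine)
+{
+bfd_size_type amt = sizeof (struct funcinfo);
++
++ var = NULL;
+func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+if (func == NULL)
+goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+if (var == NULL)
+goto fail;
+var->tag = abbrev->tag;
+- var->stack = 1;
++ var->stack = TRUE;
+var->prev_var = unit->variable_table;
+unit->variable_table = var;
++ var->unit_offset = current_offset;
+/* PR 18205: Missing debug information can cause this
+var to be attached to an already cached unit. */
+}
+-
++ else
++ var = NULL;
+/* No inline function in scope at this nesting level. */
+nested_funcs[nesting_level].func = 0;
+}
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+{
+switch (attr.name)
+{
++ case DW_AT_specification:
++ if (attr.u.val)
++ {
++ struct varinfo * spec_var;
++
++ spec_var = lookup_var_by_offset (attr.u.val,
++ unit->variable_table);
++ if (spec_var == NULL)
++ {
++ _bfd_error_handler (_("DWARF error: could not find "
++ "variable specification "
++ "at offset %lx"),
++ (unsigned long) attr.u.val);
++ break;
++ }
++
++ if (var->name == NULL)
++ var->name = spec_var->name;
++ if (var->file == NULL && spec_var->file != NULL)
++ var->file = strdup (spec_var->file);
++ if (var->line == 0)
++ var->line = spec_var->line;
++ if (var->sec == NULL)
++ var->sec = spec_var->sec;
++ }
++ break;
++
+case DW_AT_name:
+if (is_str_attr (attr.form))
+var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+
+case DW_AT_external:
+if (attr.u.val != 0)
+- var->stack = 0;
++ var->stack = FALSE;
+break;
+
+case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+if (attr.u.blk->data != NULL
+&& *attr.u.blk->data == DW_OP_addr)
+{
+- var->stack = 0;
++ var->stack = FALSE;
+
+/* Verify that DW_OP_addr is the only opcode in the
+location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+each_var = each_var->prev_var)
+{
+/* Skip stack vars and vars with no files or names. */
+- if (each_var->stack == 0
++ if (! each_var->stack
+&& each_var->file != NULL
+&& each_var->name != NULL)
+/* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2020-04-16 Alan Modra <amodra@gmail.com>
++
++ PR 25827
++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
++ strdup(0).
++
+2021-05-03 Alan Modra <amodra@gmail.com>
+
+PR 27755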
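Review bot: The header of this backport describes a two-line fix (`Wrap overlong lines. Don't strdup(0).`), but the diff also adds the `unit_offset` field, `lookup_var_by_offset` and the whole `case DW_AT_specification:` block, so the patch appears to fold in an earlier upstream change that the header does not name. Anyone auditing the CVE-2020-16593 fix has to separate the actual guard, `if (var->file == NULL && spec_var->file != NULL)`, from that prerequisite code by hand; the header should list the second upstream commit, or the prerequisite should ship as its own patch. In the added block, `lookup_var_by_offset` walks the whole `prev_var` chain for every DW_AT_specification attribute, which deserves a comment because the input is an untrusted object file. The result of `strdup` is stored unchecked; presumably a NULL there just leaves `file` unset, which should be confirmed against the readers of `var->file`. scan_unit_for_symbols starts and ends outside these hunks.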
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch new file mode 100644 index 0000000000..423814f98d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch | |||
@@ -0,0 +1,572 @@ | |||
1 | From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Fri, 26 Feb 2021 11:30:32 +1030 | ||
4 | Subject: [PATCH v2] Reinstate various pieces backed out from smart_rename changes | ||
5 | |||
6 | In the interests of a stable release various last minute smart_rename | ||
7 | patches were backed out of the 2.36 branch. The main reason to | ||
8 | reinstate some of those backed out changes here is to make necessary | ||
9 | followup fixes to commit 8e03235147a9 simple cherry-picks from | ||
10 | mainline. A secondary reason is that ar -M support isn't fixed for | ||
11 | pr26945 without this patch. | ||
12 | |||
13 | PR 26945 | ||
14 | * ar.c: Don't include libbfd.h. | ||
15 | (write_archive): Replace xmalloc+strcpy with xstrdup. | ||
16 | * arsup.c (temp_name, real_ofd): New static variables. | ||
17 | (ar_open): Use make_tempname and bfd_fdopenw. | ||
18 | (ar_save): Adjust to suit ar_open changes. | ||
19 | * objcopy.c: Don't include libbfd.h. | ||
20 | * rename.c: Rename and reorder variables. | ||
21 | |||
22 | (cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770) | ||
23 | |||
24 | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12] | ||
25 | CVE: CVE-2021-20197 | ||
26 | Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> | ||
27 | --- | ||
28 | bfd/bfd-in2.h | 2 + | ||
29 | bfd/opncls.c | 33 ++++++++++ | ||
30 | binutils/ar.c | 15 +++-- | ||
31 | binutils/arsup.c | 37 ++++++++---- | ||
32 | binutils/bucomm.c | 4 +- | ||
33 | binutils/bucomm.h | 5 +- | ||
34 | binutils/objcopy.c | 37 +++++++----- | ||
35 | binutils/rename.c | 148 +++++++++++---------------------------------- | ||
36 | 8 files changed, 133 insertions(+), 148 deletions(-) | ||
37 | |||
38 | diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h | ||
39 | index 2e453c50c18..e53f54a8ab7 100644 | ||
40 | --- a/bfd/bfd-in2.h | ||
41 | +++ b/bfd/bfd-in2.h | ||
42 | @@ -588,6 +588,8 @@ bfd *bfd_openr (const char *filename, const char *target); | ||
43 | |||
44 | bfd *bfd_fdopenr (const char *filename, const char *target, int fd); | ||
45 | |||
46 | +bfd *bfd_fdopenw (const char *filename, const char *target, int fd); | ||
47 | + | ||
48 | bfd *bfd_openstreamr (const char * filename, const char * target, | ||
49 | void * stream); | ||
50 | |||
51 | diff --git a/bfd/opncls.c b/bfd/opncls.c | ||
52 | index a03ad51c8fa..f9da97ed710 100644 | ||
53 | --- a/bfd/opncls.c | ||
54 | +++ b/bfd/opncls.c | ||
55 | @@ -370,6 +370,39 @@ bfd_fdopenr (const char *filename, const char *target, int fd) | ||
56 | return bfd_fopen (filename, target, mode, fd); | ||
57 | } | ||
58 | |||
59 | +/* | ||
60 | +FUNCTION | ||
61 | + bfd_fdopenw | ||
62 | + | ||
63 | +SYNOPSIS | ||
64 | + bfd *bfd_fdopenw (const char *filename, const char *target, int fd); | ||
65 | + | ||
66 | +DESCRIPTION | ||
67 | + <<bfd_fdopenw>> is exactly like <<bfd_fdopenr>> with the exception that | ||
68 | + the resulting BFD is suitable for output. | ||
69 | +*/ | ||
70 | + | ||
71 | +bfd * | ||
72 | +bfd_fdopenw (const char *filename, const char *target, int fd) | ||
73 | +{ | ||
74 | + bfd *out = bfd_fdopenr (filename, target, fd); | ||
75 | + | ||
76 | + if (out != NULL) | ||
77 | + { | ||
78 | + if (!bfd_write_p (out)) | ||
79 | + { | ||
80 | + close (fd); | ||
81 | + _bfd_delete_bfd (out); | ||
82 | + out = NULL; | ||
83 | + bfd_set_error (bfd_error_invalid_operation); | ||
84 | + } | ||
85 | + else | ||
86 | + out->direction = write_direction; | ||
87 | + } | ||
88 | + | ||
89 | + return out; | ||
90 | +} | ||
91 | + | ||
92 | /* | ||
93 | FUNCTION | ||
94 | bfd_openstreamr | ||
95 | diff --git a/binutils/ar.c b/binutils/ar.c | ||
96 | index 1057db9980e..c33a11e0d70 100644 | ||
97 | --- a/binutils/ar.c | ||
98 | +++ b/binutils/ar.c | ||
99 | @@ -1195,20 +1195,23 @@ write_archive (bfd *iarch) | ||
100 | bfd *obfd; | ||
101 | char *old_name, *new_name; | ||
102 | bfd *contents_head = iarch->archive_next; | ||
103 | + int ofd = -1; | ||
104 | |||
105 | - old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1); | ||
106 | - strcpy (old_name, bfd_get_filename (iarch)); | ||
107 | - new_name = make_tempname (old_name); | ||
108 | + old_name = xstrdup (bfd_get_filename (iarch)); | ||
109 | + new_name = make_tempname (old_name, &ofd); | ||
110 | |||
111 | if (new_name == NULL) | ||
112 | bfd_fatal (_("could not create temporary file whilst writing archive")); | ||
113 | |||
114 | output_filename = new_name; | ||
115 | |||
116 | - obfd = bfd_openw (new_name, bfd_get_target (iarch)); | ||
117 | + obfd = bfd_fdopenw (new_name, bfd_get_target (iarch), ofd); | ||
118 | |||
119 | if (obfd == NULL) | ||
120 | - bfd_fatal (old_name); | ||
121 | + { | ||
122 | + close (ofd); | ||
123 | + bfd_fatal (old_name); | ||
124 | + } | ||
125 | |||
126 | output_bfd = obfd; | ||
127 | |||
128 | @@ -1246,7 +1249,7 @@ write_archive (bfd *iarch) | ||
129 | /* We don't care if this fails; we might be creating the archive. */ | ||
130 | bfd_close (iarch); | ||
131 | |||
132 | - if (smart_rename (new_name, old_name, 0) != 0) | ||
133 | + if (smart_rename (new_name, old_name, NULL) != 0) | ||
134 | xexit (1); | ||
135 | free (old_name); | ||
136 | free (new_name); | ||
137 | diff --git a/binutils/arsup.c b/binutils/arsup.c | ||
138 | index 00967c972cd..b8ae4f7ec1a 100644 | ||
139 | --- a/binutils/arsup.c | ||
140 | +++ b/binutils/arsup.c | ||
141 | @@ -42,6 +42,8 @@ extern int deterministic; | ||
142 | |||
143 | static bfd *obfd; | ||
144 | static char *real_name; | ||
145 | +static char *temp_name; | ||
146 | +static int real_ofd; | ||
147 | static FILE *outfile; | ||
148 | |||
149 | static void | ||
150 | @@ -149,27 +151,24 @@ maybequit (void) | ||
151 | void | ||
152 | ar_open (char *name, int t) | ||
153 | { | ||
154 | - char *tname; | ||
155 | - const char *bname = lbasename (name); | ||
156 | - real_name = name; | ||
157 | + real_name = xstrdup (name); | ||
158 | + temp_name = make_tempname (real_name, &real_ofd); | ||
159 | |||
160 | - /* Prepend tmp- to the beginning, to avoid file-name clashes after | ||
161 | - truncation on filesystems with limited namespaces (DOS). */ | ||
162 | - if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1) | ||
163 | + if (temp_name == NULL) | ||
164 | { | ||
165 | - fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"), | ||
166 | + fprintf (stderr, _("%s: Can't open temporary file (%s)\n"), | ||
167 | program_name, strerror(errno)); | ||
168 | maybequit (); | ||
169 | return; | ||
170 | } | ||
171 | |||
172 | - obfd = bfd_openw (tname, NULL); | ||
173 | + obfd = bfd_fdopenw (temp_name, NULL, real_ofd); | ||
174 | |||
175 | if (!obfd) | ||
176 | { | ||
177 | fprintf (stderr, | ||
178 | _("%s: Can't open output archive %s\n"), | ||
179 | - program_name, tname); | ||
180 | + program_name, temp_name); | ||
181 | |||
182 | maybequit (); | ||
183 | } | ||
184 | @@ -344,16 +343,30 @@ ar_save (void) | ||
185 | } | ||
186 | else | ||
187 | { | ||
188 | - char *ofilename = xstrdup (bfd_get_filename (obfd)); | ||
189 | + struct stat target_stat; | ||
190 | |||
191 | if (deterministic > 0) | ||
192 | obfd->flags |= BFD_DETERMINISTIC_OUTPUT; | ||
193 | |||
194 | bfd_close (obfd); | ||
195 | |||
196 | - smart_rename (ofilename, real_name, 0); | ||
197 | + if (stat (real_name, &target_stat) != 0) | ||
198 | + { | ||
199 | + /* The temp file created in ar_open has mode 0600 as per mkstemp. | ||
200 | + Create the real empty output file here so smart_rename will | ||
201 | + update the mode according to the process umask. */ | ||
202 | + obfd = bfd_openw (real_name, NULL); | ||
203 | + if (obfd != NULL) | ||
204 | + { | ||
205 | + bfd_set_format (obfd, bfd_archive); | ||
206 | + bfd_close (obfd); | ||
207 | + } | ||
208 | + } | ||
209 | + | ||
210 | + smart_rename (temp_name, real_name, NULL); | ||
211 | obfd = 0; | ||
212 | - free (ofilename); | ||
213 | + free (temp_name); | ||
214 | + free (real_name); | ||
215 | } | ||
216 | } | ||
217 | |||
218 | diff --git a/binutils/bucomm.c b/binutils/bucomm.c | ||
219 | index 9e6a02843e6..53244201f89 100644 | ||
220 | --- a/binutils/bucomm.c | ||
221 | +++ b/binutils/bucomm.c | ||
222 | @@ -532,7 +532,7 @@ template_in_dir (const char *path) | ||
223 | as FILENAME. */ | ||
224 | |||
225 | char * | ||
226 | -make_tempname (const char *filename) | ||
227 | +make_tempname (const char *filename, int *ofd) | ||
228 | { | ||
229 | char *tmpname = template_in_dir (filename); | ||
230 | int fd; | ||
231 | @@ -550,7 +550,7 @@ make_tempname (const char *filename) | ||
232 | free (tmpname); | ||
233 | return NULL; | ||
234 | } | ||
235 | - close (fd); | ||
236 | + *ofd = fd; | ||
237 | return tmpname; | ||
238 | } | ||
239 | |||
240 | diff --git a/binutils/bucomm.h b/binutils/bucomm.h | ||
241 | index d8318343f78..2b164e0af68 100644 | ||
242 | --- a/binutils/bucomm.h | ||
243 | +++ b/binutils/bucomm.h | ||
244 | @@ -51,7 +51,7 @@ int display_info (void); | ||
245 | |||
246 | void print_arelt_descr (FILE *, bfd *, bfd_boolean, bfd_boolean); | ||
247 | |||
248 | -char *make_tempname (const char *); | ||
249 | +char *make_tempname (const char *, int *); | ||
250 | char *make_tempdir (const char *); | ||
251 | |||
252 | bfd_vma parse_vma (const char *, const char *); | ||
253 | @@ -71,7 +71,8 @@ extern void print_version (const char *); | ||
254 | /* In rename.c. */ | ||
255 | extern void set_times (const char *, const struct stat *); | ||
256 | |||
257 | -extern int smart_rename (const char *, const char *, int); | ||
258 | +extern int smart_rename (const char *, const char *, struct stat *); | ||
259 | + | ||
260 | |||
261 | /* In libiberty. */ | ||
262 | void *xmalloc (size_t); | ||
263 | diff --git a/binutils/objcopy.c b/binutils/objcopy.c | ||
264 | index 212e25144e6..5ccbd926610 100644 | ||
265 | --- a/binutils/objcopy.c | ||
266 | +++ b/binutils/objcopy.c | ||
267 | @@ -3682,7 +3682,7 @@ set_long_section_mode (bfd *output_bfd, bfd *input_bfd, enum long_section_name_h | ||
268 | /* The top-level control. */ | ||
269 | |||
270 | static void | ||
271 | -copy_file (const char *input_filename, const char *output_filename, | ||
272 | +copy_file (const char *input_filename, const char *output_filename, int ofd, | ||
273 | const char *input_target, const char *output_target, | ||
274 | const bfd_arch_info_type *input_arch) | ||
275 | { | ||
276 | @@ -3757,9 +3757,14 @@ copy_file (const char *input_filename, const char *output_filename, | ||
277 | else | ||
278 | force_output_target = TRUE; | ||
279 | |||
280 | - obfd = bfd_openw (output_filename, output_target); | ||
281 | + if (ofd >= 0) | ||
282 | + obfd = bfd_fdopenw (output_filename, output_target, ofd); | ||
283 | + else | ||
284 | + obfd = bfd_openw (output_filename, output_target); | ||
285 | + | ||
286 | if (obfd == NULL) | ||
287 | { | ||
288 | + close (ofd); | ||
289 | bfd_nonfatal_message (output_filename, NULL, NULL, NULL); | ||
290 | status = 1; | ||
291 | return; | ||
292 | @@ -3787,13 +3792,19 @@ copy_file (const char *input_filename, const char *output_filename, | ||
293 | if (output_target == NULL) | ||
294 | output_target = bfd_get_target (ibfd); | ||
295 | |||
296 | - obfd = bfd_openw (output_filename, output_target); | ||
297 | + if (ofd >= 0) | ||
298 | + obfd = bfd_fdopenw (output_filename, output_target, ofd); | ||
299 | + else | ||
300 | + obfd = bfd_openw (output_filename, output_target); | ||
301 | + | ||
302 | if (obfd == NULL) | ||
303 | { | ||
304 | + close (ofd); | ||
305 | bfd_nonfatal_message (output_filename, NULL, NULL, NULL); | ||
306 | status = 1; | ||
307 | return; | ||
308 | } | ||
309 | + | ||
310 | /* This is a no-op on non-Coff targets. */ | ||
311 | set_long_section_mode (obfd, ibfd, long_section_names); | ||
312 | |||
313 | @@ -4746,6 +4757,7 @@ strip_main (int argc, char *argv[]) | ||
314 | int hold_status = status; | ||
315 | struct stat statbuf; | ||
316 | char *tmpname; | ||
317 | + int tmpfd = -1; | ||
318 | |||
319 | if (get_file_size (argv[i]) < 1) | ||
320 | { | ||
321 | @@ -4760,7 +4772,7 @@ strip_main (int argc, char *argv[]) | ||
322 | |||
323 | if (output_file == NULL | ||
324 | || filename_cmp (argv[i], output_file) == 0) | ||
325 | - tmpname = make_tempname (argv[i]); | ||
326 | + tmpname = make_tempname (argv[i], &tmpfd); | ||
327 | else | ||
328 | tmpname = output_file; | ||
329 | |||
330 | @@ -4773,15 +4785,13 @@ strip_main (int argc, char *argv[]) | ||
331 | } | ||
332 | |||
333 | status = 0; | ||
334 | - copy_file (argv[i], tmpname, input_target, output_target, NULL); | ||
335 | + copy_file (argv[i], tmpname, tmpfd, input_target, output_target, NULL); | ||
336 | if (status == 0) | ||
337 | { | ||
338 | - if (preserve_dates) | ||
339 | - set_times (tmpname, &statbuf); | ||
340 | if (output_file != tmpname) | ||
341 | status = (smart_rename (tmpname, | ||
342 | output_file ? output_file : argv[i], | ||
343 | - preserve_dates) != 0); | ||
344 | + preserve_dates ? &statbuf : NULL) != 0); | ||
345 | if (status == 0) | ||
346 | status = hold_status; | ||
347 | } | ||
348 | @@ -4993,7 +5003,7 @@ copy_main (int argc, char *argv[]) | ||
349 | bfd_boolean formats_info = FALSE; | ||
350 | bfd_boolean use_globalize = FALSE; | ||
351 | bfd_boolean use_keep_global = FALSE; | ||
352 | - int c; | ||
353 | + int c, tmpfd = -1; | ||
354 | struct stat statbuf; | ||
355 | const bfd_arch_info_type *input_arch = NULL; | ||
356 | |||
357 | @@ -5839,7 +5849,7 @@ copy_main (int argc, char *argv[]) | ||
358 | are the same, then create a temp and rename the result into the input. */ | ||
359 | if (output_filename == NULL | ||
360 | || filename_cmp (input_filename, output_filename) == 0) | ||
361 | - tmpname = make_tempname (input_filename); | ||
362 | + tmpname = make_tempname (input_filename, &tmpfd); | ||
363 | else | ||
364 | tmpname = output_filename; | ||
365 | |||
366 | @@ -5847,14 +5857,13 @@ copy_main (int argc, char *argv[]) | ||
367 | fatal (_("warning: could not create temporary file whilst copying '%s', (error: %s)"), | ||
368 | input_filename, strerror (errno)); | ||
369 | |||
370 | - copy_file (input_filename, tmpname, input_target, output_target, input_arch); | ||
371 | + copy_file (input_filename, tmpname, tmpfd, input_target, output_target, | ||
372 | + input_arch); | ||
373 | if (status == 0) | ||
374 | { | ||
375 | - if (preserve_dates) | ||
376 | - set_times (tmpname, &statbuf); | ||
377 | if (tmpname != output_filename) | ||
378 | status = (smart_rename (tmpname, input_filename, | ||
379 | - preserve_dates) != 0); | ||
380 | + preserve_dates ? &statbuf : NULL) != 0); | ||
381 | } | ||
382 | else | ||
383 | unlink_if_ordinary (tmpname); | ||
384 | diff --git a/binutils/rename.c b/binutils/rename.c | ||
385 | index bf3b68d0462..07d44d0f314 100644 | ||
386 | --- a/binutils/rename.c | ||
387 | +++ b/binutils/rename.c | ||
388 | @@ -24,14 +24,9 @@ | ||
389 | |||
390 | #ifdef HAVE_GOOD_UTIME_H | ||
391 | #include <utime.h> | ||
392 | -#else /* ! HAVE_GOOD_UTIME_H */ | ||
393 | -#ifdef HAVE_UTIMES | ||
394 | +#elif defined HAVE_UTIMES | ||
395 | #include <sys/time.h> | ||
396 | -#endif /* HAVE_UTIMES */ | ||
397 | -#endif /* ! HAVE_GOOD_UTIME_H */ | ||
398 | - | ||
399 | -#if ! defined (_WIN32) || defined (__CYGWIN32__) | ||
400 | -static int simple_copy (const char *, const char *); | ||
401 | +#endif | ||
402 | |||
403 | /* The number of bytes to copy at once. */ | ||
404 | #define COPY_BUF 8192 | ||
405 | @@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to) | ||
406 | } | ||
407 | return 0; | ||
408 | } | ||
409 | -#endif /* __CYGWIN32__ or not _WIN32 */ | ||
410 | |||
411 | /* Set the times of the file DESTINATION to be the same as those in | ||
412 | STATBUF. */ | ||
413 | @@ -91,122 +85,52 @@ void | ||
414 | set_times (const char *destination, const struct stat *statbuf) | ||
415 | { | ||
416 | int result; | ||
417 | - | ||
418 | - { | ||
419 | #ifdef HAVE_GOOD_UTIME_H | ||
420 | - struct utimbuf tb; | ||
421 | - | ||
422 | - tb.actime = statbuf->st_atime; | ||
423 | - tb.modtime = statbuf->st_mtime; | ||
424 | - result = utime (destination, &tb); | ||
425 | -#else /* ! HAVE_GOOD_UTIME_H */ | ||
426 | -#ifndef HAVE_UTIMES | ||
427 | - long tb[2]; | ||
428 | - | ||
429 | - tb[0] = statbuf->st_atime; | ||
430 | - tb[1] = statbuf->st_mtime; | ||
431 | - result = utime (destination, tb); | ||
432 | -#else /* HAVE_UTIMES */ | ||
433 | - struct timeval tv[2]; | ||
434 | - | ||
435 | - tv[0].tv_sec = statbuf->st_atime; | ||
436 | - tv[0].tv_usec = 0; | ||
437 | - tv[1].tv_sec = statbuf->st_mtime; | ||
438 | - tv[1].tv_usec = 0; | ||
439 | - result = utimes (destination, tv); | ||
440 | -#endif /* HAVE_UTIMES */ | ||
441 | -#endif /* ! HAVE_GOOD_UTIME_H */ | ||
442 | - } | ||
443 | + struct utimbuf tb; | ||
444 | + | ||
445 | + tb.actime = statbuf->st_atime; | ||
446 | + tb.modtime = statbuf->st_mtime; | ||
447 | + result = utime (destination, &tb); | ||
448 | +#elif defined HAVE_UTIMES | ||
449 | + struct timeval tv[2]; | ||
450 | + | ||
451 | + tv[0].tv_sec = statbuf->st_atime; | ||
452 | + tv[0].tv_usec = 0; | ||
453 | + tv[1].tv_sec = statbuf->st_mtime; | ||
454 | + tv[1].tv_usec = 0; | ||
455 | + result = utimes (destination, tv); | ||
456 | +#else | ||
457 | + long tb[2]; | ||
458 | + | ||
459 | + tb[0] = statbuf->st_atime; | ||
460 | + tb[1] = statbuf->st_mtime; | ||
461 | + result = utime (destination, tb); | ||
462 | +#endif | ||
463 | |||
464 | if (result != 0) | ||
465 | non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno)); | ||
466 | } | ||
467 | |||
468 | -#ifndef S_ISLNK | ||
469 | -#ifdef S_IFLNK | ||
470 | -#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) | ||
471 | -#else | ||
472 | -#define S_ISLNK(m) 0 | ||
473 | -#define lstat stat | ||
474 | -#endif | ||
475 | -#endif | ||
476 | - | ||
477 | -/* Rename FROM to TO, copying if TO is a link. | ||
478 | - Return 0 if ok, -1 if error. */ | ||
479 | +/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL, | ||
480 | + is used to fix up timestamps. Return 0 if ok, -1 if error. | ||
481 | + At one time this function renamed files, but file permissions are | ||
482 | + tricky to update given the number of different schemes used by | ||
483 | + various systems. So now we just copy. */ | ||
484 | |||
485 | int | ||
486 | -smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED) | ||
487 | +smart_rename (const char *from, const char *to, | ||
488 | + struct stat *target_stat) | ||
489 | { | ||
490 | - bfd_boolean exists; | ||
491 | - struct stat s; | ||
492 | - int ret = 0; | ||
493 | - | ||
494 | - exists = lstat (to, &s) == 0; | ||
495 | - | ||
496 | -#if defined (_WIN32) && !defined (__CYGWIN32__) | ||
497 | - /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but | ||
498 | - fail instead. Also, chown is not present. */ | ||
499 | + int ret; | ||
500 | |||
501 | - if (exists) | ||
502 | - remove (to); | ||
503 | - | ||
504 | - ret = rename (from, to); | ||
505 | + ret = simple_copy (from, to); | ||
506 | if (ret != 0) | ||
507 | - { | ||
508 | - /* We have to clean up here. */ | ||
509 | - non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); | ||
510 | - unlink (from); | ||
511 | - } | ||
512 | -#else | ||
513 | - /* Use rename only if TO is not a symbolic link and has | ||
514 | - only one hard link, and we have permission to write to it. */ | ||
515 | - if (! exists | ||
516 | - || (!S_ISLNK (s.st_mode) | ||
517 | - && S_ISREG (s.st_mode) | ||
518 | - && (s.st_mode & S_IWUSR) | ||
519 | - && s.st_nlink == 1) | ||
520 | - ) | ||
521 | - { | ||
522 | - ret = rename (from, to); | ||
523 | - if (ret == 0) | ||
524 | - { | ||
525 | - if (exists) | ||
526 | - { | ||
527 | - /* Try to preserve the permission bits and ownership of | ||
528 | - TO. First get the mode right except for the setuid | ||
529 | - bit. Then change the ownership. Then fix the setuid | ||
530 | - bit. We do the chmod before the chown because if the | ||
531 | - chown succeeds, and we are a normal user, we won't be | ||
532 | - able to do the chmod afterward. We don't bother to | ||
533 | - fix the setuid bit first because that might introduce | ||
534 | - a fleeting security problem, and because the chown | ||
535 | - will clear the setuid bit anyhow. We only fix the | ||
536 | - setuid bit if the chown succeeds, because we don't | ||
537 | - want to introduce an unexpected setuid file owned by | ||
538 | - the user running objcopy. */ | ||
539 | - chmod (to, s.st_mode & 0777); | ||
540 | - if (chown (to, s.st_uid, s.st_gid) >= 0) | ||
541 | - chmod (to, s.st_mode & 07777); | ||
542 | - } | ||
543 | - } | ||
544 | - else | ||
545 | - { | ||
546 | - /* We have to clean up here. */ | ||
547 | - non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); | ||
548 | - unlink (from); | ||
549 | - } | ||
550 | - } | ||
551 | - else | ||
552 | - { | ||
553 | - ret = simple_copy (from, to); | ||
554 | - if (ret != 0) | ||
555 | - non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno)); | ||
556 | + non_fatal (_("unable to copy file '%s'; reason: %s"), | ||
557 | + to, strerror (errno)); | ||
558 | |||
559 | - if (preserve_dates) | ||
560 | - set_times (to, &s); | ||
561 | - unlink (from); | ||
562 | - } | ||
563 | -#endif /* _WIN32 && !__CYGWIN32__ */ | ||
564 | + if (target_stat != NULL) | ||
565 | + set_times (to, target_stat); | ||
566 | + unlink (from); | ||
567 | |||
568 | return ret; | ||
569 | } | ||
570 | -- | ||
571 | 2.17.1 | ||
572 | |||
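--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+DWARF debug sections.
+
+PR 26946
+* dwarf2.c (read_section): Check for debug sections with excessive
+sizes.
+
+
+Upstream-Status: Backport [
+https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
+]
+CVE: CVE-2021-3487
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+bfd/dwarf2.c | 25 +++++++++++++++++++------
+1 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd * abfd,
+bfd_byte ** section_buffer,
+bfd_size_type * section_size)
+{
+- asection *msec;
+const char *section_name = sec->uncompressed_name;
+bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+/* The section may have already been read. */
+if (contents == NULL)
+{
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+{
+section_name = sec->compressed_name;
+if (section_name != NULL)
+msec = bfd_get_section_by_name (abfd, section_name);
+}
+- if (! msec)
++ if (msec == NULL)
+{
+_bfd_error_handler (_("DWARF error: can't find %s section."),
+sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd * abfd,
+return FALSE;
+}
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+/* Paranoia - alloc one extra so that we can make sure a string
+section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+if (amt == 0)
+{
++ /* Paranoia - this should never happen. */
+bfd_set_error (bfd_error_no_memory);
+return FALSE;
+}
+--
+2.27.0
+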
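Review bot: The new size check `if (amt >= filesize)` in read_section has no case for `bfd_get_file_size` being unable to report a size; if that function returns 0 in that situation (its definition is not on this page, so confirm), every debug section would be rejected as oversized. A guard such as `if (filesize != 0 && amt >= filesize)` keeps the sanity check for file-backed inputs without turning it into a blanket failure. It is also worth confirming how the check behaves for compressed debug sections, where the limit returned by `bfd_get_section_limit_octets` may legitimately exceed the on-disk size. The `(long)` casts in the error message truncate where `long` is narrower than `bfd_size_type`, so the two values printed can be misleading. read_section continues outside the hunk.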
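--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows. Uses bfd_malloc_and_get_section for
+sanity checking section size.
+
+PR 27290
+PR 27293
+PR 27295
+* od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+Use bfd_malloc_and_get_section.
+(elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+check namesz. Return NULL if descsz is too small. Ensure
+string table is terminated.
+(elf32_avr_get_device_info): Formatting. Add note_size param.
+Sanity check note.
+(elf32_avr_dump_mem_usage): Adjust to suit.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 1e9a96c9bb6..02e5019204e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,17 @@
++2021-02-11 Alan Modra <amodra@gmail.com>
++
++ PR 27290
++ PR 27293
++ PR 27295
++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
++ Use bfd_malloc_and_get_section.
++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
++ check namesz. Return NULL if descsz is too small. Ensure
++ string table is terminated.
++ (elf32_avr_get_device_info): Formatting. Add note_size param.
++ Sanity check note.
++ (elf32_avr_dump_mem_usage): Adjust to suit.
++
+2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
+
+* ar.c (main): Update bfd_plugin_set_program_name call.
+diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
+index 5ec99957fe9..1d32bce918e 100644
+--- a/binutils/od-elf32_avr.c
++++ b/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+}
+
+-static char*
++static char *
+elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+{
+asection *section;
++ bfd_byte *contents;
+
+- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
++ if (section == NULL)
+return NULL;
+
+- *size = bfd_section_size (section);
+- char *contents = (char *) xmalloc (*size);
+- bfd_get_section_contents (abfd, section, contents, 0, *size);
++ if (!bfd_malloc_and_get_section (abfd, section, &contents))
++ {
++ free (contents);
++ contents = NULL;
++ }
+
+- return contents;
++ *size = bfd_section_size (section);
++ return (char *) contents;
+}
+
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+- bfd_size_type size)
++static char *
++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
++ bfd_size_type *descsz)
+{
+Elf_External_Note *xnp = (Elf_External_Note *) contents;
+Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+if (in.namesz > contents - in.namedata + size)
+return NULL;
+
++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
++ return NULL;
++
+in.descsz = bfd_get_32 (abfd, xnp->descsz);
+in.descdata = in.namedata + align_power (in.namesz, 2);
+- if (in.descsz != 0
+- && (in.descdata >= contents + size
+- || in.descsz > contents - in.descdata + size))
++ if (in.descsz < 6 * sizeof (uint32_t)
++ || in.descdata >= contents + size
++ || in.descsz > contents - in.descdata + size)
+return NULL;
+
+- if (strcmp (in.namedata, "AVR") != 0)
+- return NULL;
++ /* If the note has a string table, ensure it is 0 terminated. */
++ if (in.descsz > 8 * sizeof (uint32_t))
++ in.descdata[in.descsz - 1] = 0;
+
++ *descsz = in.descsz;
+return in.descdata;
+}
+
+static void
+elf32_avr_get_device_info (bfd *abfd, char *description,
+- deviceinfo *device)
++ bfd_size_type desc_size, deviceinfo *device)
+{
+if (description == NULL)
+return;
+
+const bfd_size_type memory_sizes = 6;
+
+- memcpy (device, description, memory_sizes * sizeof(uint32_t));
+- device->name = NULL;
++ memcpy (device, description, memory_sizes * sizeof (uint32_t));
++ desc_size -= memory_sizes * sizeof (uint32_t);
++ if (desc_size < 8)
++ return;
+
+- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+
+/* If the only content is the size itself, there's nothing in the table */
+- if (stroffset_table_size == 4)
++ if (stroffset_table_size < 8)
+return;
++ if (desc_size <= stroffset_table_size)
++ return;
++ desc_size -= stroffset_table_size;
+
+/* First entry is the device name index. */
+uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
++ if (device_name_index >= desc_size)
++ return;
+
++ char *str_table = (char *) stroffset_table + stroffset_table_size;
+device->name = str_table + device_name_index;
+}
+
+@@ -183,7 +201,7 @@ static void
+elf32_avr_dump_mem_usage (bfd *abfd)
+{
+char *description = NULL;
+- bfd_size_type note_section_size = 0;
++ bfd_size_type sec_size, desc_size;
+
+deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+bfd_size_type text_usage = 0;
+bfd_size_type eeprom_usage = 0;
+
+- char *contents = elf32_avr_get_note_section_contents (abfd,
+- ¬e_section_size);
++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+
+if (contents != NULL)
+{
+- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+- elf32_avr_get_device_info (abfd, description, &device);
++ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
++ &desc_size);
++ elf32_avr_get_device_info (abfd, description, desc_size, &device);
+}
+
+elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,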
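Review bot: In elf32_avr_dump_mem_usage, `desc_size` is now declared without an initialiser and is passed by value to elf32_avr_get_device_info even when elf32_avr_get_note_desc returned NULL, a path on which `*descsz` is never written. The callee returns early on a NULL description, so nothing is computed from the value, but an indeterminate value is still read at the call and uninitialised-read checkers will flag it; the declaration being replaced initialised its size to 0. `bfd_size_type sec_size = 0, desc_size = 0;` restores that. Separately, the `Signed-of-by:` trailer in the patch header is misspelled, so tooling that parses trailers will not recognise it. elf32_avr_dump_mem_usage continues outside the hunk.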
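--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
@@ -0,0 +1,35 @@
+From 46322722ad40ac1a75672ae0f62f4969195f1368 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Jan 2022 13:58:38 +1030
+Subject: [PATCH] PR28753, buffer overflow in read_section_stabs_debugging_info
+
+PR 28753
+* rddbg.c (read_section_stabs_debugging_info): Don't read past
+end of section when concatentating stab strings.
+
+CVE: CVE-2021-46174
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97]
+
+(cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba)
+(cherry picked from commit cad4d6b91e97b6962807d33c04ed7e7797788438)
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+---
+binutils/rddbg.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/rddbg.c b/binutils/rddbg.c
+index 72e934055b5..5e76d94a3c4 100644
+--- a/binutils/rddbg.c
++++ b/binutils/rddbg.c
+@@ -207,7 +207,7 @@ read_section_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount,
+an attempt to read the byte before 'strings' would occur. */
+while ((len = strlen (s)) > 0
+&& s[len - 1] == '\\'
+- && stab + 12 < stabs + stabsize)
++ && stab + 16 <= stabs + stabsize)
+{
+char *p;
+
+--
+2.23.1
+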
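Review bot: The corrected bound `stab + 16 <= stabs + stabsize` still forms `stab + 16` before it is known that 16 bytes remain, and computing a pointer more than one past the end of the buffer is undefined even when it is only compared. Comparing the remaining length avoids that: `&& stabs + stabsize - stab >= 16`, the same shape the CVE-2022-38533 patch in this commit uses (`recend - rec >= 4`). A short comment saying what 16 stands for would also help the next reader; presumably it is the 12-byte stab record being skipped plus the 4-byte string offset read from the following record, but the loop body is outside the hunk, so confirm before writing it down.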
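--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
@@ -0,0 +1,37 @@
+From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 13 Aug 2022 15:32:47 +0930
+Subject: [PATCH] PR29482 - strip: heap-buffer-overflow
+
+PR 29482
+* coffcode.h (coff_set_section_contents): Sanity check _LIB.
+
+CVE: CVE-2022-38533
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
+
+---
+bfd/coffcode.h | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index dec2e9c6370..75c18d88602 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd,
+
+rec = (bfd_byte *) location;
+recend = rec + count;
+- while (rec < recend)
++ while (recend - rec >= 4)
+{
++ size_t len = bfd_get_32 (abfd, rec);
++ if (len == 0 || len > (size_t) (recend - rec) / 4)
++ break;
++ rec += len * 4;
+++section->lma;
+- rec += bfd_get_32 (abfd, rec) * 4;
+}
+
+BFD_ASSERT (rec == recend);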
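Review bot: When the new check breaks out of the loop on a zero or oversized record length, execution falls through to `BFD_ASSERT (rec == recend)` with `section->lma` only partly counted, and that assertion is the only signal that the _LIB data was malformed. If BFD_ASSERT merely reports and continues (its definition is not on this page), the function goes on to write a section whose record count is already known to be wrong. Consider failing explicitly after the loop, for example `if (rec != recend) { bfd_set_error (bfd_error_bad_value); return FALSE; }`, assuming coff_set_section_contents returns bfd_boolean; its signature and the rest of its body are outside the hunk.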
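--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+PR 29254
+* stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/stabs.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+dc->u.s_binary.right,
+&varargs);
+if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+return debug_make_function_type (dhandle, dt, pargs, varargs);
+}
+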
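--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+PR 29255
+* bucomm.c (make_tempdir, make_tempname): Free template on all
+failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/bucomm.c | 20 +++++++++++---------
+1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+#else
+tmpname = mktemp (tmpname);
+if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+#endif
+if (fd == -1)
+{
+@@ -561,22 +562,23 @@
+make_tempdir (const char *filename)
+{
+char *tmpname = template_in_dir (filename);
++ char *ret;
+
+#ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+#else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+#if defined (_WIN32) && !defined (__CYGWIN32__)
+if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+#else
+if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+#endif
+- return tmpname;
+#endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+}
+
+/* Parse a string into a VMA, with a fatal error if it can't be
+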
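Review bot: In the non-HAVE_MKDTEMP branch of make_tempdir, `mkdir (tmpname, 0700)` now runs even when `mktemp` returned NULL, because the early `return NULL` was removed and nothing tests `ret` before the call. If that mkdir succeeds, `ret` is still NULL, so the function frees tmpname and reports failure while leaving a directory behind. Guarding the call keeps the old ordering: `if (ret != NULL && mkdir (tmpname, 0700) != 0) ret = NULL;`, and the same for the `_WIN32` variant. In the first hunk, `tmpname = mktemp (tmpname)` still overwrites the only pointer to the template, so whatever the `fd == -1` branch frees (its body is outside the hunk) can no longer be the original allocation when mktemp returns NULL.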
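--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+PR 29262
+* prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/prdbg.c | 7 ++-----
+1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+free (s);
+-
+- return TRUE;
++ return ret;
+}
+
+/* Turn the top type on the stack into a reference to that type. */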
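--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+PR 29261
+* stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/stabs.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+++c;
+}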
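--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+PR 29846
+PR 20337
+* objdump.c (compare_symbols): Test symbol flags to exclude
+section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/objdump.c | 23 ++++++++++-------------
+1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+return 1;
+}
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+&& bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+/* Symbols that start with '.' might be section names, so sort them
+after symbols that don't start with '.'. */
+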
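Review bot: The new comment above `bfd_vma asz = 0;` explains the sort order but not the ordering of the two tests, which is the actual fix. Per the commit message the flags test has to come before `bfd_get_flavour (bfd_asymbol_bfd (a))` so that section and synthetic symbols never reach the flavour lookup, and a later cleanup could easily swap the operands back. I would add `/* Test flags first: section and synthetic symbols must not reach bfd_asymbol_bfd (PR29846). */` above the first `if`. The declarations of asz and bsz now sit after statements; compare_symbols starts outside the hunk, so whether the file otherwise declares at block top cannot be checked here.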
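--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+memory when parsing a corrupt ELF file.
+
+PR 29924
+* objdump.c (load_specific_debug_section): Check for excessively
+large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+binutils/ChangeLog | 6 ++++++
+binutils/objdump.c | 4 +++-
+2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+2021-02-11 Alan Modra <amodra@gmail.com>
+
+PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+section->size = bfd_section_size (sec);
+/* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+{
+section->start = NULL;
+free_debug_section (debug);
+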
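Review bot: The added size test in load_specific_debug_section is skipped whenever `bfd_get_size (abfd)` returns 0, so in that case only the two overflow checks guard the allocation of `section->size + 1` bytes. If 0 means the file size could not be determined (inferred, not visible here), a corrupt section header still drives the request, and a fixed upper bound as a fallback would close that. `bfd_get_size (abfd)` is also evaluated twice in one condition and could be read into a local first. Separately, the ChangeLog hunk in this backport prepends at `@@ -1,3 +1,9 @@`, which can conflict with any other backport that touches the top of binutils/ChangeLog; dropping that hunk keeps the patch stack independent of ordering.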
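--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -0,0 +1,530 @@
+CVE: CVE-2023-25584
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: this is backport of the original patch, no major changes just
+fix this patch for this release]
+From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 18:28:49 +1030
+Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module
+
+PR 29873
+PR 29874
+PR 29875
+PR 29876
+PR 29877
+PR 29878
+PR 29879
+PR 29880
+PR 29881
+PR 29882
+PR 29883
+PR 29884
+PR 29885
+PR 29886
+PR 29887
+PR 29888
+PR 29889
+PR 29890
+PR 29891
+* vms-alpha.c (parse_module): Make length param bfd_size_type.
+Delete length == -1 checks. Sanity check record_length.
+Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+before accessing.
+(build_module_list): Pass dst_section size to parse_module.
+---
+bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++----------
+1 file changed, 168 insertions(+), 45 deletions(-)
+
+--- binutils-2.34.orig/bfd/vms-alpha.c
++++ binutils-2.34/bfd/vms-alpha.c
+@@ -4267,7 +4267,7 @@ new_module (bfd *abfd)
+
+static void
+parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+- int length)
++ bfd_size_type length)
+{
+unsigned char *maxptr = ptr + length;
+unsigned char *src_ptr, *pcl_ptr;
+@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module *
+curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
+module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (ptr < maxptr)
+{
+/* The first byte is not counted in the recorded length. */
+int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module *
+
+vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+- if (length == -1 && rec_type == DST__K_MODEND)
++ if (rec_length > maxptr - ptr)
++ break;
++ if (rec_type == DST__K_MODEND)
+break;
+
+switch (rec_type)
+{
+case DST__K_MODBEG:
++ if (rec_length <= DST_S_B_MODBEG_NAME)
++ break;
+module->name
+= _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+- maxptr - (ptr + DST_S_B_MODBEG_NAME));
++ rec_length - DST_S_B_MODBEG_NAME);
+
+curr_pc = 0;
+prev_pc = 0;
+@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module *
+break;
+
+case DST__K_RTNBEG:
++ if (rec_length <= DST_S_B_RTNBEG_NAME)
++ break;
+funcinfo = (struct funcinfo *)
+bfd_zalloc (abfd, sizeof (struct funcinfo));
+funcinfo->name
+= _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++ rec_length - DST_S_B_RTNBEG_NAME);
+funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+funcinfo->next = module->func_table;
+module->func_table = funcinfo;
+@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module *
+break;
+
+case DST__K_RTNEND:
++ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++ break;
+module->func_table->high = module->func_table->low
++ bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
+@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module *
+
+vms_debug2 ((3, "source info\n"));
+
+- while (src_ptr < ptr + rec_length)
++ while (src_ptr - ptr < rec_length)
+{
+int cmd = src_ptr[0], cmd_length, data;
+
+switch (cmd)
+{
+case DST__K_SRC_DECLFILE:
++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++ cmd_length = 0x10000;
++ else
++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_INCRLNUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_SETFILE:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETLNUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETLNUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETREC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETREC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_FORMFEED:
++ cmd_length = 1;
++ break;
++
++ default:
++ cmd_length = 2;
++ break;
++ }
++
++ if (src_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_SRC_DECLFILE:
+{
+unsigned int fileid
+= bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
+@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module *
+
+module->file_table [fileid].name = filename;
+module->file_table [fileid].srec = 1;
+- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+fileid, module->file_table [fileid].name));
+}
+@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module *
+srec->sfile = curr_srec->sfile;
+curr_srec->next = srec;
+curr_srec = srec;
+- cmd_length = 2;
+vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+break;
+
+@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module *
+srec->sfile = curr_srec->sfile;
+curr_srec->next = srec;
+curr_srec = srec;
+- cmd_length = 3;
+vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+break;
+
+case DST__K_SRC_INCRLNUM_B:
+data = src_ptr[DST_S_B_SRC_UNSBYTE];
+curr_srec->line += data;
+- cmd_length = 2;
+vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+break;
+
+@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module *
+data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+curr_srec->sfile = data;
+curr_srec->srec = module->file_table[data].srec;
+- cmd_length = 3;
+vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+break;
+
+case DST__K_SRC_SETLNUM_L:
+data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+curr_srec->line = data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+break;
+
+case DST__K_SRC_SETLNUM_W:
+data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+curr_srec->line = data;
+- cmd_length = 3;
+vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+break;
+
+@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module *
+data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+curr_srec->srec = data;
+module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+break;
+
+@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module *
+data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+curr_srec->srec = data;
+module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 3;
+vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+break;
+
+case DST__K_SRC_FORMFEED:
+- cmd_length = 1;
+vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+break;
+
+default:
+_bfd_error_handler (_("unknown source command %d"),
+cmd);
+- cmd_length = 2;
+break;
+}
+
+@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module *
+
+vms_debug2 ((3, "line info\n"));
+
+- while (pcl_ptr < ptr + rec_length)
++ while (pcl_ptr - ptr < rec_length)
+{
+/* The command byte is signed so we must sign-extend it. */
+int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module *
+switch (cmd)
+{
+case DST__K_DELTA_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_DELTA_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_INCR_LINUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_INCR_LINUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_INCR_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_LINUM_INCR:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM_INCR_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_RESET_LINUM_INCR:
++ cmd_length = 1;
++ break;
++
++ case DST__K_BEG_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_END_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_SET_LINUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_PC:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_STMTNUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_TERM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_ABS_PC:
++ cmd_length = 5;
++ break;
++
++ default:
++ if (cmd <= 0)
++ cmd_length = 1;
++ else
++ cmd_length = 2;
++ break;
++ }
++
++ if (pcl_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_DELTA_PC_W:
+data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+curr_pc += data;
+curr_linenum += 1;
+- cmd_length = 3;
+vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+break;
+
+@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module *
+data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+curr_pc += data;
+curr_linenum += 1;
+- cmd_length = 5;
+vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+break;
+
+case DST__K_INCR_LINUM:
+data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+curr_linenum += data;
+- cmd_length = 2;
+vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+break;
+
+case DST__K_INCR_LINUM_W:
+data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+curr_linenum += data;
+- cmd_length = 3;
+vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+break;
+
+case DST__K_INCR_LINUM_L:
+data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+curr_linenum += data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+break;
+
+case DST__K_SET_LINUM_INCR:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+- cmd_length = 2;
+break;
+
+case DST__K_SET_LINUM_INCR_W:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+- cmd_length = 3;
+break;
+
+case DST__K_RESET_LINUM_INCR:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+- cmd_length = 1;
+break;
+
+case DST__K_BEG_STMT_MODE:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+- cmd_length = 1;
+break;
+
+case DST__K_END_STMT_MODE:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_END_STMT_MODE");
+- cmd_length = 1;
+break;
+
+case DST__K_SET_LINUM_B:
+data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+curr_linenum = data;
+- cmd_length = 2;
+vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+break;
+
+case DST__K_SET_LINUM:
+data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+curr_linenum = data;
+- cmd_length = 3;
+vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+break;
+
+case DST__K_SET_LINUM_L:
+data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+curr_linenum = data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+break;
+
+case DST__K_SET_PC:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_PC");
+- cmd_length = 2;
+break;
+
+case DST__K_SET_PC_W:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_PC_W");
+- cmd_length = 3;
+break;
+
+case DST__K_SET_PC_L:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_PC_L");
+- cmd_length = 5;
+break;
+
+case DST__K_SET_STMTNUM:
+_bfd_error_handler
+(_("%s not implemented"), "DST__K_SET_STMTNUM");
+- cmd_length = 2;
+break;
+
+case DST__K_TERM:
+data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+curr_pc += data;
+- cmd_length = 2;
+vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+break;
+
+case DST__K_TERM_W:
+data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+curr_pc += data;
+- cmd_length = 3;
+vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+break;
+
+case DST__K_TERM_L:
+data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+curr_pc += data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+break;
+
+case DST__K_SET_ABS_PC:
+data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+curr_pc = data;
+- cmd_length = 5;
+vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+break;
+
+@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
+{
+curr_pc -= cmd;
+curr_linenum += 1;
+- cmd_length = 1;
+vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+(unsigned long)curr_pc, curr_linenum));
+}
+else
+- {
+- _bfd_error_handler (_("unknown line command %d"), cmd);
+- cmd_length = 2;
+- }
++ _bfd_error_handler (_("unknown line command %d"), cmd);
+break;
+}
+
+@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
+return NULL;
+
+module = new_module (abfd);
+- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
++ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
+list = module;
+}
+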
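Review bot: The new `cmd_length` checks bound how many bytes each source command reads, but the values read are still used as array indexes without a range check: in DST__K_SRC_SETFILE `module->file_table[data].srec` takes a 16-bit `data` straight from the record, and the SETREC_L and SETREC_W cases write `module->file_table[curr_srec->sfile].srec = data` through that stored index. Each of those accesses needs the index compared against the number of allocated file_table entries, skipping the command when it is out of range. Two more gaps in the same function: the outer `while (ptr < maxptr)` still lets `bfd_getl16 (ptr)` run with a single byte left, and DST__K_RTNEND dereferences `module->func_table` without checking that an RTNBEG record came first. parse_module is only partly visible in these hunks, so checks in the elided context cannot be ruled out.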
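--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,149 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+PR 29677
+* mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+CVE: CVE-2022-47696
+
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+
+bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
+1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+bfd_mach_o_symtab_command *symtab = mdata->symtab;
+asymbol *s;
+char * s_start;
+- char * s_end;
+unsigned long count, i, j, n;
+size_t size;
+char *names;
+- char *nul_name;
+const char stub [] = "$stub";
+
+*ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+/* We need to allocate a bfd symbol for every indirect symbol and to
+allocate the memory for its name. */
+count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+for (j = 0; j < count; j++)
+{
+- const char * strng;
+unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+/* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+}
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+s = *ret = (asymbol *) s_start;
+if (s == NULL)
+return -1;
+names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+n = 0;
+for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+/* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+goto fail;
+
+for (j = first; j < last; j++)
+{
+unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+{
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+}
+- else
+- s->name = nul_name;
+-
+addr += entry_size;
+- s++;
+- n++;
+}
+break;
+default:
+--
+2.39.3
+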
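Review bot: The allocation `bfd_malloc (size + count * sizeof (asymbol))` in the new mach-o.c code is computed without an overflow check, and `count` is taken from `dysymtab->nindirectsyms`, which presumably comes from the input file. If the sum wraps (most plausible where `size_t` is 32 bits), `names = (char *) (s + count)` would point past the buffer, and the later `n >= count` and `size < len + sizeof (stub)` guards would not catch it because they trust the computed sizes. Unless `nindirectsyms` is already bounded where the dysymtab command is read (outside these hunks), a guard before the allocation such as `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;` would close that gap. The body of `bfd_mach_o_get_synthetic_symtab` starts and ends outside the hunks shown, so this is based only on the visible lines.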