Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
-rw-r--r--meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch257
-rw-r--r--meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch26
-rw-r--r--meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch204
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch572
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch83
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch183
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch35
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch37
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch64
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch34
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch31
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch57
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch49
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch530
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch149
17 files changed, 2362 insertions, 13 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..2af82477ac
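--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,257 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+ PR 28694
+ * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+ Negate typenum earlier, simplifying bounds checking. Correct
+ off-by-one indexing. Adjust switch cases.
+
+
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+ (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+ (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+ {
+ debug_type rettype;
+ const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+ {
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+ return DEBUG_TYPE_NULL;
+ }
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+ {
+- case 1:
++ case 0:
+ /* The size of this and all the other types are fixed, defined
+ by the debugging format. */
+ name = "int";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 2:
++ case 1:
+ name = "char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 3:
++ case 2:
+ name = "short";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 4:
++ case 3:
+ name = "long";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 5:
++ case 4:
+ name = "unsigned char";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 6:
++ case 5:
+ name = "signed char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 7:
++ case 6:
+ name = "unsigned short";
+ rettype = debug_make_int_type (dhandle, 2, TRUE);
+ break;
+- case 8:
++ case 7:
+ name = "unsigned int";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 9:
++ case 8:
+ name = "unsigned";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 10:
++ case 9:
+ name = "unsigned long";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 11:
++ case 10:
+ name = "void";
+ rettype = debug_make_void_type (dhandle);
+ break;
+- case 12:
++ case 11:
+ /* IEEE single precision (32 bit). */
+ name = "float";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 13:
++ case 12:
+ /* IEEE double precision (64 bit). */
+ name = "double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 14:
++ case 13:
+ /* This is an IEEE double on the RS/6000, and different machines
+ with different sizes for "long double" should use different
+ negative type numbers. See stabs.texinfo. */
+ name = "long double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 15:
++ case 14:
+ name = "integer";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 16:
++ case 15:
+ name = "boolean";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 17:
++ case 16:
+ name = "short real";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 18:
++ case 17:
+ name = "real";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 19:
++ case 18:
+ /* FIXME */
+ name = "stringptr";
+ rettype = NULL;
+ break;
+- case 20:
++ case 19:
+ /* FIXME */
+ name = "character";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 21:
++ case 20:
+ name = "logical*1";
+ rettype = debug_make_bool_type (dhandle, 1);
+ break;
+- case 22:
++ case 21:
+ name = "logical*2";
+ rettype = debug_make_bool_type (dhandle, 2);
+ break;
+- case 23:
++ case 22:
+ name = "logical*4";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 24:
++ case 23:
+ name = "logical";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 25:
++ case 24:
+ /* Complex type consisting of two IEEE single precision values. */
+ name = "complex";
+ rettype = debug_make_complex_type (dhandle, 8);
+ break;
+- case 26:
++ case 25:
+ /* Complex type consisting of two IEEE double precision values. */
+ name = "double complex";
+ rettype = debug_make_complex_type (dhandle, 16);
+ break;
+- case 27:
++ case 26:
+ name = "integer*1";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 28:
++ case 27:
+ name = "integer*2";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 29:
++ case 28:
+ name = "integer*4";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 30:
++ case 29:
+ /* FIXME */
+ name = "wchar";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 31:
++ case 30:
+ name = "long long";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+- case 32:
++ case 31:
+ name = "unsigned long long";
+ rettype = debug_make_int_type (dhandle, 8, TRUE);
+ break;
+- case 33:
++ case 32:
+ name = "logical*8";
+ rettype = debug_make_bool_type (dhandle, 8);
+ break;
+- case 34:
++ case 33:
+ name = "integer*8";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+ }
+
+ rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+ return rettype;
+ }
+
+--
+2.27.0
+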
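Review bot: In the rejected-type branch of `stab_xcoff_builtin_type`, the new `fprintf` passes `-typenum - 1`, which is now an `unsigned int` expression, to a `%d` conversion; a cast, `(int) (-typenum - 1)`, keeps the format and the argument type matched. The bounds check depends on unsigned wraparound: after `typenum = -typenum - 1;` every non-negative input becomes a very large value and is rejected by `typenum >= XCOFF_TYPE_COUNT`, which deserves a comment such as `/* Builtin types are negative: map -1..-N to 0..N-1; any other value wraps out of range. */`. Because the index is now zero-based, it is worth confirming in the full file that `xcoff_types` is declared with `XCOFF_TYPE_COUNT` elements, since the declaration is outside these hunks. The part of the function between the two inner hunks (the `default` case) is not shown here.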
diff --git a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
index 11a8110d40..88cce49e46 100644
--- a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
+++ b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
@@ -1,4 +1,4 @@
1From 7b24f81e04c9d00d96de7dbd250beade6d2c6e44 Mon Sep 17 00:00:00 2001 1From 12b658c0fe5771d16067baef933b7f34ed455def Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com> 2From: Khem Raj <raj.khem@gmail.com>
3Date: Fri, 15 Jan 2016 06:31:09 +0000 3Date: Fri, 15 Jan 2016 06:31:09 +0000
4Subject: [PATCH] warn for uses of system directories when cross linking 4Subject: [PATCH] warn for uses of system directories when cross linking
@@ -59,8 +59,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
59 ld/ldfile.c | 17 +++++++++++++++++ 59 ld/ldfile.c | 17 +++++++++++++++++
60 ld/ldlex.h | 2 ++ 60 ld/ldlex.h | 2 ++
61 ld/ldmain.c | 2 ++ 61 ld/ldmain.c | 2 ++
62 ld/lexsup.c | 15 +++++++++++++++ 62 ld/lexsup.c | 16 ++++++++++++++++
63 9 files changed, 85 insertions(+) 63 9 files changed, 86 insertions(+)
64 64
65diff --git a/ld/config.in b/ld/config.in 65diff --git a/ld/config.in b/ld/config.in
66index d93c9b0830..5da2742bea 100644 66index d93c9b0830..5da2742bea 100644
@@ -77,10 +77,10 @@ index d93c9b0830..5da2742bea 100644
77 #undef EXTRA_SHLIB_EXTENSION 77 #undef EXTRA_SHLIB_EXTENSION
78 78
79diff --git a/ld/configure b/ld/configure 79diff --git a/ld/configure b/ld/configure
80index 811134a503..f8c17c19ae 100755 80index f432f4637d..a9da3c115e 100755
81--- a/ld/configure 81--- a/ld/configure
82+++ b/ld/configure 82+++ b/ld/configure
83@@ -826,6 +826,7 @@ with_lib_path 83@@ -830,6 +830,7 @@ with_lib_path
84 enable_targets 84 enable_targets
85 enable_64_bit_bfd 85 enable_64_bit_bfd
86 with_sysroot 86 with_sysroot
@@ -88,7 +88,7 @@ index 811134a503..f8c17c19ae 100755
88 enable_gold 88 enable_gold
89 enable_got 89 enable_got
90 enable_compressed_debug_sections 90 enable_compressed_debug_sections
91@@ -1491,6 +1492,8 @@ Optional Features: 91@@ -1495,6 +1496,8 @@ Optional Features:
92 --disable-largefile omit support for large files 92 --disable-largefile omit support for large files
93 --enable-targets alternative target configurations 93 --enable-targets alternative target configurations
94 --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes) 94 --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes)
@@ -97,7 +97,7 @@ index 811134a503..f8c17c19ae 100755
97 --enable-gold[=ARG] build gold [ARG={default,yes,no}] 97 --enable-gold[=ARG] build gold [ARG={default,yes,no}]
98 --enable-got=<type> GOT handling scheme (target, single, negative, 98 --enable-got=<type> GOT handling scheme (target, single, negative,
99 multigot) 99 multigot)
100@@ -15788,6 +15791,19 @@ fi 100@@ -16624,6 +16627,19 @@ fi
101 101
102 102
103 103
@@ -222,10 +222,10 @@ index 5287f19a7f..55096e4fc9 100644
222 222
223 /* The initial parser states. */ 223 /* The initial parser states. */
224diff --git a/ld/ldmain.c b/ld/ldmain.c 224diff --git a/ld/ldmain.c b/ld/ldmain.c
225index da1ad17763..12d0b07d8a 100644 225index c4af10f4e9..95b56b2d2d 100644
226--- a/ld/ldmain.c 226--- a/ld/ldmain.c
227+++ b/ld/ldmain.c 227+++ b/ld/ldmain.c
228@@ -274,6 +274,8 @@ main (int argc, char **argv) 228@@ -273,6 +273,8 @@ main (int argc, char **argv)
229 command_line.warn_mismatch = TRUE; 229 command_line.warn_mismatch = TRUE;
230 command_line.warn_search_mismatch = TRUE; 230 command_line.warn_search_mismatch = TRUE;
231 command_line.check_section_addresses = -1; 231 command_line.check_section_addresses = -1;
@@ -235,7 +235,7 @@ index da1ad17763..12d0b07d8a 100644
235 /* We initialize DEMANGLING based on the environment variable 235 /* We initialize DEMANGLING based on the environment variable
236 COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the 236 COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the
237diff --git a/ld/lexsup.c b/ld/lexsup.c 237diff --git a/ld/lexsup.c b/ld/lexsup.c
238index 3d15cc491d..0e8b4f2b7a 100644 238index 3d15cc491d..6478821443 100644
239--- a/ld/lexsup.c 239--- a/ld/lexsup.c
240+++ b/ld/lexsup.c 240+++ b/ld/lexsup.c
241@@ -550,6 +550,14 @@ static const struct ld_option ld_options[] = 241@@ -550,6 +550,14 @@ static const struct ld_option ld_options[] =
@@ -253,10 +253,10 @@ index 3d15cc491d..0e8b4f2b7a 100644
253 }; 253 };
254 254
255 #define OPTION_COUNT ARRAY_SIZE (ld_options) 255 #define OPTION_COUNT ARRAY_SIZE (ld_options)
256@@ -1603,6 +1611,13 @@ parse_args (unsigned argc, char **argv) 256@@ -1604,6 +1612,14 @@ parse_args (unsigned argc, char **argv)
257
258 case OPTION_PRINT_MAP_DISCARDED: 257 case OPTION_PRINT_MAP_DISCARDED:
259 config.print_map_discarded = TRUE; 258 config.print_map_discarded = TRUE;
259 break;
260+ 260+
261+ case OPTION_NO_POISON_SYSTEM_DIRECTORIES: 261+ case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
262+ command_line.poison_system_directories = FALSE; 262+ command_line.poison_system_directories = FALSE;
@@ -264,6 +264,6 @@ index 3d15cc491d..0e8b4f2b7a 100644
264+ 264+
265+ case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES: 265+ case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
266+ command_line.error_poison_system_directories = TRUE; 266+ command_line.error_poison_system_directories = TRUE;
267 break; 267+ break;
268 } 268 }
269 } 269 }
diff --git a/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
new file mode 100644
index 0000000000..dc1e09d46b
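--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
@@ -0,0 +1,32 @@
+From bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Sat, 29 Aug 2020 08:03:15 +0100
+Subject: [PATCH] Include members in the variable table used when resolving
+ DW_AT_specification tags.
+
+ PR 26520
+ * dwarf2.c (scan_unit_for_symbols): Add member entries to the
+ variable table.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6f04d55f681149a69102a73937d0987719c3f16]
+---
+ bfd/dwarf2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index dd3568a8532..ef2f6a3c63c 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3248,7 +3248,8 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ else
+ {
+ func = NULL;
+- if (abbrev->tag == DW_TAG_variable)
++ if (abbrev->tag == DW_TAG_variable
++ || abbrev->tag == DW_TAG_member)
+ {
+ bfd_size_type amt = sizeof (struct varinfo);
+ var = (struct varinfo *) bfd_zalloc (abfd, amt);
+--
+2.34.1
+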
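Review bot: The header of this backport has no Signed-off-by line from whoever imported it and no statement of why it is carried, unlike the CVE patches added next to it. The `From` hash (`bf2252dca8…`) also differs from the hash in the Upstream-Status URL (`e6f04d55f6…`), so the header does not say which upstream commit the content was taken from. Adding `Signed-off-by: <backporter name and e-mail>` and one sentence naming the patch in this series that depends on it would make the change auditable. The changed condition also sits in the same `else` branch of `scan_unit_for_symbols` that CVE-2020-16593.patch modifies, so the order of the two patches in the recipe probably matters; the function starts and ends outside this hunk.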
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..c7c7829261
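--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+
+ PR 25827
+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
+ strdup(0).
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+ /* This data structure holds the information of an abbrev. */
+ struct abbrev_info
+ {
+- unsigned int number; /* Number identifying abbrev. */
+- enum dwarf_tag tag; /* DWARF tag. */
+- int has_children; /* Boolean. */
+- unsigned int num_attrs; /* Number of attributes. */
+- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
+- struct abbrev_info *next; /* Next in chain. */
++ unsigned int number; /* Number identifying abbrev. */
++ enum dwarf_tag tag; /* DWARF tag. */
++ bfd_boolean has_children; /* TRUE if the abbrev has children. */
++ unsigned int num_attrs; /* Number of attributes. */
++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
++ struct abbrev_info * next; /* Next in chain. */
+ };
+
+ struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+ {
+ /* Pointer to previous variable in list of all variables */
+ struct varinfo *prev_var;
++ /* The offset of the varinfo from the start of the unit. */
++ bfd_uint64_t unit_offset;
+ /* Source location file name */
+ char *file;
+ /* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+ /* Where the symbol is defined */
+ asection *sec;
+ /* Is this a stack variable? */
+- unsigned int stack: 1;
++ bfd_boolean stack;
+ };
+
+ /* Return TRUE if NEW_LINE should sort after LINE. */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+ struct varinfo* each;
+
+ for (each = unit->variable_table; each; each = each->prev_var)
+- if (each->stack == 0
++ if (! each->stack
+ && each->file != NULL
+ && each->name != NULL
+ && each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+ return TRUE;
+ }
+
++static struct varinfo *
++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
++{
++ while (table)
++ {
++ if (table->unit_offset == offset)
++ return table;
++ table = table->prev_var;
++ }
++
++ return NULL;
++}
++
++
+ /* DWARF2 Compilation unit functions. */
+
+ /* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+ bfd_vma low_pc = 0;
+ bfd_vma high_pc = 0;
+ bfd_boolean high_pc_relative = FALSE;
++ bfd_uint64_t current_offset;
++
++ current_offset = info_ptr - unit->info_ptr_unit;
+
+ /* PR 17512: file: 9f405d9d. */
+ if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+ goto fail;
+ }
+
+- var = NULL;
+ if (abbrev->tag == DW_TAG_subprogram
+ || abbrev->tag == DW_TAG_entry_point
+ || abbrev->tag == DW_TAG_inlined_subroutine)
+ {
+ bfd_size_type amt = sizeof (struct funcinfo);
++
++ var = NULL;
+ func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+ if (func == NULL)
+ goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+ if (var == NULL)
+ goto fail;
+ var->tag = abbrev->tag;
+- var->stack = 1;
++ var->stack = TRUE;
+ var->prev_var = unit->variable_table;
+ unit->variable_table = var;
++ var->unit_offset = current_offset;
+ /* PR 18205: Missing debug information can cause this
+ var to be attached to an already cached unit. */
+ }
+-
++ else
++ var = NULL;
+ /* No inline function in scope at this nesting level. */
+ nested_funcs[nesting_level].func = 0;
+ }
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+ {
+ switch (attr.name)
+ {
++ case DW_AT_specification:
++ if (attr.u.val)
++ {
++ struct varinfo * spec_var;
++
++ spec_var = lookup_var_by_offset (attr.u.val,
++ unit->variable_table);
++ if (spec_var == NULL)
++ {
++ _bfd_error_handler (_("DWARF error: could not find "
++ "variable specification "
++ "at offset %lx"),
++ (unsigned long) attr.u.val);
++ break;
++ }
++
++ if (var->name == NULL)
++ var->name = spec_var->name;
++ if (var->file == NULL && spec_var->file != NULL)
++ var->file = strdup (spec_var->file);
++ if (var->line == 0)
++ var->line = spec_var->line;
++ if (var->sec == NULL)
++ var->sec = spec_var->sec;
++ }
++ break;
++
+ case DW_AT_name:
+ if (is_str_attr (attr.form))
+ var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+
+ case DW_AT_external:
+ if (attr.u.val != 0)
+- var->stack = 0;
++ var->stack = FALSE;
+ break;
+
+ case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+ if (attr.u.blk->data != NULL
+ && *attr.u.blk->data == DW_OP_addr)
+ {
+- var->stack = 0;
++ var->stack = FALSE;
+
+ /* Verify that DW_OP_addr is the only opcode in the
+ location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+ each_var = each_var->prev_var)
+ {
+ /* Skip stack vars and vars with no files or names. */
+- if (each_var->stack == 0
++ if (! each_var->stack
+ && each_var->file != NULL
+ && each_var->name != NULL)
+ /* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2020-04-16 Alan Modra <amodra@gmail.com>
++
++ PR 25827
++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
++ strdup(0).
++
+ 2021-05-03 Alan Modra <amodra@gmail.com>
+
+ PR 27755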
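Review bot: The header and the ChangeLog hunk describe only line wrapping and "Don't strdup(0)", but the hunks also add the `unit_offset` field, the `lookup_var_by_offset` helper and a whole new `DW_AT_specification` case, so the header should name the additional upstream change this backport presumably folds in; otherwise the CVE fix cannot be audited against upstream. The guard that appears to be the actual fix is `spec_var->file != NULL` in front of `strdup`; the `strdup` result is still unchecked, which looks harmless only because the readers visible here test `file != NULL`. `lookup_var_by_offset` walks the whole `variable_table` for each `DW_AT_specification` attribute, so parsing cost grows quadratically with the number of variables in an input file; a comment on the helper such as `/* Linear search; called once per DW_AT_specification attribute. */` would record that. `scan_unit_for_symbols` starts and ends outside these hunks.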
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
new file mode 100644
index 0000000000..423814f98d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
@@ -0,0 +1,572 @@
1From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Fri, 26 Feb 2021 11:30:32 +1030
4Subject: [PATCH v2] Reinstate various pieces backed out from smart_rename changes
5
6In the interests of a stable release various last minute smart_rename
7patches were backed out of the 2.36 branch. The main reason to
8reinstate some of those backed out changes here is to make necessary
9followup fixes to commit 8e03235147a9 simple cherry-picks from
10mainline. A secondary reason is that ar -M support isn't fixed for
11pr26945 without this patch.
12
13 PR 26945
14 * ar.c: Don't include libbfd.h.
15 (write_archive): Replace xmalloc+strcpy with xstrdup.
16 * arsup.c (temp_name, real_ofd): New static variables.
17 (ar_open): Use make_tempname and bfd_fdopenw.
18 (ar_save): Adjust to suit ar_open changes.
19 * objcopy.c: Don't include libbfd.h.
20 * rename.c: Rename and reorder variables.
21
22(cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770)
23
24Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12]
25CVE: CVE-2021-20197
26Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
27---
28 bfd/bfd-in2.h | 2 +
29 bfd/opncls.c | 33 ++++++++++
30 binutils/ar.c | 15 +++--
31 binutils/arsup.c | 37 ++++++++----
32 binutils/bucomm.c | 4 +-
33 binutils/bucomm.h | 5 +-
34 binutils/objcopy.c | 37 +++++++-----
35 binutils/rename.c | 148 +++++++++++----------------------------------
36 8 files changed, 133 insertions(+), 148 deletions(-)
37
38diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
39index 2e453c50c18..e53f54a8ab7 100644
40--- a/bfd/bfd-in2.h
41+++ b/bfd/bfd-in2.h
42@@ -588,6 +588,8 @@ bfd *bfd_openr (const char *filename, const char *target);
43
44 bfd *bfd_fdopenr (const char *filename, const char *target, int fd);
45
46+bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
47+
48 bfd *bfd_openstreamr (const char * filename, const char * target,
49 void * stream);
50
51diff --git a/bfd/opncls.c b/bfd/opncls.c
52index a03ad51c8fa..f9da97ed710 100644
53--- a/bfd/opncls.c
54+++ b/bfd/opncls.c
55@@ -370,6 +370,39 @@ bfd_fdopenr (const char *filename, const char *target, int fd)
56 return bfd_fopen (filename, target, mode, fd);
57 }
58
59+/*
60+FUNCTION
61+ bfd_fdopenw
62+
63+SYNOPSIS
64+ bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
65+
66+DESCRIPTION
67+ <<bfd_fdopenw>> is exactly like <<bfd_fdopenr>> with the exception that
68+ the resulting BFD is suitable for output.
69+*/
70+
71+bfd *
72+bfd_fdopenw (const char *filename, const char *target, int fd)
73+{
74+ bfd *out = bfd_fdopenr (filename, target, fd);
75+
76+ if (out != NULL)
77+ {
78+ if (!bfd_write_p (out))
79+ {
80+ close (fd);
81+ _bfd_delete_bfd (out);
82+ out = NULL;
83+ bfd_set_error (bfd_error_invalid_operation);
84+ }
85+ else
86+ out->direction = write_direction;
87+ }
88+
89+ return out;
90+}
91+
92 /*
93 FUNCTION
94 bfd_openstreamr
95diff --git a/binutils/ar.c b/binutils/ar.c
96index 1057db9980e..c33a11e0d70 100644
97--- a/binutils/ar.c
98+++ b/binutils/ar.c
99@@ -1195,20 +1195,23 @@ write_archive (bfd *iarch)
100 bfd *obfd;
101 char *old_name, *new_name;
102 bfd *contents_head = iarch->archive_next;
103+ int ofd = -1;
104
105- old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1);
106- strcpy (old_name, bfd_get_filename (iarch));
107- new_name = make_tempname (old_name);
108+ old_name = xstrdup (bfd_get_filename (iarch));
109+ new_name = make_tempname (old_name, &ofd);
110
111 if (new_name == NULL)
112 bfd_fatal (_("could not create temporary file whilst writing archive"));
113
114 output_filename = new_name;
115
116- obfd = bfd_openw (new_name, bfd_get_target (iarch));
117+ obfd = bfd_fdopenw (new_name, bfd_get_target (iarch), ofd);
118
119 if (obfd == NULL)
120- bfd_fatal (old_name);
121+ {
122+ close (ofd);
123+ bfd_fatal (old_name);
124+ }
125
126 output_bfd = obfd;
127
128@@ -1246,7 +1249,7 @@ write_archive (bfd *iarch)
129 /* We don't care if this fails; we might be creating the archive. */
130 bfd_close (iarch);
131
132- if (smart_rename (new_name, old_name, 0) != 0)
133+ if (smart_rename (new_name, old_name, NULL) != 0)
134 xexit (1);
135 free (old_name);
136 free (new_name);
137diff --git a/binutils/arsup.c b/binutils/arsup.c
138index 00967c972cd..b8ae4f7ec1a 100644
139--- a/binutils/arsup.c
140+++ b/binutils/arsup.c
141@@ -42,6 +42,8 @@ extern int deterministic;
142
143 static bfd *obfd;
144 static char *real_name;
145+static char *temp_name;
146+static int real_ofd;
147 static FILE *outfile;
148
149 static void
150@@ -149,27 +151,24 @@ maybequit (void)
151 void
152 ar_open (char *name, int t)
153 {
154- char *tname;
155- const char *bname = lbasename (name);
156- real_name = name;
157+ real_name = xstrdup (name);
158+ temp_name = make_tempname (real_name, &real_ofd);
159
160- /* Prepend tmp- to the beginning, to avoid file-name clashes after
161- truncation on filesystems with limited namespaces (DOS). */
162- if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1)
163+ if (temp_name == NULL)
164 {
165- fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"),
166+ fprintf (stderr, _("%s: Can't open temporary file (%s)\n"),
167 program_name, strerror(errno));
168 maybequit ();
169 return;
170 }
171
172- obfd = bfd_openw (tname, NULL);
173+ obfd = bfd_fdopenw (temp_name, NULL, real_ofd);
174
175 if (!obfd)
176 {
177 fprintf (stderr,
178 _("%s: Can't open output archive %s\n"),
179- program_name, tname);
180+ program_name, temp_name);
181
182 maybequit ();
183 }
184@@ -344,16 +343,30 @@ ar_save (void)
185 }
186 else
187 {
188- char *ofilename = xstrdup (bfd_get_filename (obfd));
189+ struct stat target_stat;
190
191 if (deterministic > 0)
192 obfd->flags |= BFD_DETERMINISTIC_OUTPUT;
193
194 bfd_close (obfd);
195
196- smart_rename (ofilename, real_name, 0);
197+ if (stat (real_name, &target_stat) != 0)
198+ {
199+ /* The temp file created in ar_open has mode 0600 as per mkstemp.
200+ Create the real empty output file here so smart_rename will
201+ update the mode according to the process umask. */
202+ obfd = bfd_openw (real_name, NULL);
203+ if (obfd != NULL)
204+ {
205+ bfd_set_format (obfd, bfd_archive);
206+ bfd_close (obfd);
207+ }
208+ }
209+
210+ smart_rename (temp_name, real_name, NULL);
211 obfd = 0;
212- free (ofilename);
213+ free (temp_name);
214+ free (real_name);
215 }
216 }
217
218diff --git a/binutils/bucomm.c b/binutils/bucomm.c
219index 9e6a02843e6..53244201f89 100644
220--- a/binutils/bucomm.c
221+++ b/binutils/bucomm.c
222@@ -532,7 +532,7 @@ template_in_dir (const char *path)
223 as FILENAME. */
224
225 char *
226-make_tempname (const char *filename)
227+make_tempname (const char *filename, int *ofd)
228 {
229 char *tmpname = template_in_dir (filename);
230 int fd;
231@@ -550,7 +550,7 @@ make_tempname (const char *filename)
232 free (tmpname);
233 return NULL;
234 }
235- close (fd);
236+ *ofd = fd;
237 return tmpname;
238 }
239
240diff --git a/binutils/bucomm.h b/binutils/bucomm.h
241index d8318343f78..2b164e0af68 100644
242--- a/binutils/bucomm.h
243+++ b/binutils/bucomm.h
244@@ -51,7 +51,7 @@ int display_info (void);
245
246 void print_arelt_descr (FILE *, bfd *, bfd_boolean, bfd_boolean);
247
248-char *make_tempname (const char *);
249+char *make_tempname (const char *, int *);
250 char *make_tempdir (const char *);
251
252 bfd_vma parse_vma (const char *, const char *);
253@@ -71,7 +71,8 @@ extern void print_version (const char *);
254 /* In rename.c. */
255 extern void set_times (const char *, const struct stat *);
256
257-extern int smart_rename (const char *, const char *, int);
258+extern int smart_rename (const char *, const char *, struct stat *);
259+
260
261 /* In libiberty. */
262 void *xmalloc (size_t);
263diff --git a/binutils/objcopy.c b/binutils/objcopy.c
264index 212e25144e6..5ccbd926610 100644
265--- a/binutils/objcopy.c
266+++ b/binutils/objcopy.c
267@@ -3682,7 +3682,7 @@ set_long_section_mode (bfd *output_bfd, bfd *input_bfd, enum long_section_name_h
268 /* The top-level control. */
269
270 static void
271-copy_file (const char *input_filename, const char *output_filename,
272+copy_file (const char *input_filename, const char *output_filename, int ofd,
273 const char *input_target, const char *output_target,
274 const bfd_arch_info_type *input_arch)
275 {
276@@ -3757,9 +3757,14 @@ copy_file (const char *input_filename, const char *output_filename,
277 else
278 force_output_target = TRUE;
279
280- obfd = bfd_openw (output_filename, output_target);
281+ if (ofd >= 0)
282+ obfd = bfd_fdopenw (output_filename, output_target, ofd);
283+ else
284+ obfd = bfd_openw (output_filename, output_target);
285+
286 if (obfd == NULL)
287 {
288+ close (ofd);
289 bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
290 status = 1;
291 return;
292@@ -3787,13 +3792,19 @@ copy_file (const char *input_filename, const char *output_filename,
293 if (output_target == NULL)
294 output_target = bfd_get_target (ibfd);
295
296- obfd = bfd_openw (output_filename, output_target);
297+ if (ofd >= 0)
298+ obfd = bfd_fdopenw (output_filename, output_target, ofd);
299+ else
300+ obfd = bfd_openw (output_filename, output_target);
301+
302 if (obfd == NULL)
303 {
304+ close (ofd);
305 bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
306 status = 1;
307 return;
308 }
309+
310 /* This is a no-op on non-Coff targets. */
311 set_long_section_mode (obfd, ibfd, long_section_names);
312
313@@ -4746,6 +4757,7 @@ strip_main (int argc, char *argv[])
314 int hold_status = status;
315 struct stat statbuf;
316 char *tmpname;
317+ int tmpfd = -1;
318
319 if (get_file_size (argv[i]) < 1)
320 {
321@@ -4760,7 +4772,7 @@ strip_main (int argc, char *argv[])
322
323 if (output_file == NULL
324 || filename_cmp (argv[i], output_file) == 0)
325- tmpname = make_tempname (argv[i]);
326+ tmpname = make_tempname (argv[i], &tmpfd);
327 else
328 tmpname = output_file;
329
330@@ -4773,15 +4785,13 @@ strip_main (int argc, char *argv[])
331 }
332
333 status = 0;
334- copy_file (argv[i], tmpname, input_target, output_target, NULL);
335+ copy_file (argv[i], tmpname, tmpfd, input_target, output_target, NULL);
336 if (status == 0)
337 {
338- if (preserve_dates)
339- set_times (tmpname, &statbuf);
340 if (output_file != tmpname)
341 status = (smart_rename (tmpname,
342 output_file ? output_file : argv[i],
343- preserve_dates) != 0);
344+ preserve_dates ? &statbuf : NULL) != 0);
345 if (status == 0)
346 status = hold_status;
347 }
348@@ -4993,7 +5003,7 @@ copy_main (int argc, char *argv[])
349 bfd_boolean formats_info = FALSE;
350 bfd_boolean use_globalize = FALSE;
351 bfd_boolean use_keep_global = FALSE;
352- int c;
353+ int c, tmpfd = -1;
354 struct stat statbuf;
355 const bfd_arch_info_type *input_arch = NULL;
356
357@@ -5839,7 +5849,7 @@ copy_main (int argc, char *argv[])
358 are the same, then create a temp and rename the result into the input. */
359 if (output_filename == NULL
360 || filename_cmp (input_filename, output_filename) == 0)
361- tmpname = make_tempname (input_filename);
362+ tmpname = make_tempname (input_filename, &tmpfd);
363 else
364 tmpname = output_filename;
365
366@@ -5847,14 +5857,13 @@ copy_main (int argc, char *argv[])
367 fatal (_("warning: could not create temporary file whilst copying '%s', (error: %s)"),
368 input_filename, strerror (errno));
369
370- copy_file (input_filename, tmpname, input_target, output_target, input_arch);
371+ copy_file (input_filename, tmpname, tmpfd, input_target, output_target,
372+ input_arch);
373 if (status == 0)
374 {
375- if (preserve_dates)
376- set_times (tmpname, &statbuf);
377 if (tmpname != output_filename)
378 status = (smart_rename (tmpname, input_filename,
379- preserve_dates) != 0);
380+ preserve_dates ? &statbuf : NULL) != 0);
381 }
382 else
383 unlink_if_ordinary (tmpname);
384diff --git a/binutils/rename.c b/binutils/rename.c
385index bf3b68d0462..07d44d0f314 100644
386--- a/binutils/rename.c
387+++ b/binutils/rename.c
388@@ -24,14 +24,9 @@
389
390 #ifdef HAVE_GOOD_UTIME_H
391 #include <utime.h>
392-#else /* ! HAVE_GOOD_UTIME_H */
393-#ifdef HAVE_UTIMES
394+#elif defined HAVE_UTIMES
395 #include <sys/time.h>
396-#endif /* HAVE_UTIMES */
397-#endif /* ! HAVE_GOOD_UTIME_H */
398-
399-#if ! defined (_WIN32) || defined (__CYGWIN32__)
400-static int simple_copy (const char *, const char *);
401+#endif
402
403 /* The number of bytes to copy at once. */
404 #define COPY_BUF 8192
405@@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to)
406 }
407 return 0;
408 }
409-#endif /* __CYGWIN32__ or not _WIN32 */
410
411 /* Set the times of the file DESTINATION to be the same as those in
412 STATBUF. */
413@@ -91,122 +85,52 @@ void
414 set_times (const char *destination, const struct stat *statbuf)
415 {
416 int result;
417-
418- {
419 #ifdef HAVE_GOOD_UTIME_H
420- struct utimbuf tb;
421-
422- tb.actime = statbuf->st_atime;
423- tb.modtime = statbuf->st_mtime;
424- result = utime (destination, &tb);
425-#else /* ! HAVE_GOOD_UTIME_H */
426-#ifndef HAVE_UTIMES
427- long tb[2];
428-
429- tb[0] = statbuf->st_atime;
430- tb[1] = statbuf->st_mtime;
431- result = utime (destination, tb);
432-#else /* HAVE_UTIMES */
433- struct timeval tv[2];
434-
435- tv[0].tv_sec = statbuf->st_atime;
436- tv[0].tv_usec = 0;
437- tv[1].tv_sec = statbuf->st_mtime;
438- tv[1].tv_usec = 0;
439- result = utimes (destination, tv);
440-#endif /* HAVE_UTIMES */
441-#endif /* ! HAVE_GOOD_UTIME_H */
442- }
443+ struct utimbuf tb;
444+
445+ tb.actime = statbuf->st_atime;
446+ tb.modtime = statbuf->st_mtime;
447+ result = utime (destination, &tb);
448+#elif defined HAVE_UTIMES
449+ struct timeval tv[2];
450+
451+ tv[0].tv_sec = statbuf->st_atime;
452+ tv[0].tv_usec = 0;
453+ tv[1].tv_sec = statbuf->st_mtime;
454+ tv[1].tv_usec = 0;
455+ result = utimes (destination, tv);
456+#else
457+ long tb[2];
458+
459+ tb[0] = statbuf->st_atime;
460+ tb[1] = statbuf->st_mtime;
461+ result = utime (destination, tb);
462+#endif
463
464 if (result != 0)
465 non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno));
466 }
467
468-#ifndef S_ISLNK
469-#ifdef S_IFLNK
470-#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
471-#else
472-#define S_ISLNK(m) 0
473-#define lstat stat
474-#endif
475-#endif
476-
477-/* Rename FROM to TO, copying if TO is a link.
478- Return 0 if ok, -1 if error. */
479+/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL,
480+ is used to fix up timestamps. Return 0 if ok, -1 if error.
481+ At one time this function renamed files, but file permissions are
482+ tricky to update given the number of different schemes used by
483+ various systems. So now we just copy. */
484
485 int
486-smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED)
487+smart_rename (const char *from, const char *to,
488+ struct stat *target_stat)
489 {
490- bfd_boolean exists;
491- struct stat s;
492- int ret = 0;
493-
494- exists = lstat (to, &s) == 0;
495-
496-#if defined (_WIN32) && !defined (__CYGWIN32__)
497- /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but
498- fail instead. Also, chown is not present. */
499+ int ret;
500
501- if (exists)
502- remove (to);
503-
504- ret = rename (from, to);
505+ ret = simple_copy (from, to);
506 if (ret != 0)
507- {
508- /* We have to clean up here. */
509- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
510- unlink (from);
511- }
512-#else
513- /* Use rename only if TO is not a symbolic link and has
514- only one hard link, and we have permission to write to it. */
515- if (! exists
516- || (!S_ISLNK (s.st_mode)
517- && S_ISREG (s.st_mode)
518- && (s.st_mode & S_IWUSR)
519- && s.st_nlink == 1)
520- )
521- {
522- ret = rename (from, to);
523- if (ret == 0)
524- {
525- if (exists)
526- {
527- /* Try to preserve the permission bits and ownership of
528- TO. First get the mode right except for the setuid
529- bit. Then change the ownership. Then fix the setuid
530- bit. We do the chmod before the chown because if the
531- chown succeeds, and we are a normal user, we won't be
532- able to do the chmod afterward. We don't bother to
533- fix the setuid bit first because that might introduce
534- a fleeting security problem, and because the chown
535- will clear the setuid bit anyhow. We only fix the
536- setuid bit if the chown succeeds, because we don't
537- want to introduce an unexpected setuid file owned by
538- the user running objcopy. */
539- chmod (to, s.st_mode & 0777);
540- if (chown (to, s.st_uid, s.st_gid) >= 0)
541- chmod (to, s.st_mode & 07777);
542- }
543- }
544- else
545- {
546- /* We have to clean up here. */
547- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
548- unlink (from);
549- }
550- }
551- else
552- {
553- ret = simple_copy (from, to);
554- if (ret != 0)
555- non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno));
556+ non_fatal (_("unable to copy file '%s'; reason: %s"),
557+ to, strerror (errno));
558
559- if (preserve_dates)
560- set_times (to, &s);
561- unlink (from);
562- }
563-#endif /* _WIN32 && !__CYGWIN32__ */
564+ if (target_stat != NULL)
565+ set_times (to, target_stat);
566+ unlink (from);
567
568 return ret;
569 }
570--
5712.17.1
572
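--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+ PR 26946
+ * dwarf2.c (read_section): Check for debug sections with excessive
+ sizes.
+
+
+Upstream-Status: Backport [
+https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
+]
+CVE: CVE-2021-3487
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd * abfd,
+ bfd_byte ** section_buffer,
+ bfd_size_type * section_size)
+ {
+- asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+ {
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+ msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+ {
+ section_name = sec->compressed_name;
+ if (section_name != NULL)
+ msec = bfd_get_section_by_name (abfd, section_name);
+ }
+- if (! msec)
++ if (msec == NULL)
+ {
+ _bfd_error_handler (_("DWARF error: can't find %s section."),
+ sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd * abfd,
+ return FALSE;
+ }
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+ if (amt == 0)
+ {
++ /* Paranoia - this should never happen. */
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+--
+2.27.0
+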
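--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows. Uses bfd_malloc_and_get_section for
+sanity checking section size.
+
+ PR 27290
+ PR 27293
+ PR 27295
+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+ Use bfd_malloc_and_get_section.
+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+ check namesz. Return NULL if descsz is too small. Ensure
+ string table is terminated.
+ (elf32_avr_get_device_info): Formatting. Add note_size param.
+ Sanity check note.
+ (elf32_avr_dump_mem_usage): Adjust to suit.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 1e9a96c9bb6..02e5019204e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,17 @@
++2021-02-11 Alan Modra <amodra@gmail.com>
++
++ PR 27290
++ PR 27293
++ PR 27295
++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
++ Use bfd_malloc_and_get_section.
++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
++ check namesz. Return NULL if descsz is too small. Ensure
++ string table is terminated.
++ (elf32_avr_get_device_info): Formatting. Add note_size param.
++ Sanity check note.
++ (elf32_avr_dump_mem_usage): Adjust to suit.
++
+ 2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
+
+ * ar.c (main): Update bfd_plugin_set_program_name call.
+diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
+index 5ec99957fe9..1d32bce918e 100644
+--- a/binutils/od-elf32_avr.c
++++ b/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+ return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+
+-static char*
++static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+ asection *section;
++ bfd_byte *contents;
+
+- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
++ if (section == NULL)
+ return NULL;
+
+- *size = bfd_section_size (section);
+- char *contents = (char *) xmalloc (*size);
+- bfd_get_section_contents (abfd, section, contents, 0, *size);
++ if (!bfd_malloc_and_get_section (abfd, section, &contents))
++ {
++ free (contents);
++ contents = NULL;
++ }
+
+- return contents;
++ *size = bfd_section_size (section);
++ return (char *) contents;
+ }
+
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+- bfd_size_type size)
++static char *
++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
++ bfd_size_type *descsz)
+ {
+ Elf_External_Note *xnp = (Elf_External_Note *) contents;
+ Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+ if (in.namesz > contents - in.namedata + size)
+ return NULL;
+
++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
++ return NULL;
++
+ in.descsz = bfd_get_32 (abfd, xnp->descsz);
+ in.descdata = in.namedata + align_power (in.namesz, 2);
+- if (in.descsz != 0
+- && (in.descdata >= contents + size
+- || in.descsz > contents - in.descdata + size))
++ if (in.descsz < 6 * sizeof (uint32_t)
++ || in.descdata >= contents + size
++ || in.descsz > contents - in.descdata + size)
+ return NULL;
+
+- if (strcmp (in.namedata, "AVR") != 0)
+- return NULL;
++ /* If the note has a string table, ensure it is 0 terminated. */
++ if (in.descsz > 8 * sizeof (uint32_t))
++ in.descdata[in.descsz - 1] = 0;
+
++ *descsz = in.descsz;
+ return in.descdata;
+ }
+
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+- deviceinfo *device)
++ bfd_size_type desc_size, deviceinfo *device)
+ {
+ if (description == NULL)
+ return;
+
+ const bfd_size_type memory_sizes = 6;
+
+- memcpy (device, description, memory_sizes * sizeof(uint32_t));
+- device->name = NULL;
++ memcpy (device, description, memory_sizes * sizeof (uint32_t));
++ desc_size -= memory_sizes * sizeof (uint32_t);
++ if (desc_size < 8)
++ return;
+
+- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+ bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+
+ /* If the only content is the size itself, there's nothing in the table */
+- if (stroffset_table_size == 4)
++ if (stroffset_table_size < 8)
+ return;
++ if (desc_size <= stroffset_table_size)
++ return;
++ desc_size -= stroffset_table_size;
+
+ /* First entry is the device name index. */
+ uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
++ if (device_name_index >= desc_size)
++ return;
+
++ char *str_table = (char *) stroffset_table + stroffset_table_size;
+ device->name = str_table + device_name_index;
+ }
+
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+ char *description = NULL;
+- bfd_size_type note_section_size = 0;
++ bfd_size_type sec_size, desc_size;
+
+ deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+ device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+ bfd_size_type text_usage = 0;
+ bfd_size_type eeprom_usage = 0;
+
+- char *contents = elf32_avr_get_note_section_contents (abfd,
+- &note_section_size);
++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+
+ if (contents != NULL)
+ {
+- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+- elf32_avr_get_device_info (abfd, description, &device);
++ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
++ &desc_size);
++ elf32_avr_get_device_info (abfd, description, desc_size, &device);
+ }
+
+ elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,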
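Review bot: In elf32_avr_dump_mem_usage, `desc_size` is declared without an initialiser and is written by elf32_avr_get_note_desc only on its success path, yet it is passed by value to elf32_avr_get_device_info even when the note was rejected and `description` is NULL. The callee returns early on a NULL description, so the value goes unused, but reading an indeterminate object is still what compilers and sanitizers flag; `bfd_size_type sec_size = 0, desc_size = 0;` would keep the zero-initialised state the replaced `note_section_size = 0` had. Separately, the patch trailer is spelled `Signed-of-by:`, which sign-off tooling will not recognise. The body of elf32_avr_dump_mem_usage continues outside the last hunk.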
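--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
@@ -0,0 +1,35 @@
+From 46322722ad40ac1a75672ae0f62f4969195f1368 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Jan 2022 13:58:38 +1030
+Subject: [PATCH] PR28753, buffer overflow in read_section_stabs_debugging_info
+
+ PR 28753
+ * rddbg.c (read_section_stabs_debugging_info): Don't read past
+ end of section when concatentating stab strings.
+
+CVE: CVE-2021-46174
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97]
+
+(cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba)
+(cherry picked from commit cad4d6b91e97b6962807d33c04ed7e7797788438)
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+---
+ binutils/rddbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/rddbg.c b/binutils/rddbg.c
+index 72e934055b5..5e76d94a3c4 100644
+--- a/binutils/rddbg.c
++++ b/binutils/rddbg.c
+@@ -207,7 +207,7 @@ read_section_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount,
+ an attempt to read the byte before 'strings' would occur. */
+ while ((len = strlen (s)) > 0
+ && s[len - 1] == '\\'
+- && stab + 12 < stabs + stabsize)
++ && stab + 16 <= stabs + stabsize)
+ {
+ char *p;
+
+--
+2.23.1
+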
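Review bot: The corrected bound `stab + 16 <= stabs + stabsize` rests on two bare numbers, and nothing in the hunk says where 16 comes from, although that is exactly what the fix changes. If, as it appears, the loop body steps to the next entry at `stab + 12` and reads a 4-byte string index there, a comment above the condition such as `/* The next entry starts at stab + 12; its 4-byte string index must lie inside the section. */` would make the reasoning checkable. The loop body lies outside this hunk, so the sizes should be confirmed against it before the comment is added.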
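--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
@@ -0,0 +1,37 @@
+From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 13 Aug 2022 15:32:47 +0930
+Subject: [PATCH] PR29482 - strip: heap-buffer-overflow
+
+ PR 29482
+ * coffcode.h (coff_set_section_contents): Sanity check _LIB.
+
+CVE: CVE-2022-38533
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
+
+---
+ bfd/coffcode.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index dec2e9c6370..75c18d88602 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd,
+
+ rec = (bfd_byte *) location;
+ recend = rec + count;
+- while (rec < recend)
++ while (recend - rec >= 4)
+ {
++ size_t len = bfd_get_32 (abfd, rec);
++ if (len == 0 || len > (size_t) (recend - rec) / 4)
++ break;
++ rec += len * 4;
+ ++section->lma;
+- rec += bfd_get_32 (abfd, rec) * 4;
+ }
+
+ BFD_ASSERT (rec == recend);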
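Review bot: When the new sanity check in coff_set_section_contents meets a zero or oversized record length it only executes `break`, so the sole report of the malformed input is the `BFD_ASSERT (rec == recend)` that follows, and `section->lma` keeps whatever partial count was reached. If BFD_ASSERT does not abort in this build, the function then carries on with the write as though the record list were valid. Consider failing explicitly on that path, for example `bfd_set_error (bfd_error_bad_value); return FALSE;` in place of `break`, provided the function's return type allows it. The rest of the function is outside this hunk.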
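--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
+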
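--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -561,22 +562,23 @@
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+
+ /* Parse a string into a VMA, with a fatal error if it can't be
+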
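Review bot: In the non-HAVE_MKDTEMP branch of make_tempdir, `mkdir (tmpname, ...)` is now reached even when `mktemp` has just failed, because the early `return NULL` was replaced by `ret = mktemp (tmpname);` with no test before the mkdir call. If the buffer still names a creatable path at that point, a directory is created and the function then returns NULL, so no caller knows to remove it. Guarding the call, `if (ret != NULL && mkdir (tmpname, 0700) != 0) ret = NULL;` (and the same for the _WIN32 form), keeps the leak fix without that side effect.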
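--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+ PR 29262
+ * prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+ strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+ free (s);
+-
+- return TRUE;
++ return ret;
+ }
+
+ /* Turn the top type on the stack into a reference to that type. */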
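--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+ ++c;
+ }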
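--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+ PR 29846
+ PR 20337
+ * objdump.c (compare_symbols): Test symbol flags to exclude
+ section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+ return 1;
+ }
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+ /* Symbols that start with '.' might be section names, so sort them
+ after symbols that don't start with '.'. */
+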
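--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+ PR 29924
+ * objdump.c (load_specific_debug_section): Check for excessively
+ large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+ 2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+ section->size = bfd_section_size (sec);
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+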
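Review bot: The added bound in load_specific_debug_section compares `alloced`, derived from `bfd_section_size (sec)`, with the on-disk file size, and nothing in the hunk exempts compressed debug sections. If the section size at this point is the decompressed size, a valid object whose debug data compresses well could be rejected as corrupt; the `amt >= filesize` check that CVE-2021-3487.patch adds to read_section has the same shape. A comment stating which size is being compared, or a test that skips the bound for compressed sections, would settle the question. `bfd_get_size (abfd)` is also evaluated twice in the condition, so a local holding the result would read better. The function continues outside this hunk.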
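--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -0,0 +1,530 @@
+CVE: CVE-2023-25584
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: this is backport of the original patch, no major changes just
+ fix this patch for this release]
+From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 18:28:49 +1030
+Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module
+
+ PR 29873
+ PR 29874
+ PR 29875
+ PR 29876
+ PR 29877
+ PR 29878
+ PR 29879
+ PR 29880
+ PR 29881
+ PR 29882
+ PR 29883
+ PR 29884
+ PR 29885
+ PR 29886
+ PR 29887
+ PR 29888
+ PR 29889
+ PR 29890
+ PR 29891
+ * vms-alpha.c (parse_module): Make length param bfd_size_type.
+ Delete length == -1 checks. Sanity check record_length.
+ Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+ Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+ before accessing.
+ (build_module_list): Pass dst_section size to parse_module.
+---
+ bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 168 insertions(+), 45 deletions(-)
+
+--- binutils-2.34.orig/bfd/vms-alpha.c
++++ binutils-2.34/bfd/vms-alpha.c
+@@ -4267,7 +4267,7 @@ new_module (bfd *abfd)
+
+ static void
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+- int length)
++ bfd_size_type length)
+ {
+ unsigned char *maxptr = ptr + length;
+ unsigned char *src_ptr, *pcl_ptr;
+@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module *
+ curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
+ module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (ptr < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+- if (length == -1 && rec_type == DST__K_MODEND)
++ if (rec_length > maxptr - ptr)
++ break;
++ if (rec_type == DST__K_MODEND)
+ break;
+
+ switch (rec_type)
+ {
+ case DST__K_MODBEG:
++ if (rec_length <= DST_S_B_MODBEG_NAME)
++ break;
+ module->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+- maxptr - (ptr + DST_S_B_MODBEG_NAME));
++ rec_length - DST_S_B_MODBEG_NAME);
+
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNBEG:
++ if (rec_length <= DST_S_B_RTNBEG_NAME)
++ break;
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++ rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNEND:
++ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++ break;
+ module->func_table->high = module->func_table->low
+ + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
+@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "source info\n"));
+
+- while (src_ptr < ptr + rec_length)
++ while (src_ptr - ptr < rec_length)
+ {
+ int cmd = src_ptr[0], cmd_length, data;
+
+ switch (cmd)
+ {
+ case DST__K_SRC_DECLFILE:
++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++ cmd_length = 0x10000;
++ else
++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_INCRLNUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_SETFILE:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETLNUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETLNUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETREC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETREC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_FORMFEED:
++ cmd_length = 1;
++ break;
++
++ default:
++ cmd_length = 2;
++ break;
++ }
++
++ if (src_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_SRC_DECLFILE:
+ {
+ unsigned int fileid
+ = bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
+@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module *
+
+ module->file_table [fileid].name = filename;
+ module->file_table [fileid].srec = 1;
+- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+ fileid, module->file_table [fileid].name));
+ }
+@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+ break;
+
+@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_INCRLNUM_B:
+ data = src_ptr[DST_S_B_SRC_UNSBYTE];
+ curr_srec->line += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+ break;
+
+@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->sfile = data;
+ curr_srec->srec = module->file_table[data].srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_L:
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->line = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_W:
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->line = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+ break;
+
+@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+ break;
+
+@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_FORMFEED:
+- cmd_length = 1;
+ vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+ break;
+
+ default:
+ _bfd_error_handler (_("unknown source command %d"),
+ cmd);
+- cmd_length = 2;
+ break;
+ }
+
+@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "line info\n"));
+
+- while (pcl_ptr < ptr + rec_length)
++ while (pcl_ptr - ptr < rec_length)
+ {
+ /* The command byte is signed so we must sign-extend it. */
+ int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module *
+ switch (cmd)
+ {
+ case DST__K_DELTA_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_DELTA_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_INCR_LINUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_INCR_LINUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_INCR_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_LINUM_INCR:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM_INCR_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_RESET_LINUM_INCR:
++ cmd_length = 1;
++ break;
++
++ case DST__K_BEG_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_END_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_SET_LINUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_PC:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_STMTNUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_TERM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_ABS_PC:
++ cmd_length = 5;
++ break;
++
++ default:
++ if (cmd <= 0)
++ cmd_length = 1;
++ else
++ cmd_length = 2;
++ break;
++ }
++
++ if (pcl_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_DELTA_PC_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+ break;
+
+@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_LINUM_INCR_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_RESET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+- cmd_length = 1;
+ break;
+
+ case DST__K_BEG_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_END_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_END_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_SET_LINUM_B:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum = data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_PC:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_PC_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_SET_PC_L:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_L");
+- cmd_length = 5;
+ break;
+
+ case DST__K_SET_STMTNUM:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_STMTNUM");
+- cmd_length = 2;
+ break;
+
+ case DST__K_TERM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_pc += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+ break;
+
+ case DST__K_TERM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+ break;
+
+ case DST__K_TERM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_ABS_PC:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+ break;
+
+@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
+ {
+ curr_pc -= cmd;
+ curr_linenum += 1;
+- cmd_length = 1;
+ vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+ (unsigned long)curr_pc, curr_linenum));
+ }
+ else
+- {
+- _bfd_error_handler (_("unknown line command %d"), cmd);
+- cmd_length = 2;
+- }
++ _bfd_error_handler (_("unknown line command %d"), cmd);
+ break;
+ }
+
+@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
+ return NULL;
+
+ module = new_module (abfd);
+- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
++ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
+ list = module;
+ }
+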
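Review bot: The record header is still read before anything confirms it fits: in the embedded vms-alpha.c hunk the loop runs while `ptr < maxptr`, and `bfd_getl16 (ptr)` on the following line already needs two bytes (the type read, on a line the hunk does not show, presumably needs two more), so a DST section that ends in a one- to three-byte tail is read past `maxptr` before the new `rec_length > maxptr - ptr` check can stop it. Bounding the loop on the header size, e.g. `while (maxptr - ptr > 3)`, would close that; the exact header size should be confirmed against the omitted line. Separately, the new early `break` for a short `DST__K_RTNBEG` makes it easier to reach `DST__K_RTNEND` with no function recorded, and that case dereferences `module->func_table` without a NULL check; whether it can be NULL depends on `new_module`, which is outside the hunks shown.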
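--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,149 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+ PR 29677
+ * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+CVE: CVE-2022-47696
+
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+
+ bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
+ 1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ bfd_mach_o_symtab_command *symtab = mdata->symtab;
+ asymbol *s;
+ char * s_start;
+- char * s_end;
+ unsigned long count, i, j, n;
+ size_t size;
+ char *names;
+- char *nul_name;
+ const char stub [] = "$stub";
+
+ *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ /* We need to allocate a bfd symbol for every indirect symbol and to
+ allocate the memory for its name. */
+ count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+ for (j = 0; j < count; j++)
+ {
+- const char * strng;
+ unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+ /* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+ }
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+ s = *ret = (asymbol *) s_start;
+ if (s == NULL)
+ return -1;
+ names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+ n = 0;
+ for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+ /* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+ goto fail;
+
+ for (j = first; j < last; j++)
+ {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+ if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+ goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+ goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+ }
+- else
+- s->name = nul_name;
+-
+ addr += entry_size;
+- s++;
+- n++;
+ }
+ break;
+ default:
+--
+2.39.3
+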
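Review bot: The allocation size in the rewritten `bfd_mach_o_get_synthetic_symtab` is computed as `size + count * sizeof (asymbol)` with no overflow check, and `count` is taken from `dysymtab->nindirectsyms`. On a host where `size_t` is 32 bits the product could wrap, after which `names = (char *) (s + count)` points outside the block and the later `n >= count` and `size < len + sizeof (stub)` checks no longer bound the writes; whether `nindirectsyms` is already limited when the dysymtab is loaded is not visible here. A guard before `bfd_malloc`, such as `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;`, keeps the failure path the same as the existing NULL return. The function starts and ends outside the hunks shown.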