2 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 3e10279b1d..1c1118df54 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -48,5 +48,6 @@ SRC_URI = "\
     file://CVE-2020-16598.patch \
     file://CVE-2021-20197.patch \
     file://CVE-2021-3487.patch \
+     file://CVE-2021-3549.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..4391db340a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,187 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows.  Uses bfd_malloc_and_get_section for
+sanity checking section size.
+        PR 27290
+        PR 27293
+        PR 27295
+        * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+        Use bfd_malloc_and_get_section.
+        (elf32_avr_get_note_desc): Formatting.  Return descsz.  Sanity
+        check namesz.  Return NULL if descsz is too small.  Ensure
+        string table is terminated.
+        (elf32_avr_get_device_info): Formatting.  Add note_size param.
+        Sanity check note.
+        (elf32_avr_dump_mem_usage): Adjust to suit.
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog      | 14 +++++++++
+ binutils/od-elf32_avr.c | 66 ++++++++++++++++++++++++++---------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+Index: git/binutils/od-elf32_avr.c
+===================================================================
+--- git.orig/binutils/od-elf32_avr.c
+++ git/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+   return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+ 
+-static char*
+static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+   asection *section;
+  bfd_byte *contents;
+ 
+-  if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
+  section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
+  if (section == NULL)
+     return NULL;
+ 
+-  *size = bfd_section_size (section);
+-  char *contents = (char *) xmalloc (*size);
+-  bfd_get_section_contents (abfd, section, contents, 0, *size);
+  if (!bfd_malloc_and_get_section (abfd, section, &contents))
+    {
+      free (contents);
+      contents = NULL;
+    }
+ 
+-  return contents;
+  *size = bfd_section_size (section);
+  return (char *) contents;
+ }
+ 
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+-        bfd_size_type size)
+static char *
+elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
+                        bfd_size_type *descsz)
+ {
+   Elf_External_Note *xnp = (Elf_External_Note *) contents;
+   Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bf
+   if (in.namesz > contents - in.namedata + size)
+     return NULL;
+ 
+  if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
+    return NULL;
+
+   in.descsz = bfd_get_32 (abfd, xnp->descsz);
+   in.descdata = in.namedata + align_power (in.namesz, 2);
+-  if (in.descsz != 0
+-        && (in.descdata >= contents + size
+-            || in.descsz > contents - in.descdata + size))
+  if (in.descsz < 6 * sizeof (uint32_t)
+      || in.descdata >= contents + size
+      || in.descsz > contents - in.descdata + size)
+     return NULL;
+ 
+-  if (strcmp (in.namedata, "AVR") != 0)
+-    return NULL;
+  /* If the note has a string table, ensure it is 0 terminated.  */
+  if (in.descsz > 8 * sizeof (uint32_t))
+    in.descdata[in.descsz - 1] = 0;
+ 
+  *descsz = in.descsz;
+   return in.descdata;
+ }
+ 
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+-        deviceinfo *device)
+                          bfd_size_type desc_size, deviceinfo *device)
+ {
+   if (description == NULL)
+     return;
+ 
+   const bfd_size_type memory_sizes = 6;
+ 
+-  memcpy (device, description, memory_sizes * sizeof(uint32_t));
+-  device->name = NULL;
+  memcpy (device, description, memory_sizes * sizeof (uint32_t));
+  desc_size -= memory_sizes * sizeof (uint32_t);
+  if (desc_size < 8)
+    return;
+ 
+-  uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
+  uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+   bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+-  char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+ 
+   /* If the only content is the size itself, there's nothing in the table */
+-  if (stroffset_table_size == 4)
+  if (stroffset_table_size < 8)
+     return;
+  if (desc_size <= stroffset_table_size)
+    return;
+  desc_size -= stroffset_table_size;
+ 
+   /* First entry is the device name index. */
+   uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
+  if (device_name_index >= desc_size)
+    return;
+ 
+  char *str_table = (char *) stroffset_table + stroffset_table_size;
+   device->name = str_table + device_name_index;
+ }
+ 
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+   char *description = NULL;
+-  bfd_size_type note_section_size = 0;
+  bfd_size_type sec_size, desc_size;
+ 
+   deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+   device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+   bfd_size_type text_usage = 0;
+   bfd_size_type eeprom_usage = 0;
+ 
+-  char *contents = elf32_avr_get_note_section_contents (abfd,
+-    &note_section_size);
+  char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+ 
+   if (contents != NULL)
+     {
+-      description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+-      elf32_avr_get_device_info (abfd, description, &device);
+      description = elf32_avr_get_note_desc (abfd, contents, sec_size,
+                                            &desc_size);
+      elf32_avr_get_device_info (abfd, description, desc_size, &device);
+     }
+ 
+   elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
+@@ -1,3 +1,17 @@
+2021-02-11  Alan Modra  <amodra@gmail.com>
+
+       PR 27290
+       PR 27293
+       PR 27295
+       * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+       Use bfd_malloc_and_get_section.
+       (elf32_avr_get_note_desc): Formatting.  Return descsz.  Sanity
+       check namesz.  Return NULL if descsz is too small.  Ensure
+       string table is terminated.
+       (elf32_avr_get_device_info): Formatting.  Add note_size param.
+       Sanity check note.
+       (elf32_avr_dump_mem_usage): Adjust to suit.
+
+ 2020-02-01  Nick Clifton  <nickc@redhat.com>
+ 
+        * configure: Regenerate.

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 3e10279b1d..1c1118df54 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -48,5 +48,6 @@ SRC_URI = "\
48	file://CVE-2020-16598.patch \	48	file://CVE-2020-16598.patch \
49	file://CVE-2021-20197.patch \	49	file://CVE-2021-20197.patch \
50	file://CVE-2021-3487.patch \	50	file://CVE-2021-3487.patch \
		51	file://CVE-2021-3549.patch \
51	"	52	"
52	S = "${WORKDIR}/git"	53	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch new file mode 100644 index 0000000000..4391db340a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,187 @@
		1	From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 11 Feb 2021 16:56:42 +1030
		4	Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
		5
		6	Adds missing sanity checks for avr device info note, to avoid
		7	potential buffer overflows. Uses bfd_malloc_and_get_section for
		8	sanity checking section size.
		9
		10	PR 27290
		11	PR 27293
		12	PR 27295
		13	* od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
		14	Use bfd_malloc_and_get_section.
		15	(elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
		16	check namesz. Return NULL if descsz is too small. Ensure
		17	string table is terminated.
		18	(elf32_avr_get_device_info): Formatting. Add note_size param.
		19	Sanity check note.
		20	(elf32_avr_dump_mem_usage): Adjust to suit.
		21
		22	Upstream-Status: Backport
		23	CVE: CVE-2021-3549
		24	Signed-of-by: Armin Kuster <akuster@mvista.com>
		25
		26	---
		27	binutils/ChangeLog \| 14 +++++++++
		28	binutils/od-elf32_avr.c \| 66 ++++++++++++++++++++++++++---------------
		29	2 files changed, 56 insertions(+), 24 deletions(-)
		30
		31	Index: git/binutils/od-elf32_avr.c
		32	===================================================================
		33	--- git.orig/binutils/od-elf32_avr.c
		34	+++ git/binutils/od-elf32_avr.c
		35	@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
		36	return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
		37	}
		38
		39	-static char*
		40	+static char *
		41	elf32_avr_get_note_section_contents (bfd abfd, bfd_size_type size)
		42	{
		43	asection *section;
		44	+ bfd_byte *contents;
		45
		46	- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
		47	+ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
		48	+ if (section == NULL)
		49	return NULL;
		50
		51	- *size = bfd_section_size (section);
		52	- char contents = (char ) xmalloc (*size);
		53	- bfd_get_section_contents (abfd, section, contents, 0, *size);
		54	+ if (!bfd_malloc_and_get_section (abfd, section, &contents))
		55	+ {
		56	+ free (contents);
		57	+ contents = NULL;
		58	+ }
		59
		60	- return contents;
		61	+ *size = bfd_section_size (section);
		62	+ return (char *) contents;
		63	}
		64
		65	-static char* elf32_avr_get_note_desc (bfd abfd, char contents,
		66	- bfd_size_type size)
		67	+static char *
		68	+elf32_avr_get_note_desc (bfd abfd, char contents, bfd_size_type size,
		69	+ bfd_size_type *descsz)
		70	{
		71	Elf_External_Note xnp = (Elf_External_Note ) contents;
		72	Elf_Internal_Note in;
		73	@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bf
		74	if (in.namesz > contents - in.namedata + size)
		75	return NULL;
		76
		77	+ if (in.namesz != 4 \|\| strcmp (in.namedata, "AVR") != 0)
		78	+ return NULL;
		79	+
		80	in.descsz = bfd_get_32 (abfd, xnp->descsz);
		81	in.descdata = in.namedata + align_power (in.namesz, 2);
		82	- if (in.descsz != 0
		83	- && (in.descdata >= contents + size
		84	- \|\| in.descsz > contents - in.descdata + size))
		85	+ if (in.descsz < 6 * sizeof (uint32_t)
		86	+ \|\| in.descdata >= contents + size
		87	+ \|\| in.descsz > contents - in.descdata + size)
		88	return NULL;
		89
		90	- if (strcmp (in.namedata, "AVR") != 0)
		91	- return NULL;
		92	+ /* If the note has a string table, ensure it is 0 terminated. */
		93	+ if (in.descsz > 8 * sizeof (uint32_t))
		94	+ in.descdata[in.descsz - 1] = 0;
		95
		96	+ *descsz = in.descsz;
		97	return in.descdata;
		98	}
		99
		100	static void
		101	elf32_avr_get_device_info (bfd abfd, char description,
		102	- deviceinfo *device)
		103	+ bfd_size_type desc_size, deviceinfo *device)
		104	{
		105	if (description == NULL)
		106	return;
		107
		108	const bfd_size_type memory_sizes = 6;
		109
		110	- memcpy (device, description, memory_sizes * sizeof(uint32_t));
		111	- device->name = NULL;
		112	+ memcpy (device, description, memory_sizes * sizeof (uint32_t));
		113	+ desc_size -= memory_sizes * sizeof (uint32_t);
		114	+ if (desc_size < 8)
		115	+ return;
		116
		117	- uint32_t stroffset_table = ((uint32_t ) description) + memory_sizes;
		118	+ uint32_t stroffset_table = (uint32_t ) description + memory_sizes;
		119	bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
		120	- char str_table = ((char ) stroffset_table) + stroffset_table_size;
		121
		122	/* If the only content is the size itself, there's nothing in the table */
		123	- if (stroffset_table_size == 4)
		124	+ if (stroffset_table_size < 8)
		125	return;
		126	+ if (desc_size <= stroffset_table_size)
		127	+ return;
		128	+ desc_size -= stroffset_table_size;
		129
		130	/* First entry is the device name index. */
		131	uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
		132	+ if (device_name_index >= desc_size)
		133	+ return;
		134
		135	+ char str_table = (char ) stroffset_table + stroffset_table_size;
		136	device->name = str_table + device_name_index;
		137	}
		138
		139	@@ -183,7 +201,7 @@ static void
		140	elf32_avr_dump_mem_usage (bfd *abfd)
		141	{
		142	char *description = NULL;
		143	- bfd_size_type note_section_size = 0;
		144	+ bfd_size_type sec_size, desc_size;
		145
		146	deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
		147	device.name = "Unknown";
		148	@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
		149	bfd_size_type text_usage = 0;
		150	bfd_size_type eeprom_usage = 0;
		151
		152	- char *contents = elf32_avr_get_note_section_contents (abfd,
		153	- &note_section_size);
		154	+ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
		155
		156	if (contents != NULL)
		157	{
		158	- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
		159	- elf32_avr_get_device_info (abfd, description, &device);
		160	+ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
		161	+ &desc_size);
		162	+ elf32_avr_get_device_info (abfd, description, desc_size, &device);
		163	}
		164
		165	elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
		166	Index: git/binutils/ChangeLog
		167	===================================================================
		168	--- git.orig/binutils/ChangeLog
		169	+++ git/binutils/ChangeLog
		170	@@ -1,3 +1,17 @@
		171	+2021-02-11 Alan Modra <amodra@gmail.com>
		172	+
		173	+ PR 27290
		174	+ PR 27293
		175	+ PR 27295
		176	+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
		177	+ Use bfd_malloc_and_get_section.
		178	+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
		179	+ check namesz. Return NULL if descsz is too small. Ensure
		180	+ string table is terminated.
		181	+ (elf32_avr_get_device_info): Formatting. Add note_size param.
		182	+ Sanity check note.
		183	+ (elf32_avr_dump_mem_usage): Adjust to suit.
		184	+
		185	2020-02-01 Nick Clifton <nickc@redhat.com>
		186
		187	* configure: Regenerate.