summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch187
2 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 3e10279b1d..1c1118df54 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -48,5 +48,6 @@ SRC_URI = "\
48 file://CVE-2020-16598.patch \ 48 file://CVE-2020-16598.patch \
49 file://CVE-2021-20197.patch \ 49 file://CVE-2021-20197.patch \
50 file://CVE-2021-3487.patch \ 50 file://CVE-2021-3487.patch \
51 file://CVE-2021-3549.patch \
51" 52"
52S = "${WORKDIR}/git" 53S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..4391db340a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,187 @@
1From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 11 Feb 2021 16:56:42 +1030
4Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
5
6Adds missing sanity checks for avr device info note, to avoid
7potential buffer overflows. Uses bfd_malloc_and_get_section for
8sanity checking section size.
9
10 PR 27290
11 PR 27293
12 PR 27295
13 * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
14 Use bfd_malloc_and_get_section.
15 (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
16 check namesz. Return NULL if descsz is too small. Ensure
17 string table is terminated.
18 (elf32_avr_get_device_info): Formatting. Add note_size param.
19 Sanity check note.
20 (elf32_avr_dump_mem_usage): Adjust to suit.
21
22Upstream-Status: Backport
23CVE: CVE-2021-3549
24Signed-of-by: Armin Kuster <akuster@mvista.com>
25
26---
27 binutils/ChangeLog | 14 +++++++++
28 binutils/od-elf32_avr.c | 66 ++++++++++++++++++++++++++---------------
29 2 files changed, 56 insertions(+), 24 deletions(-)
30
31Index: git/binutils/od-elf32_avr.c
32===================================================================
33--- git.orig/binutils/od-elf32_avr.c
34+++ git/binutils/od-elf32_avr.c
35@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
36 return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
37 }
38
39-static char*
40+static char *
41 elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
42 {
43 asection *section;
44+ bfd_byte *contents;
45
46- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
47+ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
48+ if (section == NULL)
49 return NULL;
50
51- *size = bfd_section_size (section);
52- char *contents = (char *) xmalloc (*size);
53- bfd_get_section_contents (abfd, section, contents, 0, *size);
54+ if (!bfd_malloc_and_get_section (abfd, section, &contents))
55+ {
56+ free (contents);
57+ contents = NULL;
58+ }
59
60- return contents;
61+ *size = bfd_section_size (section);
62+ return (char *) contents;
63 }
64
65-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
66- bfd_size_type size)
67+static char *
68+elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
69+ bfd_size_type *descsz)
70 {
71 Elf_External_Note *xnp = (Elf_External_Note *) contents;
72 Elf_Internal_Note in;
73@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bf
74 if (in.namesz > contents - in.namedata + size)
75 return NULL;
76
77+ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
78+ return NULL;
79+
80 in.descsz = bfd_get_32 (abfd, xnp->descsz);
81 in.descdata = in.namedata + align_power (in.namesz, 2);
82- if (in.descsz != 0
83- && (in.descdata >= contents + size
84- || in.descsz > contents - in.descdata + size))
85+ if (in.descsz < 6 * sizeof (uint32_t)
86+ || in.descdata >= contents + size
87+ || in.descsz > contents - in.descdata + size)
88 return NULL;
89
90- if (strcmp (in.namedata, "AVR") != 0)
91- return NULL;
92+ /* If the note has a string table, ensure it is 0 terminated. */
93+ if (in.descsz > 8 * sizeof (uint32_t))
94+ in.descdata[in.descsz - 1] = 0;
95
96+ *descsz = in.descsz;
97 return in.descdata;
98 }
99
100 static void
101 elf32_avr_get_device_info (bfd *abfd, char *description,
102- deviceinfo *device)
103+ bfd_size_type desc_size, deviceinfo *device)
104 {
105 if (description == NULL)
106 return;
107
108 const bfd_size_type memory_sizes = 6;
109
110- memcpy (device, description, memory_sizes * sizeof(uint32_t));
111- device->name = NULL;
112+ memcpy (device, description, memory_sizes * sizeof (uint32_t));
113+ desc_size -= memory_sizes * sizeof (uint32_t);
114+ if (desc_size < 8)
115+ return;
116
117- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
118+ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
119 bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
120- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
121
122 /* If the only content is the size itself, there's nothing in the table */
123- if (stroffset_table_size == 4)
124+ if (stroffset_table_size < 8)
125 return;
126+ if (desc_size <= stroffset_table_size)
127+ return;
128+ desc_size -= stroffset_table_size;
129
130 /* First entry is the device name index. */
131 uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
132+ if (device_name_index >= desc_size)
133+ return;
134
135+ char *str_table = (char *) stroffset_table + stroffset_table_size;
136 device->name = str_table + device_name_index;
137 }
138
139@@ -183,7 +201,7 @@ static void
140 elf32_avr_dump_mem_usage (bfd *abfd)
141 {
142 char *description = NULL;
143- bfd_size_type note_section_size = 0;
144+ bfd_size_type sec_size, desc_size;
145
146 deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
147 device.name = "Unknown";
148@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
149 bfd_size_type text_usage = 0;
150 bfd_size_type eeprom_usage = 0;
151
152- char *contents = elf32_avr_get_note_section_contents (abfd,
153- &note_section_size);
154+ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
155
156 if (contents != NULL)
157 {
158- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
159- elf32_avr_get_device_info (abfd, description, &device);
160+ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
161+ &desc_size);
162+ elf32_avr_get_device_info (abfd, description, desc_size, &device);
163 }
164
165 elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
166Index: git/binutils/ChangeLog
167===================================================================
168--- git.orig/binutils/ChangeLog
169+++ git/binutils/ChangeLog
170@@ -1,3 +1,17 @@
171+2021-02-11 Alan Modra <amodra@gmail.com>
172+
173+ PR 27290
174+ PR 27293
175+ PR 27295
176+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
177+ Use bfd_malloc_and_get_section.
178+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
179+ check namesz. Return NULL if descsz is too small. Ensure
180+ string table is terminated.
181+ (elf32_avr_get_device_info): Formatting. Add note_size param.
182+ Sanity check note.
183+ (elf32_avr_dump_mem_usage): Adjust to suit.
184+
185 2020-02-01 Nick Clifton <nickc@redhat.com>
186
187 * configure: Regenerate.