diff options
| author | Yi Fan Yu <yifan.yu@windriver.com> | 2021-01-15 12:41:29 -0500 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-01-27 09:32:45 +0000 |
| commit | 5251cbb92ad75018ae9ec801fdea9265dd57ea86 (patch) | |
| tree | 48f2bd42c62807897c5a04ea04ca4dc43bdf95be | |
| parent | 38d5c5e7fd87efb441a99e69ed7b4760a8b082c7 (diff) | |
| download | poky-5251cbb92ad75018ae9ec801fdea9265dd57ea86.tar.gz | |
binutils: Fix CVE-2020-35448
Fix related to a buffer overflow in bfd library
CVE Details https://nvd.nist.gov/vuln/detail/CVE-2020-35448
Upstream Tracking https://sourceware.org/bugzilla/show_bug.cgi?id=26574
Patch from Upstream
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
h=8642dafaef21aa6747cec01df1977e9c52eb4679
(From OE-Core rev: f097519cb5d2acc65674f3a1d4c1c716cd2e75ca)
Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cb83312131f6c4f69d89d639085e07ea1f53167e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.35.1.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch | 85 |
2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc index c92cb75543..775af2b8f2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc | |||
| @@ -43,5 +43,6 @@ SRC_URI = "\ | |||
| 43 | file://0016-Check-for-clang-before-checking-gcc-version.patch \ | 43 | file://0016-Check-for-clang-before-checking-gcc-version.patch \ |
| 44 | file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \ | 44 | file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \ |
| 45 | file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \ | 45 | file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \ |
| 46 | file://CVE-2020-35448.patch \ | ||
| 46 | " | 47 | " |
| 47 | S = "${WORKDIR}/git" | 48 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch new file mode 100644 index 0000000000..3bc64776e5 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch | |||
| @@ -0,0 +1,85 @@ | |||
| 1 | From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alan Modra <amodra@gmail.com> | ||
| 3 | Date: Fri, 4 Sep 2020 19:19:18 +0930 | ||
| 4 | Subject: [PATCH] PR26574, heap buffer overflow in | ||
| 5 | _bfd_elf_slurp_secondary_reloc_section | ||
| 6 | |||
| 7 | A horribly fuzzed object with section headers inside the ELF header. | ||
| 8 | Disallow that, and crazy reloc sizes. | ||
| 9 | |||
| 10 | PR 26574 | ||
| 11 | * elfcode.h (elf_object_p): Sanity check section header offset. | ||
| 12 | * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check | ||
| 13 | sh_entsize. | ||
| 14 | |||
| 15 | Upstream-Status: Backport | ||
| 16 | CVE: CVE-2020-35448 | ||
| 17 | |||
| 18 | Reference to upstream patch: | ||
| 19 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; | ||
| 20 | h=8642dafaef21aa6747cec01df1977e9c52eb4679 | ||
| 21 | |||
| 22 | Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> | ||
| 23 | --- | ||
| 24 | bfd/elf.c | 4 +++- | ||
| 25 | bfd/elfcode.h | 8 ++++---- | ||
| 26 | 2 files changed, 7 insertions(+), 5 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/bfd/elf.c b/bfd/elf.c | ||
| 29 | index fe375e7346..9f29166399 100644 | ||
| 30 | --- a/bfd/elf.c | ||
| 31 | +++ b/bfd/elf.c | ||
| 32 | @@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd, | ||
| 33 | Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; | ||
| 34 | |||
| 35 | if (hdr->sh_type == SHT_SECONDARY_RELOC | ||
| 36 | - && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) | ||
| 37 | + && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx | ||
| 38 | + && (hdr->sh_entsize == ebd->s->sizeof_rel | ||
| 39 | + || hdr->sh_entsize == ebd->s->sizeof_rela)) | ||
| 40 | { | ||
| 41 | bfd_byte * native_relocs; | ||
| 42 | bfd_byte * native_reloc; | ||
| 43 | diff --git a/bfd/elfcode.h b/bfd/elfcode.h | ||
| 44 | index f4a7829f27..54ef890637 100644 | ||
| 45 | --- a/bfd/elfcode.h | ||
| 46 | +++ b/bfd/elfcode.h | ||
| 47 | @@ -568,7 +568,7 @@ elf_object_p (bfd *abfd) | ||
| 48 | |||
| 49 | /* If this is a relocatable file and there is no section header | ||
| 50 | table, then we're hosed. */ | ||
| 51 | - if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) | ||
| 52 | + if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) | ||
| 53 | goto got_wrong_format_error; | ||
| 54 | |||
| 55 | /* As a simple sanity check, verify that what BFD thinks is the | ||
| 56 | @@ -578,7 +578,7 @@ elf_object_p (bfd *abfd) | ||
| 57 | goto got_wrong_format_error; | ||
| 58 | |||
| 59 | /* Further sanity check. */ | ||
| 60 | - if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) | ||
| 61 | + if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) | ||
| 62 | goto got_wrong_format_error; | ||
| 63 | |||
| 64 | ebd = get_elf_backend_data (abfd); | ||
| 65 | @@ -615,7 +615,7 @@ elf_object_p (bfd *abfd) | ||
| 66 | && ebd->elf_osabi != ELFOSABI_NONE) | ||
| 67 | goto got_wrong_format_error; | ||
| 68 | |||
| 69 | - if (i_ehdrp->e_shoff != 0) | ||
| 70 | + if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) | ||
| 71 | { | ||
| 72 | file_ptr where = (file_ptr) i_ehdrp->e_shoff; | ||
| 73 | |||
| 74 | @@ -807,7 +807,7 @@ elf_object_p (bfd *abfd) | ||
| 75 | } | ||
| 76 | } | ||
| 77 | |||
| 78 | - if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) | ||
| 79 | + if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) | ||
| 80 | { | ||
| 81 | unsigned int num_sec; | ||
| 82 | |||
| 83 | -- | ||
| 84 | 2.29.2 | ||
| 85 | |||