2 files changed, 256 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc
index e4fdadc70a..9574ddb6e1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.36.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -47,5 +47,6 @@ SRC_URI = "\
     file://0017-CVE-2021-3530.patch \
     file://0018-CVE-2021-3530.patch \
     file://0001-CVE-2021-42574.patch \
+     file://0001-CVE-2021-45078.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..f118e2599b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,255 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+        PR 28694
+        * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+        Negate typenum earlier, simplifying bounds checking.  Correct
+        off-by-one indexing.  Adjust switch cases.
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
+++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
+  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-                        int typenum)
+                        unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
+  typenum = -typenum - 1;
+  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
+      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
+  if (info->xcoff_types[typenum] != NULL)
+    return info->xcoff_types[typenum];
+ 
+-  switch (-typenum)
+  switch (typenum)
+     {
+-    case 1:
+    case 0:
+       /* The size of this and all the other types are fixed, defined
+         by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 2:
+    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 3:
+    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 4:
+    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 5:
+    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 6:
+    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 7:
+    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, TRUE);
+       break;
+-    case 8:
+    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 9:
+    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 10:
+    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 11:
+    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
+    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
+    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
+    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+         with different sizes for "long double" should use different
+         negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
+    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 16:
+    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
+    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
+    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
+    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
+    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 21:
+    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
+    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
+    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
+    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
+    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
+    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
+    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 28:
+    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 29:
+    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 30:
+    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 31:
+    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+-    case 32:
+    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, TRUE);
+       break;
+-    case 33:
+    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
+    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
+  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+ 
+-- 
+2.27.0

diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc index e4fdadc70a..9574ddb6e1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.36.inc +++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -47,5 +47,6 @@ SRC_URI = "\
47	file://0017-CVE-2021-3530.patch \	47	file://0017-CVE-2021-3530.patch \
48	file://0018-CVE-2021-3530.patch \	48	file://0018-CVE-2021-3530.patch \
49	file://0001-CVE-2021-42574.patch \	49	file://0001-CVE-2021-42574.patch \
		50	file://0001-CVE-2021-45078.patch \
50	"	51	"
51	S = "${WORKDIR}/git"	52	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch new file mode 100644 index 0000000000..f118e2599b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,255 @@
		1	From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Wed, 15 Dec 2021 11:48:42 +1030
		4	Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
		5
		6	PR 28694
		7	* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
		8	Negate typenum earlier, simplifying bounds checking. Correct
		9	off-by-one indexing. Adjust switch cases.
		10
		11
		12	CVE: CVE-2021-45078
		13	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
		14
		15	Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
		16	---
		17	binutils/stabs.c \| 87 ++++++++++++++++++++++++------------------------
		18	1 file changed, 43 insertions(+), 44 deletions(-)
		19
		20
		21	diff --git a/binutils/stabs.c b/binutils/stabs.c
		22	index 274bfb0e7fa..83ee3ea5fa4 100644
		23	--- a/binutils/stabs.c
		24	+++ b/binutils/stabs.c
		25	@@ -202,7 +202,7 @@ static debug_type stab_find_type (void , struct stab_handle , const int *);
		26	static bfd_boolean stab_record_type
		27	(void , struct stab_handle , const int *, debug_type);
		28	static debug_type stab_xcoff_builtin_type
		29	- (void , struct stab_handle , int);
		30	+ (void , struct stab_handle , unsigned int);
		31	static debug_type stab_find_tagged_type
		32	(void , struct stab_handle , const char *, int, enum debug_type_kind);
		33	static debug_type *stab_demangle_argtypes
		34	@@ -3496,166 +3496,167 @@ stab_record_type (void dhandle ATTRIBUTE_UNUSED, struct stab_handle info,
		35
		36	static debug_type
		37	stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
		38	- int typenum)
		39	+ unsigned int typenum)
		40	{
		41	debug_type rettype;
		42	const char *name;
		43
		44	- if (typenum >= 0 \|\| typenum < -XCOFF_TYPE_COUNT)
		45	+ typenum = -typenum - 1;
		46	+ if (typenum >= XCOFF_TYPE_COUNT)
		47	{
		48	- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
		49	+ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
		50	return DEBUG_TYPE_NULL;
		51	}
		52	- if (info->xcoff_types[-typenum] != NULL)
		53	- return info->xcoff_types[-typenum];
		54	+ if (info->xcoff_types[typenum] != NULL)
		55	+ return info->xcoff_types[typenum];
		56
		57	- switch (-typenum)
		58	+ switch (typenum)
		59	{
		60	- case 1:
		61	+ case 0:
		62	/* The size of this and all the other types are fixed, defined
		63	by the debugging format. */
		64	name = "int";
		65	rettype = debug_make_int_type (dhandle, 4, FALSE);
		66	break;
		67	- case 2:
		68	+ case 1:
		69	name = "char";
		70	rettype = debug_make_int_type (dhandle, 1, FALSE);
		71	break;
		72	- case 3:
		73	+ case 2:
		74	name = "short";
		75	rettype = debug_make_int_type (dhandle, 2, FALSE);
		76	break;
		77	- case 4:
		78	+ case 3:
		79	name = "long";
		80	rettype = debug_make_int_type (dhandle, 4, FALSE);
		81	break;
		82	- case 5:
		83	+ case 4:
		84	name = "unsigned char";
		85	rettype = debug_make_int_type (dhandle, 1, TRUE);
		86	break;
		87	- case 6:
		88	+ case 5:
		89	name = "signed char";
		90	rettype = debug_make_int_type (dhandle, 1, FALSE);
		91	break;
		92	- case 7:
		93	+ case 6:
		94	name = "unsigned short";
		95	rettype = debug_make_int_type (dhandle, 2, TRUE);
		96	break;
		97	- case 8:
		98	+ case 7:
		99	name = "unsigned int";
		100	rettype = debug_make_int_type (dhandle, 4, TRUE);
		101	break;
		102	- case 9:
		103	+ case 8:
		104	name = "unsigned";
		105	rettype = debug_make_int_type (dhandle, 4, TRUE);
		106	break;
		107	- case 10:
		108	+ case 9:
		109	name = "unsigned long";
		110	rettype = debug_make_int_type (dhandle, 4, TRUE);
		111	break;
		112	- case 11:
		113	+ case 10:
		114	name = "void";
		115	rettype = debug_make_void_type (dhandle);
		116	break;
		117	- case 12:
		118	+ case 11:
		119	/* IEEE single precision (32 bit). */
		120	name = "float";
		121	rettype = debug_make_float_type (dhandle, 4);
		122	break;
		123	- case 13:
		124	+ case 12:
		125	/* IEEE double precision (64 bit). */
		126	name = "double";
		127	rettype = debug_make_float_type (dhandle, 8);
		128	break;
		129	- case 14:
		130	+ case 13:
		131	/* This is an IEEE double on the RS/6000, and different machines
		132	with different sizes for "long double" should use different
		133	negative type numbers. See stabs.texinfo. */
		134	name = "long double";
		135	rettype = debug_make_float_type (dhandle, 8);
		136	break;
		137	- case 15:
		138	+ case 14:
		139	name = "integer";
		140	rettype = debug_make_int_type (dhandle, 4, FALSE);
		141	break;
		142	- case 16:
		143	+ case 15:
		144	name = "boolean";
		145	rettype = debug_make_bool_type (dhandle, 4);
		146	break;
		147	- case 17:
		148	+ case 16:
		149	name = "short real";
		150	rettype = debug_make_float_type (dhandle, 4);
		151	break;
		152	- case 18:
		153	+ case 17:
		154	name = "real";
		155	rettype = debug_make_float_type (dhandle, 8);
		156	break;
		157	- case 19:
		158	+ case 18:
		159	/* FIXME */
		160	name = "stringptr";
		161	rettype = NULL;
		162	break;
		163	- case 20:
		164	+ case 19:
		165	/* FIXME */
		166	name = "character";
		167	rettype = debug_make_int_type (dhandle, 1, TRUE);
		168	break;
		169	- case 21:
		170	+ case 20:
		171	name = "logical*1";
		172	rettype = debug_make_bool_type (dhandle, 1);
		173	break;
		174	- case 22:
		175	+ case 21:
		176	name = "logical*2";
		177	rettype = debug_make_bool_type (dhandle, 2);
		178	break;
		179	- case 23:
		180	+ case 22:
		181	name = "logical*4";
		182	rettype = debug_make_bool_type (dhandle, 4);
		183	break;
		184	- case 24:
		185	+ case 23:
		186	name = "logical";
		187	rettype = debug_make_bool_type (dhandle, 4);
		188	break;
		189	- case 25:
		190	+ case 24:
		191	/* Complex type consisting of two IEEE single precision values. */
		192	name = "complex";
		193	rettype = debug_make_complex_type (dhandle, 8);
		194	break;
		195	- case 26:
		196	+ case 25:
		197	/* Complex type consisting of two IEEE double precision values. */
		198	name = "double complex";
		199	rettype = debug_make_complex_type (dhandle, 16);
		200	break;
		201	- case 27:
		202	+ case 26:
		203	name = "integer*1";
		204	rettype = debug_make_int_type (dhandle, 1, FALSE);
		205	break;
		206	- case 28:
		207	+ case 27:
		208	name = "integer*2";
		209	rettype = debug_make_int_type (dhandle, 2, FALSE);
		210	break;
		211	- case 29:
		212	+ case 28:
		213	name = "integer*4";
		214	rettype = debug_make_int_type (dhandle, 4, FALSE);
		215	break;
		216	- case 30:
		217	+ case 29:
		218	/* FIXME */
		219	name = "wchar";
		220	rettype = debug_make_int_type (dhandle, 2, FALSE);
		221	break;
		222	- case 31:
		223	+ case 30:
		224	name = "long long";
		225	rettype = debug_make_int_type (dhandle, 8, FALSE);
		226	break;
		227	- case 32:
		228	+ case 31:
		229	name = "unsigned long long";
		230	rettype = debug_make_int_type (dhandle, 8, TRUE);
		231	break;
		232	- case 33:
		233	+ case 32:
		234	name = "logical*8";
		235	rettype = debug_make_bool_type (dhandle, 8);
		236	break;
		237	- case 34:
		238	+ case 33:
		239	name = "integer*8";
		240	rettype = debug_make_int_type (dhandle, 8, FALSE);
		241	break;
		242	@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void dhandle, struct stab_handle info,
		243	}
		244
		245	rettype = debug_name_type (dhandle, name, rettype);
		246	-
		247	- info->xcoff_types[-typenum] = rettype;
		248	-
		249	+ info->xcoff_types[typenum] = rettype;
		250	return rettype;
		251	}
		252
		253	--
		254	2.27.0
		255