mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-21 13:54:22 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
854aafaea449e5808c0cc2ddf02088511cd3defb
poky/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
Sundeep KOKKONDA d86149ba65 binutils: stable 2.34 branch updates 
Below commits on binutils-2.34 stable branch are updated.
c4e78c0868a PR27755, powerpc-ld infinite loop
33973d228c9 gas, arm: PR26858 Fix availability of single precision vmul/vmla in arm mode
0c8652fe288 x86: Update GNU property tests
5c1bd3f52c6 x86: Properly merge -z ibt and -z shstk
93b9bf1651a PowerPC TPREL_HA/LO optimisation
58950a3bfd4 Date update
e3b314d3a61 aarch64: set sh_entsize of .plt to 0
26b6ab7a0e4 S/390: z13: Accept vector alignment hints
7324292cd94 gas: Fix checking for backwards .org with negative offset
463ec189fe9 Prevent a potential use-after-fee memory corruption bug in the linker (for PE format files).
ef2826c0fdb Fix the ARM assembler to generate a Realtime profile for armv8-r.
8524bb5bd28 Re: Fix tight loop on recursively-defined symbols
5768460022b Fix tight loop on recursively-defined symbols
a72427b1ae0 gas: PR 25863: Fix scalar vmul inside it block when assembling for MVE
9f57ab49b32 BFD: Exclude sections with no content from compress check.
aaf3f0599a2 Arm: Fix LSB of GOT for Thumb2 only PLT.
97f92b3e90a Arm: Fix thumb2 PLT branch offsets.
3053d7a163c include: Sync plugin-api.h with GCC
f7aec2b8e09 PR25745, powerpc64-ld overflows string buffer in --stats mode
1b2bf0f65c1 include: Sync plugin-api.h with GCC
5e8619b9597 include: Sync lto-symtab.h and plugin-api.h with GCC
23820109ced plugin: Don't invoke LTO-wrapper
64f5c0afcc4 plugin: Use LDPT_ADD_SYMBOLS_V2 to get symbol type
aaa1e160040 Silence warnings due to plugin API change
e7c0ee5110c Include: Sync lto-symtab.h and plugin-api.h with GCC
b6520be37fd Fix dwarf.c build with GCC 10
a560c29ca5a bfd: Change num_group to unsigned int
3ca4cd1ebde gas, arm: Fix bad backport
b3174859c4b gas, arm: PR25660L Fix vadd/vsub with lt and le condition codes for MVE
de9c1b7cfe6 powerpc64-ld infinite loop
0318fc4e18e Adjust PR25355 testcase
40bfb976274 Re: PR24511, nm should not mark symbols in .init_array as "t"
42b2380cdce Don't call lto-wrapper for ar and ranlib
acc4a8b8ac8 PR25585, PHDR segment not covered by LOAD segment

(From OE-Core rev: ad15d44b6c56ccbbe8e4c12717e7dfe3492a659a)

Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-11-20 08:19:10 +00:00

184 lines
6.1 KiB
Diff
Raw Blame History

From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 11 Feb 2021 16:56:42 +1030
Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
Adds missing sanity checks for avr device info note, to avoid
potential buffer overflows. Uses bfd_malloc_and_get_section for
sanity checking section size.
PR 27290
PR 27293
PR 27295
* od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
Use bfd_malloc_and_get_section.
(elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
check namesz. Return NULL if descsz is too small. Ensure
string table is terminated.
(elf32_avr_get_device_info): Formatting. Add note_size param.
Sanity check note.
(elf32_avr_dump_mem_usage): Adjust to suit.
Upstream-Status: Backport
CVE: CVE-2021-3549
Signed-of-by: Armin Kuster <akuster@mvista.com>
---
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 1e9a96c9bb6..02e5019204e 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,17 @@
+2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+ PR 27293
+ PR 27295
+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+ Use bfd_malloc_and_get_section.
+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+ check namesz. Return NULL if descsz is too small. Ensure
+ string table is terminated.
+ (elf32_avr_get_device_info): Formatting. Add note_size param.
+ Sanity check note.
+ (elf32_avr_dump_mem_usage): Adjust to suit.
+
2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
* ar.c (main): Update bfd_plugin_set_program_name call.
diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
index 5ec99957fe9..1d32bce918e 100644
--- a/binutils/od-elf32_avr.c
+++ b/binutils/od-elf32_avr.c
@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
}
-static char*
+static char *
elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
{
asection *section;
+ bfd_byte *contents;
- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
+ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
+ if (section == NULL)
return NULL;
- *size = bfd_section_size (section);
- char *contents = (char *) xmalloc (*size);
- bfd_get_section_contents (abfd, section, contents, 0, *size);
+ if (!bfd_malloc_and_get_section (abfd, section, &contents))
+ {
+ free (contents);
+ contents = NULL;
+ }
- return contents;
+ *size = bfd_section_size (section);
+ return (char *) contents;
}
-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
- bfd_size_type size)
+static char *
+elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
+ bfd_size_type *descsz)
{
Elf_External_Note *xnp = (Elf_External_Note *) contents;
Elf_Internal_Note in;
@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
if (in.namesz > contents - in.namedata + size)
return NULL;
+ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
+ return NULL;
+
in.descsz = bfd_get_32 (abfd, xnp->descsz);
in.descdata = in.namedata + align_power (in.namesz, 2);
- if (in.descsz != 0
- && (in.descdata >= contents + size
- || in.descsz > contents - in.descdata + size))
+ if (in.descsz < 6 * sizeof (uint32_t)
+ || in.descdata >= contents + size
+ || in.descsz > contents - in.descdata + size)
return NULL;
- if (strcmp (in.namedata, "AVR") != 0)
- return NULL;
+ /* If the note has a string table, ensure it is 0 terminated. */
+ if (in.descsz > 8 * sizeof (uint32_t))
+ in.descdata[in.descsz - 1] = 0;
+ *descsz = in.descsz;
return in.descdata;
}
static void
elf32_avr_get_device_info (bfd *abfd, char *description,
- deviceinfo *device)
+ bfd_size_type desc_size, deviceinfo *device)
{
if (description == NULL)
return;
const bfd_size_type memory_sizes = 6;
- memcpy (device, description, memory_sizes * sizeof(uint32_t));
- device->name = NULL;
+ memcpy (device, description, memory_sizes * sizeof (uint32_t));
+ desc_size -= memory_sizes * sizeof (uint32_t);
+ if (desc_size < 8)
+ return;
- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
+ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
/* If the only content is the size itself, there's nothing in the table */
- if (stroffset_table_size == 4)
+ if (stroffset_table_size < 8)
return;
+ if (desc_size <= stroffset_table_size)
+ return;
+ desc_size -= stroffset_table_size;
/* First entry is the device name index. */
uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
+ if (device_name_index >= desc_size)
+ return;
+ char *str_table = (char *) stroffset_table + stroffset_table_size;
device->name = str_table + device_name_index;
}
@@ -183,7 +201,7 @@ static void
elf32_avr_dump_mem_usage (bfd *abfd)
{
char *description = NULL;
- bfd_size_type note_section_size = 0;
+ bfd_size_type sec_size, desc_size;
deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
device.name = "Unknown";
@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
bfd_size_type text_usage = 0;
bfd_size_type eeprom_usage = 0;
- char *contents = elf32_avr_get_note_section_contents (abfd,
- &note_section_size);
+ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
if (contents != NULL)
{
- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
- elf32_avr_get_device_info (abfd, description, &device);
+ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
+ &desc_size);
+ elf32_avr_get_device_info (abfd, description, desc_size, &device);
}
elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
Reference in New Issue View Git Blame Copy Permalink