aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYi Fan Yu <yifan.yu@windriver.com>2021-01-15 12:41:29 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-16 22:39:17 +0000
commitcb83312131f6c4f69d89d639085e07ea1f53167e (patch)
tree3a96fb4ead9b0d93347ddfa59a5da1b973c9fe7f
parent06b72a91b6dcf63fed437fd2105c59e922ba6525 (diff)
downloadopenembedded-core-contrib-cb83312131f6c4f69d89d639085e07ea1f53167e.tar.gz
openembedded-core-contrib-cb83312131f6c4f69d89d639085e07ea1f53167e.tar.bz2
openembedded-core-contrib-cb83312131f6c4f69d89d639085e07ea1f53167e.zip
binutils: Fix CVE-2020-35448
Fix related to a buffer overflow in bfd library CVE Details https://nvd.nist.gov/vuln/detail/CVE-2020-35448 Upstream Tracking https://sourceware.org/bugzilla/show_bug.cgi?id=26574 Patch from Upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; h=8642dafaef21aa6747cec01df1977e9c52eb4679 Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.35.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch85
2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index c92cb75543d..775af2b8f20 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -43,5 +43,6 @@ SRC_URI = "\
file://0016-Check-for-clang-before-checking-gcc-version.patch \
file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
+ file://CVE-2020-35448.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
new file mode 100644
index 00000000000..3bc64776e52
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
@@ -0,0 +1,85 @@
+From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 4 Sep 2020 19:19:18 +0930
+Subject: [PATCH] PR26574, heap buffer overflow in
+ _bfd_elf_slurp_secondary_reloc_section
+
+A horribly fuzzed object with section headers inside the ELF header.
+Disallow that, and crazy reloc sizes.
+
+ PR 26574
+ * elfcode.h (elf_object_p): Sanity check section header offset.
+ * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
+ sh_entsize.
+
+Upstream-Status: Backport
+CVE: CVE-2020-35448
+
+Reference to upstream patch:
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
+ h=8642dafaef21aa6747cec01df1977e9c52eb4679
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ bfd/elf.c | 4 +++-
+ bfd/elfcode.h | 8 ++++----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index fe375e7346..9f29166399 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
+ Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+
+ if (hdr->sh_type == SHT_SECONDARY_RELOC
+- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
++ && (hdr->sh_entsize == ebd->s->sizeof_rel
++ || hdr->sh_entsize == ebd->s->sizeof_rela))
+ {
+ bfd_byte * native_relocs;
+ bfd_byte * native_reloc;
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index f4a7829f27..54ef890637 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+
+ /* If this is a relocatable file and there is no section header
+ table, then we're hosed. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+ goto got_wrong_format_error;
+
+ /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+ goto got_wrong_format_error;
+
+ /* Further sanity check. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+ goto got_wrong_format_error;
+
+ ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+ && ebd->elf_osabi != ELFOSABI_NONE)
+ goto got_wrong_format_error;
+
+- if (i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+ {
+ file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+ }
+ }
+
+- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+ {
+ unsigned int num_sec;
+
+--
+2.29.2
+