[OE-core] [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598

[Lee Chee Yang]

From: Lee Chee Yang <chee.yang....@intel.com>

fix CVE-2020-16592 & CVE-2020-16598

removed changes to Changelog in patch file

Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
---
 .../binutils/binutils-2.34.inc                |  2 +
 .../binutils/binutils/CVE-2020-16592.patch    | 61 +++++++++++++++++++
 .../binutils/binutils/CVE-2020-16598.patch    | 32 ++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc 
b/meta/recipes-devtools/binutils/binutils-2.34.inc
index b5f5a1c69a..f557fe970c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
      file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
      file://CVE-2020-0551.patch \
      file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+     file://CVE-2020-16592.patch \
+     file://CVE-2020-16598.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
new file mode 100644
index 0000000000..f5f9ccdd53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
+From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amo...@gmail.com>
+Date: Wed, 15 Apr 2020 18:58:11 +0930
+Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
+
+       PR 25823
+       * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+       pointer into strings that may be freed for section name, always
+       allocate a new string.
+
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
+CVE: CVE-2020-16592
+Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
+
+---
+ bfd/peXXigen.c | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+ 
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b9eeb775d9b..8aa5914acd9 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * 
in1)
+         int unused_section_number = 0;
+         asection *sec;
+         flagword flags;
++        size_t name_len;
++        char *sec_name;
+ 
+         for (sec = abfd->sections; sec; sec = sec->next)
+           if (unused_section_number <= sec->target_index)
+             unused_section_number = sec->target_index + 1;
+ 
+-        if (name == namebuf)
++        name_len = strlen (name) + 1;
++        sec_name = bfd_alloc (abfd, name_len);
++        if (sec_name == NULL)
+           {
+-            name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
+-            if (name == NULL)
+-              {
+-                _bfd_error_handler (_("%pB: out of memory creating name for 
empty section"),
+-                                    abfd);
+-                return;
+-              }
+-            strcpy ((char *) name, namebuf);
++            _bfd_error_handler (_("%pB: out of memory creating name "
++                                  "for empty section"), abfd);
++            return;
+           }
++        memcpy (sec_name, name, name_len);
+ 
+         flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
+-        sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
++        sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
+         if (sec == NULL)
+           {
+             _bfd_error_handler (_("%pB: unable to create fake empty section"),
+-- 
+2.27.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
new file mode 100644
index 0000000000..52bd925c97
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
+From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amo...@gmail.com>
+Date: Fri, 17 Apr 2020 10:38:16 +0930
+Subject: [PATCH] PR25840, Null pointer dereference in objdump
+
+       PR 25840
+       * debug.c (debug_class_type_samep): Don't segfault on NULL type.
+
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
+CVE: CVE-2020-16598
+Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
+
+---
+ binutils/debug.c   | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4edffb..5470e155edc 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, 
struct debug_type_s *t1,
+              names, since that sometimes fails in the presence of
+              typedefs and we really don't care.  */
+         if (strcmp (f1->name, f2->name) != 0
++            || f1->type == NULL
++            || f2->type == NULL
+             || ! debug_type_samep (info,
+                                    debug_get_real_type ((void *) info,
+                                                         f1->type, NULL),
+-- 
+2.27.0
+
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#145546): 
https://lists.openembedded.org/g/openembedded-core/message/145546
Mute This Topic: https://lists.openembedded.org/mt/78947983/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-