On Fri, Jan 15, 2021 at 4:32 AM Yi Fan Yu <yifan...@windriver.com> wrote: > > Fix related to a buffer overflow in bfd library > > CVE Details https://nvd.nist.gov/vuln/detail/CVE-2020-35448 > > Upstream Tracking https://sourceware.org/bugzilla/show_bug.cgi?id=26574 > > Patch from Upstream > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; > h=8642dafaef21aa6747cec01df1977e9c52eb4679 > > Signed-off-by: Yi Fan Yu <yifan...@windriver.com> > --- > .../binutils/binutils-2.35.1.inc | 1 + > .../binutils/binutils/CVE-2020-35448.patch | 78 +++++++++++++++++++ > 2 files changed, 79 insertions(+) > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc > b/meta/recipes-devtools/binutils/binutils-2.35.1.inc > index c92cb75543..775af2b8f2 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc > @@ -43,5 +43,6 @@ SRC_URI = "\ > file://0016-Check-for-clang-before-checking-gcc-version.patch \ > file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \ > file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \ > + file://CVE-2020-35448.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch > new file mode 100644 > index 0000000000..3b0f18bdb1 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch 
> @@ -0,0 +1,78 @@ > +From dc40540e4b4b1771182a9c0fc6ba5f1a830802bc Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amo...@gmail.com> > +Date: Fri, 4 Sep 2020 19:19:18 +0930 > +Subject: [PATCH] PR26574, heap buffer overflow in > + _bfd_elf_slurp_secondary_reloc_section > + > +A horribly fuzzed object with section headers inside the ELF header. > +Disallow that, and crazy reloc sizes. > + > + PR 26574 > + * elfcode.h (elf_object_p): Sanity check section header offset. > + * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check > + sh_entsize. > + > +Upstream-Status: Backport > [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679]
First of all, thanks for helping with CVEs! You are missing the CVE and Signed-off-by tags in the patch. Please see the "Patch name convention and commit message" section at: https://wiki.yoctoproject.org/wiki/Security Steve > +--- > + bfd/elf.c | 4 +++- > + bfd/elfcode.h | 8 ++++---- > + 2 files changed, 7 insertions(+), 5 deletions(-) > + > +diff --git a/bfd/elf.c b/bfd/elf.c > +index fe375e7346..9f29166399 100644 > +--- a/bfd/elf.c > ++++ b/bfd/elf.c > +@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * > abfd, > + Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; > + > + if (hdr->sh_type == SHT_SECONDARY_RELOC > +- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) > ++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx > ++ && (hdr->sh_entsize == ebd->s->sizeof_rel > ++ || hdr->sh_entsize == ebd->s->sizeof_rela)) > + { > + bfd_byte * native_relocs; > + bfd_byte * native_reloc; > +diff --git a/bfd/elfcode.h b/bfd/elfcode.h > +index f4a7829f27..54ef890637 100644 > +--- a/bfd/elfcode.h > ++++ b/bfd/elfcode.h > +@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd) > + > + /* If this is a relocatable file and there is no section header > + table, then we're hosed. */ > +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) > ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) > + goto got_wrong_format_error; > + > + /* As a simple sanity check, verify that what BFD thinks is the > +@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd) > + goto got_wrong_format_error; > + > + /* Further sanity check. 
*/ > +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) > ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) > + goto got_wrong_format_error; > + > + ebd = get_elf_backend_data (abfd); > +@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd) > + && ebd->elf_osabi != ELFOSABI_NONE) > + goto got_wrong_format_error; > + > +- if (i_ehdrp->e_shoff != 0) > ++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) > + { > + file_ptr where = (file_ptr) i_ehdrp->e_shoff; > + > +@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd) > + } > + } > + > +- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) > ++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) > + { > + unsigned int num_sec; > + > +-- > +2.29.2 > + > -- > 2.29.2 > > > >
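Review bot: the header of the new patch file (the `+From dc40540e4b4b...` through `+Upstream-Status: Backport [...]` lines of the `@@ -0,0 +1,78 @@` hunk) carries no `CVE: CVE-2020-35448` tag and no `Signed-off-by:` line for the person doing the backport, even though the cover letter above has one; both belong directly under the `Upstream-Status:` line per the convention Steve links. The `From dc40540e4b4b...` id in that header also differs from the upstream commit 8642dafaef21... named in `Upstream-Status:` and in the cover letter; if dc40540e is only the id of a local cherry-pick that is harmless, but quoting the upstream id in the header would remove the mismatch for the next reader.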
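Review bot: in the `bfd/elf.c` hunk at `_bfd_elf_slurp_secondary_reloc_section`, folding the new `sh_entsize` test into the existing `if` means a `SHT_SECONDARY_RELOC` section whose entry size matches neither `ebd->s->sizeof_rel` nor `ebd->s->sizeof_rela` is silently skipped rather than diagnosed; that is acceptable for a backport that must track upstream, but an error-handler message before skipping would make fuzzed inputs of the kind the commit message describes easier to recognise when reading objdump output. The check itself is the right shape, since it limits the entry size to the only two values the reloc readers below can handle.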
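Review bot: in the first `bfd/elfcode.h` hunk (`@@ -568,7 +568,7 @@`) the comment above the changed test still says "there is no section header table", but the new condition `i_ehdrp->e_shoff < sizeof (x_ehdr)` now also rejects a table whose offset lands inside the ELF header, which is exactly the "section headers inside the ELF header" case the commit message describes; the comment should say so (for example "no section header table, or one overlapping the ELF header") so the reason for the threshold survives in the code.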
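Review bot: the `elf_object_p` hunks at 615 and 807 in `bfd/elfcode.h` change the guard from `e_shoff != 0` to `e_shoff >= sizeof (x_ehdr)`, so a file with `0 < e_shoff < sizeof (x_ehdr)` that is not `ET_REL` and has `e_shnum == 0` now takes the no-section-headers path instead of having its header table read; that is consistent with the two rejections added at 568 and 578, but the same `sizeof (x_ehdr)` threshold is now spelled out in four places, so anyone rebasing this backport should keep all four in step rather than updating one.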