Diffstat (limited to 'poky/meta/recipes-devtools/binutils')
7 files changed, 371 insertions, 11 deletions
diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.32.inc b/poky/meta/recipes-devtools/binutils/binutils-2.32.inc index 49e6827c1..19baf8a88 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.32.inc @@ -14,11 +14,8 @@ def binutils_branch_version(d): pvsplit = d.getVar('PV').split('.') return pvsplit[0] + "_" + pvsplit[1] -# Actual upstream version is 2.32 (without the .0), so we have to set -# UPSTREAM_VERSION_UNKNOWN to avoid the version check failure. The line can -# be removed when a new version of binutils is released (if the PV is then -# correctly set to match the upstream version tag). -UPSTREAM_VERSION_UNKNOWN = "1" +# When upgrading to 2.33, please make sure there is no trailing .0, so +# that upstream version check can work correctly. PV = "2.32.0" CVE_VERSION = "2.32" BINUPV = "${@binutils_branch_version(d)}" @@ -48,6 +45,10 @@ SRC_URI = "\ file://CVE-2019-9075.patch \ file://CVE-2019-9076.patch \ file://CVE-2019-9077.patch \ + file://CVE-2019-9071.patch \ + file://CVE-2019-12972.patch \ + file://CVE-2019-14250.patch \ + file://CVE-2019-14444.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.32.bb b/poky/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.32.bb new file mode 100644 index 000000000..07a8e7c41 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils-cross-testsuite_2.32.bb 
@@ -0,0 +1,85 @@ +require binutils.inc +require binutils-${PV}.inc + +BPN = "binutils" + +DEPENDS += "dejagnu-native expect-native" +DEPENDS += "binutils-native" + +deltask do_compile +deltask do_install + +inherit nopackages + +do_configure[dirs] += "${B}/ld ${B}/bfd" +do_configure() { + # create config.h, oe enables initfini-array by default + echo "#define HAVE_INITFINI_ARRAY" > ${B}/ld/config.h + # use the bfd_stdint.h from binutils-native, this is the same of the one + # generated by binutils-cross + cp ${RECIPE_SYSROOT_NATIVE}/usr/include/bfd_stdint.h ${B}/bfd/ +} + +# target depends +DEPENDS += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils" +DEPENDS += "virtual/${MLPREFIX}${TARGET_PREFIX}gcc" +DEPENDS += "virtual/${MLPREFIX}${TARGET_PREFIX}compilerlibs" +DEPENDS += "virtual/${MLPREFIX}libc" + +python check_prepare() { + def suffix_sys(sys): + if sys.endswith("-linux"): + return sys + "-gnu" + return sys + + def generate_site_exp(d, suite): + content = [] + content.append('set srcdir "{0}/{1}"'.format(d.getVar("S"), suite)) + content.append('set objdir "{0}/{1}"'.format(d.getVar("B"), suite)) + content.append('set build_alias "{0}"'.format(d.getVar("BUILD_SYS"))) + content.append('set build_triplet {0}'.format(d.getVar("BUILD_SYS"))) + # use BUILD here since HOST=TARGET + content.append('set host_alias "{0}"'.format(d.getVar("BUILD_SYS"))) + content.append('set host_triplet {0}'.format(d.getVar("BUILD_SYS"))) + content.append('set target_alias "{0}"'.format(d.getVar("TARGET_SYS"))) + content.append('set target_triplet {0}'.format(suffix_sys(d.getVar("TARGET_SYS")))) + content.append("set development true") + content.append("set experimental false") + + content.append(d.expand('set CXXFILT "${TARGET_PREFIX}c++filt"')) + content.append(d.expand('set CC "${TARGET_PREFIX}gcc --sysroot=${STAGING_DIR_TARGET} ${TUNE_CCARGS}"')) + content.append(d.expand('set CXX "${TARGET_PREFIX}g++ --sysroot=${STAGING_DIR_TARGET} ${TUNE_CCARGS}"')) + content.append(d.expand('set 
CFLAGS_FOR_TARGET "--sysroot=${STAGING_DIR_TARGET} ${TUNE_CCARGS}"')) + + if suite == "ld" and d.getVar("TUNE_ARCH") == "mips64": + # oe patches binutils to have the default mips64 abi as 64bit, but + # skips gas causing issues with the ld test suite (which uses gas) + content.append('set ASFLAGS "-64"') + + return "\n".join(content) + + for i in ["binutils", "gas", "ld"]: + builddir = os.path.join(d.getVar("B"), i) + if not os.path.isdir(builddir): + os.makedirs(builddir) + with open(os.path.join(builddir, "site.exp"), "w") as f: + f.write(generate_site_exp(d, i)) +} + +CHECK_TARGETS ??= "binutils gas ld" + +do_check[dirs] = "${B} ${B}/binutils ${B}/gas ${B}/ld" +do_check[prefuncs] += "check_prepare" +do_check[nostamp] = "1" +do_check() { + export LC_ALL=C + for i in ${CHECK_TARGETS}; do + (cd ${B}/$i; runtest \ + --tool $i \ + --srcdir ${S}/$i/testsuite \ + --ignore 'plugin.exp' \ + || true) + done +} +addtask check after do_configure + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch b/poky/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch index ba5e4c2ce..5f4ac72f4 100644 --- a/poky/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch +++ b/poky/meta/recipes-devtools/binutils/binutils/0010-Change-default-emulation-for-mips64-linux.patch @@ -1,4 +1,4 @@ -From d540e95d05cd7c4b8924ac7b257c14ae0105d0ab Mon Sep 17 00:00:00 2001 +From 958a49749b772660d3bafb80748829cba6bed065 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Mon, 2 Mar 2015 01:44:14 +0000 Subject: [PATCH 10/15] Change default emulation for mips64*-*-linux @@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bfd/config.bfd b/bfd/config.bfd -index 0e1ddb659c..cc65547588 100644 +index 0e1ddb659c..d4f50f0a8d 100644 --- a/bfd/config.bfd +++ b/bfd/config.bfd 
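Review bot: The `|| true` after `runtest` in do_check throws away the exit status of every suite, so the task succeeds even when a suite fails or runtest cannot start at all. A regression in one of the CVE backports added alongside this recipe would then only be noticed by someone reading the .sum/.log files by hand. If ignoring FAILs is deliberate, record that in a comment such as `# runtest exits non-zero on any FAIL; results are read from the .sum files, so keep going`, and surface the status instead of dropping it, e.g. `|| bbwarn "runtest --tool $i exited non-zero"`. Separately, in check_prepare the `os.path.isdir` / `os.makedirs` pair could be the single call `bb.utils.mkdirhier(builddir)`.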
@@ -919,12 +919,12 @@ case "${targ}" in @@ -30,7 +30,7 @@ index 0e1ddb659c..cc65547588 100644 - targ_defvec=mips_elf32_ntrad_be_vec - targ_selvecs="mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_be_vec mips_elf64_trad_le_vec" + targ_defvec=mips_elf64_trad_be_vec -+ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_be_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec" ++ targ_selvecs="mips_elf32_ntrad_be_vec mips_elf32_ntrad_le_vec mips_elf32_trad_be_vec mips_elf32_trad_le_vec mips_elf64_trad_le_vec" ;; mips*el-*-linux*) targ_defvec=mips_elf32_trad_le_vec @@ -54,6 +54,3 @@ index beba17ef51..917be6f8eb 100644 targ_extra_libpath=$targ_extra_emuls ;; mips*el-*-linux-*) targ_emul=elf32ltsmip targ_extra_emuls="elf32btsmip elf32ltsmipn32 elf64ltsmip elf32btsmipn32 elf64btsmip" --- -2.20.1 - diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch new file mode 100644 index 000000000..07d1d6546 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch 
@@ -0,0 +1,51 @@
+From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+CVE: CVE-2019-12972
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 91f09e6346..e66fb40a2c 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2019-06-21 Alan Modra <amodra@gmail.com>
++
++ PR 24689
++ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
++
+ 2019-02-20 Alan Modra <amodra@gmail.com>
+
+ PR 24236
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index ec5ea766de..a35a629087 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
new file mode 100644
index 000000000..c915a832b
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14250.patch
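Review bot: `Upstream-Status: Backport` in this patch header names no upstream commit or URL, unlike CVE-2019-14250.patch and CVE-2019-14444.patch in the same change, which makes it harder to confirm that the backport matches the upstream fix. CVE-2019-9071.patch has the same gap. If the hash on the `From` line is the upstream binutils-gdb commit, the tag could read `Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30bcc01478433a1cb05b36dc5c4beef7d2c89b5b]`. These two patches also keep their ChangeLog hunks while the other two drop them (`[Removed Changelog entry]`); dropping them everywhere would avoid needless conflicts when the patches are refreshed.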
@@ -0,0 +1,33 @@
+From df78be05daf4eb07f60f50ec1080cb979af32ec0 Mon Sep 17 00:00:00 2001
+From: marxin <marxin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Tue, 23 Jul 2019 07:33:32 +0000
+Subject: [PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@273718 138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2019-14250
+Upstream-Status: Backport [from gcc: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=273718]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
+index 502388991a08..bdee963634d6 100644
+--- a/libiberty/simple-object-elf.c
++++ b/libiberty/simple-object-elf.c
+@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
+ XDELETE (eor);
+ return NULL;
+ }
+-
++
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 000000000..85b9a9f91
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,28 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+CVE: CVE-2019-14444
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7]
+[Removed Changelog entry]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b896ad9f406..e785fde43e7 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -13366,7 +13366,7 @@ apply_relocations (Filedata * filedata,
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
new file mode 100644
index 000000000..f02539942
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
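Review bot: `rloc = start + rp->r_offset` is still computed from the file-supplied offset before any of the new comparisons run, so the added `rloc >= end` test inspects a pointer that may already have wrapped or left the section buffer. The bounds check is more robust when done on the offset itself, ahead of the pointer addition, for example `if (rp->r_offset >= (bfd_vma) (end - start) || reloc_size > (bfd_vma) (end - start) - rp->r_offset)`. The declarations of `rp->r_offset` and `reloc_size` are outside this hunk, so the casts are a guess. apply_relocations continues beyond the lines shown, and since this is a backport the change would best be raised upstream first.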
@@ -0,0 +1,165 @@
+From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 10 Apr 2019 15:49:36 +0100
+Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
+ when demangling a pathalogically constructed mangled name.
+
+ PR 89394
+ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+ lengths.
+ (d_count_templates_scopes): Replace num_templates and num_scopes
+ parameters with a struct d_print_info pointer parameter. Adjust
+ body of the function accordingly. Add recursion counter and check
+ that the recursion limit is not reached.
+ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+ Reset recursion counter afterwards, unless the recursion limit was
+ reached.
+
+CVE: CVE-2019-9071
+CVE: CVE-2019-9070
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ChangeLog | 16 ++++++++++++++
+ libiberty/cp-demangle.c | 48 ++++++++++++++++++++++-------------------
+ 2 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index cd631a15b6..4df3aaa62c 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,19 @@
++2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ * libiberty: Sync with gcc. Bring in:
++ 2019-04-10 Nick Clifton <nickc@redhat.com>
++
++ PR 89394
++ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
++ lengths.
++ (d_count_templates_scopes): Replace num_templates and num_scopes
++ parameters with a struct d_print_info pointer parameter. Adjust
++ body of the function accordingly. Add recursion counter and check
++ that the recursion limit is not reached.
++ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
++ Reset recursion counter afterwards, unless the recursion limit was
++ reached.
++
+ 2018-06-24 Nick Clifton <nickc@redhat.com>
+
+ 2.32 branch created.
+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c +index b34b485692..779b4e763a 100644 +--- a/libiberty/cp-demangle.c ++++ b/libiberty/cp-demangle.c +@@ -861,7 +861,7 @@ CP_STATIC_IF_GLIBCPP_V3 + int + cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len) + { +- if (p == NULL || s == NULL || len == 0) ++ if (p == NULL || s == NULL || len <= 0) + return 0; + p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_NAME; +@@ -4061,7 +4061,7 @@ d_growable_string_callback_adapter (const char *s, size_t l, void *opaque) + are larger than the actual numbers encountered. */ + + static void +-d_count_templates_scopes (int *num_templates, int *num_scopes, ++d_count_templates_scopes (struct d_print_info *dpi, + const struct demangle_component *dc) + { + if (dc == NULL) +@@ -4081,13 +4081,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes, + break; + + case DEMANGLE_COMPONENT_TEMPLATE: +- (*num_templates)++; ++ dpi->num_copy_templates++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_REFERENCE: + case DEMANGLE_COMPONENT_RVALUE_REFERENCE: + if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) +- (*num_scopes)++; ++ dpi->num_saved_scopes++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_QUAL_NAME: +@@ -4152,42 +4152,42 @@ d_count_templates_scopes (int *num_templates, int *num_scopes, + case DEMANGLE_COMPONENT_TAGGED_NAME: + case DEMANGLE_COMPONENT_CLONE: + recurse_left_right: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); +- d_count_templates_scopes (num_templates, num_scopes, +- d_right (dc)); ++ /* PR 89394 - Check for too much recursion. */ ++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT) ++ /* FIXME: There ought to be a way to report to the ++ user that the recursion limit has been reached. 
*/ ++ return; ++ ++ ++ dpi->recursion; ++ d_count_templates_scopes (dpi, d_left (dc)); ++ d_count_templates_scopes (dpi, d_right (dc)); ++ -- dpi->recursion; + break; + + case DEMANGLE_COMPONENT_CTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_ctor.name); ++ d_count_templates_scopes (dpi, dc->u.s_ctor.name); + break; + + case DEMANGLE_COMPONENT_DTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_dtor.name); ++ d_count_templates_scopes (dpi, dc->u.s_dtor.name); + break; + + case DEMANGLE_COMPONENT_EXTENDED_OPERATOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_extended_operator.name); ++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name); + break; + + case DEMANGLE_COMPONENT_FIXED_TYPE: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_fixed.length); ++ d_count_templates_scopes (dpi, dc->u.s_fixed.length); + break; + + case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS: + case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); ++ d_count_templates_scopes (dpi, d_left (dc)); + break; + + case DEMANGLE_COMPONENT_LAMBDA: + case DEMANGLE_COMPONENT_DEFAULT_ARG: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_unary_num.sub); ++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub); + break; + } + } +@@ -4222,8 +4222,12 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback, + dpi->next_copy_template = 0; + dpi->num_copy_templates = 0; + +- d_count_templates_scopes (&dpi->num_copy_templates, +- &dpi->num_saved_scopes, dc); ++ d_count_templates_scopes (dpi, dc); ++ /* If we did not reach the recursion limit, then reset the ++ current recursion value back to 0, so that we can print ++ the templates. */ ++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT) ++ dpi->recursion = 0; + dpi->num_copy_templates *= dpi->num_saved_scopes; + + dpi->current_template = NULL; +-- +2.20.1 + |
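Review bot: The recursion guard added at `recurse_left_right:` covers only that path. The CTOR, DTOR, EXTENDED_OPERATOR, FIXED_TYPE, GLOBAL_CONSTRUCTORS/DESTRUCTORS, LAMBDA and DEFAULT_ARG cases call `d_count_templates_scopes (dpi, ...)` without touching `dpi->recursion`, so descent through those component types is not counted toward DEMANGLE_RECURSION_LIMIT. Moving the limit test and the `++ dpi->recursion` / `-- dpi->recursion` pair to function entry and exit would count every call. In addition, every increment is paired with a decrement and the early `return` comes before the increment, so the counter appears to be back at its starting value when `d_print_init` tests `dpi->recursion < DEMANGLE_RECURSION_LIMIT`; that reset then looks like a no-op and callers never learn the limit was hit, as the FIXME admits. Both functions extend beyond the hunks shown, and as this is a backport the change is best raised upstream.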