diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch')
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch new file mode 100644 index 0000000000..f5f9ccdd53 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch @@ -0,0 +1,61 @@ +From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 15 Apr 2020 18:58:11 +0930 +Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup + + PR 25823 + * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a + pointer into strings that may be freed for section name, always + allocate a new string. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a] +CVE: CVE-2020-16592 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + bfd/peXXigen.c | 20 ++++++++++---------- + 1 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index b9eeb775d9b..8aa5914acd9 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1) + int unused_section_number = 0; + asection *sec; + flagword flags; ++ size_t name_len; ++ char *sec_name; + + for (sec = abfd->sections; sec; sec = sec->next) + if (unused_section_number <= sec->target_index) + unused_section_number = sec->target_index + 1; + +- if (name == namebuf) ++ name_len = strlen (name) + 1; ++ sec_name = bfd_alloc (abfd, name_len); ++ if (sec_name == NULL) + { +- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1); +- if (name == NULL) +- { +- _bfd_error_handler (_("%pB: out of memory creating name for empty section"), +- abfd); +- return; +- } +- strcpy ((char *) name, namebuf); ++ _bfd_error_handler (_("%pB: out of memory creating name " ++ "for empty section"), abfd); ++ return; + } ++ memcpy (sec_name, name, name_len); + + flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD; +- sec = bfd_make_section_anyway_with_flags (abfd, name, flags); ++ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags); + if (sec == NULL) + { + _bfd_error_handler (_("%pB: unable to create fake empty section"), +-- +2.27.0 + |