diff options
Diffstat (limited to 'meta/recipes-devtools/binutils')
16 files changed, 1722 insertions, 14 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 3e10279b1d..032263fe63 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -24,7 +24,7 @@ BRANCH ?= "binutils-2_34-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "d4b50999b3b287b5f984ade2f8734aa8c9359440" +SRCREV ?= "c4e78c0868a22971680217a41fdb73516a26813d" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -42,11 +42,25 @@ SRC_URI = "\ file://0015-sync-with-OE-libtool-changes.patch \ file://0016-Check-for-clang-before-checking-gcc-version.patch \ file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \ + file://0018-Include-members-in-the-variable-table-used-when-reso.patch \ file://CVE-2020-0551.patch \ file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \ file://CVE-2020-16592.patch \ file://CVE-2020-16598.patch \ file://CVE-2021-20197.patch \ file://CVE-2021-3487.patch \ + file://CVE-2021-3549.patch \ + file://CVE-2020-16593.patch \ + file://0001-CVE-2021-45078.patch \ + file://CVE-2022-38533.patch \ + file://CVE-2023-25588.patch \ + file://CVE-2021-46174.patch \ + file://CVE-2023-25584.patch \ + file://CVE-2022-47007.patch \ + file://CVE-2022-47008.patch \ + file://CVE-2022-47010.patch \ + file://CVE-2022-47011.patch \ + file://CVE-2022-48063.patch \ + file://CVE-2022-47695.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch new file mode 100644 index 0000000000..2af82477ac --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch @@ -0,0 +1,257 @@ +From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 15 Dec 2021 11:48:42 +1030 +Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type + + PR 28694 + * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned. + Negate typenum earlier, simplifying bounds checking. Correct + off-by-one indexing. Adjust switch cases. + + +CVE: CVE-2021-45078 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02] + +Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> +Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> +Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> +--- + binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------ + 1 file changed, 43 insertions(+), 44 deletions(-) + + +diff --git a/binutils/stabs.c b/binutils/stabs.c +index 274bfb0e7fa..83ee3ea5fa4 100644 +--- a/binutils/stabs.c ++++ b/binutils/stabs.c +@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *); + static bfd_boolean stab_record_type + (void *, struct stab_handle *, const int *, debug_type); + static debug_type stab_xcoff_builtin_type +- (void *, struct stab_handle *, int); ++ (void *, struct stab_handle *, unsigned int); + static debug_type stab_find_tagged_type + (void *, struct stab_handle *, const char *, int, enum debug_type_kind); + static debug_type *stab_demangle_argtypes +@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info, + + static debug_type + stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, +- int typenum) ++ unsigned int typenum) + { + debug_type rettype; + const char *name; + +- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT) ++ typenum = -typenum - 1; ++ if (typenum >= XCOFF_TYPE_COUNT) + { +- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum); ++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1); + return DEBUG_TYPE_NULL; + } +- if (info->xcoff_types[-typenum] != NULL) +- return info->xcoff_types[-typenum]; ++ if (info->xcoff_types[typenum] != NULL) ++ return info->xcoff_types[typenum]; + +- switch (-typenum) ++ switch (typenum) + { +- case 1: ++ case 0: + /* The size of this and all the other types are fixed, defined + by the debugging format. */ + name = "int"; + rettype = debug_make_int_type (dhandle, 4, FALSE); + break; +- case 2: ++ case 1: + name = "char"; + rettype = debug_make_int_type (dhandle, 1, FALSE); + break; +- case 3: ++ case 2: + name = "short"; + rettype = debug_make_int_type (dhandle, 2, FALSE); + break; +- case 4: ++ case 3: + name = "long"; + rettype = debug_make_int_type (dhandle, 4, FALSE); + break; +- case 5: ++ case 4: + name = "unsigned char"; + rettype = debug_make_int_type (dhandle, 1, TRUE); + break; +- case 6: ++ case 5: + name = "signed char"; + rettype = debug_make_int_type (dhandle, 1, FALSE); + break; +- case 7: ++ case 6: + name = "unsigned short"; + rettype = debug_make_int_type (dhandle, 2, TRUE); + break; +- case 8: ++ case 7: + name = "unsigned int"; + rettype = debug_make_int_type (dhandle, 4, TRUE); + break; +- case 9: ++ case 8: + name = "unsigned"; + rettype = debug_make_int_type (dhandle, 4, TRUE); + break; +- case 10: ++ case 9: + name = "unsigned long"; + rettype = debug_make_int_type (dhandle, 4, TRUE); + break; +- case 11: ++ case 10: + name = "void"; + rettype = debug_make_void_type (dhandle); + break; +- case 12: ++ case 11: + /* IEEE single precision (32 bit). */ + name = "float"; + rettype = debug_make_float_type (dhandle, 4); + break; +- case 13: ++ case 12: + /* IEEE double precision (64 bit). */ + name = "double"; + rettype = debug_make_float_type (dhandle, 8); + break; +- case 14: ++ case 13: + /* This is an IEEE double on the RS/6000, and different machines + with different sizes for "long double" should use different + negative type numbers. See stabs.texinfo. */ + name = "long double"; + rettype = debug_make_float_type (dhandle, 8); + break; +- case 15: ++ case 14: + name = "integer"; + rettype = debug_make_int_type (dhandle, 4, FALSE); + break; +- case 16: ++ case 15: + name = "boolean"; + rettype = debug_make_bool_type (dhandle, 4); + break; +- case 17: ++ case 16: + name = "short real"; + rettype = debug_make_float_type (dhandle, 4); + break; +- case 18: ++ case 17: + name = "real"; + rettype = debug_make_float_type (dhandle, 8); + break; +- case 19: ++ case 18: + /* FIXME */ + name = "stringptr"; + rettype = NULL; + break; +- case 20: ++ case 19: + /* FIXME */ + name = "character"; + rettype = debug_make_int_type (dhandle, 1, TRUE); + break; +- case 21: ++ case 20: + name = "logical*1"; + rettype = debug_make_bool_type (dhandle, 1); + break; +- case 22: ++ case 21: + name = "logical*2"; + rettype = debug_make_bool_type (dhandle, 2); + break; +- case 23: ++ case 22: + name = "logical*4"; + rettype = debug_make_bool_type (dhandle, 4); + break; +- case 24: ++ case 23: + name = "logical"; + rettype = debug_make_bool_type (dhandle, 4); + break; +- case 25: ++ case 24: + /* Complex type consisting of two IEEE single precision values. */ + name = "complex"; + rettype = debug_make_complex_type (dhandle, 8); + break; +- case 26: ++ case 25: + /* Complex type consisting of two IEEE double precision values. */ + name = "double complex"; + rettype = debug_make_complex_type (dhandle, 16); + break; +- case 27: ++ case 26: + name = "integer*1"; + rettype = debug_make_int_type (dhandle, 1, FALSE); + break; +- case 28: ++ case 27: + name = "integer*2"; + rettype = debug_make_int_type (dhandle, 2, FALSE); + break; +- case 29: ++ case 28: + name = "integer*4"; + rettype = debug_make_int_type (dhandle, 4, FALSE); + break; +- case 30: ++ case 29: + /* FIXME */ + name = "wchar"; + rettype = debug_make_int_type (dhandle, 2, FALSE); + break; +- case 31: ++ case 30: + name = "long long"; + rettype = debug_make_int_type (dhandle, 8, FALSE); + break; +- case 32: ++ case 31: + name = "unsigned long long"; + rettype = debug_make_int_type (dhandle, 8, TRUE); + break; +- case 33: ++ case 32: + name = "logical*8"; + rettype = debug_make_bool_type (dhandle, 8); + break; +- case 34: ++ case 33: + name = "integer*8"; + rettype = debug_make_int_type (dhandle, 8, FALSE); + break; +@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, + } + + rettype = debug_name_type (dhandle, name, rettype); +- +- info->xcoff_types[-typenum] = rettype; +- ++ info->xcoff_types[typenum] = rettype; + return rettype; + } + +-- +2.27.0 + diff --git a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch index 11a8110d40..88cce49e46 100644 --- a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch +++ b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch @@ -1,4 +1,4 @@ -From 7b24f81e04c9d00d96de7dbd250beade6d2c6e44 Mon Sep 17 00:00:00 2001 +From 12b658c0fe5771d16067baef933b7f34ed455def Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Fri, 15 Jan 2016 06:31:09 +0000 Subject: [PATCH] warn for uses of system directories when cross linking @@ -59,8 +59,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> ld/ldfile.c | 17 +++++++++++++++++ ld/ldlex.h | 2 ++ ld/ldmain.c | 2 ++ - ld/lexsup.c | 15 +++++++++++++++ - 9 files changed, 85 insertions(+) + ld/lexsup.c | 16 ++++++++++++++++ + 9 files changed, 86 insertions(+) diff --git a/ld/config.in b/ld/config.in index d93c9b0830..5da2742bea 100644 @@ -77,10 +77,10 @@ index d93c9b0830..5da2742bea 100644 #undef EXTRA_SHLIB_EXTENSION diff --git a/ld/configure b/ld/configure -index 811134a503..f8c17c19ae 100755 +index f432f4637d..a9da3c115e 100755 --- a/ld/configure +++ b/ld/configure -@@ -826,6 +826,7 @@ with_lib_path +@@ -830,6 +830,7 @@ with_lib_path enable_targets enable_64_bit_bfd with_sysroot @@ -88,7 +88,7 @@ index 811134a503..f8c17c19ae 100755 enable_gold enable_got enable_compressed_debug_sections -@@ -1491,6 +1492,8 @@ Optional Features: +@@ -1495,6 +1496,8 @@ Optional Features: --disable-largefile omit support for large files --enable-targets alternative target configurations --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes) @@ -97,7 +97,7 @@ index 811134a503..f8c17c19ae 100755 --enable-gold[=ARG] build gold [ARG={default,yes,no}] --enable-got=<type> GOT handling scheme (target, single, negative, multigot) -@@ -15788,6 +15791,19 @@ fi +@@ -16624,6 +16627,19 @@ fi @@ -222,10 +222,10 @@ index 5287f19a7f..55096e4fc9 100644 /* The initial parser states. */ diff --git a/ld/ldmain.c b/ld/ldmain.c -index da1ad17763..12d0b07d8a 100644 +index c4af10f4e9..95b56b2d2d 100644 --- a/ld/ldmain.c +++ b/ld/ldmain.c -@@ -274,6 +274,8 @@ main (int argc, char **argv) +@@ -273,6 +273,8 @@ main (int argc, char **argv) command_line.warn_mismatch = TRUE; command_line.warn_search_mismatch = TRUE; command_line.check_section_addresses = -1; @@ -235,7 +235,7 @@ index da1ad17763..12d0b07d8a 100644 /* We initialize DEMANGLING based on the environment variable COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the diff --git a/ld/lexsup.c b/ld/lexsup.c -index 3d15cc491d..0e8b4f2b7a 100644 +index 3d15cc491d..6478821443 100644 --- a/ld/lexsup.c +++ b/ld/lexsup.c @@ -550,6 +550,14 @@ static const struct ld_option ld_options[] = @@ -253,10 +253,10 @@ index 3d15cc491d..0e8b4f2b7a 100644 }; #define OPTION_COUNT ARRAY_SIZE (ld_options) -@@ -1603,6 +1611,13 @@ parse_args (unsigned argc, char **argv) - +@@ -1604,6 +1612,14 @@ parse_args (unsigned argc, char **argv) case OPTION_PRINT_MAP_DISCARDED: config.print_map_discarded = TRUE; + break; + + case OPTION_NO_POISON_SYSTEM_DIRECTORIES: + command_line.poison_system_directories = FALSE; @@ -264,6 +264,6 @@ index 3d15cc491d..0e8b4f2b7a 100644 + + case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES: + command_line.error_poison_system_directories = TRUE; - break; ++ break; } } diff --git a/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch new file mode 100644 index 0000000000..dc1e09d46b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch @@ -0,0 +1,32 @@ +From bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Sat, 29 Aug 2020 08:03:15 +0100 +Subject: [PATCH] Include members in the variable table used when resolving + DW_AT_specification tags. + + PR 26520 + * dwarf2.c (scan_unit_for_symbols): Add member entries to the + variable table. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6f04d55f681149a69102a73937d0987719c3f16] +--- + bfd/dwarf2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index dd3568a8532..ef2f6a3c63c 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -3248,7 +3248,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + else + { + func = NULL; +- if (abbrev->tag == DW_TAG_variable) ++ if (abbrev->tag == DW_TAG_variable ++ || abbrev->tag == DW_TAG_member) + { + bfd_size_type amt = sizeof (struct varinfo); + var = (struct varinfo *) bfd_zalloc (abfd, amt); +-- +2.34.1 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch new file mode 100644 index 0000000000..c7c7829261 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch @@ -0,0 +1,204 @@ +From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 16 Apr 2020 17:49:38 +0930 +Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols + + PR 25827 + * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't + strdup(0). + +Upstream-Status: Backport +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729 +CVE: CVE-2020-16593 +Signed-off-by: Armin Kuster <akuster@mvista.com> + + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -295,12 +295,12 @@ struct comp_unit + /* This data structure holds the information of an abbrev. */ + struct abbrev_info + { +- unsigned int number; /* Number identifying abbrev. */ +- enum dwarf_tag tag; /* DWARF tag. */ +- int has_children; /* Boolean. */ +- unsigned int num_attrs; /* Number of attributes. */ +- struct attr_abbrev *attrs; /* An array of attribute descriptions. */ +- struct abbrev_info *next; /* Next in chain. */ ++ unsigned int number; /* Number identifying abbrev. */ ++ enum dwarf_tag tag; /* DWARF tag. */ ++ bfd_boolean has_children; /* TRUE if the abbrev has children. */ ++ unsigned int num_attrs; /* Number of attributes. */ ++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */ ++ struct abbrev_info * next; /* Next in chain. */ + }; + + struct attr_abbrev +@@ -1487,6 +1487,8 @@ struct varinfo + { + /* Pointer to previous variable in list of all variables */ + struct varinfo *prev_var; ++ /* The offset of the varinfo from the start of the unit. */ ++ bfd_uint64_t unit_offset; + /* Source location file name */ + char *file; + /* Source location line number */ +@@ -1497,7 +1499,7 @@ struct varinfo + /* Where the symbol is defined */ + asection *sec; + /* Is this a stack variable? */ +- unsigned int stack: 1; ++ bfd_boolean stack; + }; + + /* Return TRUE if NEW_LINE should sort after LINE. */ +@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct + struct varinfo* each; + + for (each = unit->variable_table; each; each = each->prev_var) +- if (each->stack == 0 ++ if (! each->stack + && each->file != NULL + && each->name != NULL + && each->addr == addr +@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit, + return TRUE; + } + ++static struct varinfo * ++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table) ++{ ++ while (table) ++ { ++ if (table->unit_offset == offset) ++ return table; ++ table = table->prev_var; ++ } ++ ++ return NULL; ++} ++ ++ + /* DWARF2 Compilation unit functions. */ + + /* Scan over each die in a comp. unit looking for functions to add +@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit + bfd_vma low_pc = 0; + bfd_vma high_pc = 0; + bfd_boolean high_pc_relative = FALSE; ++ bfd_uint64_t current_offset; ++ ++ current_offset = info_ptr - unit->info_ptr_unit; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit + goto fail; + } + +- var = NULL; + if (abbrev->tag == DW_TAG_subprogram + || abbrev->tag == DW_TAG_entry_point + || abbrev->tag == DW_TAG_inlined_subroutine) + { + bfd_size_type amt = sizeof (struct funcinfo); ++ ++ var = NULL; + func = (struct funcinfo *) bfd_zalloc (abfd, amt); + if (func == NULL) + goto fail; +@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit + if (var == NULL) + goto fail; + var->tag = abbrev->tag; +- var->stack = 1; ++ var->stack = TRUE; + var->prev_var = unit->variable_table; + unit->variable_table = var; ++ var->unit_offset = current_offset; + /* PR 18205: Missing debug information can cause this + var to be attached to an already cached unit. */ + } +- ++ else ++ var = NULL; + /* No inline function in scope at this nesting level. */ + nested_funcs[nesting_level].func = 0; + } +@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit + { + switch (attr.name) + { ++ case DW_AT_specification: ++ if (attr.u.val) ++ { ++ struct varinfo * spec_var; ++ ++ spec_var = lookup_var_by_offset (attr.u.val, ++ unit->variable_table); ++ if (spec_var == NULL) ++ { ++ _bfd_error_handler (_("DWARF error: could not find " ++ "variable specification " ++ "at offset %lx"), ++ (unsigned long) attr.u.val); ++ break; ++ } ++ ++ if (var->name == NULL) ++ var->name = spec_var->name; ++ if (var->file == NULL && spec_var->file != NULL) ++ var->file = strdup (spec_var->file); ++ if (var->line == 0) ++ var->line = spec_var->line; ++ if (var->sec == NULL) ++ var->sec = spec_var->sec; ++ } ++ break; ++ + case DW_AT_name: + if (is_str_attr (attr.form)) + var->name = attr.u.str; +@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit + + case DW_AT_external: + if (attr.u.val != 0) +- var->stack = 0; ++ var->stack = FALSE; + break; + + case DW_AT_location: +@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit + if (attr.u.blk->data != NULL + && *attr.u.blk->data == DW_OP_addr) + { +- var->stack = 0; ++ var->stack = FALSE; + + /* Verify that DW_OP_addr is the only opcode in the + location, in which case the block size will be 1 +@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug + each_var = each_var->prev_var) + { + /* Skip stack vars and vars with no files or names. */ +- if (each_var->stack == 0 ++ if (! each_var->stack + && each_var->file != NULL + && each_var->name != NULL) + /* There is no need to copy name string into hash table as +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2020-04-16 Alan Modra <amodra@gmail.com> ++ ++ PR 25827 ++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't ++ strdup(0). ++ + 2021-05-03 Alan Modra <amodra@gmail.com> + + PR 27755 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch new file mode 100644 index 0000000000..5f56dd7696 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch @@ -0,0 +1,183 @@ +From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 11 Feb 2021 16:56:42 +1030 +Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes + +Adds missing sanity checks for avr device info note, to avoid +potential buffer overflows. Uses bfd_malloc_and_get_section for +sanity checking section size. + + PR 27290 + PR 27293 + PR 27295 + * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting. + Use bfd_malloc_and_get_section. + (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity + check namesz. Return NULL if descsz is too small. Ensure + string table is terminated. + (elf32_avr_get_device_info): Formatting. Add note_size param. + Sanity check note. + (elf32_avr_dump_mem_usage): Adjust to suit. + +Upstream-Status: Backport +CVE: CVE-2021-3549 +Signed-of-by: Armin Kuster <akuster@mvista.com> + +--- +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index 1e9a96c9bb6..02e5019204e 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -1,3 +1,17 @@ ++2021-02-11 Alan Modra <amodra@gmail.com> ++ ++ PR 27290 ++ PR 27293 ++ PR 27295 ++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting. ++ Use bfd_malloc_and_get_section. ++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity ++ check namesz. Return NULL if descsz is too small. Ensure ++ string table is terminated. ++ (elf32_avr_get_device_info): Formatting. Add note_size param. ++ Sanity check note. ++ (elf32_avr_dump_mem_usage): Adjust to suit. ++ + 2020-03-25 H.J. Lu <hongjiu.lu@intel.com> + + * ar.c (main): Update bfd_plugin_set_program_name call. +diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c +index 5ec99957fe9..1d32bce918e 100644 +--- a/binutils/od-elf32_avr.c ++++ b/binutils/od-elf32_avr.c +@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd) + return bfd_get_flavour (abfd) == bfd_target_elf_flavour; + } + +-static char* ++static char * + elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size) + { + asection *section; ++ bfd_byte *contents; + +- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL) ++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo"); ++ if (section == NULL) + return NULL; + +- *size = bfd_section_size (section); +- char *contents = (char *) xmalloc (*size); +- bfd_get_section_contents (abfd, section, contents, 0, *size); ++ if (!bfd_malloc_and_get_section (abfd, section, &contents)) ++ { ++ free (contents); ++ contents = NULL; ++ } + +- return contents; ++ *size = bfd_section_size (section); ++ return (char *) contents; + } + +-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents, +- bfd_size_type size) ++static char * ++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size, ++ bfd_size_type *descsz) + { + Elf_External_Note *xnp = (Elf_External_Note *) contents; + Elf_Internal_Note in; +@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents, + if (in.namesz > contents - in.namedata + size) + return NULL; + ++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0) ++ return NULL; ++ + in.descsz = bfd_get_32 (abfd, xnp->descsz); + in.descdata = in.namedata + align_power (in.namesz, 2); +- if (in.descsz != 0 +- && (in.descdata >= contents + size +- || in.descsz > contents - in.descdata + size)) ++ if (in.descsz < 6 * sizeof (uint32_t) ++ || in.descdata >= contents + size ++ || in.descsz > contents - in.descdata + size) + return NULL; + +- if (strcmp (in.namedata, "AVR") != 0) +- return NULL; ++ /* If the note has a string table, ensure it is 0 terminated. */ ++ if (in.descsz > 8 * sizeof (uint32_t)) ++ in.descdata[in.descsz - 1] = 0; + ++ *descsz = in.descsz; + return in.descdata; + } + + static void + elf32_avr_get_device_info (bfd *abfd, char *description, +- deviceinfo *device) ++ bfd_size_type desc_size, deviceinfo *device) + { + if (description == NULL) + return; + + const bfd_size_type memory_sizes = 6; + +- memcpy (device, description, memory_sizes * sizeof(uint32_t)); +- device->name = NULL; ++ memcpy (device, description, memory_sizes * sizeof (uint32_t)); ++ desc_size -= memory_sizes * sizeof (uint32_t); ++ if (desc_size < 8) ++ return; + +- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes; ++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes; + bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table); +- char *str_table = ((char *) stroffset_table) + stroffset_table_size; + + /* If the only content is the size itself, there's nothing in the table */ +- if (stroffset_table_size == 4) ++ if (stroffset_table_size < 8) + return; ++ if (desc_size <= stroffset_table_size) ++ return; ++ desc_size -= stroffset_table_size; + + /* First entry is the device name index. */ + uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1); ++ if (device_name_index >= desc_size) ++ return; + ++ char *str_table = (char *) stroffset_table + stroffset_table_size; + device->name = str_table + device_name_index; + } + +@@ -183,7 +201,7 @@ static void + elf32_avr_dump_mem_usage (bfd *abfd) + { + char *description = NULL; +- bfd_size_type note_section_size = 0; ++ bfd_size_type sec_size, desc_size; + + deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL }; + device.name = "Unknown"; +@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd) + bfd_size_type text_usage = 0; + bfd_size_type eeprom_usage = 0; + +- char *contents = elf32_avr_get_note_section_contents (abfd, +- ¬e_section_size); ++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size); + + if (contents != NULL) + { +- description = elf32_avr_get_note_desc (abfd, contents, note_section_size); +- elf32_avr_get_device_info (abfd, description, &device); ++ description = elf32_avr_get_note_desc (abfd, contents, sec_size, ++ &desc_size); ++ elf32_avr_get_device_info (abfd, description, desc_size, &device); + } + + elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage, diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch new file mode 100644 index 0000000000..2addf5139e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch @@ -0,0 +1,35 @@ +From 46322722ad40ac1a75672ae0f62f4969195f1368 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 20 Jan 2022 13:58:38 +1030 +Subject: [PATCH] PR28753, buffer overflow in read_section_stabs_debugging_info + + PR 28753 + * rddbg.c (read_section_stabs_debugging_info): Don't read past + end of section when concatentating stab strings. + +CVE: CVE-2021-46174 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97] + +(cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba) +(cherry picked from commit cad4d6b91e97b6962807d33c04ed7e7797788438) +Signed-off-by: poojitha adireddy <pooadire@cisco.com> +--- + binutils/rddbg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/binutils/rddbg.c b/binutils/rddbg.c +index 72e934055b5..5e76d94a3c4 100644 +--- a/binutils/rddbg.c ++++ b/binutils/rddbg.c +@@ -207,7 +207,7 @@ read_section_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount, + an attempt to read the byte before 'strings' would occur. */ + while ((len = strlen (s)) > 0 + && s[len - 1] == '\\' +- && stab + 12 < stabs + stabsize) ++ && stab + 16 <= stabs + stabsize) + { + char *p; + +-- +2.23.1 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch new file mode 100644 index 0000000000..102d65f8a6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch @@ -0,0 +1,37 @@ +From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 13 Aug 2022 15:32:47 +0930 +Subject: [PATCH] PR29482 - strip: heap-buffer-overflow + + PR 29482 + * coffcode.h (coff_set_section_contents): Sanity check _LIB. + +CVE: CVE-2022-38533 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] + +Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> + +--- + bfd/coffcode.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/bfd/coffcode.h b/bfd/coffcode.h +index dec2e9c6370..75c18d88602 100644 +--- a/bfd/coffcode.h ++++ b/bfd/coffcode.h +@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd, + + rec = (bfd_byte *) location; + recend = rec + count; +- while (rec < recend) ++ while (recend - rec >= 4) + { ++ size_t len = bfd_get_32 (abfd, rec); ++ if (len == 0 || len > (size_t) (recend - rec) / 4) ++ break; ++ rec += len * 4; + ++section->lma; +- rec += bfd_get_32 (abfd, rec) * 4; + } + + BFD_ASSERT (rec == recend); diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch new file mode 100644 index 0000000000..ddb564bc8c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch @@ -0,0 +1,32 @@ +From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 17 Jun 2022 09:00:41 +0930 +Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg + + PR 29254 + * stabs.c (stab_demangle_v3_arg): Free dt on failure path. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb] +CVE: CVE-2022-47007 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/stabs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/binutils/stabs.c b/binutils/stabs.c +index 2b5241637c1..796ff85b86a 100644 +--- a/binutils/stabs.c ++++ b/binutils/stabs.c +@@ -5476,7 +5476,10 @@ + dc->u.s_binary.right, + &varargs); + if (pargs == NULL) +- return NULL; ++ { ++ free (dt); ++ return NULL; ++ } + + return debug_make_function_type (dhandle, dt, pargs, varargs); + } + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch new file mode 100644 index 0000000000..9527390ccf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch @@ -0,0 +1,64 @@ +From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 17 Jun 2022 09:13:38 +0930 +Subject: [PATCH] PR29255, memory leak in make_tempdir + + PR 29255 + * bucomm.c (make_tempdir, make_tempname): Free template on all + failure paths. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682] +CVE: CVE-2022-47008 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/bucomm.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/binutils/bucomm.c b/binutils/bucomm.c +index fdc2209df9c..4395cb9f7f5 100644 +--- a/binutils/bucomm.c ++++ b/binutils/bucomm.c +@@ -542,8 +542,9 @@ + #else + tmpname = mktemp (tmpname); + if (tmpname == NULL) +- return NULL; +- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600); ++ fd = -1; ++ else ++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600); + #endif + if (fd == -1) + { +@@ -561,22 +562,23 @@ + make_tempdir (const char *filename) + { + char *tmpname = template_in_dir (filename); ++ char *ret; + + #ifdef HAVE_MKDTEMP +- return mkdtemp (tmpname); ++ ret = mkdtemp (tmpname); + #else +- tmpname = mktemp (tmpname); +- if (tmpname == NULL) +- return NULL; ++ ret = mktemp (tmpname); + #if defined (_WIN32) && !defined (__CYGWIN32__) + if (mkdir (tmpname) != 0) +- return NULL; ++ ret = NULL; + #else + if (mkdir (tmpname, 0700) != 0) +- return NULL; ++ ret = NULL; + #endif +- return tmpname; + #endif ++ if (ret == NULL) ++ free (tmpname); ++ return ret; + } + + /* Parse a string into a VMA, with a fatal error if it can't be + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch new file mode 100644 index 0000000000..d831ed4756 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch @@ -0,0 +1,34 @@ +From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 20 Jun 2022 10:39:31 +0930 +Subject: [PATCH] PR29262, memory leak in pr_function_type + + PR 29262 + * prdbg.c (pr_function_type): Free "s" on failure path. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab] +CVE: CVE-2022-47010 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/prdbg.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index c1e41628d26..bb42a5b6c2d 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -778,12 +778,9 @@ + + strcat (s, ")"); + +- if (! substitute_type (info, s)) +- return FALSE; +- ++ bfd_boolean ret = substitute_type (info, s); + free (s); +- +- return TRUE; ++ return ret; + } + + /* Turn the top type on the stack into a reference to that type. */ diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch new file mode 100644 index 0000000000..250756bd38 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch @@ -0,0 +1,31 @@ +From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 20 Jun 2022 10:39:13 +0930 +Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields + + PR 29261 + * stabs.c (parse_stab_struct_fields): Free "fields" on failure path. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35] +CVE: CVE-2022-47011 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/stabs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/binutils/stabs.c b/binutils/stabs.c +index 796ff85b86a..bf3f578cbcc 100644 +--- a/binutils/stabs.c ++++ b/binutils/stabs.c +@@ -2368,7 +2368,10 @@ + + if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c, + staticsp, p_end)) +- return FALSE; ++ { ++ free (fields); ++ return FALSE; ++ } + + ++c; + } diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch new file mode 100644 index 0000000000..101a4cdb4e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch @@ -0,0 +1,57 @@ +From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 4 Dec 2022 22:15:40 +1030 +Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols + +Fixes a fuzzed object file problem where plt relocs were manipulated +in such a way that two synthetic symbols were generated at the same +plt location. Won't occur in real object files. + + PR 29846 + PR 20337 + * objdump.c (compare_symbols): Test symbol flags to exclude + section and synthetic symbols before attempting to check flavour. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] +CVE: CVE-2022-47695 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/objdump.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index e8481b2d928..d95c8b68bf0 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -935,20 +935,17 @@ + return 1; + } + +- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour ++ /* Sort larger size ELF symbols before smaller. See PR20337. */ ++ bfd_vma asz = 0; ++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 ++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour) ++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; ++ bfd_vma bsz = 0; ++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 + && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour) +- { +- bfd_vma asz, bsz; +- +- asz = 0; +- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; +- bsz = 0; +- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; +- if (asz != bsz) +- return asz > bsz ? -1 : 1; +- } ++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; ++ if (asz != bsz) ++ return asz > bsz ? -1 : 1; + + /* Symbols that start with '.' might be section names, so sort them + after symbols that don't start with '.'. */ + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch new file mode 100644 index 0000000000..f41c02a02b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch @@ -0,0 +1,49 @@ +From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 21 Dec 2022 11:51:23 +0000 +Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of + memory when parsing a corrupt ELF file. + + PR 29924 + * objdump.c (load_specific_debug_section): Check for excessively + large sections. +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd] +CVE: CVE-2022-48063 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Patch refreshed based on codebase. +--- + binutils/ChangeLog | 6 ++++++ + binutils/objdump.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/binutils/ChangeLog b/binutils/ChangeLog +index e7f918d3f65..020e09f3700 100644 +--- a/binutils/ChangeLog ++++ b/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2022-12-21 Nick Clifton <nickc@redhat.com> ++ ++ PR 29924 ++ * objdump.c (load_specific_debug_section): Check for excessively ++ large sections. ++ + 2021-02-11 Alan Modra <amodra@gmail.com> + + PR 27290 + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index d51abbe3858..2eb02de0e76 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -3479,7 +3479,9 @@ + section->size = bfd_section_size (sec); + /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */ + alloced = amt = section->size + 1; +- if (alloced != amt || alloced == 0) ++ if (alloced != amt ++ || alloced == 0 ++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd))) + { + section->start = NULL; + free_debug_section (debug); + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch new file mode 100644 index 0000000000..732ea43210 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch @@ -0,0 +1,530 @@ +CVE: CVE-2023-25584 +Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +[Ubuntu note: this is backport of the original patch, no major changes just + fix this patch for this release] +From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 12 Dec 2022 18:28:49 +1030 +Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_module. +--- + bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 168 insertions(+), 45 deletions(-) + +--- binutils-2.34.orig/bfd/vms-alpha.c ++++ binutils-2.34/bfd/vms-alpha.c +@@ -4267,7 +4267,7 @@ new_module (bfd *abfd) + + static void + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +- int length) ++ bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module * + curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo)); + module->line_table = curr_line; + +- while (length == -1 || ptr < maxptr) ++ while (ptr < maxptr) + { + /* The first byte is not counted in the recorded length. */ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module * + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++ if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module * + break; + + case DST__K_RTNBEG: ++ if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module * + break; + + case DST__K_RTNEND: ++ if (rec_length < DST_S_L_RTNEND_SIZE + 4) ++ break; + module->func_table->high = module->func_table->low + + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1; + +@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module * + + vms_debug2 ((3, "source info\n")); + +- while (src_ptr < ptr + rec_length) ++ while (src_ptr - ptr < rec_length) + { + int cmd = src_ptr[0], cmd_length, data; + + switch (cmd) + { + case DST__K_SRC_DECLFILE: ++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length) ++ cmd_length = 0x10000; ++ else ++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_INCRLNUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_SETFILE: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETLNUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETLNUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETREC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETREC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_FORMFEED: ++ cmd_length = 1; ++ break; ++ ++ default: ++ cmd_length = 2; ++ break; ++ } ++ ++ if (src_ptr - ptr + cmd_length > rec_length) ++ break; ++ ++ switch (cmd) ++ { ++ case DST__K_SRC_DECLFILE: + { + unsigned int fileid + = bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID); +@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module * + + module->file_table [fileid].name = filename; + module->file_table [fileid].srec = 1; +- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; + vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n", + fileid, module->file_table [fileid].name)); + } +@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module * + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data)); + break; + +@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module * + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data)); + break; + + case DST__K_SRC_INCRLNUM_B: + data = src_ptr[DST_S_B_SRC_UNSBYTE]; + curr_srec->line += data; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data)); + break; + +@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module * + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->sfile = data; + curr_srec->srec = module->file_table[data].srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_L: + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->line = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_W: + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->line = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data)); + break; + +@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module * + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data)); + break; + +@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module * + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data)); + break; + + case DST__K_SRC_FORMFEED: +- cmd_length = 1; + vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n")); + break; + + default: + _bfd_error_handler (_("unknown source command %d"), + cmd); +- cmd_length = 2; + break; + } + +@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module * + + vms_debug2 ((3, "line info\n")); + +- while (pcl_ptr < ptr + rec_length) ++ while (pcl_ptr - ptr < rec_length) + { + /* The command byte is signed so we must sign-extend it. */ + int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data; +@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module * + switch (cmd) + { + case DST__K_DELTA_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_DELTA_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_INCR_LINUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_INCR_LINUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_INCR_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_LINUM_INCR: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM_INCR_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_RESET_LINUM_INCR: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_BEG_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_END_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_SET_LINUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_PC: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_STMTNUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_TERM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_ABS_PC: ++ cmd_length = 5; ++ break; ++ ++ default: ++ if (cmd <= 0) ++ cmd_length = 1; ++ else ++ cmd_length = 2; ++ break; ++ } ++ ++ if (pcl_ptr - ptr + cmd_length > rec_length) ++ break; ++ ++ switch (cmd) ++ { ++ case DST__K_DELTA_PC_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data)); + break; + +@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module * + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data)); + break; + + case DST__K_INCR_LINUM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data)); + break; + + case DST__K_INCR_LINUM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data)); + break; + + case DST__K_INCR_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR"); +- cmd_length = 2; + break; + + case DST__K_SET_LINUM_INCR_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W"); +- cmd_length = 3; + break; + + case DST__K_RESET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_RESET_LINUM_INCR"); +- cmd_length = 1; + break; + + case DST__K_BEG_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_BEG_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_END_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_END_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_SET_LINUM_B: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum = data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data)); + break; + + case DST__K_SET_LINUM: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum = data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data)); + break; + + case DST__K_SET_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_PC: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC"); +- cmd_length = 2; + break; + + case DST__K_SET_PC_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_W"); +- cmd_length = 3; + break; + + case DST__K_SET_PC_L: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_L"); +- cmd_length = 5; + break; + + case DST__K_SET_STMTNUM: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_STMTNUM"); +- cmd_length = 2; + break; + + case DST__K_TERM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_pc += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_TERM: %d\n", data)); + break; + + case DST__K_TERM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_TERM_W: %d\n", data)); + break; + + case DST__K_TERM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_TERM_L: %d\n", data)); + break; + + case DST__K_SET_ABS_PC: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data)); + break; + +@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module * + { + curr_pc -= cmd; + curr_linenum += 1; +- cmd_length = 1; + vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n", + (unsigned long)curr_pc, curr_linenum)); + } + else +- { +- _bfd_error_handler (_("unknown line command %d"), cmd); +- cmd_length = 2; +- } ++ _bfd_error_handler (_("unknown line command %d"), cmd); + break; + } + +@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd) + return NULL; + + module = new_module (abfd); +- parse_module (abfd, module, PRIV (dst_section)->contents, -1); ++ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size); + list = module; + } + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch new file mode 100644 index 0000000000..aa5ce5f3ff --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch @@ -0,0 +1,149 @@ +From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 14 Oct 2022 10:30:21 +1030 +Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised + +Besides not initialising the_bfd of synthetic symbols, counting +symbols when sizing didn't match symbols created if there were any +dynsyms named "". We don't want synthetic symbols without names +anyway, so get rid of them. Also, simplify and correct sanity checks. + + PR 29677 + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite. +--- +Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] +CVE: CVE-2023-25588 +CVE: CVE-2022-47696 + +Signed-off-by: Ashish Sharma <asharma@mvista.com> +Signed-off-by: poojitha adireddy <pooadire@cisco.com> + + bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------ + 1 file changed, 31 insertions(+), 41 deletions(-) + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index acb35e7f0c6..5279343768c 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + bfd_mach_o_symtab_command *symtab = mdata->symtab; + asymbol *s; + char * s_start; +- char * s_end; + unsigned long count, i, j, n; + size_t size; + char *names; +- char *nul_name; + const char stub [] = "$stub"; + + *ret = NULL; +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + /* We need to allocate a bfd symbol for every indirect symbol and to + allocate the memory for its name. */ + count = dysymtab->nindirectsyms; +- size = count * sizeof (asymbol) + 1; +- ++ size = 0; + for (j = 0; j < count; j++) + { +- const char * strng; + unsigned int isym = dysymtab->indirect_syms[j]; ++ const char *str; + + /* Some indirect symbols are anonymous. */ +- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name)) +- /* PR 17512: file: f5b8eeba. */ +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub); ++ if (isym < symtab->nsyms ++ && (str = symtab->symbols[isym].symbol.name) != NULL) ++ { ++ /* PR 17512: file: f5b8eeba. */ ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ size += sizeof (stub); ++ } + } + +- s_start = bfd_malloc (size); ++ s_start = bfd_malloc (size + count * sizeof (asymbol)); + s = *ret = (asymbol *) s_start; + if (s == NULL) + return -1; + names = (char *) (s + count); +- nul_name = names; +- *names++ = 0; +- s_end = s_start + size; + + n = 0; + for (i = 0; i < mdata->nsects; i++) +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec); + + /* PR 17512: file: 08e15eec. */ +- if (first >= count || last >= count || first > last) ++ if (first >= count || last > count || first > last) + goto fail; + + for (j = first; j < last; j++) + { + unsigned int isym = dysymtab->indirect_syms[j]; +- +- /* PR 17512: file: 04d64d9b. */ +- if (((char *) s) + sizeof (* s) > s_end) +- goto fail; +- +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC; +- s->section = sec->bfdsection; +- s->value = addr - sec->addr; +- s->udata.p = NULL; ++ const char *str; ++ size_t len; + + if (isym < symtab->nsyms +- && symtab->symbols[isym].symbol.name) ++ && (str = symtab->symbols[isym].symbol.name) != NULL) + { +- const char *sym = symtab->symbols[isym].symbol.name; +- size_t len; +- +- s->name = names; +- len = strlen (sym); +- /* PR 17512: file: 47dfd4d2. */ +- if (names + len >= s_end) ++ /* PR 17512: file: 04d64d9b. */ ++ if (n >= count) + goto fail; +- memcpy (names, sym, len); +- names += len; +- /* PR 17512: file: 18f340a4. */ +- if (names + sizeof (stub) >= s_end) ++ len = strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ /* PR 17512: file: 47dfd4d2, 18f340a4. */ ++ if (size < len + sizeof (stub)) + goto fail; +- memcpy (names, stub, sizeof (stub)); +- names += sizeof (stub); ++ memcpy (names, str, len); ++ memcpy (names + len, stub, sizeof (stub)); ++ s->name = names; ++ names += len + sizeof (stub); ++ size -= len + sizeof (stub); ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd; ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC; ++ s->section = sec->bfdsection; ++ s->value = addr - sec->addr; ++ s->udata.p = NULL; ++ s++; ++ n++; + } +- else +- s->name = nul_name; +- + addr += entry_size; +- s++; +- n++; + } + break; + default: +-- +2.39.3 + |