authorLee Chee Yang <chee.yang.lee@intel.com>2023-12-14 20:32:52 +0800
committerSteve Sakoman <steve@sakoman.com>2023-12-21 05:17:55 -1000
commit3eda06c358c313368c25c99e6f8b2635ca4b4bd0 (patch)
tree42257c438b4fe542e625a48e2cb08b6e4222ffe2
parent8efd61ccb1964360444ed6eba9b88e20e2ee5953 (diff)
downloadpoky-3eda06c358c313368c25c99e6f8b2635ca4b4bd0.tar.gz
binutils: Fix CVE-2023-25584
import patch from ubuntu to fix CVE-2023-25584 http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream patch : https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 (From OE-Core rev: 8eff0e0ce44c60efcf6bec083d5794313f3ac4ad) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch530
2 files changed, 531 insertions, 0 deletions
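--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -55,5 +55,6 @@ SRC_URI = "\
  file://CVE-2022-38533.patch \
  file://CVE-2023-25588.patch \
  file://CVE-2021-46174.patch \
+ file://CVE-2023-25584.patch \
 "
 S = "${WORKDIR}/git"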
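--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -0,0 +1,530 @@
+CVE: CVE-2023-25584
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: this is backport of the original patch, no major changes just
+ fix this patch for this release]
+From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 18:28:49 +1030
+Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module
+
+ PR 29873
+ PR 29874
+ PR 29875
+ PR 29876
+ PR 29877
+ PR 29878
+ PR 29879
+ PR 29880
+ PR 29881
+ PR 29882
+ PR 29883
+ PR 29884
+ PR 29885
+ PR 29886
+ PR 29887
+ PR 29888
+ PR 29889
+ PR 29890
+ PR 29891
+ * vms-alpha.c (parse_module): Make length param bfd_size_type.
+ Delete length == -1 checks. Sanity check record_length.
+ Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+ Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+ before accessing.
+ (build_module_list): Pass dst_section size to parse_module.
+---
+ bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 168 insertions(+), 45 deletions(-)
+
+--- binutils-2.34.orig/bfd/vms-alpha.c
++++ binutils-2.34/bfd/vms-alpha.c
+@@ -4267,7 +4267,7 @@ new_module (bfd *abfd)
+
+ static void
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+- int length)
++ bfd_size_type length)
+ {
+ unsigned char *maxptr = ptr + length;
+ unsigned char *src_ptr, *pcl_ptr;
+@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module *
+ curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
+ module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (ptr < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+- if (length == -1 && rec_type == DST__K_MODEND)
++ if (rec_length > maxptr - ptr)
++ break;
++ if (rec_type == DST__K_MODEND)
+ break;
+
+ switch (rec_type)
+ {
+ case DST__K_MODBEG:
++ if (rec_length <= DST_S_B_MODBEG_NAME)
++ break;
+ module->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+- maxptr - (ptr + DST_S_B_MODBEG_NAME));
++ rec_length - DST_S_B_MODBEG_NAME);
+
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNBEG:
++ if (rec_length <= DST_S_B_RTNBEG_NAME)
++ break;
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++ rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNEND:
++ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++ break;
+ module->func_table->high = module->func_table->low
+ + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
+@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "source info\n"));
+
+- while (src_ptr < ptr + rec_length)
++ while (src_ptr - ptr < rec_length)
+ {
+ int cmd = src_ptr[0], cmd_length, data;
+
+ switch (cmd)
+ {
+ case DST__K_SRC_DECLFILE:
++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++ cmd_length = 0x10000;
++ else
++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_INCRLNUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_SETFILE:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETLNUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETLNUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETREC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETREC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_FORMFEED:
++ cmd_length = 1;
++ break;
++
++ default:
++ cmd_length = 2;
++ break;
++ }
++
++ if (src_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_SRC_DECLFILE:
+ {
+ unsigned int fileid
+ = bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
+@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module *
+
+ module->file_table [fileid].name = filename;
+ module->file_table [fileid].srec = 1;
+- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+ fileid, module->file_table [fileid].name));
+ }
+@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+ break;
+
+@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_INCRLNUM_B:
+ data = src_ptr[DST_S_B_SRC_UNSBYTE];
+ curr_srec->line += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+ break;
+
+@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->sfile = data;
+ curr_srec->srec = module->file_table[data].srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_L:
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->line = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_W:
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->line = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+ break;
+
+@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+ break;
+
+@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_FORMFEED:
+- cmd_length = 1;
+ vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+ break;
+
+ default:
+ _bfd_error_handler (_("unknown source command %d"),
+ cmd);
+- cmd_length = 2;
+ break;
+ }
+
+@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "line info\n"));
+
+- while (pcl_ptr < ptr + rec_length)
++ while (pcl_ptr - ptr < rec_length)
+ {
+ /* The command byte is signed so we must sign-extend it. */
+ int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module *
+ switch (cmd)
+ {
+ case DST__K_DELTA_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_DELTA_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_INCR_LINUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_INCR_LINUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_INCR_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_LINUM_INCR:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM_INCR_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_RESET_LINUM_INCR:
++ cmd_length = 1;
++ break;
++
++ case DST__K_BEG_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_END_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_SET_LINUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_PC:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_STMTNUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_TERM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_ABS_PC:
++ cmd_length = 5;
++ break;
++
++ default:
++ if (cmd <= 0)
++ cmd_length = 1;
++ else
++ cmd_length = 2;
++ break;
++ }
++
++ if (pcl_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_DELTA_PC_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+ break;
+
+@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_LINUM_INCR_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_RESET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+- cmd_length = 1;
+ break;
+
+ case DST__K_BEG_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_END_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_END_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_SET_LINUM_B:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum = data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_PC:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_PC_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_SET_PC_L:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_L");
+- cmd_length = 5;
+ break;
+
+ case DST__K_SET_STMTNUM:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_STMTNUM");
+- cmd_length = 2;
+ break;
+
+ case DST__K_TERM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_pc += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+ break;
+
+ case DST__K_TERM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+ break;
+
+ case DST__K_TERM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_ABS_PC:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+ break;
+
+@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
+ {
+ curr_pc -= cmd;
+ curr_linenum += 1;
+- cmd_length = 1;
+ vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+ (unsigned long)curr_pc, curr_linenum));
+ }
+ else
+- {
+- _bfd_error_handler (_("unknown line command %d"), cmd);
+- cmd_length = 2;
+- }
++ _bfd_error_handler (_("unknown line command %d"), cmd);
+ break;
+ }
+
+@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
+ return NULL;
+
+ module = new_module (abfd);
+- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
++ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
+ list = module;
+ }
+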
498 case DST__K_SET_ABS_PC:
499 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
500 curr_pc = data;
501- cmd_length = 5;
502 vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
503 break;
504
505@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
506 {
507 curr_pc -= cmd;
508 curr_linenum += 1;
509- cmd_length = 1;
510 vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
511 (unsigned long)curr_pc, curr_linenum));
512 }
513 else
514- {
515- _bfd_error_handler (_("unknown line command %d"), cmd);
516- cmd_length = 2;
517- }
518+ _bfd_error_handler (_("unknown line command %d"), cmd);
519 break;
520 }
521
522@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
523 return NULL;
524
525 module = new_module (abfd);
526- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
527+ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
528 list = module;
529 }
530