summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorYash Shinde <Yash.Shinde@windriver.com>2024-12-12 06:30:29 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2024-12-13 12:26:01 +0000
commitdd6c679a16c4650bbf67e9ca938e87a512122f18 (patch)
treec0651e512c95b69610d45a34c8e5731f6e2508ad /meta/recipes-devtools
parent3291a8faa4b3a61477acca73913775dfba962d7c (diff)
downloadpoky-dd6c679a16c4650bbf67e9ca938e87a512122f18.tar.gz
binutils: Fix CVE-2024-53589
A buffer overflow vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The vulnerability occurs in the Binary File Descriptor (BFD) library’s tekhex parser during format identification. Specifically, the issue manifests when attempting to read 8 bytes at an address that precedes the global variable ‘_bfd_std_section’, resulting in an out-of-bounds read. Backport a patch from upstream to fix CVE-2024-53589. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88] (From OE-Core rev: 7c9a9020d1e9204ba875ac10b20ab7ccabce82bc) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.43.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch92
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
index f472631932..4a8666b433 100644
--- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
35 file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \ 35 file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
36 file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ 36 file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
37 file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ 37 file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
38 file://0015-CVE-2024-53589.patch \
38" 39"
39S = "${WORKDIR}/git" 40S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch
new file mode 100644
index 0000000000..380112a3ba
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
1Author: Alan Modra <amodra@gmail.com>
2Date: Mon Nov 11 10:24:09 2024 +1030
3
4 Re: tekhex object file output fixes
5
6 Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
7 bfd_abs_section, but bfd_abs_section needs to be treated specially.
8 In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
9 is invalid.
10
11 PR 32347
12 * tekhex.c (first_phase): Guard against modification of
13 _bfd_std_section[] entries.
14
15Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
16CVE: CVE-2024-53589
17
18Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
19
20diff --git a/bfd/tekhex.c b/bfd/tekhex.c
21index aea2ebb23df..b305c1f96f1 100644
22--- a/bfd/tekhex.c
23+++ b/bfd/tekhex.c
24@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
25 {
26 asection *section, *alt_section;
27 unsigned int len;
28+ bfd_vma addr;
29 bfd_vma val;
30 char sym[17]; /* A symbol can only be 16chars long. */
31
32@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
33 {
34 case '6':
35 /* Data record - read it and store it. */
36- {
37- bfd_vma addr;
38-
39- if (!getvalue (&src, &addr, src_end))
40- return false;
41-
42- while (*src && src < src_end - 1)
43- {
44- insert_byte (abfd, HEX (src), addr);
45- src += 2;
46- addr++;
47- }
48- return true;
49- }
50+ if (!getvalue (&src, &addr, src_end))
51+ return false;
52+
53+ while (*src && src < src_end - 1)
54+ {
55+ insert_byte (abfd, HEX (src), addr);
56+ src += 2;
57+ addr++;
58+ }
59+ return true;
60
61 case '3':
62 /* Symbol record, read the segment. */
63@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
64 {
65 case '1': /* Section range. */
66 src++;
67- if (!getvalue (&src, &section->vma, src_end))
68+ if (!getvalue (&src, &addr, src_end))
69 return false;
70 if (!getvalue (&src, &val, src_end))
71 return false;
72- if (val < section->vma)
73- val = section->vma;
74- section->size = val - section->vma;
75+ if (bfd_is_const_section (section))
76+ break;
77+ section->vma = addr;
78+ if (val < addr)
79+ val = addr;
80+ section->size = val - addr;
81 /* PR 17512: file: objdump-s-endless-loop.tekhex.
82 Check for overlarge section sizes. */
83 if (section->size & 0x80000000)
84@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
85 new_symbol->symbol.flags = BSF_LOCAL;
86 if (stype == '2' || stype == '6')
87 new_symbol->symbol.section = bfd_abs_section_ptr;
88+ else if (bfd_is_const_section (section))
89+ ;
90 else if (stype == '3' || stype == '7')
91 {
92 if ((section->flags & SEC_DATA) == 0)