binutils : Fix CVE-2023-25588

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] (From OE-Core rev: fd0d01aca6f2aea51e9704e0ba48dc35dfd87b81) Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Deepthi Hemraj <deepadeepthi98@gmail.com> 2023-05-04 15:12:57 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-10 04:19:56 -1000
commit: 8876f530212b7dbbfb762dc09d0060cc9dea06a9 (patch)
tree: 579e4cc178992540f1044f45a1ae5a652ae4b1e0 /meta
parent: 2396bda0797e9e89646882fe5a60fea9d6493c9b (diff)
download: poky-8876f530212b7dbbfb762dc09d0060cc9dea06a9.tar.gz
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 1ea17990c8..5c3ff3d93a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -55,5 +55,6 @@ SRC_URI = "\
     file://0022-CVE-2023-25584-3.patch \
     file://0023-CVE-2023-25585.patch \
     file://0026-CVE-2023-1972.patch \
+     file://0025-CVE-2023-25588.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
new file mode 100644
index 0000000000..142d201c40
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
@@ -0,0 +1,147 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
+Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
+X-Git-Tag: gdb-13-branchpoint~871
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
+PR29677, Field `the_bfd` of `asymbol` is uninitialised
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "".  We don't want synthetic symbols without names
+anyway, so get rid of them.  Also, simplify and correct sanity checks.
+        PR 29677
+        * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+---
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   bfd_mach_o_symtab_command *symtab = mdata->symtab;
+   asymbol *s;
+   char * s_start;
+-  char * s_end;
+   unsigned long count, i, j, n;
+   size_t size;
+   char *names;
+-  char *nul_name;
+   const char stub [] = "$stub";
+   *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+   /* We need to allocate a bfd symbol for every indirect symbol and to
+      allocate the memory for its name.  */
+   count = dysymtab->nindirectsyms;
+-  size = count * sizeof (asymbol) + 1;
+-
+  size = 0;
+   for (j = 0; j < count; j++)
+     {
+-      const char * strng;
+       unsigned int isym = dysymtab->indirect_syms[j];
+      const char *str;
+       /* Some indirect symbols are anonymous.  */
+-      if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+-       /* PR 17512: file: f5b8eeba.  */
+-       size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
+      if (isym < symtab->nsyms
+         && (str = symtab->symbols[isym].symbol.name) != NULL)
+       {
+         /* PR 17512: file: f5b8eeba.  */
+         size += strnlen (str, symtab->strsize - (str - symtab->strtab));
+         size += sizeof (stub);
+       }
+     }
+-  s_start = bfd_malloc (size);
+  s_start = bfd_malloc (size + count * sizeof (asymbol));
+   s = *ret = (asymbol *) s_start;
+   if (s == NULL)
+     return -1;
+   names = (char *) (s + count);
+-  nul_name = names;
+-  *names++ = 0;
+-  s_end = s_start + size;
+   n = 0;
+   for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+          entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+          /* PR 17512: file: 08e15eec.  */
+-         if (first >= count || last >= count || first > last)
+         if (first >= count || last > count || first > last)
+            goto fail;
+          for (j = first; j < last; j++)
+            {
+              unsigned int isym = dysymtab->indirect_syms[j];
+-
+-             /* PR 17512: file: 04d64d9b.  */
+-             if (((char *) s) + sizeof (* s) > s_end)
+-               goto fail;
+-
+-             s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+-             s->section = sec->bfdsection;
+-             s->value = addr - sec->addr;
+-             s->udata.p = NULL;
+             const char *str;
+             size_t len;
+              if (isym < symtab->nsyms
+-                 && symtab->symbols[isym].symbol.name)
+                 && (str = symtab->symbols[isym].symbol.name) != NULL)
+                {
+-                 const char *sym = symtab->symbols[isym].symbol.name;
+-                 size_t len;
+-
+-                 s->name = names;
+-                 len = strlen (sym);
+-                 /* PR 17512: file: 47dfd4d2.  */
+-                 if (names + len >= s_end)
+                 /* PR 17512: file: 04d64d9b.  */
+                 if (n >= count)
+                    goto fail;
+-                 memcpy (names, sym, len);
+-                 names += len;
+-                 /* PR 17512: file: 18f340a4.  */
+-                 if (names + sizeof (stub) >= s_end)
+                 len = strnlen (str, symtab->strsize - (str - symtab->strtab));
+                 /* PR 17512: file: 47dfd4d2, 18f340a4.  */
+                 if (size < len + sizeof (stub))
+                    goto fail;
+-                 memcpy (names, stub, sizeof (stub));
+-                 names += sizeof (stub);
+                 memcpy (names, str, len);
+                 memcpy (names + len, stub, sizeof (stub));
+                 s->name = names;
+                 names += len + sizeof (stub);
+                 size -= len + sizeof (stub);
+                 s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
+                 s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+                 s->section = sec->bfdsection;
+                 s->value = addr - sec->addr;
+                 s->udata.p = NULL;
+                 s++;
+                 n++;
+                }
+-             else
+-               s->name = nul_name;
+-
+              addr += entry_size;
+-             s++;
+-             n++;
+            }
+          break;
+        default:
author	Deepthi Hemraj <deepadeepthi98@gmail.com>	2023-05-04 15:12:57 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-10 04:19:56 -1000
commit	8876f530212b7dbbfb762dc09d0060cc9dea06a9 (patch)
tree	579e4cc178992540f1044f45a1ae5a652ae4b1e0 /meta
parent	2396bda0797e9e89646882fe5a60fea9d6493c9b (diff)
download	poky-8876f530212b7dbbfb762dc09d0060cc9dea06a9.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 1ea17990c8..5c3ff3d93a 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -55,5 +55,6 @@ SRC_URI = "\
55	file://0022-CVE-2023-25584-3.patch \	55	file://0022-CVE-2023-25584-3.patch \
56	file://0023-CVE-2023-25585.patch \	56	file://0023-CVE-2023-25585.patch \
57	file://0026-CVE-2023-1972.patch \	57	file://0026-CVE-2023-1972.patch \
		58	file://0025-CVE-2023-25588.patch \
58	"	59	"
59	S = "${WORKDIR}/git"	60	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch new file mode 100644 index 0000000000..142d201c40 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
@@ -0,0 +1,147 @@
		1	From: Alan Modra <amodra@gmail.com>
		2	Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
		3	Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
		4	X-Git-Tag: gdb-13-branchpoint~871
		5	X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
		6
		7	PR29677, Field `the_bfd` of `asymbol` is uninitialised
		8
		9	Besides not initialising the_bfd of synthetic symbols, counting
		10	symbols when sizing didn't match symbols created if there were any
		11	dynsyms named "". We don't want synthetic symbols without names
		12	anyway, so get rid of them. Also, simplify and correct sanity checks.
		13
		14	PR 29677
		15	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
		16
		17	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
		18
		19	CVE: CVE-2023-25588
		20
		21	Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
		22
		23	---
		24
		25	diff --git a/bfd/mach-o.c b/bfd/mach-o.c
		26	index acb35e7f0c6..5279343768c 100644
		27	--- a/bfd/mach-o.c
		28	+++ b/bfd/mach-o.c
		29	@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
		30	bfd_mach_o_symtab_command *symtab = mdata->symtab;
		31	asymbol *s;
		32	char * s_start;
		33	- char * s_end;
		34	unsigned long count, i, j, n;
		35	size_t size;
		36	char *names;
		37	- char *nul_name;
		38	const char stub [] = "$stub";
		39
		40	*ret = NULL;
		41	@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
		42	/* We need to allocate a bfd symbol for every indirect symbol and to
		43	allocate the memory for its name. */
		44	count = dysymtab->nindirectsyms;
		45	- size = count * sizeof (asymbol) + 1;
		46	-
		47	+ size = 0;
		48	for (j = 0; j < count; j++)
		49	{
		50	- const char * strng;
		51	unsigned int isym = dysymtab->indirect_syms[j];
		52	+ const char *str;
		53
		54	/* Some indirect symbols are anonymous. */
		55	- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
		56	- /* PR 17512: file: f5b8eeba. */
		57	- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
		58	+ if (isym < symtab->nsyms
		59	+ && (str = symtab->symbols[isym].symbol.name) != NULL)
		60	+ {
		61	+ /* PR 17512: file: f5b8eeba. */
		62	+ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
		63	+ size += sizeof (stub);
		64	+ }
		65	}
		66
		67	- s_start = bfd_malloc (size);
		68	+ s_start = bfd_malloc (size + count * sizeof (asymbol));
		69	s = ret = (asymbol ) s_start;
		70	if (s == NULL)
		71	return -1;
		72	names = (char *) (s + count);
		73	- nul_name = names;
		74	- *names++ = 0;
		75	- s_end = s_start + size;
		76
		77	n = 0;
		78	for (i = 0; i < mdata->nsects; i++)
		79	@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
		80	entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
		81
		82	/* PR 17512: file: 08e15eec. */
		83	- if (first >= count \|\| last >= count \|\| first > last)
		84	+ if (first >= count \|\| last > count \|\| first > last)
		85	goto fail;
		86
		87	for (j = first; j < last; j++)
		88	{
		89	unsigned int isym = dysymtab->indirect_syms[j];
		90	-
		91	- /* PR 17512: file: 04d64d9b. */
		92	- if (((char ) s) + sizeof ( s) > s_end)
		93	- goto fail;
		94	-
		95	- s->flags = BSF_GLOBAL \| BSF_SYNTHETIC;
		96	- s->section = sec->bfdsection;
		97	- s->value = addr - sec->addr;
		98	- s->udata.p = NULL;
		99	+ const char *str;
		100	+ size_t len;
		101
		102	if (isym < symtab->nsyms
		103	- && symtab->symbols[isym].symbol.name)
		104	+ && (str = symtab->symbols[isym].symbol.name) != NULL)
		105	{
		106	- const char *sym = symtab->symbols[isym].symbol.name;
		107	- size_t len;
		108	-
		109	- s->name = names;
		110	- len = strlen (sym);
		111	- /* PR 17512: file: 47dfd4d2. */
		112	- if (names + len >= s_end)
		113	+ /* PR 17512: file: 04d64d9b. */
		114	+ if (n >= count)
		115	goto fail;
		116	- memcpy (names, sym, len);
		117	- names += len;
		118	- /* PR 17512: file: 18f340a4. */
		119	- if (names + sizeof (stub) >= s_end)
		120	+ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
		121	+ /* PR 17512: file: 47dfd4d2, 18f340a4. */
		122	+ if (size < len + sizeof (stub))
		123	goto fail;
		124	- memcpy (names, stub, sizeof (stub));
		125	- names += sizeof (stub);
		126	+ memcpy (names, str, len);
		127	+ memcpy (names + len, stub, sizeof (stub));
		128	+ s->name = names;
		129	+ names += len + sizeof (stub);
		130	+ size -= len + sizeof (stub);
		131	+ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
		132	+ s->flags = BSF_GLOBAL \| BSF_SYNTHETIC;
		133	+ s->section = sec->bfdsection;
		134	+ s->value = addr - sec->addr;
		135	+ s->udata.p = NULL;
		136	+ s++;
		137	+ n++;
		138	}
		139	- else
		140	- s->name = nul_name;
		141	-
		142	addr += entry_size;
		143	- s++;
		144	- n++;
		145	}
		146	break;
		147	default: