binutils: Fix CVE-2021-3530

Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb] Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3] (From OE-Core rev: b9c13f5bc6be0fa63640caeef4947c4c2ca1d290) Signed-off-by: Pgowda <pgowda.cve@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Pgowda <pgowda.cve@gmail.com> 2021-10-28 02:58:14 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-03 11:19:04 +0000
commit: 452df8f85f289d4e35d0559d810d8f067edb3431 (patch)
tree: d47c524d1a5407312c7864b37b3c7e0ba1a7b200 /meta
parent: d416648255ac1fd49cf70360104ac67f5d2397d5 (diff)
download: poky-452df8f85f289d4e35d0559d810d8f067edb3431.tar.gz
3 files changed, 168 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc
index 9d770db5a8..7d0824e060 100644
--- a/meta/recipes-devtools/binutils/binutils-2.36.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
     file://0001-CVE-2021-20197.patch \
     file://0002-CVE-2021-20197.patch \
     file://0003-CVE-2021-20197.patch \
+     file://0017-CVE-2021-3530.patch \
+     file://0018-CVE-2021-3530.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
new file mode 100644
index 0000000000..fa10a6c99a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
@@ -0,0 +1,102 @@
+From 25162c795b1a2becf936bb3581d86a307ea491eb Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jul 2021 16:51:56 +0100
+Subject: [PATCH] Fix a stack exhaustion problem in the Rust demangling code in
+ the libiberty library.
+        PR 99935
+        * rust-demangle.c: Add recursion limit.
+CVE: CVE-2021-3530
+Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb]
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ libiberty/ChangeLog       |  5 +++++
+ libiberty/rust-demangle.c | 31 +++++++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index bc1b35b97c4..8e39fd28eba 100644
+--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
+@@ -1,3 +1,8 @@
+2021-07-15  Nick Clifton  <nickc@redhat.com>
+
+       PR 99935
+       * rust-demangle.c: Add recursion limit.
+
+ 2021-01-04  Martin Liska  <mliska@suse.cz>
+ 
+        * strverscmp.c: Convert to utf8 from iso8859.
+diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
+index 449941b56dc..df09b7b8fdd 100644
+--- a/libiberty/rust-demangle.c
+++ b/libiberty/rust-demangle.c
+@@ -74,6 +74,12 @@ struct rust_demangler
+   /* Rust mangling version, with legacy mangling being -1. */
+   int version;
+ 
+  /* Recursion depth.  */
+  uint recursion;
+  /* Maximum number of times demangle_path may be called recursively.  */
+#define RUST_MAX_RECURSION_COUNT  1024
+#define RUST_NO_RECURSION_LIMIT   ((uint) -1)
+
+   uint64_t bound_lifetime_depth;
+ };
+ 
+@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd
+   if (rdm->errored)
+     return;
+ 
+  if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
+    {
+      ++ rdm->recursion;
+      if (rdm->recursion > RUST_MAX_RECURSION_COUNT)
+       /* FIXME: There ought to be a way to report
+          that the recursion limit has been reached.  */
+       goto fail_return;
+    }
+
+   switch (tag = next (rdm))
+     {
+     case 'C':
+@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd
+     case 'N':
+       ns = next (rdm);
+       if (!ISLOWER (ns) && !ISUPPER (ns))
+-        {
+-          rdm->errored = 1;
+-          return;
+-        }
+       goto fail_return;
+ 
+       demangle_path (rdm, in_value);
+ 
+@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd
+         }
+       break;
+     default:
+-      rdm->errored = 1;
+-      return;
+      goto fail_return;
+     }
+  goto pass_return;
+
+ fail_return:
+  rdm->errored = 1;
+ pass_return:
+  if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
+    -- rdm->recursion;
+ }
+ 
+ static void
+@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang
+   rdm.skipping_printing = 0;
+   rdm.verbose = (options & DMGL_VERBOSE) != 0;
+   rdm.version = 0;
+  rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? RUST_NO_RECURSION_LIMIT : 0;
+   rdm.bound_lifetime_depth = 0;
+ 
+   /* Rust symbols always start with _R (v0) or _ZN (legacy). */
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch
new file mode 100644
index 0000000000..e569a6bc47
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch
@@ -0,0 +1,64 @@
+From 999566402e3d7c69032bbf47e28b44fc0926fe62 Mon Sep 17 00:00:00 2001
+From: Christopher Wellons <wellons@nullprogram.com>
+Date: Sun, 18 Jul 2021 16:57:19 -0400
+Subject: [PATCH] Change "uint" to "unsigned"
+This fixes a defect introduced in 25162c795. The "uint" type has not
+been explicitly defined here on mingw, causing compilation to fail.
+On linux we have this in /usr/include/sys/types.h
+/* Old compatibility names for C types.  */
+typedef unsigned long int ulong;
+typedef unsigned short int ushort;
+typedef unsigned int uint;
+So it's easy to see how such bugs can creep in.
+        * rust-demangle.c (struct rust_demangler): Change type of
+        "recursion" to unsigned.
+        (RUST_NO_RECURSION_LIMIT): Similarly in cast.
+CVE: CVE-2021-3530
+Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3]
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ libiberty/ChangeLog       | 6 ++++++
+ libiberty/rust-demangle.c | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e39fd28eba..3f749455f05 100644
+--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
+@@ -1,3 +1,9 @@
+2021-07-19  Christopher Wellons  <wellons@nullprogram.com>
+
+       * rust-demangle.c (struct rust_demangler): Change type of
+       "recursion" to unsigned.
+       (RUST_NO_RECURSION_LIMIT): Similarly in cast.
+
+ 2021-07-15  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 99935
+diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
+index df09b7b8fdd..ac1eb8eb02c 100644
+--- a/libiberty/rust-demangle.c
+++ b/libiberty/rust-demangle.c
+@@ -75,10 +75,10 @@ struct rust_demangler
+   int version;
+ 
+   /* Recursion depth.  */
+-  uint recursion;
+  unsigned recursion;
+   /* Maximum number of times demangle_path may be called recursively.  */
+ #define RUST_MAX_RECURSION_COUNT  1024
+-#define RUST_NO_RECURSION_LIMIT   ((uint) -1)
+#define RUST_NO_RECURSION_LIMIT   ((unsigned) -1)
+ 
+   uint64_t bound_lifetime_depth;
+ };
+-- 
+2.27.0
author	Pgowda <pgowda.cve@gmail.com>	2021-10-28 02:58:14 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-03 11:19:04 +0000
commit	452df8f85f289d4e35d0559d810d8f067edb3431 (patch)
tree	d47c524d1a5407312c7864b37b3c7e0ba1a7b200 /meta
parent	d416648255ac1fd49cf70360104ac67f5d2397d5 (diff)
download	poky-452df8f85f289d4e35d0559d810d8f067edb3431.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc index 9d770db5a8..7d0824e060 100644 --- a/meta/recipes-devtools/binutils/binutils-2.36.inc +++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
44	file://0001-CVE-2021-20197.patch \	44	file://0001-CVE-2021-20197.patch \
45	file://0002-CVE-2021-20197.patch \	45	file://0002-CVE-2021-20197.patch \
46	file://0003-CVE-2021-20197.patch \	46	file://0003-CVE-2021-20197.patch \
		47	file://0017-CVE-2021-3530.patch \
		48	file://0018-CVE-2021-3530.patch \
47	"	49	"
48	S = "${WORKDIR}/git"	50	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch new file mode 100644 index 0000000000..fa10a6c99a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
@@ -0,0 +1,102 @@
		1	From 25162c795b1a2becf936bb3581d86a307ea491eb Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Thu, 15 Jul 2021 16:51:56 +0100
		4	Subject: [PATCH] Fix a stack exhaustion problem in the Rust demangling code in
		5	the libiberty library.
		6
		7	PR 99935
		8	* rust-demangle.c: Add recursion limit.
		9
		10	CVE: CVE-2021-3530
		11	Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb]
		12	Signed-off-by: Pgowda <pgowda.cve@gmail.com>
		13
		14	---
		15	libiberty/ChangeLog \| 5 +++++
		16	libiberty/rust-demangle.c \| 31 +++++++++++++++++++++++++------
		17	2 files changed, 30 insertions(+), 6 deletions(-)
		18
		19	diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
		20	index bc1b35b97c4..8e39fd28eba 100644
		21	--- a/libiberty/ChangeLog
		22	+++ b/libiberty/ChangeLog
		23	@@ -1,3 +1,8 @@
		24	+2021-07-15 Nick Clifton <nickc@redhat.com>
		25	+
		26	+ PR 99935
		27	+ * rust-demangle.c: Add recursion limit.
		28	+
		29	2021-01-04 Martin Liska <mliska@suse.cz>
		30
		31	* strverscmp.c: Convert to utf8 from iso8859.
		32	diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
		33	index 449941b56dc..df09b7b8fdd 100644
		34	--- a/libiberty/rust-demangle.c
		35	+++ b/libiberty/rust-demangle.c
		36	@@ -74,6 +74,12 @@ struct rust_demangler
		37	/* Rust mangling version, with legacy mangling being -1. */
		38	int version;
		39
		40	+ /* Recursion depth. */
		41	+ uint recursion;
		42	+ /* Maximum number of times demangle_path may be called recursively. */
		43	+#define RUST_MAX_RECURSION_COUNT 1024
		44	+#define RUST_NO_RECURSION_LIMIT ((uint) -1)
		45	+
		46	uint64_t bound_lifetime_depth;
		47	};
		48
		49	@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd
		50	if (rdm->errored)
		51	return;
		52
		53	+ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
		54	+ {
		55	+ ++ rdm->recursion;
		56	+ if (rdm->recursion > RUST_MAX_RECURSION_COUNT)
		57	+ /* FIXME: There ought to be a way to report
		58	+ that the recursion limit has been reached. */
		59	+ goto fail_return;
		60	+ }
		61	+
		62	switch (tag = next (rdm))
		63	{
		64	case 'C':
		65	@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd
		66	case 'N':
		67	ns = next (rdm);
		68	if (!ISLOWER (ns) && !ISUPPER (ns))
		69	- {
		70	- rdm->errored = 1;
		71	- return;
		72	- }
		73	+ goto fail_return;
		74
		75	demangle_path (rdm, in_value);
		76
		77	@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd
		78	}
		79	break;
		80	default:
		81	- rdm->errored = 1;
		82	- return;
		83	+ goto fail_return;
		84	}
		85	+ goto pass_return;
		86	+
		87	+ fail_return:
		88	+ rdm->errored = 1;
		89	+ pass_return:
		90	+ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
		91	+ -- rdm->recursion;
		92	}
		93
		94	static void
		95	@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang
		96	rdm.skipping_printing = 0;
		97	rdm.verbose = (options & DMGL_VERBOSE) != 0;
		98	rdm.version = 0;
		99	+ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? RUST_NO_RECURSION_LIMIT : 0;
		100	rdm.bound_lifetime_depth = 0;
		101
		102	/* Rust symbols always start with _R (v0) or _ZN (legacy). */


diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch new file mode 100644 index 0000000000..e569a6bc47 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021-3530.patch
@@ -0,0 +1,64 @@
		1	From 999566402e3d7c69032bbf47e28b44fc0926fe62 Mon Sep 17 00:00:00 2001
		2	From: Christopher Wellons <wellons@nullprogram.com>
		3	Date: Sun, 18 Jul 2021 16:57:19 -0400
		4	Subject: [PATCH] Change "uint" to "unsigned"
		5
		6	This fixes a defect introduced in 25162c795. The "uint" type has not
		7	been explicitly defined here on mingw, causing compilation to fail.
		8
		9	On linux we have this in /usr/include/sys/types.h
		10
		11	/* Old compatibility names for C types. */
		12	typedef unsigned long int ulong;
		13	typedef unsigned short int ushort;
		14	typedef unsigned int uint;
		15
		16	So it's easy to see how such bugs can creep in.
		17
		18	* rust-demangle.c (struct rust_demangler): Change type of
		19	"recursion" to unsigned.
		20	(RUST_NO_RECURSION_LIMIT): Similarly in cast.
		21
		22	CVE: CVE-2021-3530
		23	Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3]
		24	Signed-off-by: Pgowda <pgowda.cve@gmail.com>
		25
		26	---
		27	libiberty/ChangeLog \| 6 ++++++
		28	libiberty/rust-demangle.c \| 4 ++--
		29	2 files changed, 8 insertions(+), 2 deletions(-)
		30
		31	diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
		32	index 8e39fd28eba..3f749455f05 100644
		33	--- a/libiberty/ChangeLog
		34	+++ b/libiberty/ChangeLog
		35	@@ -1,3 +1,9 @@
		36	+2021-07-19 Christopher Wellons <wellons@nullprogram.com>
		37	+
		38	+ * rust-demangle.c (struct rust_demangler): Change type of
		39	+ "recursion" to unsigned.
		40	+ (RUST_NO_RECURSION_LIMIT): Similarly in cast.
		41	+
		42	2021-07-15 Nick Clifton <nickc@redhat.com>
		43
		44	PR 99935
		45	diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
		46	index df09b7b8fdd..ac1eb8eb02c 100644
		47	--- a/libiberty/rust-demangle.c
		48	+++ b/libiberty/rust-demangle.c
		49	@@ -75,10 +75,10 @@ struct rust_demangler
		50	int version;
		51
		52	/* Recursion depth. */
		53	- uint recursion;
		54	+ unsigned recursion;
		55	/* Maximum number of times demangle_path may be called recursively. */
		56	#define RUST_MAX_RECURSION_COUNT 1024
		57	-#define RUST_NO_RECURSION_LIMIT ((uint) -1)
		58	+#define RUST_NO_RECURSION_LIMIT ((unsigned) -1)
		59
		60	uint64_t bound_lifetime_depth;
		61	};
		62	--
		63	2.27.0
		64