binutils: patch CVE-2025-0840

Backport [1] as listed in [2]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-0840 (From OE-Core rev: 059b6bb3058fadbeee2626ab241de315ed1b0baa) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-07 21:27:50 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-03-15 06:44:46 -0700
commit: 0bab6572a6164facc1758a55c21c512c266aba14 (patch)
tree: de2eb443ca937a8411ddbf6ce0bfc126b57a5287
parent: 6ab341172661255b47cc254789df1e32bc1464be (diff)
download: poky-0bab6572a6164facc1758a55c21c512c266aba14.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
index 4a8666b433..091fa61cc6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
     file://0015-CVE-2024-53589.patch \
+     file://0016-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
new file mode 100644
index 0000000000..2f60a7a0f1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
@@ -0,0 +1,55 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+There's always someone pushing the boundaries.
+        PR 32560
+        * objdump.c (MAX_INSN_WIDTH): Define.
+        (insn_width): Make it an unsigned long.
+        (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+        (main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+CVE: CVE-2025-0840
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all;                /* -D */
+ static int disassemble_zeroes;         /* --disassemble-zeroes */
+ static bool formats_info;              /* -i */
+ int wide_output;                       /* -w */
+-static int insn_width;                 /* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;       /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;             /* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+        }
+       else
+        {
+-         char buf[50];
+         char buf[MAX_INSN_WIDTH + 1];
+          unsigned int bpc = 0;
+          unsigned int pb = 0;
+ 
+@@ -6091,8 +6092,9 @@ main (int argc, char **argv)
+          break;
+        case OPTION_INSN_WIDTH:
+          insn_width = strtoul (optarg, NULL, 0);
+-         if (insn_width <= 0)
+-           fatal (_("error: instruction width must be positive"));
+         if (insn_width - 1 >= MAX_INSN_WIDTH)
+           fatal (_("error: instruction width must be in the range 1 to "
+                    XSTRING (MAX_INSN_WIDTH)));
+          break;
+        case OPTION_INLINES:
+          unwind_inlines = true;
author	Peter Marko <peter.marko@siemens.com>	2025-03-07 21:27:50 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-03-15 06:44:46 -0700
commit	0bab6572a6164facc1758a55c21c512c266aba14 (patch)
tree	de2eb443ca937a8411ddbf6ce0bfc126b57a5287
parent	6ab341172661255b47cc254789df1e32bc1464be (diff)
download	poky-0bab6572a6164facc1758a55c21c512c266aba14.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc index 4a8666b433..091fa61cc6 100644 --- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \	36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
38	file://0015-CVE-2024-53589.patch \	38	file://0015-CVE-2024-53589.patch \
		39	file://0016-CVE-2025-0840.patch \
39	"	40	"
40	S = "${WORKDIR}/git"	41	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch new file mode 100644 index 0000000000..2f60a7a0f1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
@@ -0,0 +1,55 @@
		1	From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Wed, 15 Jan 2025 19:13:43 +1030
		4	Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
		5
		6	There's always someone pushing the boundaries.
		7
		8	PR 32560
		9	* objdump.c (MAX_INSN_WIDTH): Define.
		10	(insn_width): Make it an unsigned long.
		11	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
		12	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
		13
		14	CVE: CVE-2025-0840
		15	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
		16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		17	---
		18	binutils/objdump.c \| 10 ++++++----
		19	1 file changed, 6 insertions(+), 4 deletions(-)
		20
		21	diff --git a/binutils/objdump.c b/binutils/objdump.c
		22	index ecbe39e942e..80044dea580 100644
		23	--- a/binutils/objdump.c
		24	+++ b/binutils/objdump.c
		25	@@ -117,7 +117,8 @@ static bool disassemble_all; /* -D */
		26	static int disassemble_zeroes; /* --disassemble-zeroes */
		27	static bool formats_info; /* -i */
		28	int wide_output; /* -w */
		29	-static int insn_width; /* --insn-width */
		30	+#define MAX_INSN_WIDTH 49
		31	+static unsigned long insn_width; /* --insn-width */
		32	static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
		33	static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
		34	static int dump_debugging; /* --debugging */
		35	@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
		36	}
		37	else
		38	{
		39	- char buf[50];
		40	+ char buf[MAX_INSN_WIDTH + 1];
		41	unsigned int bpc = 0;
		42	unsigned int pb = 0;
		43
		44	@@ -6091,8 +6092,9 @@ main (int argc, char **argv)
		45	break;
		46	case OPTION_INSN_WIDTH:
		47	insn_width = strtoul (optarg, NULL, 0);
		48	- if (insn_width <= 0)
		49	- fatal (_("error: instruction width must be positive"));
		50	+ if (insn_width - 1 >= MAX_INSN_WIDTH)
		51	+ fatal (_("error: instruction width must be in the range 1 to "
		52	+ XSTRING (MAX_INSN_WIDTH)));
		53	break;
		54	case OPTION_INLINES:
		55	unwind_inlines = true;