binutils: Fix CVE-2025-0840

PR32560 stack-buffer-overflow at objdump disassemble_bytes Backport a patch from upstream to fix CVE-2025-0840 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893] (From OE-Core rev: 338a2a95eb9a99c8e56dfb1f6336497ddd654372) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> 2025-03-05 21:43:48 -0800
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:57 -0800
commit: dc83c0c30ad57eaccd4a238c7719c4b104063172 (patch)
tree: 5e0edbb916e2810bef1abf441d22dd963cb1f6ec
parent: a18a302dba4acc867e92abc0856cb0f5fce6d8a8 (diff)
download: poky-dc83c0c30ad57eaccd4a238c7719c4b104063172.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 8bccf8c56a..809c4207d4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -38,5 +38,6 @@ SRC_URI = "\
     file://0015-gprofng-change-use-of-bignum-to-bigint.patch \
     file://0016-CVE-2024-53589.patch \
     file://0017-dlltool-file-name-too-long.patch \
+     file://0018-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch
new file mode 100644
index 0000000000..3814d63e1f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch
@@ -0,0 +1,53 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Wed, 15 Jan 2025 19:13:43 +1030
+PR32560 stack-buffer-overflow at objdump disassemble_bytes
+There's always someone pushing the boundaries.
+        PR 32560
+        * objdump.c (MAX_INSN_WIDTH): Define.
+        (insn_width): Make it an unsigned long.
+        (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+        (main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+CVE: CVE-2025-0840
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 49e944b1..dba726e3 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -116,7 +116,8 @@ static bool disassemble_all;                /* -D */
+ static int disassemble_zeroes;         /* --disassemble-zeroes */
+ static bool formats_info;              /* -i */
+ int wide_output;                       /* -w */
+-static int insn_width;                 /* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;       /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;             /* --debugging */
+@@ -3327,7 +3328,7 @@ disassemble_bytes (struct disassemble_info *inf,
+        }
+       else
+        {
+-         char buf[50];
+         char buf[MAX_INSN_WIDTH + 1];
+          unsigned int bpc = 0;
+          unsigned int pb = 0;
+ 
+@@ -5995,8 +5996,9 @@ main (int argc, char **argv)
+          break;
+        case OPTION_INSN_WIDTH:
+          insn_width = strtoul (optarg, NULL, 0);
+-         if (insn_width <= 0)
+-           fatal (_("error: instruction width must be positive"));
+         if (insn_width - 1 >= MAX_INSN_WIDTH)
+           fatal (_("error: instruction width must be in the range 1 to "
+                    XSTRING (MAX_INSN_WIDTH)));
+          break;
+        case OPTION_INLINES:
+          unwind_inlines = true;
author	Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>	2025-03-05 21:43:48 -0800
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:57 -0800
commit	dc83c0c30ad57eaccd4a238c7719c4b104063172 (patch)
tree	5e0edbb916e2810bef1abf441d22dd963cb1f6ec
parent	a18a302dba4acc867e92abc0856cb0f5fce6d8a8 (diff)
download	poky-dc83c0c30ad57eaccd4a238c7719c4b104063172.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 8bccf8c56a..809c4207d4 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -38,5 +38,6 @@ SRC_URI = "\
38	file://0015-gprofng-change-use-of-bignum-to-bigint.patch \	38	file://0015-gprofng-change-use-of-bignum-to-bigint.patch \
39	file://0016-CVE-2024-53589.patch \	39	file://0016-CVE-2024-53589.patch \
40	file://0017-dlltool-file-name-too-long.patch \	40	file://0017-dlltool-file-name-too-long.patch \
		41	file://0018-CVE-2025-0840.patch \
41	"	42	"
42	S = "${WORKDIR}/git"	43	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch new file mode 100644 index 0000000000..3814d63e1f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-0840.patch
@@ -0,0 +1,53 @@
		1	Author: Alan Modra <amodra@gmail.com>
		2	Date: Wed, 15 Jan 2025 19:13:43 +1030
		3
		4	PR32560 stack-buffer-overflow at objdump disassemble_bytes
		5
		6	There's always someone pushing the boundaries.
		7
		8	PR 32560
		9	* objdump.c (MAX_INSN_WIDTH): Define.
		10	(insn_width): Make it an unsigned long.
		11	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
		12	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
		13
		14	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
		15	CVE: CVE-2025-0840
		16
		17	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		18
		19	diff --git a/binutils/objdump.c b/binutils/objdump.c
		20	index 49e944b1..dba726e3 100644
		21	--- a/binutils/objdump.c
		22	+++ b/binutils/objdump.c
		23	@@ -116,7 +116,8 @@ static bool disassemble_all; /* -D */
		24	static int disassemble_zeroes; /* --disassemble-zeroes */
		25	static bool formats_info; /* -i */
		26	int wide_output; /* -w */
		27	-static int insn_width; /* --insn-width */
		28	+#define MAX_INSN_WIDTH 49
		29	+static unsigned long insn_width; /* --insn-width */
		30	static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
		31	static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
		32	static int dump_debugging; /* --debugging */
		33	@@ -3327,7 +3328,7 @@ disassemble_bytes (struct disassemble_info *inf,
		34	}
		35	else
		36	{
		37	- char buf[50];
		38	+ char buf[MAX_INSN_WIDTH + 1];
		39	unsigned int bpc = 0;
		40	unsigned int pb = 0;
		41
		42	@@ -5995,8 +5996,9 @@ main (int argc, char **argv)
		43	break;
		44	case OPTION_INSN_WIDTH:
		45	insn_width = strtoul (optarg, NULL, 0);
		46	- if (insn_width <= 0)
		47	- fatal (_("error: instruction width must be positive"));
		48	+ if (insn_width - 1 >= MAX_INSN_WIDTH)
		49	+ fatal (_("error: instruction width must be in the range 1 to "
		50	+ XSTRING (MAX_INSN_WIDTH)));
		51	break;
		52	case OPTION_INLINES:
		53	unwind_inlines = true;