binutils: Fix CVE-2022-47695

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] (From OE-Core rev: 4d4732c2e295fea610d266fa12bae3cc01f93dfa) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> 2023-10-13 19:27:17 -0500
committer: Steve Sakoman <steve@sakoman.com> 2023-10-21 05:21:35 -1000
commit: 4537f28311194f5076f46b30c2c4bbdc76e857ed (patch)
tree: c408c7d84663ce1f32a9f68062fbde2248a7d1e0
parent: 47d212a57f7c26ebd35970b78803ad36572b57bd (diff)
download: poky-4537f28311194f5076f46b30c2c4bbdc76e857ed.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 0964ab0825..da444ed1ba 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -62,5 +62,6 @@ SRC_URI = "\
     file://0030-CVE-2022-44840.patch \
     file://0031-CVE-2022-45703-1.patch \
     file://0031-CVE-2022-45703-2.patch \
+     file://0031-CVE-2022-47695.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
new file mode 100644
index 0000000000..f2e9cea027
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
@@ -0,0 +1,58 @@
+From 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location.  Won't occur in real object files.
+        PR 29846
+        PR 20337
+        * objdump.c (compare_symbols): Test symbol flags to exclude
+        section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 08a0fe521d8..21f75f4db40 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -1165,20 +1165,17 @@ compare_symbols (const void *ap, const void *bp)
+        return 1;
+     }
+ 
+-  if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
+  /* Sort larger size ELF symbols before smaller.  See PR20337.  */
+  bfd_vma asz = 0;
+  if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+      && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
+    asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+  bfd_vma bsz = 0;
+  if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+       && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+-    {
+-      bfd_vma asz, bsz;
+-
+-      asz = 0;
+-      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+-       asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+-      bsz = 0;
+-      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+-       bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+-      if (asz != bsz)
+-       return asz > bsz ? -1 : 1;
+-    }
+    bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+  if (asz != bsz)
+    return asz > bsz ? -1 : 1;
+ 
+   /* Symbols that start with '.' might be section names, so sort them
+      after symbols that don't start with '.'.  */
author	Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>	2023-10-13 19:27:17 -0500
committer	Steve Sakoman <steve@sakoman.com>	2023-10-21 05:21:35 -1000
commit	4537f28311194f5076f46b30c2c4bbdc76e857ed (patch)
tree	c408c7d84663ce1f32a9f68062fbde2248a7d1e0
parent	47d212a57f7c26ebd35970b78803ad36572b57bd (diff)
download	poky-4537f28311194f5076f46b30c2c4bbdc76e857ed.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 0964ab0825..da444ed1ba 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -62,5 +62,6 @@ SRC_URI = "\
62	file://0030-CVE-2022-44840.patch \	62	file://0030-CVE-2022-44840.patch \
63	file://0031-CVE-2022-45703-1.patch \	63	file://0031-CVE-2022-45703-1.patch \
64	file://0031-CVE-2022-45703-2.patch \	64	file://0031-CVE-2022-45703-2.patch \
		65	file://0031-CVE-2022-47695.patch \
65	"	66	"
66	S = "${WORKDIR}/git"	67	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch new file mode 100644 index 0000000000..f2e9cea027 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
@@ -0,0 +1,58 @@
		1	From 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sun, 4 Dec 2022 22:15:40 +1030
		4	Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
		5
		6	Fixes a fuzzed object file problem where plt relocs were manipulated
		7	in such a way that two synthetic symbols were generated at the same
		8	plt location. Won't occur in real object files.
		9
		10	PR 29846
		11	PR 20337
		12	* objdump.c (compare_symbols): Test symbol flags to exclude
		13	section and synthetic symbols before attempting to check flavour.
		14
		15	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
		16
		17	CVE: CVE-2022-47695
		18
		19	Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
		20	---
		21	binutils/objdump.c \| 23 ++++++++++-------------
		22	1 file changed, 10 insertions(+), 13 deletions(-)
		23
		24	diff --git a/binutils/objdump.c b/binutils/objdump.c
		25	index 08a0fe521d8..21f75f4db40 100644
		26	--- a/binutils/objdump.c
		27	+++ b/binutils/objdump.c
		28	@@ -1165,20 +1165,17 @@ compare_symbols (const void ap, const void bp)
		29	return 1;
		30	}
		31
		32	- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
		33	+ /* Sort larger size ELF symbols before smaller. See PR20337. */
		34	+ bfd_vma asz = 0;
		35	+ if ((a->flags & (BSF_SECTION_SYM \| BSF_SYNTHETIC)) == 0
		36	+ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
		37	+ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
		38	+ bfd_vma bsz = 0;
		39	+ if ((b->flags & (BSF_SECTION_SYM \| BSF_SYNTHETIC)) == 0
		40	&& bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
		41	- {
		42	- bfd_vma asz, bsz;
		43	-
		44	- asz = 0;
		45	- if ((a->flags & (BSF_SECTION_SYM \| BSF_SYNTHETIC)) == 0)
		46	- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
		47	- bsz = 0;
		48	- if ((b->flags & (BSF_SECTION_SYM \| BSF_SYNTHETIC)) == 0)
		49	- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
		50	- if (asz != bsz)
		51	- return asz > bsz ? -1 : 1;
		52	- }
		53	+ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
		54	+ if (asz != bsz)
		55	+ return asz > bsz ? -1 : 1;
		56
		57	/* Symbols that start with '.' might be section names, so sort them
		58	after symbols that don't start with '.'. */