binutils: Fix CVE-2022-44840

(From OE-Core rev: 7a42ae332ebde565cc7c6fca568563f076bd26ba) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yash Shinde <Yash.Shinde@windriver.com> 2023-10-11 06:25:49 -0700
committer: Steve Sakoman <steve@sakoman.com> 2023-10-18 05:13:24 -1000
commit: 600b508c376d587bbb9067af3e8b8567fc767449 (patch)
tree: b5d140943382ca7e0080147497dc6fb0e7a52658
parent: 2a2ea5ac7502b0d67c8bce454eb3a8300c101e41 (diff)
download: poky-600b508c376d587bbb9067af3e8b8567fc767449.tar.gz
2 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 638b1ba93d..7c5d8f79ec 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -59,5 +59,6 @@ SRC_URI = "\
     file://0029-CVE-2022-48065-1.patch \
     file://0029-CVE-2022-48065-2.patch \
     file://0029-CVE-2022-48065-3.patch \
+     file://0030-CVE-2022-44840.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch
new file mode 100644
index 0000000000..2f4c38044b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch
@@ -0,0 +1,151 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 30 Oct 2022 08:38:51 +0000 (+1030)
+Subject: Pool section entries for DWP version 1
+X-Git-Tag: gdb-13-branchpoint~664
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=28750e3b967da2207d51cbce9fc8be262817ee59
+Pool section entries for DWP version 1
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+Fuzzers have found a weakness in the code stashing pool section
+entries.  With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator.  Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer.  Fix this by scanning the pool directly.
+binutils/
+        * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+        (end_cu_tu_entry): Likewise.
+        (process_cu_tu_index): Fill shndx_pool by directly scanning
+        pool, rather than indirectly from index entries.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=7730293326ac1049451eb4a037ac86d827030700;hp=c6340a28906114e9df29d7401472c7dc0a98c2b1;hb=28750e3b967da2207d51cbce9fc8be262817ee59;hpb=60095ba3b8f8ba26a6389dded732fa446422c98f]
+CVE: CVE-2022-44840
+Signed-off-by: yash shinde <yash.shinde@windriver.com>
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index c6340a28906..7730293326a 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = shndx;
+ }
+ 
+ static void
+ end_cu_tu_entry (void)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = 0;
+ }
+ 
+@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+ 
+   if (version == 1)
+     {
+      unsigned char *shndx_list;
+      unsigned int shndx;
+
+       if (!do_display)
+-       prealloc_cu_tu_list ((limit - ppool) / 4);
+-      for (i = 0; i < nslots; i++)
+        {
+-         unsigned char *shndx_list;
+-         unsigned int shndx;
+-
+-         SAFE_BYTE_GET (signature, phash, 8, limit);
+-         if (signature != 0)
+         prealloc_cu_tu_list ((limit - ppool) / 4);
+         for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+            {
+-             SAFE_BYTE_GET (j, pindex, 4, limit);
+-             shndx_list = ppool + j * 4;
+-             /* PR 17531: file: 705e010d.  */
+-             if (shndx_list < ppool)
+-               {
+-                 warn (_("Section index pool located before start of section\n"));
+-                 return 0;
+-               }
+             shndx = byte_get (shndx_list, 4);
+             add_shndx_to_cu_tu_entry (shndx);
+           }
+         end_cu_tu_entry ();
+       }
+      else
+       for (i = 0; i < nslots; i++)
+         {
+           SAFE_BYTE_GET (signature, phash, 8, limit);
+           if (signature != 0)
+             {
+               SAFE_BYTE_GET (j, pindex, 4, limit);
+               shndx_list = ppool + j * 4;
+               /* PR 17531: file: 705e010d.  */
+               if (shndx_list < ppool)
+                 {
+                   warn (_("Section index pool located before start of section\n"));
+                   return 0;
+                 }
+ 
+-             if (do_display)
+                printf (_("  [%3d] Signature:  0x%s  Sections: "),
+                        i, dwarf_vmatoa ("x", signature));
+-             for (;;)
+-               {
+-                 if (shndx_list >= limit)
+-                   {
+-                     warn (_("Section %s too small for shndx pool\n"),
+-                           section->name);
+-                     return 0;
+-                   }
+-                 SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+-                 if (shndx == 0)
+-                   break;
+-                 if (do_display)
+               for (;;)
+                 {
+                   if (shndx_list >= limit)
+                     {
+                       warn (_("Section %s too small for shndx pool\n"),
+                             section->name);
+                       return 0;
+                     }
+                   SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+                   if (shndx == 0)
+                     break;
+                    printf (" %d", shndx);
+-                 else
+-                   add_shndx_to_cu_tu_entry (shndx);
+-                 shndx_list += 4;
+-               }
+-             if (do_display)
+                   shndx_list += 4;
+                 }
+                printf ("\n");
+-             else
+-               end_cu_tu_entry ();
+-           }
+-         phash += 8;
+-         pindex += 4;
+-       }
+             }
+           phash += 8;
+           pindex += 4;
+         }
+     }
+   else if (version == 2)
+     {
author	Yash Shinde <Yash.Shinde@windriver.com>	2023-10-11 06:25:49 -0700
committer	Steve Sakoman <steve@sakoman.com>	2023-10-18 05:13:24 -1000
commit	600b508c376d587bbb9067af3e8b8567fc767449 (patch)
tree	b5d140943382ca7e0080147497dc6fb0e7a52658
parent	2a2ea5ac7502b0d67c8bce454eb3a8300c101e41 (diff)
download	poky-600b508c376d587bbb9067af3e8b8567fc767449.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 638b1ba93d..7c5d8f79ec 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -59,5 +59,6 @@ SRC_URI = "\
59	file://0029-CVE-2022-48065-1.patch \	59	file://0029-CVE-2022-48065-1.patch \
60	file://0029-CVE-2022-48065-2.patch \	60	file://0029-CVE-2022-48065-2.patch \
61	file://0029-CVE-2022-48065-3.patch \	61	file://0029-CVE-2022-48065-3.patch \
		62	file://0030-CVE-2022-44840.patch \
62	"	63	"
63	S = "${WORKDIR}/git"	64	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch new file mode 100644 index 0000000000..2f4c38044b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch
@@ -0,0 +1,151 @@
		1	From: Alan Modra <amodra@gmail.com>
		2	Date: Sun, 30 Oct 2022 08:38:51 +0000 (+1030)
		3	Subject: Pool section entries for DWP version 1
		4	X-Git-Tag: gdb-13-branchpoint~664
		5	X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=28750e3b967da2207d51cbce9fc8be262817ee59
		6
		7	Pool section entries for DWP version 1
		8
		9	Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
		10
		11	Fuzzers have found a weakness in the code stashing pool section
		12	entries. With random nonsensical values in the index entries (rather
		13	than each index pointing to its own set distinct from other sets),
		14	it's possible to overflow the space allocated, losing the NULL
		15	terminator. Without a terminator, find_section_in_set can run off the
		16	end of the shndx_pool buffer. Fix this by scanning the pool directly.
		17
		18	binutils/
		19	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
		20	(end_cu_tu_entry): Likewise.
		21	(process_cu_tu_index): Fill shndx_pool by directly scanning
		22	pool, rather than indirectly from index entries.
		23
		24	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=7730293326ac1049451eb4a037ac86d827030700;hp=c6340a28906114e9df29d7401472c7dc0a98c2b1;hb=28750e3b967da2207d51cbce9fc8be262817ee59;hpb=60095ba3b8f8ba26a6389dded732fa446422c98f]
		25
		26	CVE: CVE-2022-44840
		27
		28	Signed-off-by: yash shinde <yash.shinde@windriver.com>
		29
		30	diff --git a/binutils/dwarf.c b/binutils/dwarf.c
		31	index c6340a28906..7730293326a 100644
		32	--- a/binutils/dwarf.c
		33	+++ b/binutils/dwarf.c
		34	@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
		35	static void
		36	add_shndx_to_cu_tu_entry (unsigned int shndx)
		37	{
		38	- if (shndx_pool_used >= shndx_pool_size)
		39	- {
		40	- error (_("Internal error: out of space in the shndx pool.\n"));
		41	- return;
		42	- }
		43	shndx_pool [shndx_pool_used++] = shndx;
		44	}
		45
		46	static void
		47	end_cu_tu_entry (void)
		48	{
		49	- if (shndx_pool_used >= shndx_pool_size)
		50	- {
		51	- error (_("Internal error: out of space in the shndx pool.\n"));
		52	- return;
		53	- }
		54	shndx_pool [shndx_pool_used++] = 0;
		55	}
		56
		57	@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
		58
		59	if (version == 1)
		60	{
		61	+ unsigned char *shndx_list;
		62	+ unsigned int shndx;
		63	+
		64	if (!do_display)
		65	- prealloc_cu_tu_list ((limit - ppool) / 4);
		66	- for (i = 0; i < nslots; i++)
		67	{
		68	- unsigned char *shndx_list;
		69	- unsigned int shndx;
		70	-
		71	- SAFE_BYTE_GET (signature, phash, 8, limit);
		72	- if (signature != 0)
		73	+ prealloc_cu_tu_list ((limit - ppool) / 4);
		74	+ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
		75	{
		76	- SAFE_BYTE_GET (j, pindex, 4, limit);
		77	- shndx_list = ppool + j * 4;
		78	- /* PR 17531: file: 705e010d. */
		79	- if (shndx_list < ppool)
		80	- {
		81	- warn (_("Section index pool located before start of section\n"));
		82	- return 0;
		83	- }
		84	+ shndx = byte_get (shndx_list, 4);
		85	+ add_shndx_to_cu_tu_entry (shndx);
		86	+ }
		87	+ end_cu_tu_entry ();
		88	+ }
		89	+ else
		90	+ for (i = 0; i < nslots; i++)
		91	+ {
		92	+ SAFE_BYTE_GET (signature, phash, 8, limit);
		93	+ if (signature != 0)
		94	+ {
		95	+ SAFE_BYTE_GET (j, pindex, 4, limit);
		96	+ shndx_list = ppool + j * 4;
		97	+ /* PR 17531: file: 705e010d. */
		98	+ if (shndx_list < ppool)
		99	+ {
		100	+ warn (_("Section index pool located before start of section\n"));
		101	+ return 0;
		102	+ }
		103
		104	- if (do_display)
		105	printf (_(" [%3d] Signature: 0x%s Sections: "),
		106	i, dwarf_vmatoa ("x", signature));
		107	- for (;;)
		108	- {
		109	- if (shndx_list >= limit)
		110	- {
		111	- warn (_("Section %s too small for shndx pool\n"),
		112	- section->name);
		113	- return 0;
		114	- }
		115	- SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
		116	- if (shndx == 0)
		117	- break;
		118	- if (do_display)
		119	+ for (;;)
		120	+ {
		121	+ if (shndx_list >= limit)
		122	+ {
		123	+ warn (_("Section %s too small for shndx pool\n"),
		124	+ section->name);
		125	+ return 0;
		126	+ }
		127	+ SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
		128	+ if (shndx == 0)
		129	+ break;
		130	printf (" %d", shndx);
		131	- else
		132	- add_shndx_to_cu_tu_entry (shndx);
		133	- shndx_list += 4;
		134	- }
		135	- if (do_display)
		136	+ shndx_list += 4;
		137	+ }
		138	printf ("\n");
		139	- else
		140	- end_cu_tu_entry ();
		141	- }
		142	- phash += 8;
		143	- pindex += 4;
		144	- }
		145	+ }
		146	+ phash += 8;
		147	+ pindex += 4;
		148	+ }
		149	}
		150	else if (version == 2)
		151	{