binutils: Fix CVE-2022-45703

(From OE-Core rev: b2fa5b29462a16b238f8a6a40886b45aa483e963) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yash Shinde <Yash.Shinde@windriver.com> 2023-10-11 06:25:50 -0700
committer: Steve Sakoman <steve@sakoman.com> 2023-10-18 05:13:24 -1000
commit: e77b551dbfa641b6402893e985882487b65fab27 (patch)
tree: 7715b2473d4d788c11b0ac9e75854b50885a4ff6
parent: 600b508c376d587bbb9067af3e8b8567fc767449 (diff)
download: poky-e77b551dbfa641b6402893e985882487b65fab27.tar.gz
3 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 7c5d8f79ec..0964ab0825 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -60,5 +60,7 @@ SRC_URI = "\
     file://0029-CVE-2022-48065-2.patch \
     file://0029-CVE-2022-48065-3.patch \
     file://0030-CVE-2022-44840.patch \
+     file://0031-CVE-2022-45703-1.patch \
+     file://0031-CVE-2022-45703-2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch
new file mode 100644
index 0000000000..3db4385e13
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch
@@ -0,0 +1,147 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 24 May 2022 00:02:14 +0000 (+0930)
+Subject: PR29169, invalid read displaying fuzzed .gdb_index
+X-Git-Tag: binutils-2_39~530
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636
+PR29169, invalid read displaying fuzzed .gdb_index
+        PR 29169
+        * dwarf.c (display_gdb_index): Combine sanity checks.  Calculate
+        element counts, not word counts.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636]
+CVE: CVE-2022-45703   
+Signed-off-by: yash shinde <yash.shinde@windriver.com>
+---
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 7de6f28161f..c855972a12f 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -10406,7 +10406,7 @@ display_gdb_index (struct dwarf_section *section,
+   uint32_t cu_list_offset, tu_list_offset;
+   uint32_t address_table_offset, symbol_table_offset, constant_pool_offset;
+   unsigned int cu_list_elements, tu_list_elements;
+-  unsigned int address_table_size, symbol_table_slots;
+  unsigned int address_table_elements, symbol_table_slots;
+   unsigned char *cu_list, *tu_list;
+   unsigned char *address_table, *symbol_table, *constant_pool;
+   unsigned int i;
+@@ -10454,48 +10454,19 @@ display_gdb_index (struct dwarf_section *section,
+       || tu_list_offset > section->size
+       || address_table_offset > section->size
+       || symbol_table_offset > section->size
+-      || constant_pool_offset > section->size)
+      || constant_pool_offset > section->size
+      || tu_list_offset < cu_list_offset
+      || address_table_offset < tu_list_offset
+      || symbol_table_offset < address_table_offset
+      || constant_pool_offset < symbol_table_offset)
+     {
+       warn (_("Corrupt header in the %s section.\n"), section->name);
+       return 0;
+     }
+ 
+-  /* PR 17531: file: 418d0a8a.  */
+-  if (tu_list_offset < cu_list_offset)
+-    {
+-      warn (_("TU offset (%x) is less than CU offset (%x)\n"),
+-           tu_list_offset, cu_list_offset);
+-      return 0;
+-    }
+-
+-  cu_list_elements = (tu_list_offset - cu_list_offset) / 8;
+-
+-  if (address_table_offset < tu_list_offset)
+-    {
+-      warn (_("Address table offset (%x) is less than TU offset (%x)\n"),
+-           address_table_offset, tu_list_offset);
+-      return 0;
+-    }
+-
+-  tu_list_elements = (address_table_offset - tu_list_offset) / 8;
+-
+-  /* PR 17531: file: 18a47d3d.  */
+-  if (symbol_table_offset < address_table_offset)
+-    {
+-      warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"),
+-           symbol_table_offset, address_table_offset);
+-      return 0;
+-    }
+-
+-  address_table_size = symbol_table_offset - address_table_offset;
+-
+-  if (constant_pool_offset < symbol_table_offset)
+-    {
+-      warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"),
+-           constant_pool_offset, symbol_table_offset);
+-      return 0;
+-    }
+-
+  cu_list_elements = (tu_list_offset - cu_list_offset) / 16;
+  tu_list_elements = (address_table_offset - tu_list_offset) / 24;
+  address_table_elements = (symbol_table_offset - address_table_offset) / 20;
+   symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8;
+ 
+   cu_list = start + cu_list_offset;
+@@ -10504,31 +10475,25 @@ display_gdb_index (struct dwarf_section *section,
+   symbol_table = start + symbol_table_offset;
+   constant_pool = start + constant_pool_offset;
+ 
+-  if (address_table_offset + address_table_size > section->size)
+-    {
+-      warn (_("Address table extends beyond end of section.\n"));
+-      return 0;
+-    }
+-
+   printf (_("\nCU table:\n"));
+-  for (i = 0; i < cu_list_elements; i += 2)
+  for (i = 0; i < cu_list_elements; i++)
+     {
+-      uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8);
+-      uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8);
+      uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8);
+      uint64_t cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8);
+ 
+-      printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2,
+      printf (_("[%3u] 0x%lx - 0x%lx\n"), i,
+              (unsigned long) cu_offset,
+              (unsigned long) (cu_offset + cu_length - 1));
+     }
+ 
+   printf (_("\nTU table:\n"));
+-  for (i = 0; i < tu_list_elements; i += 3)
+  for (i = 0; i < tu_list_elements; i++)
+     {
+-      uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8);
+-      uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8);
+-      uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8);
+      uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8);
+      uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8);
+      uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8);
+ 
+-      printf (_("[%3u] 0x%lx 0x%lx "), i / 3,
+      printf (_("[%3u] 0x%lx 0x%lx "), i,
+              (unsigned long) tu_offset,
+              (unsigned long) type_offset);
+       print_dwarf_vma (signature, 8);
+@@ -10536,12 +10501,11 @@ display_gdb_index (struct dwarf_section *section,
+     }
+ 
+   printf (_("\nAddress table:\n"));
+-  for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4);
+-       i += 2 * 8 + 4)
+  for (i = 0; i < address_table_elements; i++)
+     {
+-      uint64_t low = byte_get_little_endian (address_table + i, 8);
+-      uint64_t high = byte_get_little_endian (address_table + i + 8, 8);
+-      uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4);
+      uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
+      uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
+      uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
+ 
+       print_dwarf_vma (low, 8);
+       print_dwarf_vma (high, 8);
diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
new file mode 100644
index 0000000000..1fac9739dd
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
@@ -0,0 +1,31 @@
+From 69bfd1759db41c8d369f9dcc98a135c5a5d97299 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 18 Nov 2022 11:29:13 +1030
+Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index
+ dwarf.c:10548
+        PR 29799
+        * dwarf.c (display_gdb_index): Typo fix.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=4bba8dfb81a6df49f5e61b3fae99dd545cc5c7dd;hp=7730293326ac1049451eb4a037ac86d827030700;hb=69bfd1759db41c8d369f9dcc98a135c5a5d97299;hpb=7828dfa93b210b6bbc6596e6e096cc150a9f8aa4]
+CVE: CVE-2022-45703
+Signed-off-by: yash shinde <yash.shinde@windriver.com>
+---
+ binutils/dwarf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 7730293326a..4bba8dfb81a 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -10562,7 +10562,7 @@ display_gdb_index (struct dwarf_section
+     {
+       uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
+       uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
+-      uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
+      uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4);
+ 
+       print_dwarf_vma (low, 8);
+       print_dwarf_vma (high, 8);
author	Yash Shinde <Yash.Shinde@windriver.com>	2023-10-11 06:25:50 -0700
committer	Steve Sakoman <steve@sakoman.com>	2023-10-18 05:13:24 -1000
commit	e77b551dbfa641b6402893e985882487b65fab27 (patch)
tree	7715b2473d4d788c11b0ac9e75854b50885a4ff6
parent	600b508c376d587bbb9067af3e8b8567fc767449 (diff)
download	poky-e77b551dbfa641b6402893e985882487b65fab27.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 7c5d8f79ec..0964ab0825 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -60,5 +60,7 @@ SRC_URI = "\
60	file://0029-CVE-2022-48065-2.patch \	60	file://0029-CVE-2022-48065-2.patch \
61	file://0029-CVE-2022-48065-3.patch \	61	file://0029-CVE-2022-48065-3.patch \
62	file://0030-CVE-2022-44840.patch \	62	file://0030-CVE-2022-44840.patch \
		63	file://0031-CVE-2022-45703-1.patch \
		64	file://0031-CVE-2022-45703-2.patch \
63	"	65	"
64	S = "${WORKDIR}/git"	66	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch new file mode 100644 index 0000000000..3db4385e13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch
@@ -0,0 +1,147 @@
		1	From: Alan Modra <amodra@gmail.com>
		2	Date: Tue, 24 May 2022 00:02:14 +0000 (+0930)
		3	Subject: PR29169, invalid read displaying fuzzed .gdb_index
		4	X-Git-Tag: binutils-2_39~530
		5	X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636
		6
		7	PR29169, invalid read displaying fuzzed .gdb_index
		8
		9	PR 29169
		10	* dwarf.c (display_gdb_index): Combine sanity checks. Calculate
		11	element counts, not word counts.
		12	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636]
		13
		14	CVE: CVE-2022-45703
		15
		16	Signed-off-by: yash shinde <yash.shinde@windriver.com>
		17
		18	---
		19
		20	diff --git a/binutils/dwarf.c b/binutils/dwarf.c
		21	index 7de6f28161f..c855972a12f 100644
		22	--- a/binutils/dwarf.c
		23	+++ b/binutils/dwarf.c
		24	@@ -10406,7 +10406,7 @@ display_gdb_index (struct dwarf_section *section,
		25	uint32_t cu_list_offset, tu_list_offset;
		26	uint32_t address_table_offset, symbol_table_offset, constant_pool_offset;
		27	unsigned int cu_list_elements, tu_list_elements;
		28	- unsigned int address_table_size, symbol_table_slots;
		29	+ unsigned int address_table_elements, symbol_table_slots;
		30	unsigned char cu_list, tu_list;
		31	unsigned char address_table, symbol_table, *constant_pool;
		32	unsigned int i;
		33	@@ -10454,48 +10454,19 @@ display_gdb_index (struct dwarf_section *section,
		34	\|\| tu_list_offset > section->size
		35	\|\| address_table_offset > section->size
		36	\|\| symbol_table_offset > section->size
		37	- \|\| constant_pool_offset > section->size)
		38	+ \|\| constant_pool_offset > section->size
		39	+ \|\| tu_list_offset < cu_list_offset
		40	+ \|\| address_table_offset < tu_list_offset
		41	+ \|\| symbol_table_offset < address_table_offset
		42	+ \|\| constant_pool_offset < symbol_table_offset)
		43	{
		44	warn (_("Corrupt header in the %s section.\n"), section->name);
		45	return 0;
		46	}
		47
		48	- /* PR 17531: file: 418d0a8a. */
		49	- if (tu_list_offset < cu_list_offset)
		50	- {
		51	- warn (_("TU offset (%x) is less than CU offset (%x)\n"),
		52	- tu_list_offset, cu_list_offset);
		53	- return 0;
		54	- }
		55	-
		56	- cu_list_elements = (tu_list_offset - cu_list_offset) / 8;
		57	-
		58	- if (address_table_offset < tu_list_offset)
		59	- {
		60	- warn (_("Address table offset (%x) is less than TU offset (%x)\n"),
		61	- address_table_offset, tu_list_offset);
		62	- return 0;
		63	- }
		64	-
		65	- tu_list_elements = (address_table_offset - tu_list_offset) / 8;
		66	-
		67	- /* PR 17531: file: 18a47d3d. */
		68	- if (symbol_table_offset < address_table_offset)
		69	- {
		70	- warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"),
		71	- symbol_table_offset, address_table_offset);
		72	- return 0;
		73	- }
		74	-
		75	- address_table_size = symbol_table_offset - address_table_offset;
		76	-
		77	- if (constant_pool_offset < symbol_table_offset)
		78	- {
		79	- warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"),
		80	- constant_pool_offset, symbol_table_offset);
		81	- return 0;
		82	- }
		83	-
		84	+ cu_list_elements = (tu_list_offset - cu_list_offset) / 16;
		85	+ tu_list_elements = (address_table_offset - tu_list_offset) / 24;
		86	+ address_table_elements = (symbol_table_offset - address_table_offset) / 20;
		87	symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8;
		88
		89	cu_list = start + cu_list_offset;
		90	@@ -10504,31 +10475,25 @@ display_gdb_index (struct dwarf_section *section,
		91	symbol_table = start + symbol_table_offset;
		92	constant_pool = start + constant_pool_offset;
		93
		94	- if (address_table_offset + address_table_size > section->size)
		95	- {
		96	- warn (_("Address table extends beyond end of section.\n"));
		97	- return 0;
		98	- }
		99	-
		100	printf (_("\nCU table:\n"));
		101	- for (i = 0; i < cu_list_elements; i += 2)
		102	+ for (i = 0; i < cu_list_elements; i++)
		103	{
		104	- uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8);
		105	- uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8);
		106	+ uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8);
		107	+ uint64_t cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8);
		108
		109	- printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2,
		110	+ printf (_("[%3u] 0x%lx - 0x%lx\n"), i,
		111	(unsigned long) cu_offset,
		112	(unsigned long) (cu_offset + cu_length - 1));
		113	}
		114
		115	printf (_("\nTU table:\n"));
		116	- for (i = 0; i < tu_list_elements; i += 3)
		117	+ for (i = 0; i < tu_list_elements; i++)
		118	{
		119	- uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8);
		120	- uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8);
		121	- uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8);
		122	+ uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8);
		123	+ uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8);
		124	+ uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8);
		125
		126	- printf (_("[%3u] 0x%lx 0x%lx "), i / 3,
		127	+ printf (_("[%3u] 0x%lx 0x%lx "), i,
		128	(unsigned long) tu_offset,
		129	(unsigned long) type_offset);
		130	print_dwarf_vma (signature, 8);
		131	@@ -10536,12 +10501,11 @@ display_gdb_index (struct dwarf_section *section,
		132	}
		133
		134	printf (_("\nAddress table:\n"));
		135	- for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4);
		136	- i += 2 * 8 + 4)
		137	+ for (i = 0; i < address_table_elements; i++)
		138	{
		139	- uint64_t low = byte_get_little_endian (address_table + i, 8);
		140	- uint64_t high = byte_get_little_endian (address_table + i + 8, 8);
		141	- uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4);
		142	+ uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
		143	+ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
		144	+ uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
		145
		146	print_dwarf_vma (low, 8);
		147	print_dwarf_vma (high, 8);


diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch new file mode 100644 index 0000000000..1fac9739dd --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
@@ -0,0 +1,31 @@
		1	From 69bfd1759db41c8d369f9dcc98a135c5a5d97299 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Fri, 18 Nov 2022 11:29:13 +1030
		4	Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index
		5	dwarf.c:10548
		6
		7	PR 29799
		8	* dwarf.c (display_gdb_index): Typo fix.
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=4bba8dfb81a6df49f5e61b3fae99dd545cc5c7dd;hp=7730293326ac1049451eb4a037ac86d827030700;hb=69bfd1759db41c8d369f9dcc98a135c5a5d97299;hpb=7828dfa93b210b6bbc6596e6e096cc150a9f8aa4]
		10
		11	CVE: CVE-2022-45703
		12
		13	Signed-off-by: yash shinde <yash.shinde@windriver.com>
		14
		15	---
		16	binutils/dwarf.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/binutils/dwarf.c b/binutils/dwarf.c
		20	index 7730293326a..4bba8dfb81a 100644
		21	--- a/binutils/dwarf.c
		22	+++ b/binutils/dwarf.c
		23	@@ -10562,7 +10562,7 @@ display_gdb_index (struct dwarf_section
		24	{
		25	uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
		26	uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
		27	- uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
		28	+ uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4);
		29
		30	print_dwarf_vma (low, 8);
		31	print_dwarf_vma (high, 8);