binutils: Fix CVE-2025-0840

PR32560 stack-buffer-overflow at objdump disassemble_bytes Backport a patch from upstream to fix CVE-2025-0840 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893] (From OE-Core rev: e12ee4b1713aa25465aa3f866d345d84e9eb948a) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> 2025-03-06 02:48:06 -0800
committer: Steve Sakoman <steve@sakoman.com> 2025-03-13 08:50:03 -0700
commit: e9f1ad69225a1cdd74628fbfd64135b55da96f51 (patch)
tree: 9a3c6a97b077bd08abe82395e2b099e613e1dffc
parent: 079c58a5000ed5da5149f8b7af01ecf999b46293 (diff)
download: poky-e9f1ad69225a1cdd74628fbfd64135b55da96f51.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index e577a10cb8..26d0b570f3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -72,5 +72,6 @@ SRC_URI = "\
     file://0035-CVE-2023-39129.patch \
     file://0036-CVE-2023-39130.patch \
     file://0037-CVE-2024-53589.patch \
+     file://0038-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch
new file mode 100644
index 0000000000..b04e750690
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch
@@ -0,0 +1,53 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Wed, 15 Jan 2025 19:13:43 +1030
+PR32560 stack-buffer-overflow at objdump disassemble_bytes
+There's always someone pushing the boundaries.
+        PR 32560
+        * objdump.c (MAX_INSN_WIDTH): Define.
+        (insn_width): Make it an unsigned long.
+        (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+        (main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+CVE: CVE-2025-0840
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 59f454b0..bd6180be 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -110,7 +110,8 @@ static bool disassemble_all;                /* -D */
+ static int disassemble_zeroes;         /* --disassemble-zeroes */
+ static bool formats_info;              /* -i */
+ static int wide_output;                        /* -w */
+-static int insn_width;                 /* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;        /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;             /* --debugging */
+@@ -2897,7 +2898,7 @@ disassemble_bytes (struct disassemble_info *inf,
+        }
+       else
+        {
+-         char buf[50];
+         char buf[MAX_INSN_WIDTH + 1];
+          unsigned int bpc = 0;
+          unsigned int pb = 0;
+ 
+@@ -5457,8 +5458,9 @@ main (int argc, char **argv)
+          break;
+        case OPTION_INSN_WIDTH:
+          insn_width = strtoul (optarg, NULL, 0);
+-         if (insn_width <= 0)
+-           fatal (_("error: instruction width must be positive"));
+         if (insn_width - 1 >= MAX_INSN_WIDTH)
+           fatal (_("error: instruction width must be in the range 1 to "
+                     XSTRING (MAX_INSN_WIDTH)));
+          break;
+        case OPTION_INLINES:
+          unwind_inlines = true;
author	Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>	2025-03-06 02:48:06 -0800
committer	Steve Sakoman <steve@sakoman.com>	2025-03-13 08:50:03 -0700
commit	e9f1ad69225a1cdd74628fbfd64135b55da96f51 (patch)
tree	9a3c6a97b077bd08abe82395e2b099e613e1dffc
parent	079c58a5000ed5da5149f8b7af01ecf999b46293 (diff)
download	poky-e9f1ad69225a1cdd74628fbfd64135b55da96f51.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index e577a10cb8..26d0b570f3 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -72,5 +72,6 @@ SRC_URI = "\
72	file://0035-CVE-2023-39129.patch \	72	file://0035-CVE-2023-39129.patch \
73	file://0036-CVE-2023-39130.patch \	73	file://0036-CVE-2023-39130.patch \
74	file://0037-CVE-2024-53589.patch \	74	file://0037-CVE-2024-53589.patch \
		75	file://0038-CVE-2025-0840.patch \
75	"	76	"
76	S = "${WORKDIR}/git"	77	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch new file mode 100644 index 0000000000..b04e750690 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch
@@ -0,0 +1,53 @@
		1	Author: Alan Modra <amodra@gmail.com>
		2	Date: Wed, 15 Jan 2025 19:13:43 +1030
		3
		4	PR32560 stack-buffer-overflow at objdump disassemble_bytes
		5
		6	There's always someone pushing the boundaries.
		7
		8	PR 32560
		9	* objdump.c (MAX_INSN_WIDTH): Define.
		10	(insn_width): Make it an unsigned long.
		11	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
		12	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
		13
		14	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
		15	CVE: CVE-2025-0840
		16
		17	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		18
		19	diff --git a/binutils/objdump.c b/binutils/objdump.c
		20	index 59f454b0..bd6180be 100644
		21	--- a/binutils/objdump.c
		22	+++ b/binutils/objdump.c
		23	@@ -110,7 +110,8 @@ static bool disassemble_all; /* -D */
		24	static int disassemble_zeroes; /* --disassemble-zeroes */
		25	static bool formats_info; /* -i */
		26	static int wide_output; /* -w */
		27	-static int insn_width; /* --insn-width */
		28	+#define MAX_INSN_WIDTH 49
		29	+static unsigned long insn_width; /* --insn-width */
		30	static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
		31	static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
		32	static int dump_debugging; /* --debugging */
		33	@@ -2897,7 +2898,7 @@ disassemble_bytes (struct disassemble_info *inf,
		34	}
		35	else
		36	{
		37	- char buf[50];
		38	+ char buf[MAX_INSN_WIDTH + 1];
		39	unsigned int bpc = 0;
		40	unsigned int pb = 0;
		41
		42	@@ -5457,8 +5458,9 @@ main (int argc, char **argv)
		43	break;
		44	case OPTION_INSN_WIDTH:
		45	insn_width = strtoul (optarg, NULL, 0);
		46	- if (insn_width <= 0)
		47	- fatal (_("error: instruction width must be positive"));
		48	+ if (insn_width - 1 >= MAX_INSN_WIDTH)
		49	+ fatal (_("error: instruction width must be in the range 1 to "
		50	+ XSTRING (MAX_INSN_WIDTH)));
		51	break;
		52	case OPTION_INLINES:
		53	unwind_inlines = true;