2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index bff97b50c3..41ed39632d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
     file://0015-gprofng-change-use-of-bignum-to-bigint.patch \
+     file://0016-CVE-2024-53589.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
new file mode 100644
index 0000000000..380112a3ba
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Mon Nov 11 10:24:09 2024 +1030
+    Re: tekhex object file output fixes
+    Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+    bfd_abs_section, but bfd_abs_section needs to be treated specially.
+    In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+    is invalid.
+            PR 32347
+            * tekhex.c (first_phase): Guard against modification of
+            _bfd_std_section[] entries.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
+CVE: CVE-2024-53589
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
+++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
+  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];                        /* A symbol can only be 16chars long.  */
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-       bfd_vma addr;
+-
+-       if (!getvalue (&src, &addr, src_end))
+-         return false;
+-
+-       while (*src && src < src_end - 1)
+-         {
+-           insert_byte (abfd, HEX (src), addr);
+-           src += 2;
+-           addr++;
+-         }
+-       return true;
+-      }
+      if (!getvalue (&src, &addr, src_end))
+       return false;
+
+      while (*src && src < src_end - 1)
+       {
+         insert_byte (abfd, HEX (src), addr);
+         src += 2;
+         addr++;
+       }
+      return true;
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+            {
+            case '1':           /* Section range.  */
+              src++;
+-             if (!getvalue (&src, &section->vma, src_end))
+             if (!getvalue (&src, &addr, src_end))
+                return false;
+              if (!getvalue (&src, &val, src_end))
+                return false;
+-             if (val < section->vma)
+-               val = section->vma;
+-             section->size = val - section->vma;
+             if (bfd_is_const_section (section))
+               break;
+             section->vma = addr;
+             if (val < addr)
+               val = addr;
+             section->size = val - addr;
+              /* PR 17512: file: objdump-s-endless-loop.tekhex.
+                 Check for overlarge section sizes.  */
+              if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+                  new_symbol->symbol.flags = BSF_LOCAL;
+                if (stype == '2' || stype == '6')
+                  new_symbol->symbol.section = bfd_abs_section_ptr;
+               else if (bfd_is_const_section (section))
+                 ;
+                else if (stype == '3' || stype == '7')
+                  {
+                    if ((section->flags & SEC_DATA) == 0)

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index bff97b50c3..41ed39632d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \	36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
38	file://0015-gprofng-change-use-of-bignum-to-bigint.patch \	38	file://0015-gprofng-change-use-of-bignum-to-bigint.patch \
		39	file://0016-CVE-2024-53589.patch \
39	"	40	"
40	S = "${WORKDIR}/git"	41	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch new file mode 100644 index 0000000000..380112a3ba --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
		1	Author: Alan Modra <amodra@gmail.com>
		2	Date: Mon Nov 11 10:24:09 2024 +1030
		3
		4	Re: tekhex object file output fixes
		5
		6	Commit 8b5a212495 supported ABS symbols by allowing "section" to be
		7	bfd_abs_section, but bfd_abs_section needs to be treated specially.
		8	In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
		9	is invalid.
		10
		11	PR 32347
		12	* tekhex.c (first_phase): Guard against modification of
		13	_bfd_std_section[] entries.
		14
		15	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
		16	CVE: CVE-2024-53589
		17
		18	Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
		19
		20	diff --git a/bfd/tekhex.c b/bfd/tekhex.c
		21	index aea2ebb23df..b305c1f96f1 100644
		22	--- a/bfd/tekhex.c
		23	+++ b/bfd/tekhex.c
		24	@@ -361,6 +361,7 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		25	{
		26	asection section, alt_section;
		27	unsigned int len;
		28	+ bfd_vma addr;
		29	bfd_vma val;
		30	char sym[17]; /* A symbol can only be 16chars long. */
		31
		32	@@ -368,20 +369,16 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		33	{
		34	case '6':
		35	/* Data record - read it and store it. */
		36	- {
		37	- bfd_vma addr;
		38	-
		39	- if (!getvalue (&src, &addr, src_end))
		40	- return false;
		41	-
		42	- while (*src && src < src_end - 1)
		43	- {
		44	- insert_byte (abfd, HEX (src), addr);
		45	- src += 2;
		46	- addr++;
		47	- }
		48	- return true;
		49	- }
		50	+ if (!getvalue (&src, &addr, src_end))
		51	+ return false;
		52	+
		53	+ while (*src && src < src_end - 1)
		54	+ {
		55	+ insert_byte (abfd, HEX (src), addr);
		56	+ src += 2;
		57	+ addr++;
		58	+ }
		59	+ return true;
		60
		61	case '3':
		62	/* Symbol record, read the segment. */
		63	@@ -406,13 +403,16 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		64	{
		65	case '1': /* Section range. */
		66	src++;
		67	- if (!getvalue (&src, &section->vma, src_end))
		68	+ if (!getvalue (&src, &addr, src_end))
		69	return false;
		70	if (!getvalue (&src, &val, src_end))
		71	return false;
		72	- if (val < section->vma)
		73	- val = section->vma;
		74	- section->size = val - section->vma;
		75	+ if (bfd_is_const_section (section))
		76	+ break;
		77	+ section->vma = addr;
		78	+ if (val < addr)
		79	+ val = addr;
		80	+ section->size = val - addr;
		81	/* PR 17512: file: objdump-s-endless-loop.tekhex.
		82	Check for overlarge section sizes. */
		83	if (section->size & 0x80000000)
		84	@@ -455,6 +455,8 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		85	new_symbol->symbol.flags = BSF_LOCAL;
		86	if (stype == '2' \|\| stype == '6')
		87	new_symbol->symbol.section = bfd_abs_section_ptr;
		88	+ else if (bfd_is_const_section (section))
		89	+ ;
		90	else if (stype == '3' \|\| stype == '7')
		91	{
		92	if ((section->flags & SEC_DATA) == 0)