
[mickledore] binutils: Fix CVE-2023-39128

Message ID 20230908124109.70317-1-sanjanasanju1608@gmail.com
State New
Series [mickledore] binutils: Fix CVE-2023-39128

Commit Message

Sanjana V Sept. 8, 2023, 12:41 p.m. UTC
Avoid buffer overflow in ada_decode.

Signed-off-by: Sanjana <sanjanasanju1608@gmail.com>
---
 .../binutils/binutils-2.40.inc                |  1 +
 .../binutils/0017-CVE-2023-39128.patch        | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch

Comments

Siddharth Sept. 11, 2023, 7:25 a.m. UTC | #1
Hi Sanjana,

Thank you for this patch.

But I feel this is not the right way to patch this vulnerability. No doubt the patch is released for binutils-gdb, but that is because the sources are merged.

However, in our systems, the command gdb comes from the gdb package and not from binutils-gdb.

Additional confirmation can also be obtained from the binutils configuration, where we are disabling gdb in binutils.

So even after patching, the vulnerability will exist, as it is not patched in gdb, and where it is patched, gdb is disabled.

Patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.40.inc b/meta/recipes-devtools/binutils/binutils-2.40.inc
index 33e7f4198d..424cfc48fc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.40.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.40.inc
@@ -35,5 +35,6 @@  SRC_URI = "\
      file://0015-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
      file://0016-CVE-2023-25586.patch \
      file://0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch \
+     file://0017-CVE-2023-39128.patch \
 "
 S  = "${WORKDIR}/git"
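Review bot: the patch added to SRC_URI here touches only gdb/ada-lang.c, and as Siddharth notes in the comment above this recipe builds binutils with gdb disabled, so this line does not change the gdb binary that is actually shipped; the fix belongs in the gdb recipe, or the patch should be shown to reach an object this recipe builds. Minor: the list is already out of numeric order (`0001-Fix-an-illegal-memory-access-...` follows `0016-CVE-2023-25586.patch`) and appending `0017-CVE-2023-39128.patch` after it continues that; placing it directly after the 0016 entry keeps the sequence readable.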
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch
new file mode 100644
index 0000000000..cd81a52b15
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch
@@ -0,0 +1,74 @@ 
+From: Tom Tromey <tromey@adacore.com>
+Date: Wed, 16 Aug 2023 17:29:19 +0000 (-0600)
+Subject: Avoid buffer overflow in ada_decode
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d
+
+Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed.  ada_decode had a logic error when the input was
+all digits.  While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check.  Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz <keiths@redhat.com>
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]    
+
+CVE: CVE-2023-39128    
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 4a9a6e0f38f..2f934b1e79a 100644
+--- a/gdb/ada-lang.c
++++ b/gdb/ada-lang.c
+@@ -57,6 +57,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include <algorithm>
+ #include "ada-exp.h"
+ #include "charset.h"
+@@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators)
+ 	i -= 1;
+       if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ 	len0 = i - 1;
+-      else if (encoded[i] == '$')
++      else if (i >= 0 && encoded[i] == '$')
+ 	len0 = i;
+     }
+ 
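Review bot: the bounds check in this hunk fixes the half of the condition that was unguarded: the preceding `if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')` already protects its own reads, while the original `else if (encoded[i] == '$')` ran after the `i -= 1` loop had walked off the front of an all-digit input, reading `encoded[-1]`; `i >= 0 &&` closes that. The check only works if `i` is a signed type, which `i -= 1` and `i > 1` suggest but the visible context does not confirm (the loop condition is above the hunk); a one-line comment in the backport stating that `i` can reach -1 for all-digit input would save the next reader the same analysis.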
+@@ -1574,6 +1575,18 @@ Suppress:
+   return decoded;
+ }
+ 
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++  /* This isn't valid, but used to cause a crash.  PR gdb/30639.  The
++     result does not really matter very much.  */
++  SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names.  Once
+    allocated, names in this table are never released.  While this is a
+    storage leak, it should not be significant unless there are massive
+@@ -13984,4 +13997,8 @@ DWARF attribute."),
+   gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang");
+   gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang");
+   gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang");
++
++#ifdef GDB_SELF_TEST
++  selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
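Review bot: the patch header needs tidying before merge: the `Upstream-Status:` and `CVE:` lines carry trailing whitespace, and the `Signed-off-by:` inside the patch (Sanjana.Venkatesh@windriver.com) does not match the one in the commit message (sanjanasanju1608@gmail.com); use one identity for both. Also note that `ada_decode_tests` and its `selftests::register_test` call in this hunk are compiled only under `GDB_SELF_TEST`, so the backport adds no test coverage in a normal build; that is acceptable for a CVE backport but worth stating in the header rather than leaving the upstream "Tested with the self-tests in an asan build" line to imply otherwise.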