
[dunfell,3/4] binutils: Fix CVE-2022-48065

Message ID 20240423073442.48274-3-virendrak@kpit.com

Commit Message

virendra thakur April 23, 2024, 7:34 a.m. UTC
Add patch file to fix CVE-2022-48065

Reference: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.9/binutils_2.34-6ubuntu1.9.debian.tar.xz

Signed-off-by: virendra thakur <virendrak@kpit.com>
---
 .../binutils/binutils-2.34.inc                |   1 +
 .../binutils/binutils/CVE-2022-48065.patch    | 115 ++++++++++++++++++
 2 files changed, 116 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index fd6138be1e..5ebc7c6f34 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -61,6 +61,7 @@  SRC_URI = "\
      file://CVE-2022-47010.patch \
      file://CVE-2022-47011.patch \
      file://CVE-2022-48063.patch \
+     file://CVE-2022-48065.patch \
      file://CVE-2022-47695.patch \
      file://CVE-2022-44840.patch \
      file://CVE-2022-45703-0.patch \
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch
new file mode 100644
index 0000000000..c157a6144c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch
@@ -0,0 +1,115 @@ 
+From: Nick Galanis <nick.galanis@canonical.com>
+Subject: [SECURITY UPDATE] Memory leak in find_abstract_instance (CVE-2022-48065)
+Description:
+
+ Origin: backport, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a
+
+ [Canonical note: (nickgalanis) Minor backports were needed for almost every hunk
+  in order to apply to current code. Those backports do not change the functionality
+  of the code or alter the patch, whose goal is to not use the `name` var.
+  Moreover, in scan_unit_for_symbols(), the if statement originally present in the
+  patch was removed, as its introudction by PR28691 needed an intrusive backport
+  to apply. Again, the nature of the fix is not changed, as its goal is to free the 
+  variables before their re-assignment, something that is being achieved]
+
+ From d28fbc7197ba0e021a43f873eff90b05dcdcff6a Mon Sep 17 00:00:00 2001
+ From: Alan Modra <amodra@gmail.com>
+ Date: Wed, 21 Dec 2022 21:40:12 +1030
+ Subject: [PATCH] PR29925, Memory leak in find_abstract_instance
+ 
+ The testcase in the PR had a variable with both DW_AT_decl_file and
+ DW_AT_specification, where the DW_AT_specification also specified
+ DW_AT_decl_file.  This leads to a memory leak as the file name is
+ malloced and duplicates are not expected.
+
+ I've also changed find_abstract_instance to not use a temp for "name",
+ because that can result in a change in behaviour from the usual last
+ of duplicate attributes wins.
+
+ 	PR 29925 
+ 	* dwarf2.c (find_abstract_instance): Delete "name" variable.
+	Free *filename_ptr before assigning new file name.
+	(scan_unit_for_symbols): Similarly free func->file and
+	var->file before assigning.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+ ---
+  bfd/dwarf2.c | 31 +++++++++++++++++++------------
+  1 file changed, 19 insertions(+), 12 deletions(-)
+
+Index: binutils-2.34/bfd/dwarf2.c
+===================================================================
+--- binutils-2.34.orig/bfd/dwarf2.c
++++ binutils-2.34/bfd/dwarf2.c
+@@ -2910,7 +2910,6 @@ find_abstract_instance (struct comp_unit
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  const char *name = NULL;
+ 
+   if (recur_count == 100)
+     {
+@@ -3077,16 +3076,16 @@ find_abstract_instance (struct comp_unit
+ 		case DW_AT_name:
+ 		  /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ 		     over DW_AT_name.  */
+-		  if (name == NULL && is_str_attr (attr.form))
++		  if (*pname == NULL && is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      if (non_mangled (unit->lang))
+ 			*is_linkage = TRUE;
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+ 		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+-					       &name, is_linkage,
++					       pname, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+ 		  break;
+@@ -3096,13 +3095,14 @@ find_abstract_instance (struct comp_unit
+ 		     non-string forms into these attributes.  */
+ 		  if (is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      *is_linkage = TRUE;
+ 		    }
+ 		  break;
+ 		case DW_AT_decl_file:
+ 		  if (!comp_unit_maybe_decode_line_info (unit))
+ 		    return FALSE;
++         free (*filename_ptr);
+ 		  *filename_ptr = concat_filename (unit->line_table,
+ 						   attr.u.val);
+ 		  break;
+@@ -3115,7 +3115,6 @@ find_abstract_instance (struct comp_unit
+ 	    }
+ 	}
+     }
+-  *pname = name;
+   return TRUE;
+ }
+ 
+@@ -3346,6 +3345,7 @@ scan_unit_for_symbols (struct comp_unit
+ 		  break;
+ 
+ 		case DW_AT_decl_file:
++         free (func->file);
+ 		  func->file = concat_filename (unit->line_table,
+ 						attr.u.val);
+ 		  break;
+@@ -3368,6 +3368,7 @@ scan_unit_for_symbols (struct comp_unit
+ 		  break;
+ 
+ 		case DW_AT_decl_file:
++         free (var->file);
+ 		  var->file = concat_filename (unit->line_table,
+ 					       attr.u.val);
+ 		  break;
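Review bot: Deleting the local `name` (the `-  const char *name = NULL;` line in the first embedded hunk) turns the DW_AT_name check into `*pname == NULL`, so find_abstract_instance now reads whatever the caller passed in and every call site must supply a pointer that is already NULL or holds a previously seen name; in 2.34 the callers (outside this patch) presumably pass `&func->name` / `&var->name` from zero-allocated structs, which should be confirmed rather than assumed, since an uninitialised `*pname` would make the NULL test read garbage. Likewise the three added `free (...)` calls are only safe if the 2.34 concat_filename returns heap memory on every path, as upstream's does; if any path in this tree returns a static string, the free would be a freeing of a non-heap pointer, so that is worth checking against bfd/dwarf2.c. The added `free` lines are indented with spaces where the surrounding dwarf2.c code uses GNU tab indentation, e.g. `		  free (*filename_ptr);`, and matching it keeps the backport consistent and avoids whitespace warnings on re-application. The diffstat carried in the patch header (`bfd/dwarf2.c | 31 ...`, `19 insertions(+), 12 deletions(-)`) is the upstream commit's, not this backport's, whose hunks add 7 lines and remove 6; `patch` ignores it, but regenerating it would make the header describe the hunks it precedes.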