
[dunfell,1/4] binutils: Fix CVE-2022-44840

Message ID 20240423073442.48274-1-virendrak@kpit.com
State New

Commit Message

virendra thakur April 23, 2024, 7:34 a.m. UTC
Add patch file to fix CVE-2022-44840

Reference: https://answers.launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.8/binutils_2.34-6ubuntu1.8.debian.tar.xz

Signed-off-by: virendra thakur <virendrak@kpit.com>
---
 .../binutils/binutils-2.34.inc                |   1 +
 .../binutils/binutils/CVE-2022-44840.patch    | 162 ++++++++++++++++++
 2 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch

Comments

Steve Sakoman April 23, 2024, 11:52 a.m. UTC | #1
Dunfell has reached end of life and we are no longer taking changes.
The final build was done on April 15.

Steve

On Tue, Apr 23, 2024 at 12:35 AM virendra thakur via
lists.openembedded.org
<thakur.virendra1810=gmail.com@lists.openembedded.org> wrote:
>
> Add patch file to fix CVE-2022-44840
>
> Reference: https://answers.launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.8/binutils_2.34-6ubuntu1.8.debian.tar.xz
>
> Signed-off-by: virendra thakur <virendrak@kpit.com>
> ---
>  .../binutils/binutils-2.34.inc                |   1 +
>  .../binutils/binutils/CVE-2022-44840.patch    | 162 ++++++++++++++++++
>  2 files changed, 163 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
> index 032263fe63..64f66a30a9 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.34.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
> @@ -62,5 +62,6 @@ SRC_URI = "\
>       file://CVE-2022-47011.patch \
>       file://CVE-2022-48063.patch \
>       file://CVE-2022-47695.patch \
> +     file://CVE-2022-44840.patch \
>  "
>  S  = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch
> new file mode 100644
> index 0000000000..288219871d
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch
> @@ -0,0 +1,162 @@
> +[Ubuntu note: commit af2ddf69ab85 is not included in this version of the code,
> + so adjustments had to be made to the 2nd hunk in order for it to apply
> + cleanly and in order to have the added code match correct macro usage for
> + this version of binutils (SAFE_BYTE_GET64 is called with signature_high and
> + signature_low in this version of the code, but not in the added lines of the
> + original patch).
> + -- Camila Camargo de Matos <camila.camargodematos@canonical.com>]
> +
> +Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59
> +
> +From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Sun, 30 Oct 2022 19:08:51 +1030
> +Subject: [PATCH] Pool section entries for DWP version 1
> +
> +Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
> +
> +Fuzzers have found a weakness in the code stashing pool section
> +entries.  With random nonsensical values in the index entries (rather
> +than each index pointing to its own set distinct from other sets),
> +it's possible to overflow the space allocated, losing the NULL
> +terminator.  Without a terminator, find_section_in_set can run off the
> +end of the shndx_pool buffer.  Fix this by scanning the pool directly.
> +
> +binutils/
> +       * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
> +       (end_cu_tu_entry): Likewise.
> +       (process_cu_tu_index): Fill shndx_pool by directly scanning
> +       pool, rather than indirectly from index entries.
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59]
> +
> +CVE: CVE-2022-44840
> +
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> + binutils/dwarf.c | 90 ++++++++++++++++++++++--------------------------
> + 1 file changed, 41 insertions(+), 49 deletions(-)
> +
> +Index: binutils-2.34/binutils/dwarf.c
> +===================================================================
> +--- binutils-2.34.orig/binutils/dwarf.c
> ++++ binutils-2.34/binutils/dwarf.c
> +@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx
> + static void
> + add_shndx_to_cu_tu_entry (unsigned int shndx)
> + {
> +-  if (shndx_pool_used >= shndx_pool_size)
> +-    {
> +-      error (_("Internal error: out of space in the shndx pool.\n"));
> +-      return;
> +-    }
> +   shndx_pool [shndx_pool_used++] = shndx;
> + }
> +
> + static void
> + end_cu_tu_entry (void)
> + {
> +-  if (shndx_pool_used >= shndx_pool_size)
> +-    {
> +-      error (_("Internal error: out of space in the shndx pool.\n"));
> +-      return;
> +-    }
> +   shndx_pool [shndx_pool_used++] = 0;
> + }
> +
> +@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio
> +
> +   if (version == 1)
> +     {
> ++      unsigned char *shndx_list;
> ++      unsigned int shndx;
> ++
> +       if (!do_display)
> +-      prealloc_cu_tu_list ((limit - ppool) / 4);
> +-      for (i = 0; i < nslots; i++)
> +       {
> +-        unsigned char *shndx_list;
> +-        unsigned int shndx;
> +-
> +-        SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
> +-        if (signature_high != 0 || signature_low != 0)
> ++         prealloc_cu_tu_list ((limit - ppool) / 4);
> ++         for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
> +           {
> +-            SAFE_BYTE_GET (j, pindex, 4, limit);
> +-            shndx_list = ppool + j * 4;
> +-            /* PR 17531: file: 705e010d.  */
> +-            if (shndx_list < ppool)
> +-              {
> +-                warn (_("Section index pool located before start of section\n"));
> +-                return 0;
> +-              }
> +-
> +-            if (do_display)
> ++            shndx = byte_get (shndx_list, 4);
> ++            add_shndx_to_cu_tu_entry (shndx);
> ++          }
> ++        end_cu_tu_entry ();
> ++      }
> ++      else
> ++      for (i = 0; i < nslots; i++)
> ++        {
> ++          SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
> ++          if (signature_high != 0 || signature_low != 0)
> ++            {
> ++              SAFE_BYTE_GET (j, pindex, 4, limit);
> ++              shndx_list = ppool + j * 4;
> ++              /* PR 17531: file: 705e010d.  */
> ++              if (shndx_list < ppool)
> ++                {
> ++                  warn (_("Section index pool located before start of section\n"));
> ++                  return 0;
> ++                }
> +               printf (_("  [%3d] Signature:  0x%s  Sections: "),
> +                       i, dwarf_vmatoa64 (signature_high, signature_low,
> +                                          buf, sizeof (buf)));
> +-            for (;;)
> +-              {
> +-                if (shndx_list >= limit)
> +-                  {
> +-                    warn (_("Section %s too small for shndx pool\n"),
> +-                          section->name);
> +-                    return 0;
> +-                  }
> +-                SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
> +-                if (shndx == 0)
> +-                  break;
> +-                if (do_display)
> ++              for (;;)
> ++                {
> ++                  if (shndx_list >= limit)
> ++                    {
> ++                      warn (_("Section %s too small for shndx pool\n"),
> ++                            section->name);
> ++                      return 0;
> ++                    }
> ++                  SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
> ++                  if (shndx == 0)
> ++                    break;
> +                   printf (" %d", shndx);
> +-                else
> +-                  add_shndx_to_cu_tu_entry (shndx);
> +-                shndx_list += 4;
> +-              }
> +-            if (do_display)
> ++                  shndx_list += 4;
> ++                }
> +               printf ("\n");
> +-            else
> +-              end_cu_tu_entry ();
> +-          }
> +-        phash += 8;
> +-        pindex += 4;
> +-      }
> ++            }
> ++          phash += 8;
> ++          pindex += 4;
> ++        }
> +     }
> +   else if (version == 2)
> +     {
> --
> 2.25.1
>
>
>

Patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 032263fe63..64f66a30a9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -62,5 +62,6 @@  SRC_URI = "\
      file://CVE-2022-47011.patch \
      file://CVE-2022-48063.patch \
      file://CVE-2022-47695.patch \
+     file://CVE-2022-44840.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch
new file mode 100644
index 0000000000..288219871d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch
@@ -0,0 +1,162 @@ 
+[Ubuntu note: commit af2ddf69ab85 is not included in this version of the code,
+ so adjustments had to be made to the 2nd hunk in order for it to apply
+ cleanly and in order to have the added code match correct macro usage for
+ this version of binutils (SAFE_BYTE_GET64 is called with signature_high and
+ signature_low in this version of the code, but not in the added lines of the
+ original patch).
+ -- Camila Camargo de Matos <camila.camargodematos@canonical.com>]
+
+Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59
+
+From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 30 Oct 2022 19:08:51 +1030
+Subject: [PATCH] Pool section entries for DWP version 1
+
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+
+Fuzzers have found a weakness in the code stashing pool section
+entries.  With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator.  Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer.  Fix this by scanning the pool directly.
+
+binutils/
+	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+	(end_cu_tu_entry): Likewise.
+	(process_cu_tu_index): Fill shndx_pool by directly scanning
+	pool, rather than indirectly from index entries.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59]
+
+CVE: CVE-2022-44840
+
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ binutils/dwarf.c | 90 ++++++++++++++++++++++--------------------------
+ 1 file changed, 41 insertions(+), 49 deletions(-)
+
+Index: binutils-2.34/binutils/dwarf.c
+===================================================================
+--- binutils-2.34.orig/binutils/dwarf.c
++++ binutils-2.34/binutils/dwarf.c
+@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = shndx;
+ }
+ 
+ static void
+ end_cu_tu_entry (void)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = 0;
+ }
+ 
+@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio
+ 
+   if (version == 1)
+     {
++      unsigned char *shndx_list;
++      unsigned int shndx;
++
+       if (!do_display)
+-	prealloc_cu_tu_list ((limit - ppool) / 4);
+-      for (i = 0; i < nslots; i++)
+ 	{
+-	  unsigned char *shndx_list;
+-	  unsigned int shndx;
+-
+-	  SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
+-	  if (signature_high != 0 || signature_low != 0)
++         prealloc_cu_tu_list ((limit - ppool) / 4);
++         for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+ 	    {
+-	      SAFE_BYTE_GET (j, pindex, 4, limit);
+-	      shndx_list = ppool + j * 4;
+-	      /* PR 17531: file: 705e010d.  */
+-	      if (shndx_list < ppool)
+-		{
+-		  warn (_("Section index pool located before start of section\n"));
+-		  return 0;
+-		}
+-
+-	      if (do_display)
++	      shndx = byte_get (shndx_list, 4);
++	      add_shndx_to_cu_tu_entry (shndx);
++	    }
++	  end_cu_tu_entry ();
++	}
++      else
++	for (i = 0; i < nslots; i++)
++	  {
++	    SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
++	    if (signature_high != 0 || signature_low != 0)
++	      {
++		SAFE_BYTE_GET (j, pindex, 4, limit);
++		shndx_list = ppool + j * 4;
++		/* PR 17531: file: 705e010d.  */
++		if (shndx_list < ppool)
++		  {
++		    warn (_("Section index pool located before start of section\n"));
++		    return 0;
++		  }
+ 		printf (_("  [%3d] Signature:  0x%s  Sections: "),
+ 			i, dwarf_vmatoa64 (signature_high, signature_low,
+ 					   buf, sizeof (buf)));
+-	      for (;;)
+-		{
+-		  if (shndx_list >= limit)
+-		    {
+-		      warn (_("Section %s too small for shndx pool\n"),
+-			    section->name);
+-		      return 0;
+-		    }
+-		  SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+-		  if (shndx == 0)
+-		    break;
+-		  if (do_display)
++		for (;;)
++		  {
++		    if (shndx_list >= limit)
++		      {
++			warn (_("Section %s too small for shndx pool\n"),
++			      section->name);
++		        return 0;
++		      }
++		    SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
++		    if (shndx == 0)
++		      break;
+ 		    printf (" %d", shndx);
+-		  else
+-		    add_shndx_to_cu_tu_entry (shndx);
+-		  shndx_list += 4;
+-		}
+-	      if (do_display)
++		    shndx_list += 4;
++		  }
+ 		printf ("\n");
+-	      else
+-		end_cu_tu_entry ();
+-	    }
+-	  phash += 8;
+-	  pindex += 4;
+-	}
++	      }
++	    phash += 8;
++	    pindex += 4;
++	  }
+     }
+   else if (version == 2)
+     {
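Review bot: With the range checks deleted from `add_shndx_to_cu_tu_entry` and `end_cu_tu_entry`, writes to `shndx_pool` in the new `!do_display` branch are bounded only by the loop header matching the `(limit - ppool) / 4` request to `prealloc_cu_tu_list`, and that holds only when the pool region is at least 4 bytes long. If `limit - ppool` is below 4, the request is 0 and `end_cu_tu_entry ()` still stores one terminator. Whether earlier code in `process_cu_tu_index` rules that case out (or `ppool > limit`) is not visible, since the function starts and ends outside the embedded hunk, so this should be confirmed against the 2.34 tree rather than assumed to carry over from upstream. A local guard before the prealloc would make the invariant explicit, for example `if (ppool > limit || limit - ppool < 4) { warn (_("Section %s too small for shndx pool\n"), section->name); return 0; }`. As a style point, the added `prealloc_cu_tu_list (...)` line and the `for` header are indented with spaces while the surrounding lines use tabs.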