Message ID | 20230515055805.1439114-1-deepadeepthi98@gmail.com |
---|---|
State | Accepted, archived |
Commit | fd0d01aca6f2aea51e9704e0ba48dc35dfd87b81 |
Series | [kirkstone] binutils : Fix CVE-2023-25588 | expand |
On Sun, May 14, 2023 at 7:58 PM Deepthi Hemraj <deepadeepthi98@gmail.com> wrote: > > Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] > > CVE: CVE-2023-25588 > > Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com> > --- > .../binutils/binutils-2.38.inc | 7 +- > .../binutils/0028-CVE-2023-25588.patch | 147 ++++++++++++++++++ > 2 files changed, 148 insertions(+), 6 deletions(-) > create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc > index 5c3ff3d93a..e51c65d638 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.38.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc > @@ -50,11 +50,6 @@ SRC_URI = "\ > file://0021-CVE-2023-1579-2.patch \ > file://0021-CVE-2023-1579-3.patch \ > file://0021-CVE-2023-1579-4.patch \ > - file://0022-CVE-2023-25584-1.patch \ > - file://0022-CVE-2023-25584-2.patch \ > - file://0022-CVE-2023-25584-3.patch \ > - file://0023-CVE-2023-25585.patch \ > - file://0026-CVE-2023-1972.patch \ > - file://0025-CVE-2023-25588.patch \ > + file://0028-CVE-2023-25588.patch \ I can't make sense of what you are trying to accomplish with this patch! We already have a patch for CVE-2023-25588. And you don't explain why you are removing the patches for 3 other CVEs. Steve > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch > new file mode 100644 > index 0000000000..c019004a02 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch 
> @@ -0,0 +1,147 @@ > +From: Alan Modra <amodra@gmail.com> > +Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030) > +Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised > +X-Git-Tag: gdb-13-branchpoint~871 > +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1 > + > +PR29677, Field `the_bfd` of `asymbol` is uninitialised > + > +Besides not initialising the_bfd of synthetic symbols, counting > +symbols when sizing didn't match symbols created if there were any > +dynsyms named "". We don't want synthetic symbols without names > +anyway, so get rid of them. Also, simplify and correct sanity checks. > + > + PR 29677 > + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite. > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] > + > +CVE: CVE-2023-25588 > + > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > + > +--- > + > +diff --git a/bfd/mach-o.c b/bfd/mach-o.c > +index acb35e7f0c6..5279343768c 100644 > +--- a/bfd/mach-o.c > ++++ b/bfd/mach-o.c > +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, > + bfd_mach_o_symtab_command *symtab = mdata->symtab; > + asymbol *s; > + char * s_start; > +- char * s_end; > + unsigned long count, i, j, n; > + size_t size; > + char *names; > +- char *nul_name; > + const char stub [] = "$stub"; > + > + *ret = NULL; > +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, > + /* We need to allocate a bfd symbol for every indirect symbol and to > + allocate the memory for its name. */ > + count = dysymtab->nindirectsyms; > +- size = count * sizeof (asymbol) + 1; > +- > ++ size = 0; > + for (j = 0; j < count; j++) > + { > +- const char * strng; > + unsigned int isym = dysymtab->indirect_syms[j]; > ++ const char *str; > + > + /* Some indirect symbols are anonymous. 
*/ > +- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name)) > +- /* PR 17512: file: f5b8eeba. */ > +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub); > ++ if (isym < symtab->nsyms > ++ && (str = symtab->symbols[isym].symbol.name) != NULL) > ++ { > ++ /* PR 17512: file: f5b8eeba. */ > ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab)); > ++ size += sizeof (stub); > ++ } > + } > + > +- s_start = bfd_malloc (size); > ++ s_start = bfd_malloc (size + count * sizeof (asymbol)); > + s = *ret = (asymbol *) s_start; > + if (s == NULL) > + return -1; > + names = (char *) (s + count); > +- nul_name = names; > +- *names++ = 0; > +- s_end = s_start + size; > + > + n = 0; > + for (i = 0; i < mdata->nsects; i++) > +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, > + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec); > + > + /* PR 17512: file: 08e15eec. */ > +- if (first >= count || last >= count || first > last) > ++ if (first >= count || last > count || first > last) > + goto fail; > + > + for (j = first; j < last; j++) > + { > + unsigned int isym = dysymtab->indirect_syms[j]; > +- > +- /* PR 17512: file: 04d64d9b. */ > +- if (((char *) s) + sizeof (* s) > s_end) > +- goto fail; > +- > +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC; > +- s->section = sec->bfdsection; > +- s->value = addr - sec->addr; > +- s->udata.p = NULL; > ++ const char *str; > ++ size_t len; > + > + if (isym < symtab->nsyms > +- && symtab->symbols[isym].symbol.name) > ++ && (str = symtab->symbols[isym].symbol.name) != NULL) > + { > +- const char *sym = symtab->symbols[isym].symbol.name; > +- size_t len; > +- > +- s->name = names; > +- len = strlen (sym); > +- /* PR 17512: file: 47dfd4d2. */ > +- if (names + len >= s_end) > ++ /* PR 17512: file: 04d64d9b. */ > ++ if (n >= count) > + goto fail; > +- memcpy (names, sym, len); > +- names += len; > +- /* PR 17512: file: 18f340a4. 
*/ > +- if (names + sizeof (stub) >= s_end) > ++ len = strnlen (str, symtab->strsize - (str - symtab->strtab)); > ++ /* PR 17512: file: 47dfd4d2, 18f340a4. */ > ++ if (size < len + sizeof (stub)) > + goto fail; > +- memcpy (names, stub, sizeof (stub)); > +- names += sizeof (stub); > ++ memcpy (names, str, len); > ++ memcpy (names + len, stub, sizeof (stub)); > ++ s->name = names; > ++ names += len + sizeof (stub); > ++ size -= len + sizeof (stub); > ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd; > ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC; > ++ s->section = sec->bfdsection; > ++ s->value = addr - sec->addr; > ++ s->udata.p = NULL; > ++ s++; > ++ n++; > + } > +- else > +- s->name = nul_name; > +- > + addr += entry_size; > +- s++; > +- n++; > + } > + break; > + default: > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#181229): https://lists.openembedded.org/g/openembedded-core/message/181229 > Mute This Topic: https://lists.openembedded.org/mt/98897943/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 5c3ff3d93a..e51c65d638 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -50,11 +50,6 @@ SRC_URI = "\
 file://0021-CVE-2023-1579-2.patch \
 file://0021-CVE-2023-1579-3.patch \
 file://0021-CVE-2023-1579-4.patch \
- file://0022-CVE-2023-25584-1.patch \
- file://0022-CVE-2023-25584-2.patch \
- file://0022-CVE-2023-25584-3.patch \
- file://0023-CVE-2023-25585.patch \
- file://0026-CVE-2023-1972.patch \
- file://0025-CVE-2023-25588.patch \
+ file://0028-CVE-2023-25588.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
new file mode 100644
index 0000000000..c019004a02
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
@@ -0,0 +1,147 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
+Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
+X-Git-Tag: gdb-13-branchpoint~871
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
+
+PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+ PR 29677
+ * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+
+CVE: CVE-2023-25588
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ bfd_mach_o_symtab_command *symtab = mdata->symtab;
+ asymbol *s;
+ char * s_start;
+- char * s_end;
+ unsigned long count, i, j, n;
+ size_t size;
+ char *names;
+- char *nul_name;
+ const char stub [] = "$stub";
+
+ *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ /* We need to allocate a bfd symbol for every indirect symbol and to
+ allocate the memory for its name. */
+ count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+ for (j = 0; j < count; j++)
+ {
+- const char * strng;
+ unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+ /* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+ }
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+ s = *ret = (asymbol *) s_start;
+ if (s == NULL)
+ return -1;
+ names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+ n = 0;
+ for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+ /* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+ goto fail;
+
+ for (j = first; j < last; j++)
+ {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+ if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+ goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+ goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+ }
+- else
+- s->name = nul_name;
+-
+ addr += entry_size;
+- s++;
+- n++;
+ }
+ break;
+ default:
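Review bot: The allocation size in the rewritten sizing code, `bfd_malloc (size + count * sizeof (asymbol))`, is computed with no overflow check, while `count` is taken straight from `dysymtab->nindirectsyms` and `size` is a running sum of name lengths. If that count comes from the input file and is not bounded elsewhere (not visible here), a wrapped result on a host with a 32-bit `size_t` would give a buffer smaller than `names = (char *) (s + count)` assumes; the later `n >= count` and `size < len + sizeof (stub)` checks police the budget that was computed, not the allocation that was made. A guard such as `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;` placed before the call would close that, and because this is a backport it is better raised upstream than carried as a local deviation. The body of bfd_mach_o_get_synthetic_symtab starts and ends outside the inner hunks, so the `fail` path and how `first` and `last` are derived cannot be checked from here.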
Upstream-Status: Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] CVE: CVE-2023-25588 Signed-off-by: Deepthi Hemraj <deepadeepthi98@gmail.com> --- .../binutils/binutils-2.38.inc | 7 +- .../binutils/0028-CVE-2023-25588.patch | 147 ++++++++++++++++++ 2 files changed, 148 insertions(+), 6 deletions(-) create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch