From patchwork Tue Apr 23 07:34:39 2024 X-Patchwork-Submitter: virendra thakur X-Patchwork-Id: 42773
From: virendra thakur To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com Subject: [OE-core][dunfell][PATCH 1/4] binutils: Fix CVE-2022-44840 Date: Tue, 23 Apr 2024 13:04:39 +0530 Message-Id: <20240423073442.48274-1-virendrak@kpit.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198606 Add patch file to fix CVE-2022-44840 Reference: https://answers.launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.8/binutils_2.34-6ubuntu1.8.debian.tar.xz
Signed-off-by: virendra thakur --- .../binutils/binutils-2.34.inc | 1 + .../binutils/binutils/CVE-2022-44840.patch | 162 ++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 032263fe63..64f66a30a9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -62,5 +62,6 @@ SRC_URI = "\ file://CVE-2022-47011.patch \ file://CVE-2022-48063.patch \ file://CVE-2022-47695.patch \ + file://CVE-2022-44840.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch new file mode 100644 index 0000000000..288219871d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch 
@@ -0,0 +1,162 @@ +[Ubuntu note: commit af2ddf69ab85 is not included in this version of the code, + so adjustments had to be made to the 2nd hunk in order for it to apply + cleanly and in order to have the added code match correct macro usage for + this version of binutils (SAFE_BYTE_GET64 is called with signature_high and + signature_low in this version of the code, but not in the added lines of the + original patch). + -- Camila Camargo de Matos ] + +Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59 + +From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sun, 30 Oct 2022 19:08:51 +1030 +Subject: [PATCH] Pool section entries for DWP version 1 + +Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3 + +Fuzzers have found a weakness in the code stashing pool section +entries. With random nonsensical values in the index entries (rather +than each index pointing to its own set distinct from other sets), +it's possible to overflow the space allocated, losing the NULL +terminator. Without a terminator, find_section_in_set can run off the +end of the shndx_pool buffer. Fix this by scanning the pool directly. + +binutils/ + * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check. + (end_cu_tu_entry): Likewise. + (process_cu_tu_index): Fill shndx_pool by directly scanning + pool, rather than indirectly from index entries. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59] + +CVE: CVE-2022-44840 + +Signed-off-by: Virendra Thakur +--- + binutils/dwarf.c | 90 ++++++++++++++++++++++-------------------------- + 1 file changed, 41 insertions(+), 49 deletions(-) + +Index: binutils-2.34/binutils/dwarf.c +=================================================================== +--- binutils-2.34.orig/binutils/dwarf.c ++++ binutils-2.34/binutils/dwarf.c +@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx + static void + add_shndx_to_cu_tu_entry (unsigned int shndx) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = shndx; + } + + static void + end_cu_tu_entry (void) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = 0; + } + +@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio + + if (version == 1) + { ++ unsigned char *shndx_list; ++ unsigned int shndx; ++ + if (!do_display) +- prealloc_cu_tu_list ((limit - ppool) / 4); +- for (i = 0; i < nslots; i++) + { +- unsigned char *shndx_list; +- unsigned int shndx; +- +- SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit); +- if (signature_high != 0 || signature_low != 0) ++ prealloc_cu_tu_list ((limit - ppool) / 4); ++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4) + { +- SAFE_BYTE_GET (j, pindex, 4, limit); +- shndx_list = ppool + j * 4; +- /* PR 17531: file: 705e010d. 
*/ +- if (shndx_list < ppool) +- { +- warn (_("Section index pool located before start of section\n")); +- return 0; +- } +- +- if (do_display) ++ shndx = byte_get (shndx_list, 4); ++ add_shndx_to_cu_tu_entry (shndx); ++ } ++ end_cu_tu_entry (); ++ } ++ else ++ for (i = 0; i < nslots; i++) ++ { ++ SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit); ++ if (signature_high != 0 || signature_low != 0) ++ { ++ SAFE_BYTE_GET (j, pindex, 4, limit); ++ shndx_list = ppool + j * 4; ++ /* PR 17531: file: 705e010d. */ ++ if (shndx_list < ppool) ++ { ++ warn (_("Section index pool located before start of section\n")); ++ return 0; ++ } + printf (_(" [%3d] Signature: 0x%s Sections: "), + i, dwarf_vmatoa64 (signature_high, signature_low, + buf, sizeof (buf))); +- for (;;) +- { +- if (shndx_list >= limit) +- { +- warn (_("Section %s too small for shndx pool\n"), +- section->name); +- return 0; +- } +- SAFE_BYTE_GET (shndx, shndx_list, 4, limit); +- if (shndx == 0) +- break; +- if (do_display) ++ for (;;) ++ { ++ if (shndx_list >= limit) ++ { ++ warn (_("Section %s too small for shndx pool\n"), ++ section->name); ++ return 0; ++ } ++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit); ++ if (shndx == 0) ++ break; + printf (" %d", shndx); +- else +- add_shndx_to_cu_tu_entry (shndx); +- shndx_list += 4; +- } +- if (do_display) ++ shndx_list += 4; ++ } + printf ("\n"); +- else +- end_cu_tu_entry (); +- } +- phash += 8; +- pindex += 4; +- } ++ } ++ phash += 8; ++ pindex += 4; ++ } + } + else if (version == 2) + { From patchwork Tue Apr 23 07:34:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: virendra thakur X-Patchwork-Id: 42775 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D3D9C4345F for ; 
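Review bot: in the process_cu_tu_index hunk of CVE-2022-44840.patch the non-display path now sizes the pool with `prealloc_cu_tu_list ((limit - ppool) / 4)`, fills it from `ppool + 4` while `shndx_list <= limit - 4`, and then calls `end_cu_tu_entry ()`, while the two earlier hunks delete the `shndx_pool_used >= shndx_pool_size` checks from both add_shndx_to_cu_tu_entry and end_cu_tu_entry. The arithmetic works out for limit - ppool >= 4 (the loop stores (limit - ppool) / 4 - 1 entries and the terminator fills the last slot), but when limit - ppool is 0..3 the pool is sized 0 and end_cu_tu_entry still stores a terminator; please confirm that a check earlier in this function rules that case out in 2.34, or keep the deleted bounds checks as cheap assertions, since the Ubuntu note says this hunk was hand-adjusted for this tree. Also, the scan reads with plain `byte_get (shndx_list, 4)` rather than SAFE_BYTE_GET; that is only safe because of the `<= limit - 4` loop bound, so the bound and the read must stay together if the hunk is re-based again.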
From: virendra thakur To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com Subject: [OE-core][dunfell][PATCH 2/4] binutils: Fix CVE-2022-45703 Date: Tue, 23 Apr 2024 13:04:40 +0530 Message-Id: <20240423073442.48274-2-virendrak@kpit.com> In-Reply-To: <20240423073442.48274-1-virendrak@kpit.com> References: <20240423073442.48274-1-virendrak@kpit.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198607 Add patch file to fix CVE-2022-45703 Reference: https://answers.launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.8/binutils_2.34-6ubuntu1.8.debian.tar.xz Signed-off-by: virendra thakur --- .../binutils/binutils-2.34.inc | 2 + .../binutils/binutils/CVE-2022-45703-0.patch | 148 ++++++++++++++++++ .../binutils/binutils/CVE-2022-45703-1.patch | 36 +++++ 3 files changed, 186 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-45703-0.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-45703-1.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 64f66a30a9..fd6138be1e 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -63,5 +63,7 @@ SRC_URI = "\ file://CVE-2022-48063.patch \ file://CVE-2022-47695.patch \ file://CVE-2022-44840.patch \ + file://CVE-2022-45703-0.patch \ + file://CVE-2022-45703-1.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-0.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-0.patch new file mode 100644 index 0000000000..a89456cae4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-0.patch 
@@ -0,0 +1,148 @@ +Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636 + +From 244e19c79111eed017ee38ab1d44fb2a6cd1b636 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Tue, 24 May 2022 09:32:14 +0930 +Subject: [PATCH] PR29169, invalid read displaying fuzzed .gdb_index + + PR 29169 + * dwarf.c (display_gdb_index): Combine sanity checks. Calculate + element counts, not word counts. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636] + +CVE: CVE-2022-45703 + +Signed-off-by: Virendra Thakur +--- + binutils/dwarf.c | 80 +++++++++++++----------------------------------- + 1 file changed, 22 insertions(+), 58 deletions(-) + +Index: binutils-2.34/binutils/dwarf.c +=================================================================== +--- binutils-2.34.orig/binutils/dwarf.c ++++ binutils-2.34/binutils/dwarf.c +@@ -9208,7 +9208,7 @@ display_gdb_index (struct dwarf_section + uint32_t cu_list_offset, tu_list_offset; + uint32_t address_table_offset, symbol_table_offset, constant_pool_offset; + unsigned int cu_list_elements, tu_list_elements; +- unsigned int address_table_size, symbol_table_slots; ++ unsigned int address_table_elements, symbol_table_slots; + unsigned char *cu_list, *tu_list; + unsigned char *address_table, *symbol_table, *constant_pool; + unsigned int i; +@@ -9256,48 +9256,19 @@ display_gdb_index (struct dwarf_section + || tu_list_offset > section->size + || address_table_offset > section->size + || symbol_table_offset > section->size +- || constant_pool_offset > section->size) ++ || constant_pool_offset > section->size ++ || tu_list_offset < cu_list_offset ++ || address_table_offset < tu_list_offset ++ || symbol_table_offset < address_table_offset ++ || constant_pool_offset < symbol_table_offset) + { + warn (_("Corrupt header in the %s section.\n"), section->name); + return 0; + } + +- /* PR 17531: file: 418d0a8a. 
*/ +- if (tu_list_offset < cu_list_offset) +- { +- warn (_("TU offset (%x) is less than CU offset (%x)\n"), +- tu_list_offset, cu_list_offset); +- return 0; +- } +- +- cu_list_elements = (tu_list_offset - cu_list_offset) / 8; +- +- if (address_table_offset < tu_list_offset) +- { +- warn (_("Address table offset (%x) is less than TU offset (%x)\n"), +- address_table_offset, tu_list_offset); +- return 0; +- } +- +- tu_list_elements = (address_table_offset - tu_list_offset) / 8; +- +- /* PR 17531: file: 18a47d3d. */ +- if (symbol_table_offset < address_table_offset) +- { +- warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"), +- symbol_table_offset, address_table_offset); +- return 0; +- } +- +- address_table_size = symbol_table_offset - address_table_offset; +- +- if (constant_pool_offset < symbol_table_offset) +- { +- warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"), +- constant_pool_offset, symbol_table_offset); +- return 0; +- } +- ++ cu_list_elements = (tu_list_offset - cu_list_offset) / 16; ++ tu_list_elements = (address_table_offset - tu_list_offset) / 24; ++ address_table_elements = (symbol_table_offset - address_table_offset) / 20; + symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8; + + cu_list = start + cu_list_offset; +@@ -9306,31 +9277,25 @@ display_gdb_index (struct dwarf_section + symbol_table = start + symbol_table_offset; + constant_pool = start + constant_pool_offset; + +- if (address_table + address_table_size > section->start + section->size) +- { +- warn (_("Address table extends beyond end of section.\n")); +- return 0; +- } +- + printf (_("\nCU table:\n")); +- for (i = 0; i < cu_list_elements; i += 2) ++ for (i = 0; i < cu_list_elements; i++) + { +- uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8); +- uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8); ++ uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8); ++ uint64_t 
cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8); + +- printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2, ++ printf (_("[%3u] 0x%lx - 0x%lx\n"), i, + (unsigned long) cu_offset, + (unsigned long) (cu_offset + cu_length - 1)); + } + + printf (_("\nTU table:\n")); +- for (i = 0; i < tu_list_elements; i += 3) ++ for (i = 0; i < tu_list_elements; i++) + { +- uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8); +- uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8); +- uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8); ++ uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8); ++ uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8); ++ uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8); + +- printf (_("[%3u] 0x%lx 0x%lx "), i / 3, ++ printf (_("[%3u] 0x%lx 0x%lx "), i, + (unsigned long) tu_offset, + (unsigned long) type_offset); + print_dwarf_vma (signature, 8); +@@ -9338,12 +9303,11 @@ display_gdb_index (struct dwarf_section + } + + printf (_("\nAddress table:\n")); +- for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4); +- i += 2 * 8 + 4) ++ for (i = 0; i < address_table_elements; i++) + { +- uint64_t low = byte_get_little_endian (address_table + i, 8); +- uint64_t high = byte_get_little_endian (address_table + i + 8, 8); +- uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4); ++ uint64_t low = byte_get_little_endian (address_table + i * 20, 8); ++ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8); ++ uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4); + + print_dwarf_vma (low, 8); + print_dwarf_vma (high, 8); diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-1.patch new file mode 100644 index 0000000000..0ed1c4e55b --- /dev/null 
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-45703-1.patch 
@@ -0,0 +1,36 @@ +[Ubuntu note: print_dwarf_vma was used instead of print_hex in this version of + the code. + -- Camila Camargo de Matos ] + +Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=69bfd1759db41c8d369f9dcc98a135c5a5d97299 + +From 69bfd1759db41c8d369f9dcc98a135c5a5d97299 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 18 Nov 2022 11:29:13 +1030 +Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index + dwarf.c:10548 + + PR 29799 + * dwarf.c (display_gdb_index): Typo fix. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=69bfd1759db41c8d369f9dcc98a135c5a5d97299] + +CVE: CVE-2022-45703 + +Signed-off-by: Virendra Thakur +--- + binutils/dwarf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: binutils-2.34/binutils/dwarf.c +=================================================================== +--- binutils-2.34.orig/binutils/dwarf.c ++++ binutils-2.34/binutils/dwarf.c +@@ -9307,7 +9307,7 @@ display_gdb_index (struct dwarf_section + { + uint64_t low = byte_get_little_endian (address_table + i * 20, 8); + uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8); +- uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4); ++ uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4); + + print_dwarf_vma (low, 8); + print_dwarf_vma (high, 8); From patchwork Tue Apr 23 07:34:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: virendra thakur X-Patchwork-Id: 42776 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91A96C41513 for ; Tue, 23 Apr 2024 07:35:20 +0000 (UTC) Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) 
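Review bot: the address-table hunk in CVE-2022-45703-0.patch introduces `byte_get_little_endian (address_table + i + 20 + 16, 4)`, which is exactly the typo that CVE-2022-45703-1.patch (PR29799, "heap buffer overflow in display_gdb_index") corrects to `address_table + i * 20 + 16`, so with the files applied in SRC_URI order the tree is only correct after both patches, and cherry-picking or bisecting to -0 alone lands on a known out-of-bounds read. Either fold the one-line correction into CVE-2022-45703-0.patch and cite both upstream commits in its Origin/Upstream-Status lines, or add a sentence to the -0 header saying it is incomplete without -1. The rest of the -0 hunk looks right: the combined header check now enforces cu_list_offset <= tu_list_offset <= address_table_offset <= symbol_table_offset <= constant_pool_offset <= section->size, which is what makes dropping the separate "Address table extends beyond end of section" check safe, and the per-element strides (16 for CU entries, 24 for TU entries, 20 for address entries) match the two 8-byte, three 8-byte and 8+8+4-byte records the loops read.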
From: virendra thakur To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com Subject: [OE-core][dunfell][PATCH 3/4] binutils: Fix CVE-2022-48065 Date: Tue, 23 Apr 2024 13:04:41 +0530 Message-Id: <20240423073442.48274-3-virendrak@kpit.com> In-Reply-To: <20240423073442.48274-1-virendrak@kpit.com> References: <20240423073442.48274-1-virendrak@kpit.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198608 Add patch file to fix CVE-2022-48065 Reference: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.9/binutils_2.34-6ubuntu1.9.debian.tar.xz Signed-off-by: virendra thakur --- .../binutils/binutils-2.34.inc | 1 + .../binutils/binutils/CVE-2022-48065.patch | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index fd6138be1e..5ebc7c6f34 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -61,6 +61,7 @@ SRC_URI = "\ file://CVE-2022-47010.patch \ file://CVE-2022-47011.patch \ file://CVE-2022-48063.patch \ + file://CVE-2022-48065.patch \ file://CVE-2022-47695.patch \ file://CVE-2022-44840.patch \ file://CVE-2022-45703-0.patch \ diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch new file mode 100644 index 0000000000..c157a6144c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch @@ -0,0 +1,115 @@ +From: Nick Galanis +Subject: [SECURITY UPDATE] Memory leak in find_abstract_instance (CVE-2022-48065) +Description: + + Origin: backport, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a + + [Canonical note: (nickgalanis) Minor backports were needed for almost every hunk + in order to apply to current code. Those backports do not change the functionality + of the code or alter the patch, whose goal is to not use the `name` var. + Moreover, in scan_unit_for_symbols(), the if statement originally present in the + patch was removed, as its introudction by PR28691 needed an intrusive backport + to apply. Again, the nature of the fix is not changed, as its goal is to free the + variables before their re-assignment, something that is being achieved] + + From d28fbc7197ba0e021a43f873eff90b05dcdcff6a Mon Sep 17 00:00:00 2001 + 
From: Alan Modra + Date: Wed, 21 Dec 2022 21:40:12 +1030 + Subject: [PATCH] PR29925, Memory leak in find_abstract_instance + + The testcase in the PR had a variable with both DW_AT_decl_file and + DW_AT_specification, where the DW_AT_specification also specified + DW_AT_decl_file. This leads to a memory leak as the file name is + malloced and duplicates are not expected. + + I've also changed find_abstract_instance to not use a temp for "name", + because that can result in a change in behaviour from the usual last + of duplicate attributes wins. + + PR 29925 + * dwarf2.c (find_abstract_instance): Delete "name" variable. + Free *filename_ptr before assigning new file name. + (scan_unit_for_symbols): Similarly free func->file and + var->file before assigning. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a] + +CVE: CVE-2022-48065 + +Signed-off-by: Virendra Thakur + --- + bfd/dwarf2.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +Index: binutils-2.34/bfd/dwarf2.c +=================================================================== +--- binutils-2.34.orig/bfd/dwarf2.c ++++ binutils-2.34/bfd/dwarf2.c +@@ -2910,7 +2910,6 @@ find_abstract_instance (struct comp_unit + struct abbrev_info *abbrev; + bfd_uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; +- const char *name = NULL; + + if (recur_count == 100) + { +@@ -3077,16 +3076,16 @@ find_abstract_instance (struct comp_unit + case DW_AT_name: + /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name + over DW_AT_name. 
*/ +- if (name == NULL && is_str_attr (attr.form)) ++ if (*pname == NULL && is_str_attr (attr.form)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + if (non_mangled (unit->lang)) + *is_linkage = TRUE; + } + break; + case DW_AT_specification: + if (!find_abstract_instance (unit, &attr, recur_count + 1, +- &name, is_linkage, ++ pname, is_linkage, + filename_ptr, linenumber_ptr)) + return FALSE; + break; +@@ -3096,13 +3095,14 @@ find_abstract_instance (struct comp_unit + non-string forms into these attributes. */ + if (is_str_attr (attr.form)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + *is_linkage = TRUE; + } + break; + case DW_AT_decl_file: + if (!comp_unit_maybe_decode_line_info (unit)) + return FALSE; ++ free (*filename_ptr); + *filename_ptr = concat_filename (unit->line_table, + attr.u.val); + break; +@@ -3115,7 +3115,6 @@ find_abstract_instance (struct comp_unit + } + } + } +- *pname = name; + return TRUE; + } + +@@ -3346,6 +3345,7 @@ scan_unit_for_symbols (struct comp_unit + break; + + case DW_AT_decl_file: ++ free (func->file); + func->file = concat_filename (unit->line_table, + attr.u.val); + break; +@@ -3368,6 +3368,7 @@ scan_unit_for_symbols (struct comp_unit + break; + + case DW_AT_decl_file: ++ free (var->file); + var->file = concat_filename (unit->line_table, + attr.u.val); + break; From patchwork Tue Apr 23 07:34:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: virendra thakur X-Patchwork-Id: 42774 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C2B7C04FF8 for ; Tue, 23 Apr 2024 07:35:20 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web10.13169.1713857717288143988 for ; Tue, 23 
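Review bot: the `free (*filename_ptr)` added before `*filename_ptr = concat_filename (...)` in find_abstract_instance, and the `free (func->file)` / `free (var->file)` added in scan_unit_for_symbols, are only safe if those pointers are always NULL or a malloc'd string when the DW_AT_decl_file case runs; the callers and the struct allocation are not in these hunks, and the Canonical note says the `if` guard upstream added via PR28691 was dropped from the scan_unit_for_symbols hunks. Please confirm for 2.34 that func and var come from zeroed allocations and that every find_abstract_instance call site starts with *filename_ptr == NULL (the DW_AT_specification case recurses and passes filename_ptr straight through), and record that in the patch header; otherwise the leak fix becomes a free of an indeterminate pointer. The same applies to *pname: with the `name` temp and the final `*pname = name` removed, the `*pname == NULL` test in the DW_AT_name case relies on the caller initialising it. Minor style: the ` ---` separator and diffstat lines are indented by one space inside the DEP-3 Description block, and this patch is inserted mid-list in SRC_URI (after CVE-2022-48063.patch) while 1/4 and 2/4 append at the end of the list.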
From: virendra thakur To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com Subject: [OE-core][dunfell][PATCH 4/4] binutils: Mark CVE-2022-47673 as patch Date: Tue, 23 Apr 2024 13:04:42 +0530 Message-Id: <20240423073442.48274-4-virendrak@kpit.com> In-Reply-To: <20240423073442.48274-1-virendrak@kpit.com> References: <20240423073442.48274-1-virendrak@kpit.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198609 the fix for this issue seems to be the same as the one for the issue described by CVE-2023-25584. Reference: https://ubuntu.com/security/CVE-2022-47673 Signed-off-by: virendra thakur --- meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch index 732ea43210..f85e9c08de 100644 --- a/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch +++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -1,6 +1,7 @@ -CVE: CVE-2023-25584 +CVE: CVE-2023-25584 CVE-2022-47673 Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ] Signed-off-by: Lee Chee Yang +Signed-off-by: Virendra Thakur [Ubuntu note: this is backport of the original patch, no major changes just fix this patch for this release]
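Review bot: `CVE: CVE-2023-25584 CVE-2022-47673` is parsed by cve-check as two space-separated IDs on one CVE: line, so the tagging mechanics are fine; what the hunk lacks is the justification. The commit message only says the fix "seems to be" the same, so either the patch header or the commit message should name the upstream commit that the referenced Ubuntu page (https://ubuntu.com/security/CVE-2022-47673) attributes to CVE-2022-47673 and confirm whether it is the 77c225bdeb41 commit already cited in this file's Upstream-Status line; without that, a later reader cannot tell whether CVE-2022-47673 is fixed here or merely assumed to be. The added Signed-off-by is appropriate for a metadata-only change.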