binutils: Fix CVE-2022-48065

(From OE-Core rev: 860ecdbbf5cfd8737c914522af16dbc8bee0f72f) Signed-off-by: Sanjana <sanjanasanju1608@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-29 21:08:42 +01:00 · 2023-09-17 20:19:46 +05:30
parent cfc7247089
commit 2a7595f1c1
4 changed files with 271 additions and 0 deletions
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -56,5 +56,8 @@ SRC_URI = "\
     file://0023-CVE-2023-25585.patch \
     file://0026-CVE-2023-1972.patch \
     file://0025-CVE-2023-25588.patch \
+     file://0029-CVE-2022-48065-1.patch \
+     file://0029-CVE-2022-48065-2.patch \
+     file://0029-CVE-2022-48065-3.patch \
 "
 S  = "${WORKDIR}/git"
--- a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
@@ -0,0 +1,31 @@
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 29 Mar 2022 06:19:14 +0000 (+0200)
+Subject: bfd/Dwarf2: gas doesn't mangle names
+X-Git-Tag: binutils-2_39~1287
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09
+
+bfd/Dwarf2: gas doesn't mangle names
+
+Include the language identifier emitted by gas in the set of ones where
+no mangled names are expected. Even if there could be "hand-mangled"
+names, gas doesn't emit DW_AT_linkage_name in the first place.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09]    
+
+CVE: CVE-2022-48065 
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 8cd0ce9d425..9aa4e955a5e 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -1441,6 +1441,7 @@ non_mangled (int lang)
+     case DW_LANG_PLI:
+     case DW_LANG_UPC:
+     case DW_LANG_C11:
+    case DW_LANG_Mips_Assembler:
+       return true;
+     }
+ }
--- a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
@@ -0,0 +1,115 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 21 Sep 2022 05:15:44 +0000 (+0930)
+Subject: dwarf2.c: mangle_style
+X-Git-Tag: gdb-13-branchpoint~1165
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4
+
+dwarf2.c: mangle_style
+
+non_mangled incorrectly returned "true" for Ada.  Correct that, and
+add a few more non-mangled entries.  Return a value suitable for
+passing to cplus_demangle to control demangling.
+
+	* dwarf2.c: Include demangle.h.
+	(mangle_style): Rename from non_mangled.  Return DMGL_* value
+	to suit lang.  Adjust all callers.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index e7c12c3e9de..138cdbb00bb 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -32,6 +32,7 @@
+ #include "sysdep.h"
+ #include "bfd.h"
+ #include "libiberty.h"
+#include "demangle.h"
+ #include "libbfd.h"
+ #include "elf-bfd.h"
+ #include "dwarf2.h"
+@@ -1711,31 +1712,52 @@ read_attribute (struct attribute *    attr,
+   return info_ptr;
+ }
+ 
+-/* Return whether DW_AT_name will return the same as DW_AT_linkage_name
+-   for a function.  */
+/* Return mangling style given LANG.  */
+ 
+-static bool
+-non_mangled (int lang)
+static int
+mangle_style (int lang)
+ {
+   switch (lang)
+     {
+    case DW_LANG_Ada83:
+    case DW_LANG_Ada95:
+      return DMGL_GNAT;
+
+    case DW_LANG_C_plus_plus:
+    case DW_LANG_C_plus_plus_03:
+    case DW_LANG_C_plus_plus_11:
+    case DW_LANG_C_plus_plus_14:
+      return DMGL_GNU_V3;
+
+    case DW_LANG_Java:
+      return DMGL_JAVA;
+
+    case DW_LANG_D:
+      return DMGL_DLANG;
+
+    case DW_LANG_Rust:
+    case DW_LANG_Rust_old:
+      return DMGL_RUST;
+
+     default:
+-      return false;
+      return DMGL_AUTO;
+ 
+     case DW_LANG_C89:
+     case DW_LANG_C:
+-    case DW_LANG_Ada83:
+     case DW_LANG_Cobol74:
+     case DW_LANG_Cobol85:
+     case DW_LANG_Fortran77:
+     case DW_LANG_Pascal83:
+-    case DW_LANG_C99:
+-    case DW_LANG_Ada95:
+     case DW_LANG_PLI:
+    case DW_LANG_C99:
+     case DW_LANG_UPC:
+     case DW_LANG_C11:
+     case DW_LANG_Mips_Assembler:
+-      return true;
+    case DW_LANG_Upc:
+    case DW_LANG_HP_Basic91:
+    case DW_LANG_HP_IMacro:
+    case DW_LANG_HP_Assembler:
+      return 0;
+     }
+ }
+ 
+@@ -3599,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ 		  if (name == NULL && is_str_form (&attr))
+ 		    {
+ 		      name = attr.u.str;
+-		      if (non_mangled (unit->lang))
+		      if (mangle_style (unit->lang) == 0)
+ 			*is_linkage = true;
+ 		    }
+ 		  break;
+@@ -4095,7 +4117,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 		  if (func->name == NULL && is_str_form (&attr))
+ 		    {
+ 		      func->name = attr.u.str;
+-		      if (non_mangled (unit->lang))
+		      if (mangle_style (unit->lang) == 0)
+ 			func->is_linkage = true;
+ 		    }
+ 		  break;
--- a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch
@@ -0,0 +1,122 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 21 Dec 2022 11:10:12 +0000 (+1030)
+Subject: PR29925, Memory leak in find_abstract_instance
+X-Git-Tag: binutils-2_40~192
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a
+
+PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file.  This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+	PR 29925
+	* dwarf2.c (find_abstract_instance): Delete "name" variable.
+	Free *filename_ptr before assigning new file name.
+	(scan_unit_for_symbols): Similarly free func->file and
+	var->file before assigning.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0cd8152ee6e..b608afbc0cf 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit,
+   struct abbrev_info *abbrev;
+   uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  const char *name = NULL;
+ 
+   if (recur_count == 100)
+     {
+@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_name:
+ 		  /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ 		     over DW_AT_name.  */
+-		  if (name == NULL && is_str_form (&attr))
+		  if (*pname == NULL && is_str_form (&attr))
+ 		    {
+-		      name = attr.u.str;
+		      *pname = attr.u.str;
+ 		      if (mangle_style (unit->lang) == 0)
+ 			*is_linkage = true;
+ 		    }
+@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_specification:
+ 		  if (is_int_form (&attr)
+ 		      && !find_abstract_instance (unit, &attr, recur_count + 1,
+-						  &name, is_linkage,
+						  pname, is_linkage,
+ 						  filename_ptr, linenumber_ptr))
+ 		    return false;
+ 		  break;
+@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ 		     non-string forms into these attributes.  */
+ 		  if (is_str_form (&attr))
+ 		    {
+-		      name = attr.u.str;
+		      *pname = attr.u.str;
+ 		      *is_linkage = true;
+ 		    }
+ 		  break;
+@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit,
+ 		  if (!comp_unit_maybe_decode_line_info (unit))
+ 		    return false;
+ 		  if (is_int_form (&attr))
+-		    *filename_ptr = concat_filename (unit->line_table,
+-						     attr.u.val);
+		    {
+		      free (*filename_ptr);
+		      *filename_ptr = concat_filename (unit->line_table,
+						       attr.u.val);
+		    }
+ 		  break;
+ 		case DW_AT_decl_line:
+ 		  if (is_int_form (&attr))
+@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit,
+ 	    }
+ 	}
+     }
+-  *pname = name;
+   return true;
+ }
+ 
+@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_decl_file:
+ 		  if (is_int_form (&attr))
+-		    func->file = concat_filename (unit->line_table,
+-						  attr.u.val);
+		    {
+		      free (func->file);
+		      func->file = concat_filename (unit->line_table,
+						    attr.u.val);
+		    }
+ 		  break;
+ 
+ 		case DW_AT_decl_line:
+@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_decl_file:
+ 		  if (is_int_form (&attr))
+-		    var->file = concat_filename (unit->line_table,
+-						 attr.u.val);
+		    {
+		      free (var->file);
+		      var->file = concat_filename (unit->line_table,
+						   attr.u.val);
+		    }
+ 		  break;
+ 
+ 		case DW_AT_decl_line: