From 2a7595f1c13ac6cf60118bdb85aca5f038c349a2 Mon Sep 17 00:00:00 2001
From: Sanjana
Date: Sun, 17 Sep 2023 20:19:46 +0530
Subject: [PATCH] binutils: Fix CVE-2022-48065
(From OE-Core rev: 860ecdbbf5cfd8737c914522af16dbc8bee0f72f)
Signed-off-by: Sanjana
Signed-off-by: Steve Sakoman
---
 .../binutils/binutils-2.38.inc | 3 +
 .../binutils/0029-CVE-2022-48065-1.patch | 31 +++++
 .../binutils/0029-CVE-2022-48065-2.patch | 115 +++++++++++++++++
 .../binutils/0029-CVE-2022-48065-3.patch | 122 ++++++++++++++++++
 4 files changed, 271 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 5c3ff3d93a..3bcb0cabb8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -56,5 +56,8 @@ SRC_URI = "\
 file://0023-CVE-2023-25585.patch \
 file://0026-CVE-2023-1972.patch \
 file://0025-CVE-2023-25588.patch \
+ file://0029-CVE-2022-48065-1.patch \
+ file://0029-CVE-2022-48065-2.patch \
+ file://0029-CVE-2022-48065-3.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
new file mode 100644
index 0000000000..4642251f9b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
@@ -0,0 +1,31 @@
+From: Jan Beulich
+Date: Tue, 29 Mar 2022 06:19:14 +0000 (+0200)
+Subject: bfd/Dwarf2: gas doesn't mangle names
+X-Git-Tag: binutils-2_39~1287
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09
+
+bfd/Dwarf2: gas doesn't mangle names
+
+Include the language identifier emitted by gas in the set of ones where
+no mangled names are expected. Even if there could be "hand-mangled"
+names, gas doesn't emit DW_AT_linkage_name in the first place.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 8cd0ce9d425..9aa4e955a5e 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -1441,6 +1441,7 @@ non_mangled (int lang)
+ case DW_LANG_PLI:
+ case DW_LANG_UPC:
+ case DW_LANG_C11:
++ case DW_LANG_Mips_Assembler:
+ return true;
+ }
+ }
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
new file mode 100644
index 0000000000..8aa21f2716
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
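Review bot: The patch header tags this file with `CVE: CVE-2022-48065`, yet nothing in it touches the leak; it only adds `DW_LANG_Mips_Assembler` to non_mangled so that the `case DW_LANG_Mips_Assembler:` context line in 0029-CVE-2022-48065-2.patch applies, while the leak itself is fixed in 0029-CVE-2022-48065-3.patch. A reader of this file alone cannot tell that, so the header should say it; e.g. after the Upstream-Status line add `Prerequisite for 0029-CVE-2022-48065-2.patch, which expects this case label as context; the CVE-2022-48065 fix itself is in 0029-CVE-2022-48065-3.patch.` The same applies to the second patch of this series (the hunk ending on the following lines), whose mangle_style rename is what the third patch's `mangle_style (unit->lang) == 0` context lines depend on. The non_mangled function this modifies starts and ends outside the quoted hunk.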
@@ -0,0 +1,115 @@
+From: Alan Modra
+Date: Wed, 21 Sep 2022 05:15:44 +0000 (+0930)
+Subject: dwarf2.c: mangle_style
+X-Git-Tag: gdb-13-branchpoint~1165
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4
+
+dwarf2.c: mangle_style
+
+non_mangled incorrectly returned "true" for Ada. Correct that, and
+add a few more non-mangled entries. Return a value suitable for
+passing to cplus_demangle to control demangling.
+
+ * dwarf2.c: Include demangle.h.
+ (mangle_style): Rename from non_mangled. Return DMGL_* value
+ to suit lang. Adjust all callers.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index e7c12c3e9de..138cdbb00bb 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -32,6 +32,7 @@
+ #include "sysdep.h"
+ #include "bfd.h"
+ #include "libiberty.h"
++#include "demangle.h"
+ #include "libbfd.h"
+ #include "elf-bfd.h"
+ #include "dwarf2.h"
+@@ -1711,31 +1712,52 @@ read_attribute (struct attribute * attr,
+ return info_ptr;
+ }
+
+-/* Return whether DW_AT_name will return the same as DW_AT_linkage_name
+- for a function. */
++/* Return mangling style given LANG. */
+
+-static bool
+-non_mangled (int lang)
++static int
++mangle_style (int lang)
+ {
+ switch (lang)
+ {
++ case DW_LANG_Ada83:
++ case DW_LANG_Ada95:
++ return DMGL_GNAT;
++
++ case DW_LANG_C_plus_plus:
++ case DW_LANG_C_plus_plus_03:
++ case DW_LANG_C_plus_plus_11:
++ case DW_LANG_C_plus_plus_14:
++ return DMGL_GNU_V3;
++
++ case DW_LANG_Java:
++ return DMGL_JAVA;
++
++ case DW_LANG_D:
++ return DMGL_DLANG;
++
++ case DW_LANG_Rust:
++ case DW_LANG_Rust_old:
++ return DMGL_RUST;
++
+ default:
+- return false;
++ return DMGL_AUTO;
+
+ case DW_LANG_C89:
+ case DW_LANG_C:
+- case DW_LANG_Ada83:
+ case DW_LANG_Cobol74:
+ case DW_LANG_Cobol85:
+ case DW_LANG_Fortran77:
+ case DW_LANG_Pascal83:
+- case DW_LANG_C99:
+- case DW_LANG_Ada95:
+ case DW_LANG_PLI:
++ case DW_LANG_C99:
+ case DW_LANG_UPC:
+ case DW_LANG_C11:
+ case DW_LANG_Mips_Assembler:
+- return true;
++ case DW_LANG_Upc:
++ case DW_LANG_HP_Basic91:
++ case DW_LANG_HP_IMacro:
++ case DW_LANG_HP_Assembler:
++ return 0;
+ }
+ }
+
+@@ -3599,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ if (name == NULL && is_str_form (&attr))
+ {
+ name = attr.u.str;
+- if (non_mangled (unit->lang))
++ if (mangle_style (unit->lang) == 0)
+ *is_linkage = true;
+ }
+ break;
+@@ -4095,7 +4117,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ if (func->name == NULL && is_str_form (&attr))
+ {
+ func->name = attr.u.str;
+- if (non_mangled (unit->lang))
++ if (mangle_style (unit->lang) == 0)
+ func->is_linkage = true;
+ }
+ break;
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch
new file mode 100644
index 0000000000..35a658a22c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch
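Review bot: The replacement comment `/* Return mangling style given LANG. */` drops the contract the removed comment stated and that both callers in this same patch rely on: the `mangle_style (unit->lang) == 0` tests in find_abstract_instance and scan_unit_for_symbols treat 0 as "DW_AT_name already is the linkage name", every other listed language yields a DMGL_* value, and an unlisted language yields `DMGL_AUTO`. Suggest stating that above the function: `/* Return the DMGL_* style to hand to cplus_demangle for LANG, 0 when LANG never mangles names (so DW_AT_name doubles as the linkage name), or DMGL_AUTO when LANG is not known here.  */`. Because this is a backport onto binutils 2.38, it is also worth confirming that the 2.38 tree's include/dwarf2.def defines every enumerator used in the new groups (DW_LANG_Rust_old, DW_LANG_Upc, DW_LANG_HP_Basic91, DW_LANG_HP_IMacro, DW_LANG_HP_Assembler); the hunk cannot show that, and a missing one fails the build rather than any test. Both caller hunks are quoted mid-function; find_abstract_instance and scan_unit_for_symbols start and end outside them.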
@@ -0,0 +1,122 @@
+From: Alan Modra
+Date: Wed, 21 Dec 2022 11:10:12 +0000 (+1030)
+Subject: PR29925, Memory leak in find_abstract_instance
+X-Git-Tag: binutils-2_40~192
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a
+
+PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file. This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+ PR 29925
+ * dwarf2.c (find_abstract_instance): Delete "name" variable.
+ Free *filename_ptr before assigning new file name.
+ (scan_unit_for_symbols): Similarly free func->file and
+ var->file before assigning.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0cd8152ee6e..b608afbc0cf 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit,
+ struct abbrev_info *abbrev;
+ uint64_t die_ref = attr_ptr->u.val;
+ struct attribute attr;
+- const char *name = NULL;
+
+ if (recur_count == 100)
+ {
+@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit,
+ case DW_AT_name:
+ /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ over DW_AT_name. */
+- if (name == NULL && is_str_form (&attr))
++ if (*pname == NULL && is_str_form (&attr))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ if (mangle_style (unit->lang) == 0)
+ *is_linkage = true;
+ }
+@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit,
+ case DW_AT_specification:
+ if (is_int_form (&attr)
+ && !find_abstract_instance (unit, &attr, recur_count + 1,
+- &name, is_linkage,
++ pname, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return false;
+ break;
+@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ non-string forms into these attributes. */
+ if (is_str_form (&attr))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ *is_linkage = true;
+ }
+ break;
+@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit,
+ if (!comp_unit_maybe_decode_line_info (unit))
+ return false;
+ if (is_int_form (&attr))
+- *filename_ptr = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (*filename_ptr);
++ *filename_ptr = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+ case DW_AT_decl_line:
+ if (is_int_form (&attr))
+@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit,
+ }
+ }
+ }
+- *pname = name;
+ return true;
+ }
+
+@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_decl_file:
+ if (is_int_form (&attr))
+- func->file = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (func->file);
++ func->file = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+
+ case DW_AT_decl_line:
+@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_decl_file:
+ if (is_int_form (&attr))
+- var->file = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (var->file);
++ var->file = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+
+ case DW_AT_decl_line:
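Review bot: The new `free (*filename_ptr);` in the DW_AT_decl_file case, and likewise `free (func->file);` and `free (var->file);` in scan_unit_for_symbols, are only safe if the pointer is NULL or a live heap allocation each time the attribute loop runs; none of the hunks show where the callers initialise `*filename_ptr`, `func->file` or `var->file`, so that should be confirmed outside this patch, otherwise the leak becomes a free of an indeterminate pointer. The reason for the free — a DW_AT_specification handled earlier may already have supplied the file name before the DIE's own DW_AT_decl_file is seen — lives only in the commit message; a one-line comment above it, `/* A DW_AT_specification handled earlier may already have supplied a file name; release it so the later attribute wins without leaking (PR29925).  */`, would keep it with the code. Dropping the `name` temporary also makes the DW_AT_name case test `*pname == NULL`, so a name the caller passes in is now kept and a caller passing an uninitialised `*pname` would need the same check as the file pointers. find_abstract_instance and scan_unit_for_symbols both start and end outside the quoted hunks.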