binutils : Fix CVE-2022-38127

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=19c26da69d68d5d863f37c06ad73ab6292d02ffa] Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ec41dd75c866599fc03c390c6afb5736c159c0ff] Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f18acc9c4e5d18f4783f3a7d59e3ec95d7af0199] Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e98e7d9a70dcc987bff0e925f20b78cd4a2979ed] (From OE-Core rev: e384b754eb0223928c239db42ece93c06dce6daa) Signed-off-by: pgowda <pgowda.cve@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-29 21:08:42 +01:00 · 2022-09-29 12:45:14 +05:30
parent c615d00a36
commit 401ced2671
5 changed files with 1670 additions and 0 deletions
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -35,5 +35,9 @@ SRC_URI = "\
     file://0014-CVE-2019-1010204.patch \
     file://0015-CVE-2022-38533.patch \
     file://0016-CVE-2022-38126.patch \
+     file://0017-CVE-2022-38127-1.patch \
+     file://0017-CVE-2022-38127-2.patch \
+     file://0017-CVE-2022-38127-3.patch \
+     file://0017-CVE-2022-38127-4.patch \
 "
 S  = "${WORKDIR}/git"
--- a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-1.patch
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-1.patch
--- a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-2.patch
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-2.patch
@@ -0,0 +1,188 @@
+From ec41dd75c866599fc03c390c6afb5736c159c0ff Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 21 Jun 2022 16:37:27 +0100
+Subject: [PATCH] Binutils support for dwarf-5 (location and range lists
+ related)
+
+	* dwarf.h (struct debug_info): Add rnglists_base field.
+	* dwarf.c (read_and_display_attr_value): Read attribute DW_AT_rnglists_base.
+	(display_debug_rnglists_list): While handling DW_RLE_base_addressx,
+  	DW_RLE_startx_endx, DW_RLE_startx_length items, pass the proper parameter
+	value to fetch_indexed_addr(), i.e. fetch the proper entry in .debug_addr section.
+	(display_debug_ranges): Add rnglists_base to the .debug_rnglists base address.
+	(load_separate_debug_files): Load .debug_addr section, if exists.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ec41dd75c866599fc03c390c6afb5736c159c0ff]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/ChangeLog | 10 +++++++++
+ binutils/dwarf.c   | 53 ++++++++++++++++++++++++++++++++++------------
+ binutils/dwarf.h   |  1 +
+ 3 files changed, 51 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index cb2523af1f3..30b64ac68a8 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -2812,7 +2812,12 @@ read_and_display_attr_value (unsigned lo
+ 		  dwarf_vmatoa ("x", debug_info_p->cu_offset));
+ 	  debug_info_p->loclists_base = uvalue;
+ 	  break;
+-
+	case DW_AT_rnglists_base:
+	  if (debug_info_p->rnglists_base)
+	    warn (_("CU @ 0x%s has multiple rnglists_base values"),
+	          dwarf_vmatoa ("x", debug_info_p->cu_offset));
+	  debug_info_p->rnglists_base = uvalue;
+	  break;
+ 	case DW_AT_frame_base:
+ 	  have_frame_base = 1;
+ 	  /* Fall through.  */
+@@ -3303,6 +3308,7 @@ read_and_display_attr_value (unsigned lo
+       /* Fall through.  */
+     case DW_AT_location:
+     case DW_AT_loclists_base:
+    case DW_AT_rnglists_base:
+     case DW_AT_string_length:
+     case DW_AT_return_addr:
+     case DW_AT_data_member_location:
+@@ -3322,7 +3328,10 @@ read_and_display_attr_value (unsigned lo
+ 	   && (form == DW_FORM_data4 || form == DW_FORM_data8))
+ 	  || form == DW_FORM_sec_offset
+ 	  || form == DW_FORM_loclistx)
+-	printf (_(" (location list)"));
+	{
+	  if (attribute != DW_AT_rnglists_base)
+	    printf (_(" (location list)"));
+	}
+       /* Fall through.  */
+     case DW_AT_allocated:
+     case DW_AT_associated:
+@@ -3809,6 +3818,7 @@ process_debug_info (struct dwarf_section
+ 	  debug_information [unit].range_lists = NULL;
+ 	  debug_information [unit].max_range_lists= 0;
+ 	  debug_information [unit].num_range_lists = 0;
+	  debug_information [unit].rnglists_base = 0;
+ 	}
+ 
+       if (!do_loc && dwarf_start_die == 0)
+@@ -7932,9 +7942,16 @@ display_debug_rnglists_list (unsigned ch
+ 			     unsigned char * finish,
+ 			     unsigned int    pointer_size,
+ 			     dwarf_vma       offset,
+-			     dwarf_vma       base_address)
+			     dwarf_vma       base_address,
+			     unsigned int    offset_size)
+ {
+   unsigned char *next = start;
+  unsigned int debug_addr_section_hdr_len;
+
+  if (offset_size == 4)
+    debug_addr_section_hdr_len = 8;
+  else
+    debug_addr_section_hdr_len = 16;
+ 
+   while (1)
+     {
+@@ -7964,20 +7981,24 @@ display_debug_rnglists_list (unsigned ch
+ 	  READ_ULEB (base_address, start, finish);
+ 	  print_dwarf_vma (base_address, pointer_size);
+ 	  printf (_("(base address index) "));
+-	  base_address = fetch_indexed_addr (base_address, pointer_size);
+	  base_address = fetch_indexed_addr ((base_address * pointer_size)
+			                     + debug_addr_section_hdr_len, pointer_size);
+ 	  print_dwarf_vma (base_address, pointer_size);
+ 	  printf (_("(base address)\n"));
+ 	  break;
+ 	case DW_RLE_startx_endx:
+ 	  READ_ULEB (begin, start, finish);
+ 	  READ_ULEB (end, start, finish);
+-	  begin = fetch_indexed_addr (begin, pointer_size);
+-	  end   = fetch_indexed_addr (begin, pointer_size);
+	  begin = fetch_indexed_addr ((begin * pointer_size)
+			              + debug_addr_section_hdr_len, pointer_size);
+	  end   = fetch_indexed_addr ((begin * pointer_size)
+			              + debug_addr_section_hdr_len, pointer_size);
+ 	  break;
+ 	case DW_RLE_startx_length:
+ 	  READ_ULEB (begin, start, finish);
+ 	  READ_ULEB (length, start, finish);
+-	  begin = fetch_indexed_addr (begin, pointer_size);
+	  begin = fetch_indexed_addr ((begin * pointer_size)
+			              + debug_addr_section_hdr_len, pointer_size);
+ 	  end = begin + length;
+ 	  break;
+ 	case DW_RLE_offset_pair:
+@@ -8003,6 +8024,7 @@ display_debug_rnglists_list (unsigned ch
+ 	  rlet = DW_RLE_end_of_list;
+ 	  break;
+ 	}
+
+       if (rlet == DW_RLE_end_of_list)
+ 	break;
+       if (rlet == DW_RLE_base_address || rlet == DW_RLE_base_addressx)
+@@ -8043,6 +8065,7 @@ display_debug_ranges (struct dwarf_secti
+   /* Initialize it due to a false compiler warning.  */
+   unsigned char         address_size = 0;
+   dwarf_vma             last_offset = 0;
+  unsigned int          offset_size = 0;
+ 
+   if (bytes == 0)
+     {
+@@ -8054,10 +8077,10 @@ display_debug_ranges (struct dwarf_secti
+ 
+   if (is_rnglists)
+     {
+-      dwarf_vma initial_length;
+-      unsigned char segment_selector_size;
+-      unsigned int offset_size, offset_entry_count;
+-      unsigned short version;
+      dwarf_vma       initial_length;
+      unsigned char   segment_selector_size;
+      unsigned int    offset_entry_count;
+      unsigned short  version;
+ 
+       /* Get and check the length of the block.  */
+       SAFE_BYTE_GET_AND_INC (initial_length, start, 4, finish);
+@@ -8230,7 +8253,8 @@ display_debug_ranges (struct dwarf_secti
+ 		(unsigned long) offset, i);
+ 	  continue;
+ 	}
+-      next = section_begin + offset;
+
+      next = section_begin + offset + debug_info_p->rnglists_base;
+ 
+       /* If multiple DWARF entities reference the same range then we will
+          have multiple entries in the `range_entries' list for the same
+@@ -8262,7 +8286,7 @@ display_debug_ranges (struct dwarf_secti
+ 
+       if (is_rnglists)
+ 	display_debug_rnglists_list
+-	  (start, finish, pointer_size, offset, base_address);
+	  (start, finish, pointer_size, offset, base_address, offset_size);
+       else
+ 	display_debug_ranges_list
+ 	  (start, finish, pointer_size, offset, base_address);
+@@ -11911,6 +11935,9 @@ load_separate_debug_files (void * file,
+       && load_debug_section (abbrev, file)
+       && load_debug_section (info, file))
+     {
+      /* Load the .debug_addr section, if it exists.  */
+      load_debug_section (debug_addr, file);
+
+       free_dwo_info ();
+ 
+       if (process_debug_info (& debug_displays[info].section, file, abbrev,
+diff --git a/binutils/dwarf.h b/binutils/dwarf.h
+index 040e674c6ce..8a89c08e7c2 100644
+--- a/binutils/dwarf.h
+++ b/binutils/dwarf.h
+@@ -192,6 +192,7 @@ typedef struct
+   dwarf_vma *    range_lists;
+   unsigned int   num_range_lists;
+   unsigned int   max_range_lists;
+  dwarf_vma      rnglists_base;
+ }
+ debug_info;
+ 
--- a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-3.patch
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-3.patch
@@ -0,0 +1,211 @@
+From f18acc9c4e5d18f4783f3a7d59e3ec95d7af0199 Mon Sep 17 00:00:00 2001
+From: "Kumar N, Bhuvanendra" <Kavitha.Natarajan@amd.com>
+Date: Wed, 22 Jun 2022 17:07:25 +0100
+Subject: [PATCH] Binutils support for split-dwarf and dwarf-5
+
+	* dwarf.c (fetch_indexed_string): Added new parameter
+	str_offsets_base to calculate the string offset.
+	(read_and_display_attr_value): Read DW_AT_str_offsets_base
+	attribute.
+	(process_debug_info): While allocating memory and initializing
+	debug_information, do it for do_debug_info also, if its true.
+	(load_separate_debug_files): Load .debug_str_offsets if exists.
+	* dwarf.h (struct debug_info): Add str_offsets_base field.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f18acc9c4e5d18f4783f3a7d59e3ec95d7af0199]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/ChangeLog | 13 ++++++++++-
+ binutils/dwarf.c   | 57 ++++++++++++++++++++++++++++++++++------------
+ binutils/dwarf.h   |  1 +
+ 3 files changed, 56 insertions(+), 15 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f9c46cf54dd..d9a3144023c 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -687,8 +687,11 @@ fetch_indirect_line_string (dwarf_vma of
+ }
+ 
+ static const char *
+-fetch_indexed_string (dwarf_vma idx, struct cu_tu_set *this_set,
+-		      dwarf_vma offset_size, bool dwo)
+fetch_indexed_string (dwarf_vma           idx,
+		      struct cu_tu_set *  this_set,
+		      dwarf_vma           offset_size,
+		      bool                dwo,
+		      dwarf_vma           str_offsets_base)
+ {
+   enum dwarf_section_display_enum str_sec_idx = dwo ? str_dwo : str;
+   enum dwarf_section_display_enum idx_sec_idx = dwo ? str_index_dwo : str_index;
+@@ -776,7 +779,15 @@ fetch_indexed_string (dwarf_vma idx, str
+       return _("<index offset is too big>");
+     }
+ 
+-  str_offset = byte_get (curr + index_offset, offset_size);
+  if (str_offsets_base > 0)
+    {
+      if (offset_size == 8)
+        str_offsets_base -= 16;
+      else
+        str_offsets_base -= 8;
+    }
+
+  str_offset = byte_get (curr + index_offset + str_offsets_base, offset_size);
+   str_offset -= str_section->address;
+   if (str_offset >= str_section->size)
+     {
+@@ -2721,11 +2732,13 @@ read_and_display_attr_value (unsigned lo
+ 	    /* We have already displayed the form name.  */
+ 	    printf (_("%c(offset: 0x%s): %s"), delimiter,
+ 		    dwarf_vmatoa ("x", uvalue),
+-		    fetch_indexed_string (uvalue, this_set, offset_size, dwo));
+		    fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+	                                  debug_info_p->str_offsets_base));
+ 	  else
+ 	    printf (_("%c(indexed string: 0x%s): %s"), delimiter,
+ 		    dwarf_vmatoa ("x", uvalue),
+-		    fetch_indexed_string (uvalue, this_set, offset_size, dwo));
+		    fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+	                                  debug_info_p->str_offsets_base));
+ 	}
+       break;
+ 
+@@ -2800,7 +2813,7 @@ read_and_display_attr_value (unsigned lo
+       break;
+     }
+ 
+-  if ((do_loc || do_debug_loc || do_debug_ranges)
+  if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+       && num_debug_info_entries == 0
+       && debug_info_p != NULL)
+     {
+@@ -2818,6 +2831,13 @@ read_and_display_attr_value (unsigned lo
+ 	          dwarf_vmatoa ("x", debug_info_p->cu_offset));
+ 	  debug_info_p->rnglists_base = uvalue;
+ 	  break;
+	case DW_AT_str_offsets_base:
+	  if (debug_info_p->str_offsets_base)
+	    warn (_("CU @ 0x%s has multiple str_offsets_base values"),
+		  dwarf_vmatoa ("x", debug_info_p->cu_offset));
+	  debug_info_p->str_offsets_base = uvalue;
+	  break;
+
+ 	case DW_AT_frame_base:
+ 	  have_frame_base = 1;
+ 	  /* Fall through.  */
+@@ -2956,7 +2976,9 @@ read_and_display_attr_value (unsigned lo
+ 	      case DW_FORM_strx2:
+ 	      case DW_FORM_strx3:
+ 	      case DW_FORM_strx4:
+-		add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false), cu_offset);
+		add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false,
+		                                    debug_info_p->str_offsets_base),
+			      cu_offset);
+ 		break;
+ 	      case DW_FORM_string:
+ 		add_dwo_name ((const char *) orig_data, cu_offset);
+@@ -2988,7 +3010,9 @@ read_and_display_attr_value (unsigned lo
+ 	      case DW_FORM_strx2:
+ 	      case DW_FORM_strx3:
+ 	      case DW_FORM_strx4:
+-		add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false), cu_offset);
+		add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false,
+		                                   debug_info_p->str_offsets_base),
+			     cu_offset);
+ 		break;
+ 	      case DW_FORM_string:
+ 		add_dwo_dir ((const char *) orig_data, cu_offset);
+@@ -3309,6 +3333,7 @@ read_and_display_attr_value (unsigned lo
+     case DW_AT_location:
+     case DW_AT_loclists_base:
+     case DW_AT_rnglists_base:
+    case DW_AT_str_offsets_base:
+     case DW_AT_string_length:
+     case DW_AT_return_addr:
+     case DW_AT_data_member_location:
+@@ -3329,7 +3354,8 @@ read_and_display_attr_value (unsigned lo
+ 	  || form == DW_FORM_sec_offset
+ 	  || form == DW_FORM_loclistx)
+ 	{
+-	  if (attribute != DW_AT_rnglists_base)
+	  if (attribute != DW_AT_rnglists_base
+	      && attribute != DW_AT_str_offsets_base)
+ 	    printf (_(" (location list)"));
+ 	}
+       /* Fall through.  */
+@@ -3562,7 +3588,7 @@ process_debug_info (struct dwarf_section
+       return false;
+     }
+ 
+-  if ((do_loc || do_debug_loc || do_debug_ranges)
+  if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+       && num_debug_info_entries == 0
+       && ! do_types)
+     {
+@@ -3797,7 +3823,7 @@ process_debug_info (struct dwarf_section
+ 	  continue;
+ 	}
+ 
+-      if ((do_loc || do_debug_loc || do_debug_ranges)
+      if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+ 	  && num_debug_info_entries == 0
+ 	  && alloc_num_debug_info_entries > unit
+ 	  && ! do_types)
+@@ -3819,6 +3845,7 @@ process_debug_info (struct dwarf_section
+ 	  debug_information [unit].max_range_lists= 0;
+ 	  debug_information [unit].num_range_lists = 0;
+ 	  debug_information [unit].rnglists_base = 0;
+	  debug_information [unit].str_offsets_base = 0;
+ 	}
+ 
+       if (!do_loc && dwarf_start_die == 0)
+@@ -4089,7 +4116,7 @@ process_debug_info (struct dwarf_section
+ 
+   /* Set num_debug_info_entries here so that it can be used to check if
+      we need to process .debug_loc and .debug_ranges sections.  */
+-  if ((do_loc || do_debug_loc || do_debug_ranges)
+  if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+       && num_debug_info_entries == 0
+       && ! do_types)
+     {
+@@ -6237,7 +6264,7 @@ display_debug_macro (struct dwarf_sectio
+ 	      READ_ULEB (lineno, curr, end);
+ 	      READ_ULEB (offset, curr, end);
+ 	      string = (const unsigned char *)
+-		fetch_indexed_string (offset, NULL, offset_size, false);
+		fetch_indexed_string (offset, NULL, offset_size, false, 0);
+ 	      if (op == DW_MACRO_define_strx)
+ 		printf (" DW_MACRO_define_strx ");
+ 	      else
+@@ -7851,7 +7878,7 @@ display_debug_str_offsets (struct dwarf_
+ 	  SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, entries_end);
+ 	  if (dwo)
+ 	    string = (const unsigned char *)
+-	      fetch_indexed_string (idx, NULL, entry_length, dwo);
+	      fetch_indexed_string (idx, NULL, entry_length, dwo, 0);
+ 	  else
+ 	    string = fetch_indirect_string (offset);
+ 
+@@ -11937,6 +11964,8 @@ load_separate_debug_files (void * file,
+     {
+       /* Load the .debug_addr section, if it exists.  */
+       load_debug_section (debug_addr, file);
+      /* Load the .debug_str_offsets section, if it exists.  */
+      load_debug_section (str_index, file);
+ 
+       free_dwo_info ();
+ 
+diff --git a/binutils/dwarf.h b/binutils/dwarf.h
+index 8a89c08e7c2..adbf20f9a28 100644
+--- a/binutils/dwarf.h
+++ b/binutils/dwarf.h
+@@ -193,6 +193,7 @@ typedef struct
+   unsigned int   num_range_lists;
+   unsigned int   max_range_lists;
+   dwarf_vma      rnglists_base;
+  dwarf_vma      str_offsets_base;
+ }
+ debug_info;
+ 
--- a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-4.patch
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-4.patch
@@ -0,0 +1,43 @@
+From e98e7d9a70dcc987bff0e925f20b78cd4a2979ed Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Jun 2022 13:30:35 +0100
+Subject: [PATCH] Fix NULL pointer indirection when parsing corrupt DWARF data.
+
+	PR 29290
+	* dwarf.c (read_and_display_attr_value): Check that debug_info_p
+	is set before dereferencing it.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e98e7d9a70dcc987bff0e925f20b78cd4a2979ed]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c   | 11 +++++------
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index bcabb61b871..37b477b886d 100644
+--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
+@@ -2727,18 +2727,17 @@ read_and_display_attr_value (unsigned lo
+ 	{
+ 	  const char *suffix = strrchr (section->name, '.');
+ 	  bool dwo = suffix && strcmp (suffix, ".dwo") == 0;
+	  const char *strng;
+ 
+	  strng = fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+					debug_info_p ? debug_info_p->str_offsets_base : 0);
+ 	  if (do_wide)
+ 	    /* We have already displayed the form name.  */
+ 	    printf (_("%c(offset: 0x%s): %s"), delimiter,
+-		    dwarf_vmatoa ("x", uvalue),
+-		    fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+-	                                  debug_info_p->str_offsets_base));
+		    dwarf_vmatoa ("x", uvalue), strng);
+ 	  else
+ 	    printf (_("%c(indexed string: 0x%s): %s"), delimiter,
+-		    dwarf_vmatoa ("x", uvalue),
+-		    fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+-	                                  debug_info_p->str_offsets_base));
+		    dwarf_vmatoa ("x", uvalue), strng);
+ 	}
+       break;
+