binutils: fix multiple cve

Fix below CVE's CVE-2022-47007 CVE-2022-47008 CVE-2022-47010 CVE-2022-47011 CVE-2022-48063 CVE-2022-47695 (From OE-Core rev: 873163936937a583278e3cd97c6226935f2faa0c) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-06-03 01:40:07 +00:00 · 2023-12-22 12:40:41 +05:30
parent 3433d043c7
commit 0aa12e4919
7 changed files with 273 additions and 0 deletions
@@ -56,5 +56,11 @@ SRC_URI = "\
     file://CVE-2023-25588.patch \
     file://CVE-2021-46174.patch \
     file://CVE-2023-25584.patch \
     file://CVE-2022-47007.patch \
     file://CVE-2022-47008.patch \
     file://CVE-2022-47010.patch \
     file://CVE-2022-47011.patch \
     file://CVE-2022-48063.patch \
     file://CVE-2022-47695.patch \
 "
 S  = "${WORKDIR}/git"
@@ -0,0 +1,32 @@
 From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
 From: Alan Modra <amodra@gmail.com>
 Date: Fri, 17 Jun 2022 09:00:41 +0930
 Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
 	PR 29254
 	* stabs.c (stab_demangle_v3_arg): Free dt on failure path.
 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
 CVE: CVE-2022-47007
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/stabs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/binutils/stabs.c b/binutils/stabs.c
 index 2b5241637c1..796ff85b86a 100644
 --- a/binutils/stabs.c
 +++ b/binutils/stabs.c
@@ -5476,7 +5476,10 @@
 					  dc->u.s_binary.right,
 					  &varargs);
 	if (pargs == NULL)
 -	  return NULL;
 +         {
 +           free (dt);
 +           return NULL;
 +         }
 	return debug_make_function_type (dhandle, dt, pargs, varargs);
       }
@@ -0,0 +1,64 @@
 From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
 From: Alan Modra <amodra@gmail.com>
 Date: Fri, 17 Jun 2022 09:13:38 +0930
 Subject: [PATCH] PR29255, memory leak in make_tempdir
 	PR 29255
 	* bucomm.c (make_tempdir, make_tempname): Free template on all
 	failure paths.
 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
 CVE: CVE-2022-47008
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/bucomm.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
 diff --git a/binutils/bucomm.c b/binutils/bucomm.c
 index fdc2209df9c..4395cb9f7f5 100644
 --- a/binutils/bucomm.c
 +++ b/binutils/bucomm.c
@@ -542,8 +542,9 @@
 #else
   tmpname = mktemp (tmpname);
   if (tmpname == NULL)
 -    return NULL;
 -  fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
 +    fd = -1;
 +  else
 +    fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
 #endif
   if (fd == -1)
     {
@@ -561,22 +562,23 @@
 make_tempdir (const char *filename)
 {
   char *tmpname = template_in_dir (filename);
 +  char *ret;
 #ifdef HAVE_MKDTEMP
 -  return mkdtemp (tmpname);
 +  ret = mkdtemp (tmpname);
 #else
 -  tmpname = mktemp (tmpname);
 -  if (tmpname == NULL)
 -    return NULL;
 +  ret = mktemp (tmpname);
 #if defined (_WIN32) && !defined (__CYGWIN32__)
   if (mkdir (tmpname) != 0)
 -    return NULL;
 +    ret = NULL;
 #else
   if (mkdir (tmpname, 0700) != 0)
 -    return NULL;
 +    ret = NULL;
 #endif
 -  return tmpname;
 #endif
 +  if (ret == NULL)
 +    free (tmpname);
 +  return ret;
 }
 /* Parse a string into a VMA, with a fatal error if it can't be
@@ -0,0 +1,34 @@
 From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
 From: Alan Modra <amodra@gmail.com>
 Date: Mon, 20 Jun 2022 10:39:31 +0930
 Subject: [PATCH] PR29262, memory leak in pr_function_type
 	PR 29262
 	* prdbg.c (pr_function_type): Free "s" on failure path.
 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
 CVE: CVE-2022-47010
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/prdbg.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
 diff --git a/binutils/prdbg.c b/binutils/prdbg.c
 index c1e41628d26..bb42a5b6c2d 100644
 --- a/binutils/prdbg.c
 +++ b/binutils/prdbg.c
@@ -778,12 +778,9 @@
   strcat (s, ")");
 -  if (! substitute_type (info, s))
 -    return FALSE;
 -
 +  bfd_boolean ret = substitute_type (info, s);
   free (s);
 -
 -  return TRUE;
 +  return ret;
 }
 /* Turn the top type on the stack into a reference to that type.  */
@@ -0,0 +1,31 @@
 From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
 From: Alan Modra <amodra@gmail.com>
 Date: Mon, 20 Jun 2022 10:39:13 +0930
 Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
 	PR 29261
 	* stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
 CVE: CVE-2022-47011
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/stabs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/binutils/stabs.c b/binutils/stabs.c
 index 796ff85b86a..bf3f578cbcc 100644
 --- a/binutils/stabs.c
 +++ b/binutils/stabs.c
@@ -2368,7 +2368,10 @@
       if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
 					 staticsp, p_end))
 -	return FALSE;
 +       {
 +         free (fields);
 +         return FALSE;
 +       }
       ++c;
     }
@@ -0,0 +1,57 @@
 From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
 From: Alan Modra <amodra@gmail.com>
 Date: Sun, 4 Dec 2022 22:15:40 +1030
 Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
 Fixes a fuzzed object file problem where plt relocs were manipulated
 in such a way that two synthetic symbols were generated at the same
 plt location.  Won't occur in real object files.
 	PR 29846
 	PR 20337
 	* objdump.c (compare_symbols): Test symbol flags to exclude
 	section and synthetic symbols before attempting to check flavour.
 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
 CVE: CVE-2022-47695
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/objdump.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
 diff --git a/binutils/objdump.c b/binutils/objdump.c
 index e8481b2d928..d95c8b68bf0 100644
 --- a/binutils/objdump.c
 +++ b/binutils/objdump.c
@@ -935,20 +935,17 @@
 	return 1;
     }
 -  if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
 +  /* Sort larger size ELF symbols before smaller.  See PR20337.  */
 +  bfd_vma asz = 0;
 +  if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
 +      && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
 +    asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
 +  bfd_vma bsz = 0;
 +  if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
       && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
 -    {
 -      bfd_vma asz, bsz;
 -
 -      asz = 0;
 -      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 -	asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
 -      bsz = 0;
 -      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 -	bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
 -      if (asz != bsz)
 -	return asz > bsz ? -1 : 1;
 -    }
 +    bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
 +  if (asz != bsz)
 +    return asz > bsz ? -1 : 1;
   /* Symbols that start with '.' might be section names, so sort them
      after symbols that don't start with '.'.  */
@@ -0,0 +1,49 @@
 From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
 From: Nick Clifton <nickc@redhat.com>
 Date: Wed, 21 Dec 2022 11:51:23 +0000
 Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
 memory when parsing a corrupt ELF file.
 	PR  29924
 	* objdump.c (load_specific_debug_section): Check for excessively
 	large sections.
 Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
 CVE: CVE-2022-48063
 Signed-off-by: Virendra Thakur <virendrak@kpit.com>
 Comment: Patch refreshed based on codebase.
 ---
 binutils/ChangeLog | 6 ++++++
 binutils/objdump.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 diff --git a/binutils/ChangeLog b/binutils/ChangeLog
 index e7f918d3f65..020e09f3700 100644
 --- a/binutils/ChangeLog
 +++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
 +2022-12-21  Nick Clifton  <nickc@redhat.com>
 +
 +	PR  29924
 +	* objdump.c (load_specific_debug_section): Check for excessively
 +	large sections.
 +
 2021-02-11  Alan Modra  <amodra@gmail.com>
 	   PR 27290
 diff --git a/binutils/objdump.c b/binutils/objdump.c
 index d51abbe3858..2eb02de0e76 100644
 --- a/binutils/objdump.c
 +++ b/binutils/objdump.c
@@ -3479,7 +3479,9 @@
   section->size = bfd_section_size (sec);
   /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
   alloced = amt = section->size + 1;
 -  if (alloced != amt || alloced == 0)
 +  if (alloced != amt
 +      || alloced == 0
 +      || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
     {
       section->start = NULL;
       free_debug_section (debug);