Dunfell has reached end of life and we are no longer taking changes. The final build was done on April 15.
Steve On Tue, Apr 23, 2024 at 12:35 AM virendra thakur via lists.openembedded.org <thakur.virendra1810=gmail....@lists.openembedded.org> wrote: > > Add patch file to fix CVE-2022-44840 > > Reference: > https://answers.launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.8/binutils_2.34-6ubuntu1.8.debian.tar.xz > > Signed-off-by: virendra thakur <virend...@kpit.com> > --- > .../binutils/binutils-2.34.inc | 1 + > .../binutils/binutils/CVE-2022-44840.patch | 162 ++++++++++++++++++ > 2 files changed, 163 insertions(+) > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc > b/meta/recipes-devtools/binutils/binutils-2.34.inc > index 032263fe63..64f66a30a9 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.34.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc > @@ -62,5 +62,6 @@ SRC_URI = "\ > file://CVE-2022-47011.patch \ > file://CVE-2022-48063.patch \ > file://CVE-2022-47695.patch \ > + file://CVE-2022-44840.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch > new file mode 100644 > index 0000000000..288219871d > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-44840.patch 
> @@ -0,0 +1,162 @@ > +[Ubuntu note: commit af2ddf69ab85 is not included in this version of the > code, > + so adjustments had to be made to the 2nd hunk in order for it to apply > + cleanly and in order to have the added code match correct macro usage for > + this version of binutils (SAFE_BYTE_GET64 is called with signature_high and > + signature_low in this version of the code, but not in the added lines of the > + original patch). > + -- Camila Camargo de Matos <camila.camargodema...@canonical.com>] > + > +Origin: backport, > https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59 > + > +From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amo...@gmail.com> > +Date: Sun, 30 Oct 2022 19:08:51 +1030 > +Subject: [PATCH] Pool section entries for DWP version 1 > + > +Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3 > + > +Fuzzers have found a weakness in the code stashing pool section > +entries. With random nonsensical values in the index entries (rather > +than each index pointing to its own set distinct from other sets), > +it's possible to overflow the space allocated, losing the NULL > +terminator. Without a terminator, find_section_in_set can run off the > +end of the shndx_pool buffer. Fix this by scanning the pool directly. > + > +binutils/ > + * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check. > + (end_cu_tu_entry): Likewise. > + (process_cu_tu_index): Fill shndx_pool by directly scanning > + pool, rather than indirectly from index entries. 
> + > +Upstream-Status: Backport > [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59] > + > +CVE: CVE-2022-44840 > + > +Signed-off-by: Virendra Thakur <virend...@kpit.com> > +--- > + binutils/dwarf.c | 90 ++++++++++++++++++++++-------------------------- > + 1 file changed, 41 insertions(+), 49 deletions(-) > + > +Index: binutils-2.34/binutils/dwarf.c > +=================================================================== > +--- binutils-2.34.orig/binutils/dwarf.c > ++++ binutils-2.34/binutils/dwarf.c > +@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx > + static void > + add_shndx_to_cu_tu_entry (unsigned int shndx) > + { > +- if (shndx_pool_used >= shndx_pool_size) > +- { > +- error (_("Internal error: out of space in the shndx pool.\n")); > +- return; > +- } > + shndx_pool [shndx_pool_used++] = shndx; > + } > + > + static void > + end_cu_tu_entry (void) > + { > +- if (shndx_pool_used >= shndx_pool_size) > +- { > +- error (_("Internal error: out of space in the shndx pool.\n")); > +- return; > +- } > + shndx_pool [shndx_pool_used++] = 0; > + } > + > +@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio > + > + if (version == 1) > + { > ++ unsigned char *shndx_list; > ++ unsigned int shndx; > ++ > + if (!do_display) > +- prealloc_cu_tu_list ((limit - ppool) / 4); > +- for (i = 0; i < nslots; i++) > + { > +- unsigned char *shndx_list; > +- unsigned int shndx; > +- > +- SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit); > +- if (signature_high != 0 || signature_low != 0) > ++ prealloc_cu_tu_list ((limit - ppool) / 4); > ++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list > += 4) > + { > +- SAFE_BYTE_GET (j, pindex, 4, limit); > +- shndx_list = ppool + j * 4; > +- /* PR 17531: file: 705e010d. 
*/ > +- if (shndx_list < ppool) > +- { > +- warn (_("Section index pool located before start of > section\n")); > +- return 0; > +- } > +- > +- if (do_display) > ++ shndx = byte_get (shndx_list, 4); > ++ add_shndx_to_cu_tu_entry (shndx); > ++ } > ++ end_cu_tu_entry (); > ++ } > ++ else > ++ for (i = 0; i < nslots; i++) > ++ { > ++ SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit); > ++ if (signature_high != 0 || signature_low != 0) > ++ { > ++ SAFE_BYTE_GET (j, pindex, 4, limit); > ++ shndx_list = ppool + j * 4; > ++ /* PR 17531: file: 705e010d. */ > ++ if (shndx_list < ppool) > ++ { > ++ warn (_("Section index pool located before start of > section\n")); > ++ return 0; > ++ } > + printf (_(" [%3d] Signature: 0x%s Sections: "), > + i, dwarf_vmatoa64 (signature_high, signature_low, > + buf, sizeof (buf))); > +- for (;;) > +- { > +- if (shndx_list >= limit) > +- { > +- warn (_("Section %s too small for shndx pool\n"), > +- section->name); > +- return 0; > +- } > +- SAFE_BYTE_GET (shndx, shndx_list, 4, limit); > +- if (shndx == 0) > +- break; > +- if (do_display) > ++ for (;;) > ++ { > ++ if (shndx_list >= limit) > ++ { > ++ warn (_("Section %s too small for shndx pool\n"), > ++ section->name); > ++ return 0; > ++ } > ++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit); > ++ if (shndx == 0) > ++ break; > + printf (" %d", shndx); > +- else > +- add_shndx_to_cu_tu_entry (shndx); > +- shndx_list += 4; > +- } > +- if (do_display) > ++ shndx_list += 4; > ++ } > + printf ("\n"); > +- else > +- end_cu_tu_entry (); > +- } > +- phash += 8; > +- pindex += 4; > +- } > ++ } > ++ phash += 8; > ++ pindex += 4; > ++ } > + } > + else if (version == 2) > + { > -- > 2.25.1 > > > >
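Review bot: In the dwarf.c hunk at line 9454, `add_shndx_to_cu_tu_entry` and `end_cu_tu_entry` now store through `shndx_pool [shndx_pool_used++]` with no bound of their own, so nothing in the helpers stops a write past the pool if the reservation and the scan ever disagree. They stay in bounds only if `prealloc_cu_tu_list ((limit - ppool) / 4)` reserves at least as many slots as the new scan loop stores plus the terminator; that function's body is outside the hunk, so the sizing cannot be confirmed from here. I would record the invariant at the helpers, e.g. `/* Caller must have sized shndx_pool with prealloc_cu_tu_list; no bounds check is done here.  */`. The loop condition `shndx_list <= limit - 4` also forms a pointer before the section start when the section is shorter than 4 bytes, unless an earlier check outside the hunk rules that out; a size comparison such as `limit - shndx_list >= 4` would not depend on it.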