On Sun, May 14, 2023 at 7:58 PM Deepthi Hemraj <[email protected]> wrote:
>
> Upstream-Status:
> Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
>
> CVE: CVE-2023-25588
>
> Signed-off-by: Deepthi Hemraj <[email protected]>
> ---
> .../binutils/binutils-2.38.inc | 7 +-
> .../binutils/0028-CVE-2023-25588.patch | 147 ++++++++++++++++++
> 2 files changed, 148 insertions(+), 6 deletions(-)
> create mode 100644
> meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc
> b/meta/recipes-devtools/binutils/binutils-2.38.inc
> index 5c3ff3d93a..e51c65d638 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.38.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
> @@ -50,11 +50,6 @@ SRC_URI = "\
> file://0021-CVE-2023-1579-2.patch \
> file://0021-CVE-2023-1579-3.patch \
> file://0021-CVE-2023-1579-4.patch \
> - file://0022-CVE-2023-25584-1.patch \
> - file://0022-CVE-2023-25584-2.patch \
> - file://0022-CVE-2023-25584-3.patch \
> - file://0023-CVE-2023-25585.patch \
> - file://0026-CVE-2023-1972.patch \
> - file://0025-CVE-2023-25588.patch \
> + file://0028-CVE-2023-25588.patch \
I can't make sense of what you are trying to accomplish with this
patch! We already have a patch for CVE-2023-25588. And you don't
explain why you are removing the patches for 3 other CVEs.
Steve
> "
> S = "${WORKDIR}/git"
> diff --git
> a/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
> b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
> new file mode 100644
> index 0000000000..c019004a02
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2023-25588.patch
> @@ -0,0 +1,147 @@
> +From: Alan Modra <[email protected]>
> +Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030)
> +Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised
> +X-Git-Tag: gdb-13-branchpoint~871
> +X-Git-Url:
> https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
> +
> +PR29677, Field `the_bfd` of `asymbol` is uninitialised
> +
> +Besides not initialising the_bfd of synthetic symbols, counting
> +symbols when sizing didn't match symbols created if there were any
> +dynsyms named "". We don't want synthetic symbols without names
> +anyway, so get rid of them. Also, simplify and correct sanity checks.
> +
> + PR 29677
> + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
> +
> +Upstream-Status: Backport
> [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
> +
> +CVE: CVE-2023-25588
> +
> +Signed-off-by: Deepthi Hemraj <[email protected]>
> +
> +---
> +
> +diff --git a/bfd/mach-o.c b/bfd/mach-o.c
> +index acb35e7f0c6..5279343768c 100644
> +--- a/bfd/mach-o.c
> ++++ b/bfd/mach-o.c
> +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
> + bfd_mach_o_symtab_command *symtab = mdata->symtab;
> + asymbol *s;
> + char * s_start;
> +- char * s_end;
> + unsigned long count, i, j, n;
> + size_t size;
> + char *names;
> +- char *nul_name;
> + const char stub [] = "$stub";
> +
> + *ret = NULL;
> +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
> + /* We need to allocate a bfd symbol for every indirect symbol and to
> + allocate the memory for its name. */
> + count = dysymtab->nindirectsyms;
> +- size = count * sizeof (asymbol) + 1;
> +-
> ++ size = 0;
> + for (j = 0; j < count; j++)
> + {
> +- const char * strng;
> + unsigned int isym = dysymtab->indirect_syms[j];
> ++ const char *str;
> +
> + /* Some indirect symbols are anonymous. */
> +- if (isym < symtab->nsyms && (strng =
> symtab->symbols[isym].symbol.name))
> +- /* PR 17512: file: f5b8eeba. */
> +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) +
> sizeof (stub);
> ++ if (isym < symtab->nsyms
> ++ && (str = symtab->symbols[isym].symbol.name) != NULL)
> ++ {
> ++ /* PR 17512: file: f5b8eeba. */
> ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
> ++ size += sizeof (stub);
> ++ }
> + }
> +
> +- s_start = bfd_malloc (size);
> ++ s_start = bfd_malloc (size + count * sizeof (asymbol));
> + s = *ret = (asymbol *) s_start;
> + if (s == NULL)
> + return -1;
> + names = (char *) (s + count);
> +- nul_name = names;
> +- *names++ = 0;
> +- s_end = s_start + size;
> +
> + n = 0;
> + for (i = 0; i < mdata->nsects; i++)
> +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
> + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
> +
> + /* PR 17512: file: 08e15eec. */
> +- if (first >= count || last >= count || first > last)
> ++ if (first >= count || last > count || first > last)
> + goto fail;
> +
> + for (j = first; j < last; j++)
> + {
> + unsigned int isym = dysymtab->indirect_syms[j];
> +-
> +- /* PR 17512: file: 04d64d9b. */
> +- if (((char *) s) + sizeof (* s) > s_end)
> +- goto fail;
> +-
> +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
> +- s->section = sec->bfdsection;
> +- s->value = addr - sec->addr;
> +- s->udata.p = NULL;
> ++ const char *str;
> ++ size_t len;
> +
> + if (isym < symtab->nsyms
> +- && symtab->symbols[isym].symbol.name)
> ++ && (str = symtab->symbols[isym].symbol.name) != NULL)
> + {
> +- const char *sym = symtab->symbols[isym].symbol.name;
> +- size_t len;
> +-
> +- s->name = names;
> +- len = strlen (sym);
> +- /* PR 17512: file: 47dfd4d2. */
> +- if (names + len >= s_end)
> ++ /* PR 17512: file: 04d64d9b. */
> ++ if (n >= count)
> + goto fail;
> +- memcpy (names, sym, len);
> +- names += len;
> +- /* PR 17512: file: 18f340a4. */
> +- if (names + sizeof (stub) >= s_end)
> ++ len = strnlen (str, symtab->strsize - (str -
> symtab->strtab));
> ++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
> ++ if (size < len + sizeof (stub))
> + goto fail;
> +- memcpy (names, stub, sizeof (stub));
> +- names += sizeof (stub);
> ++ memcpy (names, str, len);
> ++ memcpy (names + len, stub, sizeof (stub));
> ++ s->name = names;
> ++ names += len + sizeof (stub);
> ++ size -= len + sizeof (stub);
> ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
> ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
> ++ s->section = sec->bfdsection;
> ++ s->value = addr - sec->addr;
> ++ s->udata.p = NULL;
> ++ s++;
> ++ n++;
> + }
> +- else
> +- s->name = nul_name;
> +-
> + addr += entry_size;
> +- s++;
> +- n++;
> + }
> + break;
> + default:
> --
> 2.34.1
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181261):
https://lists.openembedded.org/g/openembedded-core/message/181261
Mute This Topic: https://lists.openembedded.org/mt/98897943/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
