Re: [OE-core] [PATCH] binutils : CVE-2023-25584
Hi Khem Raj / Richard,

Thanks for input. Will check the kirkstone branch.

Thanks,
Ashish

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194245): https://lists.openembedded.org/g/openembedded-core/message/194245
Mute This Topic: https://lists.openembedded.org/mt/103882398/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] binutils : CVE-2023-25584
Hi Khem Raj,

Thanks for the input. Do I need to submit v3 with the space fixed? Just trying to get an idea w.r.t. the process.

Thanks,
Ashish

View/Reply Online (#194200): https://lists.openembedded.org/g/openembedded-core/message/194200
Re: [OE-core] Inputs to share CVE patch for binutils CVE-2023-25584
Hi Members,

I have submitted ver2 after locally checking with patchtest:
https://lists.openembedded.org/g/openembedded-core/message/194129

Any feedback will be helpful, as I can learn and look at some other CVE, as I have some bandwidth this week.

Thanks,
Ashish

View/Reply Online (#194176): https://lists.openembedded.org/g/openembedded-core/message/194176
[OE-core] [PATCH v2] binutils: Add patch to fix CVE-2023-25584
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44] CVE: CVE-2023-25584 Signed-off-by: Ashish Kumar Mishra --- .../binutils/binutils-2.39.inc| 1 + .../binutils/0016-CVE-2023-25584.patch| 535 ++ 2 files changed, 536 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.39.inc b/meta/recipes-devtools/binutils/binutils-2.39.inc index 419571d56c..d57c97edcb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.39.inc +++ b/meta/recipes-devtools/binutils/binutils-2.39.inc @@ -36,6 +36,7 @@ SRC_URI = "\ file://0014-CVE-2022-38128-2.patch \ file://0014-CVE-2022-38128-3.patch \ file://0015-CVE-2022-4285.patch \ + file://0016-CVE-2023-25584.patch \ " S = "${WORKDIR}/git" # Already in 2.39 branch diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch new file mode 100644 index 00..c19e1adb72 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch 
@@ -0,0 +1,535 @@ +From 278ba66aa1d2f1a355940ae2c706ad804becda07 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sun, 21 Jan 2024 20:10:49 +0530 +Subject: [PATCH] CVE-2023-25584 + +Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_modu + +Closes: CVE-2023-25584 +CVE: CVE-2023-25584 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44] + +Signed-off-by: Ashish Kumar Mishra +--- + bfd/vms-alpha.c | 213 ++-- + 1 file changed, 168 insertions(+), 45 deletions(-) + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 5a867f71..9b0b2a51 100644 +--- a/bfd/vms-alpha.c b/bfd/vms-alpha.c +@@ -4340,7 +4340,7 @@ new_module (bfd *abfd) + + static bool + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +-int length) ++bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || ptr < maxptr) ++ while (ptr + 3 < maxptr) + { + /* The first byte is not counted in the recorded length. 
*/ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNBEG: ++if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + if (!funcinfo) + return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++if (rec_length <
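Review bot: The commit message inside 0016-CVE-2023-25584.patch is cut off: its last ChangeLog line reads "(build_module_list): Pass dst_section size to parse_modu". Restore the full line from the upstream commit named in Upstream-Status. The header also pairs "From: Alan Modra" with "Date: Sun, 21 Jan 2024 20:10:49 +0530"; if that is the date of the backport rather than of the upstream commit, keep upstream's original Date so the header describes one commit. With "CVE: CVE-2023-25584" now present, the "Closes: CVE-2023-25584" line directly above it is redundant and can go.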
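Review bot: In the DST__K_RTNBEG case of the vms-alpha.c changes, the added guard compares rec_length only with DST_S_B_RTNBEG_NAME, while the same case also reads four bytes at ptr + DST_S_L_RTNBEG_ADDRESS with bfd_getl32. If the address field lies entirely below the name offset, the one check covers both reads and a short comment saying so would help the next reader; if not, that read needs its own length check. In the same region, rec_length stays an int while length becomes bfd_size_type, so "rec_length > maxptr - ptr" is a signed comparison that depends on the loop condition "ptr + 3 < maxptr" keeping maxptr - ptr positive. As this is a backport, raise either point upstream rather than diverging here, and confirm the hunks match the upstream commit.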
Re: [OE-core] Inputs to share CVE patch for binutils CVE-2023-25584
Hi Khem Raj / Members,

- Have shared my first patch:
  https://lists.openembedded.org/g/openembedded-core/message/194117
  Can members please review this and help me improve any aspect of the patch if required?
- Also, how do we know that the patch has been accepted and merged? In BUGZILLA we generally get an intimation for the patch.

Thanks,
Ashish

View/Reply Online (#194118): https://lists.openembedded.org/g/openembedded-core/message/194118
[OE-core] [PATCH] binutils : CVE-2023-25584
Closes: CVE-2023-25584 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44] Signed-off-by: Ashish Kumar Mishra --- .../binutils/binutils-2.39.inc| 1 + .../binutils/0016-CVE-2023-25584.patch| 534 ++ 2 files changed, 535 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.39.inc b/meta/recipes-devtools/binutils/binutils-2.39.inc index 419571d56c..5b84ee1a8d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.39.inc +++ b/meta/recipes-devtools/binutils/binutils-2.39.inc @@ -36,6 +36,7 @@ SRC_URI = "\ file://0014-CVE-2022-38128-2.patch \ file://0014-CVE-2022-38128-3.patch \ file://0015-CVE-2022-4285.patch \ +file://0016-CVE-2023-25584.patch \ " S = "${WORKDIR}/git" # Already in 2.39 branch diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch new file mode 100644 index 00..876322b75e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch 
@@ -0,0 +1,534 @@ +From 278ba66aa1d2f1a355940ae2c706ad804becda07 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sun, 21 Jan 2024 20:10:49 +0530 +Subject: [PATCH] CVE-2023-25584 + +Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_modu + +Closes: CVE-2023-25584 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44] + +Signed-off-by: Ashish Kumar Mishra +--- + bfd/vms-alpha.c | 213 ++-- + 1 file changed, 168 insertions(+), 45 deletions(-) + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 5a867f71..9b0b2a51 100644 +--- a/bfd/vms-alpha.c b/bfd/vms-alpha.c +@@ -4340,7 +4340,7 @@ new_module (bfd *abfd) + + static bool + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +-int length) ++bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || ptr < maxptr) ++ while (ptr + 3 < maxptr) + { + /* The first byte is not counted in the recorded length. 
*/ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNBEG: ++if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + if (!funcinfo) + return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++if (rec_length < DST_S
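Review bot: In the binutils-2.39.inc hunk the added SRC_URI entry starts at the first column ("+file://0016-CVE-2023-25584.patch \") while the entries around it are indented; indent it to match the neighbouring file:// lines. The subject "binutils : CVE-2023-25584" also does not say what the commit does; a form such as "binutils: Fix CVE-2023-25584" reads better in the log.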
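Review bot: The header of the embedded 0016-CVE-2023-25584.patch carries "Closes: CVE-2023-25584" and Upstream-Status but no "CVE: CVE-2023-25584" line. OE-core expects a "CVE:" tag in the header of a patch that fixes a CVE, next to Upstream-Status and Signed-off-by; add it there. The last ChangeLog line of that header is also cut off at "parse_modu" and should be restored from the upstream commit.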
[OE-core] Inputs to share CVE patch for binutils CVE-2023-25584
Hi Members,

I am trying to submit a CVE patch, CVE-2023-25584, for binutils.
*This is my first patch in the community, so apologies if any basic info is missed.*

Can members please help me with:

1) Do I need to share only the specific CVE patch with the community, or a patch with updates to meta/recipes-devtools/binutils/binutils-2.39.inc & CVE, both files being updated in the same patch? (Currently this is what I have created.)
2) Is there any known place where I can share that I am looking at this CVE, so we save effort duplication?
3) Can I share the patch as an attachment here, or do I need to send it via "git send-email" only? Currently I am facing some issue with git send-email at my end.
4) I have validated the patch for (langdale):
   # devtool build binutils
   # devtool build-image core-image-minimal
   # bitbake binutils (after cleanall)
   # bitbake core-image-minimal
   Is there any other test I need to do to ensure the sanity?

Thanks,
Ashish.

View/Reply Online (#194093): https://lists.openembedded.org/g/openembedded-core/message/194093