Re: [OE-core] [PATCH] binutils : CVE-2023-25584

2024-01-23 Thread Ashishx88
Hi Khem Raj / Richard,

Thanks for the input.
Will check the kirkstone branch.

Thanks,
Ashish

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194245): 
https://lists.openembedded.org/g/openembedded-core/message/194245
Mute This Topic: https://lists.openembedded.org/mt/103882398/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH] binutils : CVE-2023-25584

2024-01-22 Thread Ashishx88
Hi Khem Raj,

Thanks for the input.
Do I need to submit v3 with the space fixed?
Just trying to get an idea w.r.t. the process.

Thanks,

Ashish




Re: [OE-core] Inputs to share CVE patch for binutils CVE-2023-25584

2024-01-22 Thread Ashishx88
Hi Members,

I have submitted ver2 after locally checking with patchtest:
https://lists.openembedded.org/g/openembedded-core/message/194129
Any feedback will be helpful, as I can learn and look at some other CVE, as I
have some bandwidth this week.

Thanks,
Ashish




[OE-core] [PATCH v2] binutils: Add patch to fix CVE-2023-25584

2024-01-22 Thread Ashishx88
Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44]

CVE: CVE-2023-25584
Signed-off-by: Ashish Kumar Mishra 
---
 .../binutils/binutils-2.39.inc|   1 +
 .../binutils/0016-CVE-2023-25584.patch| 535 ++
 2 files changed, 536 insertions(+)
 create mode 100644 
meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.39.inc 
b/meta/recipes-devtools/binutils/binutils-2.39.inc
index 419571d56c..d57c97edcb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.39.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.39.inc
@@ -36,6 +36,7 @@ SRC_URI = "\
  file://0014-CVE-2022-38128-2.patch \
  file://0014-CVE-2022-38128-3.patch \
  file://0015-CVE-2022-4285.patch \
+ file://0016-CVE-2023-25584.patch \
 "
 S  = "${WORKDIR}/git"
 # Already in 2.39 branch
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch 
b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch
new file mode 100644
index 00..c19e1adb72
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch
@@ -0,0 +1,535 @@
+From 278ba66aa1d2f1a355940ae2c706ad804becda07 Mon Sep 17 00:00:00 2001
+From: Alan Modra 
+Date: Sun, 21 Jan 2024 20:10:49 +0530
+Subject: [PATCH] CVE-2023-25584
+
+Lack of bounds checking in vms-alpha.c parse_module
+
+   PR 29873
+   PR 29874
+   PR 29875
+   PR 29876
+   PR 29877
+   PR 29878
+   PR 29879
+   PR 29880
+   PR 29881
+   PR 29882
+   PR 29883
+   PR 29884
+   PR 29885
+   PR 29886
+   PR 29887
+   PR 29888
+   PR 29889
+   PR 29890
+   PR 29891
+   * vms-alpha.c (parse_module): Make length param bfd_size_type.
+   Delete length == -1 checks.  Sanity check record_length.
+   Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+   Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+   before accessing.
+   (build_module_list): Pass dst_section size to parse_modu
+
+Closes: CVE-2023-25584
+CVE: CVE-2023-25584
+
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44]
+
+Signed-off-by: Ashish Kumar Mishra 
+---
+ bfd/vms-alpha.c | 213 ++--
+ 1 file changed, 168 insertions(+), 45 deletions(-)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 5a867f71..9b0b2a51 100644
+--- a/bfd/vms-alpha.c
 b/bfd/vms-alpha.c
+@@ -4340,7 +4340,7 @@ new_module (bfd *abfd)
+ 
+ static bool
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+-int length)
++bfd_size_type length)
+ {
+   unsigned char *maxptr = ptr + length;
+   unsigned char *src_ptr, *pcl_ptr;
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned 
char *ptr,
+ return false;
+   module->line_table = curr_line;
+ 
+-  while (length == -1 || ptr < maxptr)
++  while (ptr + 3 < maxptr)
+ {
+   /* The first byte is not counted in the recorded length.  */
+   int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, 
unsigned char *ptr,
+ 
+   vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, 
rec_type));
+ 
+-  if (length == -1 && rec_type == DST__K_MODEND)
++  if (rec_length > maxptr - ptr)
++  break;
++  if (rec_type == DST__K_MODEND)
+   break;
+ 
+   switch (rec_type)
+   {
+   case DST__K_MODBEG:
++if (rec_length <= DST_S_B_MODBEG_NAME)
++  break;
+ module->name
+   = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+-  maxptr - (ptr + 
DST_S_B_MODBEG_NAME));
++  rec_length - DST_S_B_MODBEG_NAME);
+ 
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, 
unsigned char *ptr,
+ break;
+ 
+   case DST__K_RTNBEG:
++if (rec_length <= DST_S_B_RTNBEG_NAME)
++  break;
+ funcinfo = (struct funcinfo *)
+   bfd_zalloc (abfd, sizeof (struct funcinfo));
+ if (!funcinfo)
+   return false;
+ funcinfo->name
+   = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+-  maxptr - (ptr + 
DST_S_B_RTNBEG_NAME));
++  rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned 
char *ptr,
+ break;
+ 
+   case DST__K_RTNEND:
++if (rec_length <
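
Review bot: the changelog entry `(build_module_list): Pass dst_section size to parse_modu` in the embedded commit message is cut off mid-word; restore the full line from the upstream commit named in Upstream-Status. The Subject has also been reduced to `[PATCH] CVE-2023-25584`, with the upstream summary `Lack of bounds checking in vms-alpha.c parse_module` moved into the body; keeping that summary as the subject makes the backport easier to match against the original. With `CVE: CVE-2023-25584` now present, the `Closes: CVE-2023-25584` line above it is redundant.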

Re: [OE-core] Inputs to share CVE patch for binutils CVE-2023-25584

2024-01-22 Thread Ashishx88
Hi Khem Raj / Members,
- I have shared my first patch:
https://lists.openembedded.org/g/openembedded-core/message/194117
Can members please review this and help me improve any aspect of the patch if
required?

- Also, how do we know that the patch has been accepted and merged?
In BUGZILLA we generally get an intimation for the patch.

Thanks,
Ashish




[OE-core] [PATCH] binutils : CVE-2023-25584

2024-01-21 Thread Ashishx88
Closes: CVE-2023-25584

Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44]

Signed-off-by: Ashish Kumar Mishra 
---
 .../binutils/binutils-2.39.inc|   1 +
 .../binutils/0016-CVE-2023-25584.patch| 534 ++
 2 files changed, 535 insertions(+)
 create mode 100644 
meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.39.inc 
b/meta/recipes-devtools/binutils/binutils-2.39.inc
index 419571d56c..5b84ee1a8d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.39.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.39.inc
@@ -36,6 +36,7 @@ SRC_URI = "\
  file://0014-CVE-2022-38128-2.patch \
  file://0014-CVE-2022-38128-3.patch \
  file://0015-CVE-2022-4285.patch \
+file://0016-CVE-2023-25584.patch \
 "
 S  = "${WORKDIR}/git"
 # Already in 2.39 branch
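
Review bot: the added `+file://0016-CVE-2023-25584.patch \` entry has no leading whitespace, while the neighbouring SRC_URI entries such as `file://0015-CVE-2022-4285.patch \` are indented; indent the new line to match so the list stays aligned.
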
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch 
b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch
new file mode 100644
index 00..876322b75e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2023-25584.patch
@@ -0,0 +1,534 @@
+From 278ba66aa1d2f1a355940ae2c706ad804becda07 Mon Sep 17 00:00:00 2001
+From: Alan Modra 
+Date: Sun, 21 Jan 2024 20:10:49 +0530
+Subject: [PATCH] CVE-2023-25584
+
+Lack of bounds checking in vms-alpha.c parse_module
+
+   PR 29873
+   PR 29874
+   PR 29875
+   PR 29876
+   PR 29877
+   PR 29878
+   PR 29879
+   PR 29880
+   PR 29881
+   PR 29882
+   PR 29883
+   PR 29884
+   PR 29885
+   PR 29886
+   PR 29887
+   PR 29888
+   PR 29889
+   PR 29890
+   PR 29891
+   * vms-alpha.c (parse_module): Make length param bfd_size_type.
+   Delete length == -1 checks.  Sanity check record_length.
+   Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+   Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+   before accessing.
+   (build_module_list): Pass dst_section size to parse_modu
+
+Closes: CVE-2023-25584
+
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=77c225bdeb410cf60da804879ad41622f5f1aa44]
+
+Signed-off-by: Ashish Kumar Mishra 
+---
+ bfd/vms-alpha.c | 213 ++--
+ 1 file changed, 168 insertions(+), 45 deletions(-)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 5a867f71..9b0b2a51 100644
+--- a/bfd/vms-alpha.c
 b/bfd/vms-alpha.c
+@@ -4340,7 +4340,7 @@ new_module (bfd *abfd)
+ 
+ static bool
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+-int length)
++bfd_size_type length)
+ {
+   unsigned char *maxptr = ptr + length;
+   unsigned char *src_ptr, *pcl_ptr;
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned 
char *ptr,
+ return false;
+   module->line_table = curr_line;
+ 
+-  while (length == -1 || ptr < maxptr)
++  while (ptr + 3 < maxptr)
+ {
+   /* The first byte is not counted in the recorded length.  */
+   int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, 
unsigned char *ptr,
+ 
+   vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, 
rec_type));
+ 
+-  if (length == -1 && rec_type == DST__K_MODEND)
++  if (rec_length > maxptr - ptr)
++  break;
++  if (rec_type == DST__K_MODEND)
+   break;
+ 
+   switch (rec_type)
+   {
+   case DST__K_MODBEG:
++if (rec_length <= DST_S_B_MODBEG_NAME)
++  break;
+ module->name
+   = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+-  maxptr - (ptr + 
DST_S_B_MODBEG_NAME));
++  rec_length - DST_S_B_MODBEG_NAME);
+ 
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, 
unsigned char *ptr,
+ break;
+ 
+   case DST__K_RTNBEG:
++if (rec_length <= DST_S_B_RTNBEG_NAME)
++  break;
+ funcinfo = (struct funcinfo *)
+   bfd_zalloc (abfd, sizeof (struct funcinfo));
+ if (!funcinfo)
+   return false;
+ funcinfo->name
+   = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+-  maxptr - (ptr + 
DST_S_B_RTNBEG_NAME));
++  rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned 
char *ptr,
+ break;
+ 
+   case DST__K_RTNEND:
++if (rec_length < DST_S
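
Review bot: the embedded patch header carries `Closes: CVE-2023-25584` but no `CVE: CVE-2023-25584` tag line ahead of `Upstream-Status`; add the `CVE:` tag in the patch file itself, next to the Upstream-Status and Signed-off-by tags, so the fix is associated with the CVE identifier.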

[OE-core] Inputs to share CVE patch for binutils CVE-2023-25584

2024-01-21 Thread Ashishx88
Hi Members,

I am trying to submit a CVE patch, CVE-2023-25584, for binutils.
*This is my first patch in the community, so apologies if any basic info is missed.*

Can members please help me with the following:

1) Do I need to share only the specific CVE patch with the community,
or
a patch that updates meta/recipes-devtools/binutils/binutils-2.39.inc and the CVE
patch, both files being updated in the same patch?
(Currently this is what I have created.)

2) Is there any known place where I can share that I am looking at this CVE, so
we save effort duplication?

3) Can I share the patch as an attachment here, or do I need to send it via
"git send-email" only?
Currently I am facing some issue with git send-email at my end.

4) I have validated the patch for (langdale):
# devtool build binutils
# devtool build-image core-image-minimal
# bitbake binutils (after cleanall)
# bitbake core-image-minimal
Is there any other test I need to do to ensure the sanity?

Thanks,
Ashish.
