@@ -59,5 +59,6 @@ SRC_URI = "\
file://0029-CVE-2022-48065-1.patch \
file://0029-CVE-2022-48065-2.patch \
file://0029-CVE-2022-48065-3.patch \
+ file://0030-CVE-2022-44840.patch \
"
S = "${WORKDIR}/git"
new file mode 100644
@@ -0,0 +1,151 @@
+From 56e74b51b905bf169315107a280b5c2632e13c07 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 30 Oct 2022 19:08:51 +1030
+Subject: [PATCH] Pool section entries for DWP version 1
+
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+
+Fuzzers have found a weakness in the code stashing pool section
+entries. With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator. Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer. Fix this by scanning the pool directly.
+
+binutils/
+ * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+ (end_cu_tu_entry): Likewise.
+ (process_cu_tu_index): Fill shndx_pool by directly scanning
+ pool, rather than indirectly from index entries.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=28750e3b967da2207d51cbce9fc8be262817ee59]
+
+CVE: CVE-2022-44840
+
+Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+---
+ binutils/dwarf.c | 90 ++++++++++++++++++++++--------------------------
+ 1 file changed, 41 insertions(+), 49 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f8fa2f68387..28b296f54dd 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -10705,22 +10705,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+- if (shndx_pool_used >= shndx_pool_size)
+- {
+- error (_("Internal error: out of space in the shndx pool.\n"));
+- return;
+- }
+ shndx_pool [shndx_pool_used++] = shndx;
+ }
+
+ static void
+ end_cu_tu_entry (void)
+ {
+- if (shndx_pool_used >= shndx_pool_size)
+- {
+- error (_("Internal error: out of space in the shndx pool.\n"));
+- return;
+- }
+ shndx_pool [shndx_pool_used++] = 0;
+ }
+
+@@ -10826,53 +10816,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+
+ if (version == 1)
+ {
++ unsigned char *shndx_list;
++ unsigned int shndx;
++
+ if (!do_display)
+- prealloc_cu_tu_list ((limit - ppool) / 4);
+- for (i = 0; i < nslots; i++)
+ {
+- unsigned char *shndx_list;
+- unsigned int shndx;
+-
+- SAFE_BYTE_GET (signature, phash, 8, limit);
+- if (signature != 0)
++ prealloc_cu_tu_list ((limit - ppool) / 4);
++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+ {
+- SAFE_BYTE_GET (j, pindex, 4, limit);
+- shndx_list = ppool + j * 4;
+- /* PR 17531: file: 705e010d. */
+- if (shndx_list < ppool)
+- {
+- warn (_("Section index pool located before start of section\n"));
+- return 0;
+- }
++ shndx = byte_get (shndx_list, 4);
++ add_shndx_to_cu_tu_entry (shndx);
++ }
++ end_cu_tu_entry ();
++ }
++ else
++ for (i = 0; i < nslots; i++)
++ {
++ SAFE_BYTE_GET (signature, phash, 8, limit);
++ if (signature != 0)
++ {
++ SAFE_BYTE_GET (j, pindex, 4, limit);
++ shndx_list = ppool + j * 4;
++ /* PR 17531: file: 705e010d. */
++ if (shndx_list < ppool)
++ {
++ warn (_("Section index pool located before start of section\n"));
++ return 0;
++ }
+
+- if (do_display)
+ printf (_(" [%3d] Signature: 0x%s Sections: "),
+ i, dwarf_vmatoa ("x", signature));
+- for (;;)
+- {
+- if (shndx_list >= limit)
+- {
+- warn (_("Section %s too small for shndx pool\n"),
+- section->name);
+- return 0;
+- }
+- SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+- if (shndx == 0)
+- break;
+- if (do_display)
++ for (;;)
++ {
++ if (shndx_list >= limit)
++ {
++ warn (_("Section %s too small for shndx pool\n"),
++ section->name);
++ return 0;
++ }
++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
++ if (shndx == 0)
++ break;
+ printf (" %d", shndx);
+- else
+- add_shndx_to_cu_tu_entry (shndx);
+- shndx_list += 4;
+- }
+- if (do_display)
++ shndx_list += 4;
++ }
+ printf ("\n");
+- else
+- end_cu_tu_entry ();
+- }
+- phash += 8;
+- pindex += 4;
+- }
++ }
++ phash += 8;
++ pindex += 4;
++ }
+ }
+ else if (version == 2)
+ {
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=28750e3b967da2207d51cbce9fc8be262817ee59] Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> --- .../binutils/binutils-2.38.inc | 1 + .../binutils/0030-CVE-2022-44840.patch | 151 ++++++++++++++++++ 2 files changed, 152 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch