@@ -61,5 +61,7 @@ SRC_URI = "\
file://0029-CVE-2022-48065-3.patch \
file://0030-CVE-2022-44840.patch \
file://0031-CVE-2022-47695.patch \
+ file://0032-CVE-2022-45703-1.patch \
+ file://0032-CVE-2022-45703-2.patch \
"
S = "${WORKDIR}/git"
new file mode 100644
@@ -0,0 +1,146 @@
+From 02c8847ad5686f77a842cdb395a41240445f90de Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 24 May 2022 09:32:14 +0930
+Subject: [PATCH] PR29169, invalid read displaying fuzzed .gdb_index
+
+ PR 29169
+ * dwarf.c (display_gdb_index): Combine sanity checks. Calculate
+ element counts, not word counts.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636]
+
+CVE: CVE-2022-45703
+
+Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+---
+ binutils/dwarf.c | 80 +++++++++++++-----------------------------------
+ 1 file changed, 22 insertions(+), 58 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 2d151c60817..5e802ac78cd 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -10463,7 +10463,7 @@ display_gdb_index (struct dwarf_section *section,
+ uint32_t cu_list_offset, tu_list_offset;
+ uint32_t address_table_offset, symbol_table_offset, constant_pool_offset;
+ unsigned int cu_list_elements, tu_list_elements;
+- unsigned int address_table_size, symbol_table_slots;
++ unsigned int address_table_elements, symbol_table_slots;
+ unsigned char *cu_list, *tu_list;
+ unsigned char *address_table, *symbol_table, *constant_pool;
+ unsigned int i;
+@@ -10511,48 +10511,19 @@ display_gdb_index (struct dwarf_section *section,
+ || tu_list_offset > section->size
+ || address_table_offset > section->size
+ || symbol_table_offset > section->size
+- || constant_pool_offset > section->size)
++ || constant_pool_offset > section->size
++ || tu_list_offset < cu_list_offset
++ || address_table_offset < tu_list_offset
++ || symbol_table_offset < address_table_offset
++ || constant_pool_offset < symbol_table_offset)
+ {
+ warn (_("Corrupt header in the %s section.\n"), section->name);
+ return 0;
+ }
+
+- /* PR 17531: file: 418d0a8a. */
+- if (tu_list_offset < cu_list_offset)
+- {
+- warn (_("TU offset (%x) is less than CU offset (%x)\n"),
+- tu_list_offset, cu_list_offset);
+- return 0;
+- }
+-
+- cu_list_elements = (tu_list_offset - cu_list_offset) / 8;
+-
+- if (address_table_offset < tu_list_offset)
+- {
+- warn (_("Address table offset (%x) is less than TU offset (%x)\n"),
+- address_table_offset, tu_list_offset);
+- return 0;
+- }
+-
+- tu_list_elements = (address_table_offset - tu_list_offset) / 8;
+-
+- /* PR 17531: file: 18a47d3d. */
+- if (symbol_table_offset < address_table_offset)
+- {
+- warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"),
+- symbol_table_offset, address_table_offset);
+- return 0;
+- }
+-
+- address_table_size = symbol_table_offset - address_table_offset;
+-
+- if (constant_pool_offset < symbol_table_offset)
+- {
+- warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"),
+- constant_pool_offset, symbol_table_offset);
+- return 0;
+- }
+-
++ cu_list_elements = (tu_list_offset - cu_list_offset) / 16;
++ tu_list_elements = (address_table_offset - tu_list_offset) / 24;
++ address_table_elements = (symbol_table_offset - address_table_offset) / 20;
+ symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8;
+
+ cu_list = start + cu_list_offset;
+@@ -10561,31 +10532,25 @@ display_gdb_index (struct dwarf_section *section,
+ symbol_table = start + symbol_table_offset;
+ constant_pool = start + constant_pool_offset;
+
+- if (address_table_offset + address_table_size > section->size)
+- {
+- warn (_("Address table extends beyond end of section.\n"));
+- return 0;
+- }
+-
+ printf (_("\nCU table:\n"));
+- for (i = 0; i < cu_list_elements; i += 2)
++ for (i = 0; i < cu_list_elements; i++)
+ {
+- uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8);
+- uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8);
++ uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8);
++ uint64_t cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8);
+
+- printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2,
++ printf (_("[%3u] 0x%lx - 0x%lx\n"), i,
+ (unsigned long) cu_offset,
+ (unsigned long) (cu_offset + cu_length - 1));
+ }
+
+ printf (_("\nTU table:\n"));
+- for (i = 0; i < tu_list_elements; i += 3)
++ for (i = 0; i < tu_list_elements; i++)
+ {
+- uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8);
+- uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8);
+- uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8);
++ uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8);
++ uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8);
++ uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8);
+
+- printf (_("[%3u] 0x%lx 0x%lx "), i / 3,
++ printf (_("[%3u] 0x%lx 0x%lx "), i,
+ (unsigned long) tu_offset,
+ (unsigned long) type_offset);
+ print_dwarf_vma (signature, 8);
+@@ -10593,12 +10558,11 @@ display_gdb_index (struct dwarf_section *section,
+ }
+
+ printf (_("\nAddress table:\n"));
+- for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4);
+- i += 2 * 8 + 4)
++ for (i = 0; i < address_table_elements; i++)
+ {
+- uint64_t low = byte_get_little_endian (address_table + i, 8);
+- uint64_t high = byte_get_little_endian (address_table + i + 8, 8);
+- uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4);
++ uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
++ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
++ uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
+
+ print_dwarf_vma (low, 8);
+ print_dwarf_vma (high, 8);
new file mode 100644
@@ -0,0 +1,31 @@
+From 37a35dc3c13957a55d83350a28279a9ea4218648 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 18 Nov 2022 11:29:13 +1030
+Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index
+ dwarf.c:10548
+
+ PR 29799
+ * dwarf.c (display_gdb_index): Typo fix.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=69bfd1759db41c8d369f9dcc98a135c5a5d97299]
+
+CVE: CVE-2022-45703
+
+Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+---
+ binutils/dwarf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 5e802ac78cd..a6a33b29c80 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -10562,7 +10562,7 @@ display_gdb_index (struct dwarf_section *section,
+ {
+ uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
+ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
+- uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
++ uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4);
+
+ print_dwarf_vma (low, 8);
+ print_dwarf_vma (high, 8);
Upstream-Status: Backport following * https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636 * https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=69bfd1759db41c8d369f9dcc98a135c5a5d97299 Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> --- .../binutils/binutils-2.38.inc | 2 + .../binutils/0032-CVE-2022-45703-1.patch | 146 ++++++++++++++++++ .../binutils/0032-CVE-2022-45703-2.patch | 31 ++++ 3 files changed, 179 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0032-CVE-2022-45703-1.patch create mode 100644 meta/recipes-devtools/binutils/binutils/0032-CVE-2022-45703-2.patch