@@ -61,6 +61,7 @@ SRC_URI = "\
file://CVE-2022-47010.patch \
file://CVE-2022-47011.patch \
file://CVE-2022-48063.patch \
+ file://CVE-2022-48065.patch \
file://CVE-2022-47695.patch \
file://CVE-2022-44840.patch \
file://CVE-2022-45703-0.patch \
new file mode 100644
@@ -0,0 +1,115 @@
+From: Nick Galanis <nick.galanis@canonical.com>
+Subject: [SECURITY UPDATE] Memory leak in find_abstract_instance (CVE-2022-48065)
+Description:
+
+ Origin: backport, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a
+
+ [Canonical note: (nickgalanis) Minor backports were needed for almost every hunk
+ in order to apply to current code. Those backports do not change the functionality
+ of the code or alter the patch, whose goal is to not use the `name` var.
+ Moreover, in scan_unit_for_symbols(), the if statement originally present in the
+ patch was removed, as its introudction by PR28691 needed an intrusive backport
+ to apply. Again, the nature of the fix is not changed, as its goal is to free the
+ variables before their re-assignment, something that is being achieved]
+
+ From d28fbc7197ba0e021a43f873eff90b05dcdcff6a Mon Sep 17 00:00:00 2001
+ From: Alan Modra <amodra@gmail.com>
+ Date: Wed, 21 Dec 2022 21:40:12 +1030
+ Subject: [PATCH] PR29925, Memory leak in find_abstract_instance
+
+ The testcase in the PR had a variable with both DW_AT_decl_file and
+ DW_AT_specification, where the DW_AT_specification also specified
+ DW_AT_decl_file. This leads to a memory leak as the file name is
+ malloced and duplicates are not expected.
+
+ I've also changed find_abstract_instance to not use a temp for "name",
+ because that can result in a change in behaviour from the usual last
+ of duplicate attributes wins.
+
+ PR 29925
+ * dwarf2.c (find_abstract_instance): Delete "name" variable.
+ Free *filename_ptr before assigning new file name.
+ (scan_unit_for_symbols): Similarly free func->file and
+ var->file before assigning.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+ ---
+ bfd/dwarf2.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+Index: binutils-2.34/bfd/dwarf2.c
+===================================================================
+--- binutils-2.34.orig/bfd/dwarf2.c
++++ binutils-2.34/bfd/dwarf2.c
+@@ -2910,7 +2910,6 @@ find_abstract_instance (struct comp_unit
+ struct abbrev_info *abbrev;
+ bfd_uint64_t die_ref = attr_ptr->u.val;
+ struct attribute attr;
+- const char *name = NULL;
+
+ if (recur_count == 100)
+ {
+@@ -3077,16 +3076,16 @@ find_abstract_instance (struct comp_unit
+ case DW_AT_name:
+ /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ over DW_AT_name. */
+- if (name == NULL && is_str_attr (attr.form))
++ if (*pname == NULL && is_str_attr (attr.form))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ if (non_mangled (unit->lang))
+ *is_linkage = TRUE;
+ }
+ break;
+ case DW_AT_specification:
+ if (!find_abstract_instance (unit, &attr, recur_count + 1,
+- &name, is_linkage,
++ pname, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return FALSE;
+ break;
+@@ -3096,13 +3095,14 @@ find_abstract_instance (struct comp_unit
+ non-string forms into these attributes. */
+ if (is_str_attr (attr.form))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ *is_linkage = TRUE;
+ }
+ break;
+ case DW_AT_decl_file:
+ if (!comp_unit_maybe_decode_line_info (unit))
+ return FALSE;
++ free (*filename_ptr);
+ *filename_ptr = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
+@@ -3115,7 +3115,6 @@ find_abstract_instance (struct comp_unit
+ }
+ }
+ }
+- *pname = name;
+ return TRUE;
+ }
+
+@@ -3346,6 +3345,7 @@ scan_unit_for_symbols (struct comp_unit
+ break;
+
+ case DW_AT_decl_file:
++ free (func->file);
+ func->file = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
+@@ -3368,6 +3368,7 @@ scan_unit_for_symbols (struct comp_unit
+ break;
+
+ case DW_AT_decl_file:
++ free (var->file);
+ var->file = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
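Review bot: The three `free()` calls added ahead of the `DW_AT_decl_file` assignments (`free (*filename_ptr)` in find_abstract_instance, `free (func->file)` and `free (var->file)` in scan_unit_for_symbols) are only safe if each pointer is always either NULL or a heap string owned solely by that slot, and nothing at these sites states that invariant. Duplicate `DW_AT_decl_file` attributes come from the DWARF of the file being read, so this path runs on untrusted input. If a caller passed an uninitialised `*filename_ptr`, or another structure still held the old pointer, the leak fix would become an invalid free or a dangling reference. Neither can be ruled out from the hunks shown, so the callers in the 2.34 tree are worth checking, particularly as the backport note says an `if` statement from the upstream patch was dropped in scan_unit_for_symbols. I would add a comment at the first site along the lines of `/* *filename_ptr is NULL or a malloc'd string owned here; free it so a duplicate DW_AT_decl_file does not leak.  */`; both functions begin and end outside these hunks.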
Add patch file to fix CVE-2022-48065 Reference: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/binutils/2.34-6ubuntu1.9/binutils_2.34-6ubuntu1.9.debian.tar.xz Signed-off-by: virendra thakur <virendrak@kpit.com> --- .../binutils/binutils-2.34.inc | 1 + .../binutils/binutils/CVE-2022-48065.patch | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48065.patch