From patchwork Thu Dec 12 14:37:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yash Shinde X-Patchwork-Id: 53999 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A50E4E7717F for ; Thu, 12 Dec 2024 14:37:31 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.20999.1734014251480634363 for ; Thu, 12 Dec 2024 06:37:31 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=207616a842=yash.shinde@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4BC6brXS002193 for ; Thu, 12 Dec 2024 06:37:31 -0800 Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2040.outbound.protection.outlook.com [104.47.57.40]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 43cx1u5p98-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 12 Dec 2024 06:37:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=An+Fw8Zt/USh51kcOig5ym2EgLNFzkLr/OhUu6ld/ugQvhkRli14eIu8dqJANFW+sIAzv7jWXbeZe2IUtwFdXIJ0wOXO927VdZRF81TvMHw84Dbt50YHiMAOV25JJwCHx9I0oILbb7L5n3Jz6OLQ2vbElb9J30aACrZisPSt0vvToHmDuNWtOjypKrX1a1vCYm68ksnhrlqZTClrNmsA94b19byKMu1HcNJLihS6lo054UqkhXnwy9GyYgdQ7nvm7yyEV7a9YxdI9CAXvGkLTT+ucVMl2VfRh5PEkUrDcLj64Q09PNfqDmo1bV22lCnyJkekhSR+2DO0f/hYBKRqtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oEwgcrmBO/PC1PpXR9C6r9Bb5X5NH3ISE1xm5Q0ERoM=; b=QgDkhFcvXRi3EqbaCKJSYolqXfhyQU8kt54Q49NX+kmLJwHduiFheoLAbJfBOdRowF4Qeap9tk7H2TOy+HC0uSvNvTYD8IwBdWmqMHM8ntbdWTf3U7/GDZAd3xcMr6poX7308FxVW4fUjRHb0Jjdi0YmaJ8tPvbXCr8X+Eq45pnLeMVBX9T9iSmeyd0DYxqPKWgsdJKwsLxieS1jXY+Q269dnRQM33n00KJWAd4bBqz8ZT15L83Ak3dFiEkZC/SwAz3GW/HzhoXF3/vC9JBSjvoW6z+FkqnjhtmQ53KjMO69p8/rQi7TcIGul+INbX2/53xj7X+Xap+jk5cVy1c9cQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from PH7PR11MB7593.namprd11.prod.outlook.com (2603:10b6:510:27f::9) by PH8PR11MB6831.namprd11.prod.outlook.com (2603:10b6:510:22d::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8251.16; Thu, 12 Dec 2024 14:37:28 +0000 Received: from PH7PR11MB7593.namprd11.prod.outlook.com ([fe80::2688:e731:421b:5ebc]) by PH7PR11MB7593.namprd11.prod.outlook.com ([fe80::2688:e731:421b:5ebc%4]) with mapi id 15.20.8230.016; Thu, 12 Dec 2024 14:37:27 +0000 From: Yash.Shinde@windriver.com To: openembedded-core@lists.openembedded.org Cc: Randy.MacLeod@windriver.com, Sundeep.Kokkonda@windriver.com, Yash.Shinde@windriver.com Subject: [scarthgap][PATCH] binutils: Fix CVE-2024-53589 Date: Thu, 12 Dec 2024 06:37:15 -0800 Message-ID: <20241212143715.3626117-1-Yash.Shinde@windriver.com> X-Mailer: git-send-email 2.43.0 X-ClientProxiedBy: BYAPR21CA0021.namprd21.prod.outlook.com (2603:10b6:a03:114::31) To PH7PR11MB7593.namprd11.prod.outlook.com (2603:10b6:510:27f::9) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PH7PR11MB7593:EE_|PH8PR11MB6831:EE_ X-MS-Office365-Filtering-Correlation-Id: 6c1643c5-9d65-4579-16ea-08dd1aba8060 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|52116014|366016|1800799024|38350700014; X-Microsoft-Antispam-Message-Info: =?utf-8?q?BmoB94vPeEuhLg2EeeeBm2VZ0LK5M0z?= =?utf-8?q?Si1s+qy7mvwDJKCq6C3xdZSd7dIY4D05Vsb/cm/8ah9SrvVXzwdIp6/beSKvzOBFq?= =?utf-8?q?Qi4gyAbzNCneHarnG4ciGlliCFtlZpGKEmo0NFL7n0keHaiV/0E9cQ6SeIeugG9cT?= =?utf-8?q?/7XuahfKmy6TRMtNESPoSe5Ochv5XEMoIoEJqh0agpKkuzNRWWnTVZ09NQvGewbaX?= =?utf-8?q?q4ytXo7WQfuK4lxJyGPQyguuw5vuisxkJL36NDPlnF3NcUjziVRGH/fC3Fs+7H2cK?= =?utf-8?q?Pg+MEMauHeIOeRK1frhtzg/QNzlWgssiqI9Z5SO4jrxA6tp54Ei6dAx8ogWXfftsF?= =?utf-8?q?/XwjzbuGvfjCAHfXCFnf96/VJw9ZqQk4YAPM5IYTpdI+CrCQREDaz5tnQDh0tDhbe?= =?utf-8?q?rh8dyXTHgdVA964RWGGw4341fnRX+HL0iTMSsb0Gfc3Nqs52l8GV2L2mDKbfTFCCV?= =?utf-8?q?K65bJR9L2vI8bzcUosNBBn2sSeC+vQ6gwkcIiMg8W700H3sllYEjuiwpEX20OHAcI?= =?utf-8?q?GfepRGt4Z/ZYAGUFSZW+TtXsSZSVgmpVpcMoZShSh9sdwyEtZgs6EDNefRTghscWd?= =?utf-8?q?qWEtmqkMEh2vZ6Gr/Wul7lqwRSgk0ijhy9SMag+QgFdJQiO7yF+slYzFmYhTuog18?= =?utf-8?q?j08rbe0qnLN/J1tePuWjrZRe/V+hiS/br4CNK+qal+xWAXUamTMd3MuWyz8Zp48YZ?= =?utf-8?q?wDPTLX1pBkeQ5J3xLkt51mzIM4DqL3iZ/GaLoviQScgZ2n9PBSdOKc1lSJYhluECk?= =?utf-8?q?mK6t9587yDEjjLgG6ViIOjmayAZRZrcXeyYaH1NQ8b4/8wEWwMmXiA9/H6JtV3nLp?= =?utf-8?q?/qj0pJ78jPe32NdjqIoSRbJU4QtGtS9lu9g0hX+AkUpE5ORkFk29+agBADShhYNHI?= =?utf-8?q?BAuWZjm3+nAthauvr/1Zp2Pav/wbsKmoGLXJTEpFShOHmO2mVAIOEMPm030lyVqDl?= =?utf-8?q?ALu16RXtIFzzwaqFSNR8Uaar8n/8gdAYOqICDCIOqFcjkURU8breMAnN9RCWf5nrG?= =?utf-8?q?gkW5EECHJgEUDSWzzyoKu4fPsAkcIt3X7ShhWRUaFF8G/RksuPpDr1fMNFACkz7m2?= =?utf-8?q?KiLVutjN1gC1FunZ2cT4QgGEv2s3X3AgB4Q1nlBlhERTCZAYWBBkWUqMDJOXkdKy6?= =?utf-8?q?b05kRXPZffLn/7S2tP9G8e5k9YuJHan2MFj9+MBxFQk/0F9YG4fYq27aTNrc69a4h?= =?utf-8?q?S39uigmAp4zytDZWLTyXpErFOhS843LsYSNlvrVbqnh/AERJWuZZI7d1CA9zblAMg?= =?utf-8?q?iSH1EXCThvZkgNFWsGewtOZfCCz0CE+Asug9UfGBB0bQRer74EH7wsVQ=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH7PR11MB7593.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(52116014)(366016)(1800799024)(38350700014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?XLCGPMN/jjFjNjXqzctRkrBeYj5E?= =?utf-8?q?mkxNMLBQsTtrwkXVeS99jVIdvf3bkBNd9Hh5XQm/kXpeBWD6xMgDldgEhaGRbxDRt?= =?utf-8?q?qxpDNgjuIU288P6JvmsPU/tB5EYmNNZ6PKmPLVFmNITIvu9zKVsvynrmRryhRz0ag?= =?utf-8?q?qRZsMjYp/LdxC1otVI5MXSJoJVC8juHrB7khMH3ark0X6UXDM8IGq7BeUzPQnPaa1?= =?utf-8?q?Xlzo63WpoI4Fy29mt5wp9ORPXCvYEJ0LwQEORgpTM52aci/797p2vnBCdKsnjRz1N?= =?utf-8?q?kRbA46JMpFZ/fvwvLDitiz9rK8sGDYaL+az05dhQ22uiNPXWUR1KDurax1uQ2xVqW?= =?utf-8?q?4s0yPmonMRYJb4D81eSHus6+zn0/F+FfQNtmGXbmOWo8YvqkFCnlm5kuoe+pr5cn9?= =?utf-8?q?roTGJFCriKISYianka+hlZcuUydl8gituxb+Qb5uTCWEG/AKsYksDrbJtExNGAxUn?= =?utf-8?q?wh1m473Eza43dynSuLTRIT4TKHgX1mn1jhrpLWl+SnoUkie8hk6l58sRnabvGLLHr?= =?utf-8?q?qk307ZvY4QbEMJl7s54VWAQvYn4gEHf5YgO0bQXhT8mf9ZlUxEfqgHiYGHS5pFnmo?= =?utf-8?q?c3wdU8dS2umXcD0Xe0EBRdNQ++20Atb4Qr11IEol3a7xMx9itYf74n2/SkR0u/vMH?= =?utf-8?q?ruMNVJNIYixqvTb6ZXA3puoOtZEXLviN7AUBBksMvArL7Yx/dihu12nXO7K6oLO+y?= =?utf-8?q?iWa5rqiwLcGLcpWWoe0dD0QmvC/gm8Ax7Zi3jlqTpysDy3+DaTtaktCvC/FMWUm6c?= =?utf-8?q?mCjh7GGEI5e/cL1uXt6LH5/Lev63lf+BgJdZ8eC5aZYLYu6I/uh9cJuBHJY/U0/sm?= =?utf-8?q?HWHcleJ/2eqSHGfZnL/mf/8IeNNyFFriUAblYZ3760pdhYvL3NfKl5Gh8wqszgoq/?= =?utf-8?q?0ZL/aiWAI8r9xzJARxVncYRlhSwHCku/R2KxzcqxUuenaBtwL9S9yZiESa3M5+6QO?= =?utf-8?q?FUF7zJpv7kJZ2GaIdrNG8Re3fG16gQCQkfAi+bhrfRzj8vaBT7c3A3P/NbupP5H+/?= =?utf-8?q?GlRVf7KWhs61mMUtWnVxcVG49gZl7Bd3B5B2MiYmHzKf8z24ICVX6SYnE9BAKG4ew?= =?utf-8?q?gfD3Jgz+T88ciHdJMJ7N1vKxKfdvFO5EMaJX8jPl+wWjoBJIVV1F4yof3v4sPamyp?= =?utf-8?q?XTjfrJ0CCBdUoUgIGyZpjgSYQ2tlTZLS47CoHNw9MWiJJ1cxP/4+XRCniatVEui9w?= =?utf-8?q?h0q2hDDGSjxNUvWUq1JIE9GDAQ1r9qG3NTAGg3GQnqxXtxyH4AL+Yt15N7YibNNpA?= =?utf-8?q?9H8NwzzQ2H6ydGOIOFw6sJsdC9vJCDPFOtb+kQgUXu1/2k/KRiRQrgb5ROK4QxNNv?= =?utf-8?q?Rlun3Bny8V1fQ6th1tV51N80ZWuiMqC0Q/ytMcZMcy4Zr5I18LRt4szVD4F36RJh2?= =?utf-8?q?/XChVy4xyvSlHRDPALcggQ3Ij8harl8uDxtsEnvVLfFc930+hkayh/mxJOn+K6kZ4?= =?utf-8?q?3x756zIjMfotFB2R+J0gNXciDZ1f0LTi1weZ0fxflvayRpf+xf1fzB89HQNJDGD7G?= =?utf-8?q?VwSLM8Fppw5ST8Wl0/wi5ZfT/vNVGfmT0Q=3D=3D?= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 6c1643c5-9d65-4579-16ea-08dd1aba8060 X-MS-Exchange-CrossTenant-AuthSource: PH7PR11MB7593.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Dec 2024 14:37:27.8028 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: s/TfY91BXhq0N0nThHuUgu2bWDeBtT7qzm7mya5e80sbsDQDveshy1aoE2P5U1Rts9Jo33KXSIHLVqfiW8xnzywEz/QjWghjVhyctOzwdDo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR11MB6831 X-Authority-Analysis: v=2.4 cv=H/shw/Yi c=1 sm=1 tr=0 ts=675af52a cx=c_pps a=6DIaztarb0XTwjBPIWoXxQ==:117 a=wKuvFiaSGQ0qltdbU6+NXLB8nM8=:19 a=Ol13hO9ccFRV9qXi2t6ftBPywas=:19 a=xqWC_Br6kY4A:10 a=IkcTkHD0fZMA:10 a=RZcAm9yDv7YA:10 a=bRTqI5nwn0kA:10 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=QkpFdd30EMMon_xh91kA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: EfwutRt5t2Dzi1frZ-tdtp3zvq6N4wbV X-Proofpoint-GUID: EfwutRt5t2Dzi1frZ-tdtp3zvq6N4wbV X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2024-12-12_09,2024-12-12_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 phishscore=0 mlxlogscore=999 suspectscore=0 spamscore=0 clxscore=1015 impostorscore=0 adultscore=0 priorityscore=1501 malwarescore=0 bulkscore=0 mlxscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2412120105 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 4BC6brXS002193 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 12 Dec 2024 14:37:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208650 From: Yash Shinde A buffer overflow vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The vulnerability occurs in the Binary File Descriptor (BFD) library’s tekhex parser during format identification. Specifically, the issue manifests when attempting to read 8 bytes at an address that precedes the global variable ‘_bfd_std_section’, resulting in an out-of-bounds read. Backport a patch from upstream to fix CVE-2024-53589. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88] Signed-off-by: Yash Shinde --- .../binutils/binutils-2.42.inc | 1 + .../binutils/0016-CVE-2024-53589.patch | 92 +++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index bff97b50c3..41ed39632d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -36,5 +36,6 @@ SRC_URI = "\ file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ file://0015-gprofng-change-use-of-bignum-to-bigint.patch \ + file://0016-CVE-2024-53589.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch new file mode 100644 index 0000000000..380112a3ba --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch @@ -0,0 +1,92 @@ +Author: Alan Modra +Date: Mon Nov 11 10:24:09 2024 +1030 + + Re: tekhex object file output fixes + + Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be + bfd_abs_section, but bfd_abs_section needs to be treated specially. + In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr) + is invalid. + + PR 32347 + * tekhex.c (first_phase): Guard against modification of + _bfd_std_section[] entries. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88] +CVE: CVE-2024-53589 + +Signed-off-by: Yash Shinde + +diff --git a/bfd/tekhex.c b/bfd/tekhex.c +index aea2ebb23df..b305c1f96f1 100644 +--- a/bfd/tekhex.c ++++ b/bfd/tekhex.c +@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end) + { + asection *section, *alt_section; + unsigned int len; ++ bfd_vma addr; + bfd_vma val; + char sym[17]; /* A symbol can only be 16chars long. */ + +@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end) + { + case '6': + /* Data record - read it and store it. */ +- { +- bfd_vma addr; +- +- if (!getvalue (&src, &addr, src_end)) +- return false; +- +- while (*src && src < src_end - 1) +- { +- insert_byte (abfd, HEX (src), addr); +- src += 2; +- addr++; +- } +- return true; +- } ++ if (!getvalue (&src, &addr, src_end)) ++ return false; ++ ++ while (*src && src < src_end - 1) ++ { ++ insert_byte (abfd, HEX (src), addr); ++ src += 2; ++ addr++; ++ } ++ return true; + + case '3': + /* Symbol record, read the segment. */ +@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end) + { + case '1': /* Section range. */ + src++; +- if (!getvalue (&src, §ion->vma, src_end)) ++ if (!getvalue (&src, &addr, src_end)) + return false; + if (!getvalue (&src, &val, src_end)) + return false; +- if (val < section->vma) +- val = section->vma; +- section->size = val - section->vma; ++ if (bfd_is_const_section (section)) ++ break; ++ section->vma = addr; ++ if (val < addr) ++ val = addr; ++ section->size = val - addr; + /* PR 17512: file: objdump-s-endless-loop.tekhex. + Check for overlarge section sizes. */ + if (section->size & 0x80000000) +@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end) + new_symbol->symbol.flags = BSF_LOCAL; + if (stype == '2' || stype == '6') + new_symbol->symbol.section = bfd_abs_section_ptr; ++ else if (bfd_is_const_section (section)) ++ ; + else if (stype == '3' || stype == '7') + { + if ((section->flags & SEC_DATA) == 0)