binutils: Fix CVE-2024-53589

A buffer overflow vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The vulnerability occurs in the Binary File Descriptor (BFD) library’s tekhex parser during format identification. Specifically, the issue manifests when attempting to read 8 bytes at an address that precedes the global variable ‘_bfd_std_section’, resulting in an out-of-bounds read. Backport a patch from upstream to fix CVE-2024-53589. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88] (From OE-Core rev: 04c6b181bf9b1babd647c642ba8598b837f1263b) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yash Shinde <Yash.Shinde@windriver.com> 2024-12-12 06:35:05 -0800
committer: Steve Sakoman <steve@sakoman.com> 2025-01-09 06:02:48 -0800
commit: 44c8d98587e478703dec3de6ed2e929233fab5c8 (patch)
tree: bb38d5bfbf9980a60edf9cc7fdc454135bf234da
parent: d0a0b075749c0aa2fa796fdcf856ffac7ecfcb85 (diff)
download: poky-44c8d98587e478703dec3de6ed2e929233fab5c8.tar.gz
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
index 1ce19fbdc6..94e7d7f7e6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
     file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+     file://0015-CVE-2024-53589.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch
new file mode 100644
index 0000000000..380112a3ba
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Mon Nov 11 10:24:09 2024 +1030
+    Re: tekhex object file output fixes
+    Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+    bfd_abs_section, but bfd_abs_section needs to be treated specially.
+    In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+    is invalid.
+            PR 32347
+            * tekhex.c (first_phase): Guard against modification of
+            _bfd_std_section[] entries.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
+CVE: CVE-2024-53589
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
+++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
+  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];                        /* A symbol can only be 16chars long.  */
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-       bfd_vma addr;
+-
+-       if (!getvalue (&src, &addr, src_end))
+-         return false;
+-
+-       while (*src && src < src_end - 1)
+-         {
+-           insert_byte (abfd, HEX (src), addr);
+-           src += 2;
+-           addr++;
+-         }
+-       return true;
+-      }
+      if (!getvalue (&src, &addr, src_end))
+       return false;
+
+      while (*src && src < src_end - 1)
+       {
+         insert_byte (abfd, HEX (src), addr);
+         src += 2;
+         addr++;
+       }
+      return true;
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+            {
+            case '1':           /* Section range.  */
+              src++;
+-             if (!getvalue (&src, &section->vma, src_end))
+             if (!getvalue (&src, &addr, src_end))
+                return false;
+              if (!getvalue (&src, &val, src_end))
+                return false;
+-             if (val < section->vma)
+-               val = section->vma;
+-             section->size = val - section->vma;
+             if (bfd_is_const_section (section))
+               break;
+             section->vma = addr;
+             if (val < addr)
+               val = addr;
+             section->size = val - addr;
+              /* PR 17512: file: objdump-s-endless-loop.tekhex.
+                 Check for overlarge section sizes.  */
+              if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+                  new_symbol->symbol.flags = BSF_LOCAL;
+                if (stype == '2' || stype == '6')
+                  new_symbol->symbol.section = bfd_abs_section_ptr;
+               else if (bfd_is_const_section (section))
+                 ;
+                else if (stype == '3' || stype == '7')
+                  {
+                    if ((section->flags & SEC_DATA) == 0)
author	Yash Shinde <Yash.Shinde@windriver.com>	2024-12-12 06:35:05 -0800
committer	Steve Sakoman <steve@sakoman.com>	2025-01-09 06:02:48 -0800
commit	44c8d98587e478703dec3de6ed2e929233fab5c8 (patch)
tree	bb38d5bfbf9980a60edf9cc7fdc454135bf234da
parent	d0a0b075749c0aa2fa796fdcf856ffac7ecfcb85 (diff)
download	poky-44c8d98587e478703dec3de6ed2e929233fab5c8.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc index 1ce19fbdc6..94e7d7f7e6 100644 --- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
35	file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \	35	file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \	36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
		38	file://0015-CVE-2024-53589.patch \
38	"	39	"
39	S = "${WORKDIR}/git"	40	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch new file mode 100644 index 0000000000..380112a3ba --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
		1	Author: Alan Modra <amodra@gmail.com>
		2	Date: Mon Nov 11 10:24:09 2024 +1030
		3
		4	Re: tekhex object file output fixes
		5
		6	Commit 8b5a212495 supported ABS symbols by allowing "section" to be
		7	bfd_abs_section, but bfd_abs_section needs to be treated specially.
		8	In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
		9	is invalid.
		10
		11	PR 32347
		12	* tekhex.c (first_phase): Guard against modification of
		13	_bfd_std_section[] entries.
		14
		15	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
		16	CVE: CVE-2024-53589
		17
		18	Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
		19
		20	diff --git a/bfd/tekhex.c b/bfd/tekhex.c
		21	index aea2ebb23df..b305c1f96f1 100644
		22	--- a/bfd/tekhex.c
		23	+++ b/bfd/tekhex.c
		24	@@ -361,6 +361,7 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		25	{
		26	asection section, alt_section;
		27	unsigned int len;
		28	+ bfd_vma addr;
		29	bfd_vma val;
		30	char sym[17]; /* A symbol can only be 16chars long. */
		31
		32	@@ -368,20 +369,16 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		33	{
		34	case '6':
		35	/* Data record - read it and store it. */
		36	- {
		37	- bfd_vma addr;
		38	-
		39	- if (!getvalue (&src, &addr, src_end))
		40	- return false;
		41	-
		42	- while (*src && src < src_end - 1)
		43	- {
		44	- insert_byte (abfd, HEX (src), addr);
		45	- src += 2;
		46	- addr++;
		47	- }
		48	- return true;
		49	- }
		50	+ if (!getvalue (&src, &addr, src_end))
		51	+ return false;
		52	+
		53	+ while (*src && src < src_end - 1)
		54	+ {
		55	+ insert_byte (abfd, HEX (src), addr);
		56	+ src += 2;
		57	+ addr++;
		58	+ }
		59	+ return true;
		60
		61	case '3':
		62	/* Symbol record, read the segment. */
		63	@@ -406,13 +403,16 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		64	{
		65	case '1': /* Section range. */
		66	src++;
		67	- if (!getvalue (&src, &section->vma, src_end))
		68	+ if (!getvalue (&src, &addr, src_end))
		69	return false;
		70	if (!getvalue (&src, &val, src_end))
		71	return false;
		72	- if (val < section->vma)
		73	- val = section->vma;
		74	- section->size = val - section->vma;
		75	+ if (bfd_is_const_section (section))
		76	+ break;
		77	+ section->vma = addr;
		78	+ if (val < addr)
		79	+ val = addr;
		80	+ section->size = val - addr;
		81	/* PR 17512: file: objdump-s-endless-loop.tekhex.
		82	Check for overlarge section sizes. */
		83	if (section->size & 0x80000000)
		84	@@ -455,6 +455,8 @@ first_phase (bfd abfd, int type, char src, char * src_end)
		85	new_symbol->symbol.flags = BSF_LOCAL;
		86	if (stype == '2' \|\| stype == '6')
		87	new_symbol->symbol.section = bfd_abs_section_ptr;
		88	+ else if (bfd_is_const_section (section))
		89	+ ;
		90	else if (stype == '3' \|\| stype == '7')
		91	{
		92	if ((section->flags & SEC_DATA) == 0)