sys-libs/binutils-libs: fix multiple CVEs

Cherry-picked and backported upstream fixes for the following CVEs:

- CVE-2022-47007
- CVE-2022-47008
- CVE-2022-47010
- CVE-2022-47011
- CVE-2022-48063
- CVE-2022-48064
- CVE-2022-48065

BUG=b/297745230,b/297743392,b/297708917,b/297711989,b/297745000,b/297745409,b/297744548
TEST=presubmit
RELEASE_NOTE=Fixed the following CVEs in sys-libs/binutils-libs: CVE-2022-47007,
  CVE-2022-47008, CVE-2022-47010, CVE-2022-47011, CVE-2022-48063, CVE-2022-48064,
  CVE-2022-48065

cos-patch: security-moderate
Change-Id: Ie3f3d8e7598978b51f9d2f3e73ebf16ba42aea96
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/56449
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Anil Altinay <aaltinay@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/sys-libs/binutils-libs/binutils-libs-2.35.2-r2.ebuild b/sys-libs/binutils-libs/binutils-libs-2.35.2-r3.ebuild
similarity index 92%
rename from sys-libs/binutils-libs/binutils-libs-2.35.2-r2.ebuild
rename to sys-libs/binutils-libs/binutils-libs-2.35.2-r3.ebuild
index e561cf9..81a15f5 100644
--- a/sys-libs/binutils-libs/binutils-libs-2.35.2-r2.ebuild
+++ b/sys-libs/binutils-libs/binutils-libs-2.35.2-r3.ebuild
@@ -43,10 +43,17 @@
 		einfo "Applying binutils-${PATCH_BINUTILS_VER} patchset ${PATCH_VER}"
 		eapply "${WORKDIR}/patch"/*.patch
 	fi
-        # Fix CVE-2022-4285
+	# Fix CVE-2022-4285
 	eapply "${FILESDIR}"/CVE-2022-4285.patch
 	# Fix CVE-2023-1972
 	eapply "${FILESDIR}"/CVE-2023-1972.patch
+	eapply "${FILESDIR}"/CVE-2022-47007.patch
+	eapply "${FILESDIR}"/CVE-2022-47008.patch
+	eapply "${FILESDIR}"/CVE-2022-47010.patch
+	eapply "${FILESDIR}"/CVE-2022-47011.patch
+	eapply "${FILESDIR}"/CVE-2022-48063.patch
+	eapply "${FILESDIR}"/CVE-2022-48064.patch
+	eapply "${FILESDIR}"/CVE-2022-48065.patch
 	# Fix cross-compile relinking issue, bug #626402
 	elibtoolize
 
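Review bot: The seven new `eapply` lines carry no comment, unlike the two `# Fix CVE-...` lines directly above them, so the ebuild no longer records which upstream PR each backport addresses; keep the established pattern with one comment per patch, e.g. `# Fix CVE-2022-47007 (PR29254)` before its `eapply`. Order also matters in this list: CVE-2022-47007.patch and CVE-2022-47011.patch both edit binutils/stabs.c and the second patch's index line (796ff85b86a..) is the first's post-image, so 47011 must stay after 47007. A one-line comment such as `# CVE-2022-47011 must follow CVE-2022-47007 (both touch stabs.c)` would protect that against a future reordering. The enclosing function starts outside the hunk.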
diff --git a/sys-libs/binutils-libs/files/CVE-2022-47007.patch b/sys-libs/binutils-libs/files/CVE-2022-47007.patch
new file mode 100644
index 0000000..aa05168
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-47007.patch
@@ -0,0 +1,30 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+	PR 29254
+	* stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5467,7 +5467,10 @@ stab_demangle_v3_arg (void *dhandle, struct stab_handle *info,
+ 					  dc->u.s_binary.right,
+ 					  &varargs);
+ 	if (pargs == NULL)
+-	  return NULL;
++	  {
++	    free (dt);
++	    return NULL;
++	  }
+ 
+ 	return debug_make_function_type (dhandle, dt, pargs, varargs);
+       }
+-- 
+2.39.3
+
diff --git a/sys-libs/binutils-libs/files/CVE-2022-47008.patch b/sys-libs/binutils-libs/files/CVE-2022-47008.patch
new file mode 100644
index 0000000..a5bbc37
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-47008.patch
@@ -0,0 +1,62 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+	PR 29255
+	* bucomm.c (make_tempdir, make_tempname): Free template on all
+	failure paths.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -537,8 +537,9 @@ make_tempname (const char *filename, int *ofd)
+ #else
+   tmpname = mktemp (tmpname);
+   if (tmpname == NULL)
+-    return NULL;
+-  fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++    fd = -1;
++  else
++    fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+   if (fd == -1)
+     {
+@@ -556,22 +557,23 @@ char *
+ make_tempdir (const char *filename)
+ {
+   char *tmpname = template_in_dir (filename);
++  char *ret;
+ 
+ #ifdef HAVE_MKDTEMP
+-  return mkdtemp (tmpname);
++  ret = mkdtemp (tmpname);
+ #else
+-  tmpname = mktemp (tmpname);
+-  if (tmpname == NULL)
+-    return NULL;
++  ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+   if (mkdir (tmpname) != 0)
+-    return NULL;
++    ret = NULL;
+ #else
+   if (mkdir (tmpname, 0700) != 0)
+-    return NULL;
++    ret = NULL;
+ #endif
+-  return tmpname;
+ #endif
++  if (ret == NULL)
++    free (tmpname);
++  return ret;
+ }
+ 
+ /* Parse a string into a VMA, with a fatal error if it can't be
+-- 
+2.39.3
+
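Review bot: In the non-HAVE_MKDTEMP branch of make_tempdir, `ret = mktemp (tmpname);` may yield NULL and the code still calls `mkdir (tmpname, ...)` on the template; the outcome is correct only because `ret` is already NULL, so the mkdir should be skipped on that path, e.g. `if (ret != NULL && mkdir (tmpname, 0700) != 0) ret = NULL;` and the same guard in the _WIN32 branch. In make_tempname the new `fd = -1` assignment relies on the `if (fd == -1)` block below freeing `tmpname`; that block lies outside the hunk, so it is worth confirming it does. The mktemp()-then-mkdir() fallback also remains a check-then-create sequence rather than an atomic mkdtemp(), which is pre-existing and only compiled without HAVE_MKDTEMP.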
diff --git a/sys-libs/binutils-libs/files/CVE-2022-47010.patch b/sys-libs/binutils-libs/files/CVE-2022-47010.patch
new file mode 100644
index 0000000..9e0f415
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-47010.patch
@@ -0,0 +1,33 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+	PR 29262
+	* prdbg.c (pr_function_type): Free "s" on failure path.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -742,12 +742,9 @@ pr_function_type (void *p, int argcount, bool varargs)
+ 
+   strcat (s, ")");
+ 
+-  if (! substitute_type (info, s))
+-    return FALSE;
+-
++  bfd_boolean ret = substitute_type (info, s);
+   free (s);
+-
+-  return TRUE;
++  return ret;
+ }
+ 
+ /* Turn the top type on the stack into a reference to that type.  */
+-- 
+2.39.3
+
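Review bot: The hunk-header context `pr_function_type (void *p, int argcount, bool varargs)` does not match the body, which uses `bfd_boolean`, `FALSE` and `TRUE`; this suggests the header was carried over from a newer upstream tree while the body was hand-adapted for this version. `patch` ignores that context text, so the file applies, but regenerating the hunk against the 2.35.2 source would make the patch document what was actually built and tested. Separately, `bfd_boolean ret = substitute_type (info, s);` is a declaration after statements; if the surrounding file keeps declarations at the top of the block, hoisting `bfd_boolean ret;` to the function's declarations (outside the hunk) would match that convention.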
diff --git a/sys-libs/binutils-libs/files/CVE-2022-47011.patch b/sys-libs/binutils-libs/files/CVE-2022-47011.patch
new file mode 100644
index 0000000..d18d93c
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-47011.patch
@@ -0,0 +1,30 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+	PR 29261
+	* stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2367,7 +2367,10 @@ parse_stab_struct_fields (void *dhandle,
+ 
+       if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ 					 staticsp, p_end))
+-	return FALSE;
++	{
++	  free (fields);
++	  return FALSE;
++	}
+ 
+       ++c;
+     }
+-- 
+2.39.3
+
diff --git a/sys-libs/binutils-libs/files/CVE-2022-48063.patch b/sys-libs/binutils-libs/files/CVE-2022-48063.patch
new file mode 100644
index 0000000..fd9c115
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-48063.patch
@@ -0,0 +1,32 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+	PR  29924
+	* objdump.c (load_specific_debug_section): Check for excessively
+	large sections.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4225,7 +4225,9 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+   section->size = bfd_section_size (sec);
+   /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+   alloced = amt = section->size + 1;
+-  if (alloced != amt || alloced == 0)
++  if (alloced != amt
++      || alloced == 0
++      || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+     {
+       section->start = NULL;
+       free_debug_section (debug);
+-- 
+2.39.3
+
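Review bot: The patch's diffstat (`binutils/ChangeLog | 6 ++++++`, `2 files changed`) lists a ChangeLog change that is not present in the body, which carries only the objdump.c hunk; `eapply` does not mind, but the header should be regenerated so the file describes its own contents (the ChangeLog hunk was presumably dropped on purpose for the backport). In the new condition `bfd_get_size (abfd)` is evaluated twice; storing it once in a local before the `if` would read more clearly and make the `!= 0` guard (no size known, so no upper bound to enforce) easier to see. load_specific_debug_section begins and ends outside the hunk, so the cleanup path after `free_debug_section (debug);` is not visible here.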
diff --git a/sys-libs/binutils-libs/files/CVE-2022-48064.patch b/sys-libs/binutils-libs/files/CVE-2022-48064.patch
new file mode 100644
index 0000000..5b04aeb
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-48064.patch
@@ -0,0 +1,55 @@
+From acf5af41a787ebbe4a72f0d723953d943ba28328 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 20 Dec 2022 23:47:03 +1030
+Subject: [PATCH] PR29922, SHT_NOBITS section avoids section size sanity check
+
+	PR 29922
+	* dwarf2.c (find_debug_info): Ignore sections without
+	SEC_HAS_CONTENTS.
+---
+ bfd/dwarf2.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 767e97311996..df6a3802ccdb 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4099,19 +4099,22 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+     {
+       look = debug_sections[debug_info].uncompressed_name;
+       msec = bfd_get_section_by_name (abfd, look);
+-      if (msec != NULL)
++      /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure.  Of
++	 course debug sections always have contents.  */
++      if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+ 	return msec;
+ 
+       look = debug_sections[debug_info].compressed_name;
+       if (look != NULL)
+ 	{
+ 	  msec = bfd_get_section_by_name (abfd, look);
+-	  if (msec != NULL)
++	  if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+ 	    return msec;
+ 	}
+ 
+       for (msec = abfd->sections; msec != NULL; msec = msec->next)
+-	if (CONST_STRNEQ (msec->name, GNU_LINKONCE_INFO))
++	if ((msec->flags & SEC_HAS_CONTENTS) != 0
++	    && CONST_STRNEQ (msec->name, GNU_LINKONCE_INFO))
+ 	  return msec;
+ 
+       return NULL;
+@@ -4119,6 +4122,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+ 
+   for (msec = after_sec->next; msec != NULL; msec = msec->next)
+     {
++      if ((msec->flags & SEC_HAS_CONTENTS) == 0)
++	continue;
++
+       look = debug_sections[debug_info].uncompressed_name;
+       if (strcmp (msec->name, look) == 0)
+ 	return msec;
+-- 
+2.42.0.rc2.253.gd59a3bf2b4-goog
+
diff --git a/sys-libs/binutils-libs/files/CVE-2022-48065.patch b/sys-libs/binutils-libs/files/CVE-2022-48065.patch
new file mode 100644
index 0000000..daeeace
--- /dev/null
+++ b/sys-libs/binutils-libs/files/CVE-2022-48065.patch
@@ -0,0 +1,98 @@
+From b611d85114a3f1bb0351312f7c4df57d21dd9934 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 21 Dec 2022 21:40:12 +1030
+Subject: [PATCH] PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file.  This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+	PR 29925
+	* dwarf2.c (find_abstract_instance): Delete "name" variable.
+	Free *filename_ptr before assigning new file name.
+	(scan_unit_for_symbols): Similarly free func->file and
+	var->file before assigning.
+---
+ bfd/dwarf2.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 83ca8a36329c..414c2d259e90 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2873,7 +2873,6 @@ find_abstract_instance (struct comp_unit *unit,
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  const char *name = NULL;
+ 
+   if (recur_count == 100)
+     {
+@@ -3038,16 +3037,16 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_name:
+ 		  /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ 		     over DW_AT_name.  */
+-		  if (name == NULL && is_str_attr (attr.form))
++		  if (*pname == NULL && is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      if (non_mangled (unit->lang))
+ 			*is_linkage = TRUE;
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+ 		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+-					       &name, is_linkage,
++					       pname, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+ 		  break;
+@@ -3057,13 +3056,14 @@ find_abstract_instance (struct comp_unit *unit,
+ 		     non-string forms into these attributes.  */
+ 		  if (is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      *is_linkage = TRUE;
+ 		    }
+ 		  break;
+ 		case DW_AT_decl_file:
+ 		  if (!comp_unit_maybe_decode_line_info (unit))
+ 		    return FALSE;
++		  free (*filename_ptr);
+ 		  *filename_ptr = concat_filename (unit->line_table,
+ 						   attr.u.val);
+ 		  break;
+@@ -3076,7 +3076,6 @@ find_abstract_instance (struct comp_unit *unit,
+ 	    }
+ 	}
+     }
+-  *pname = name;
+   return TRUE;
+ }
+ 
+@@ -3510,6 +3509,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 		  break;
+ 
+ 		case DW_AT_decl_file:
++		  free (func->file);
+ 		  func->file = concat_filename (unit->line_table,
+ 						attr.u.val);
+ 		  break;
+@@ -3559,6 +3559,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 		  break;
+ 
+ 		case DW_AT_decl_file:
++		  free (var->file);
+ 		  var->file = concat_filename (unit->line_table,
+ 					       attr.u.val);
+ 		  break;
+-- 
+2.42.0.rc2.253.gd59a3bf2b4-goog
+
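Review bot: Removing `const char *name = NULL;` and the trailing `*pname = name;` changes the contract of find_abstract_instance: `*pname` is now read (`*pname == NULL` in the DW_AT_name case) before it is ever written, so every caller must pass an initialised name pointer, whereas previously the function set it unconditionally on success. The callers in scan_unit_for_symbols are outside these hunks; confirm that the name fields they pass are zero-initialised. Likewise `free (*filename_ptr)`, `free (func->file)` and `free (var->file)` assume those fields only ever hold NULL or heap memory returned by concat_filename, never a borrowed string; a comment at the top of find_abstract_instance such as `/* *pname and *filename_ptr must be initialised by the caller; any previous *filename_ptr is freed and replaced here. */` would record that ownership rule. The function's opening lines are outside the hunk.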