fix CVE-2024-57360, CVE-2025-0840

2025-01-30 16:48:33 +08:00 · 2025-01-30 16:48:33 +08:00 · ba08166531
commit ba08166531
parent a0b73aaaad
3 changed files with 132 additions and 1 deletions
--- a/backport-CVE-2024-57630.patch
+++ b/backport-CVE-2024-57630.patch
@ -0,0 +1,71 @@
+From 5f8987d3999edb26e757115fe87be55787d510b9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 17 Dec 2024 09:18:57 +0000
+Subject: [PATCH] nm: Avoid potential segmentation fault when displaying
+ symbols without version info.
+
+PR 32467
+---
+ binutils/nm.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/binutils/nm.c b/binutils/nm.c
+index faf27c59b4d..0ba7604d34f 100644
+--- a/binutils/nm.c
+++ b/binutils/nm.c
+@@ -682,7 +682,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	       const char *name, bfd *abfd)
+ {
+   char *alloc = NULL;
+-  char *atver = NULL;
+  char *atname = NULL;
+ 
+   if (name == NULL)
+     name = info->sinfo->name;
+@@ -690,9 +690,19 @@ print_symname (const char *form, struct extended_symbol_info *info,
+   if (!with_symbol_versions
+       && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+     {
+-      atver = strchr (name, '@');
+      char *atver = strchr (name, '@');
+
+       if (atver)
+-	*atver = 0;
+	{
+	  /* PR 32467 - Corrupt binaries might include an @ character in a
+	     symbol name.  Since non-versioned symbol names can be in
+	     read-only memory (via memory mapping of a file's contents) we
+	     cannot just replace the @ character with a NUL.  Instead we
+	     create a truncated copy of the name.  */
+	  atname = xstrdup (name);
+	  atname [atver - name] = 0;
+	  name = atname;
+	}
+     }
+ 
+   if (do_demangle && *name)
+@@ -703,9 +713,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+     }
+ 
+   if (unicode_display != unicode_default)
+-    {
+-      name = convert_utf8 (name);
+-    }
+    name = convert_utf8 (name);
+ 
+   if (info != NULL && info->elfinfo && with_symbol_versions)
+     {
+@@ -726,8 +734,8 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	}
+     }
+   printf (form, name);
+-  if (atver)
+-    *atver = '@';
+
+  free (atname);
+   free (alloc);
+ }
+ 
+-- 
+2.43.5
+
--- a/backport-CVE-2025-0840.patch
+++ b/backport-CVE-2025-0840.patch
@ -0,0 +1,53 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -109,7 +109,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ static int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;	/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -2900,7 +2901,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
+	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -5453,8 +5454,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
+	  if (insn_width - 1 >= MAX_INSN_WIDTH)
+	    fatal (_("error: instruction width must be in the range 1 to "
+		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;
+2.43.5
+
--- a/binutils.spec
+++ b/binutils.spec
@ -1,7 +1,7 @@
 Summary: Binary utilities
 Name:    binutils
 Version: 2.37
-Release: 28
+Release: 29
 License: GPLv3+
 URL:     https://sourceware.org/binutils

@ -89,6 +89,8 @@ Patch3062: SME-0008-aarch64-SME-SVE2-instructions-added-to-support-SME.patch
 Patch3063: SME-0009-aarch64-Check-for-register-aliases-before-mnemonics.patch
 Patch3064: SME-0010-aarch64-Add-support-for-new-SME-instructions.patch
 Patch3065: backport-libctf-fix-ref-leak-of-names-of-newly-inserted-non-r.patch
+Patch3066: backport-CVE-2024-57630.patch
+Patch3067: backport-CVE-2025-0840.patch

 %ifarch loongarch64
 # LoongArch
@ -465,6 +467,11 @@ fi
 %{_infodir}/bfd*info*

 %changelog
+* Sat Jan 25 2025 Funda Wang <fundawang@yeah.net> - 2.37-29
+- Fix CVE-2024-57360: nm: Avoid potential segmentation fault when displaying
+  symbols without version info.
+- Fix CVE-2025-0840: stack-buffer-overflow at objdump disassemble_bytes
+
 * Sat Oct 12 2024 liningjie <liningjie@xfusion.com> - 2.37-28
 - DESC:fix ref leak of names of newly-inserted non-root-visible types