packages/binutils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-57360, CVE-2025-0840

Browse Source
This commit is contained in:
Funda Wang 2025-01-30 16:48:33 +08:00
parent a0b73aaaad
commit ba08166531
3 changed files with 132 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
backport-CVE-2024-57630.patch Normal file
View File

@ -0,0 +1,71 @@
From 5f8987d3999edb26e757115fe87be55787d510b9 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 17 Dec 2024 09:18:57 +0000
Subject: [PATCH] nm: Avoid potential segmentation fault when displaying
symbols without version info.
PR 32467
---
binutils/nm.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/binutils/nm.c b/binutils/nm.c
index faf27c59b4d..0ba7604d34f 100644
--- a/binutils/nm.c
+++ b/binutils/nm.c
@@ -682,7 +682,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
const char *name, bfd *abfd)
{
char *alloc = NULL;
- char *atver = NULL;
+ char *atname = NULL;
if (name == NULL)
name = info->sinfo->name;
@@ -690,9 +690,19 @@ print_symname (const char *form, struct extended_symbol_info *info,
if (!with_symbol_versions
&& bfd_get_flavour (abfd) == bfd_target_elf_flavour)
{
- atver = strchr (name, '@');
+ char *atver = strchr (name, '@');
+
if (atver)
- *atver = 0;
+ {
+ /* PR 32467 - Corrupt binaries might include an @ character in a
+ symbol name. Since non-versioned symbol names can be in
+ read-only memory (via memory mapping of a file's contents) we
+ cannot just replace the @ character with a NUL. Instead we
+ create a truncated copy of the name. */
+ atname = xstrdup (name);
+ atname [atver - name] = 0;
+ name = atname;
+ }
}
if (do_demangle && *name)
@@ -703,9 +713,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
}
if (unicode_display != unicode_default)
- {
- name = convert_utf8 (name);
- }
+ name = convert_utf8 (name);
if (info != NULL && info->elfinfo && with_symbol_versions)
{
@@ -726,8 +734,8 @@ print_symname (const char *form, struct extended_symbol_info *info,
}
}
printf (form, name);
- if (atver)
- *atver = '@';
+
+ free (atname);
free (alloc);
}
--
2.43.5

53
backport-CVE-2025-0840.patch Normal file
View File

@ -0,0 +1,53 @@
From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 15 Jan 2025 19:13:43 +1030
Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
There's always someone pushing the boundaries.
PR 32560
* objdump.c (MAX_INSN_WIDTH): Define.
(insn_width): Make it an unsigned long.
(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
---
binutils/objdump.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index ecbe39e942e..80044dea580 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -109,7 +109,8 @@ static bool disassemble_all; /* -D */
static int disassemble_zeroes; /* --disassemble-zeroes */
static bool formats_info; /* -i */
static int wide_output; /* -w */
-static int insn_width; /* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width; /* --insn-width */
static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
static int dump_debugging; /* --debugging */
@@ -2900,7 +2901,7 @@ disassemble_bytes (struct disassemble_info *inf,
}
else
{
- char buf[50];
+ char buf[MAX_INSN_WIDTH + 1];
unsigned int bpc = 0;
unsigned int pb = 0;
@@ -5453,8 +5454,9 @@ main (int argc, char **argv)
break;
case OPTION_INSN_WIDTH:
insn_width = strtoul (optarg, NULL, 0);
- if (insn_width <= 0)
- fatal (_("error: instruction width must be positive"));
+ if (insn_width - 1 >= MAX_INSN_WIDTH)
+ fatal (_("error: instruction width must be in the range 1 to "
+ XSTRING (MAX_INSN_WIDTH)));
break;
case OPTION_INLINES:
unwind_inlines = true;
2.43.5

9
binutils.spec
View File

@ -1,7 +1,7 @@
Summary: Binary utilities Summary: Binary utilities
Name: binutils Name: binutils
Version: 2.37 Version: 2.37
Release: 28 Release: 29
License: GPLv3+ License: GPLv3+
URL: https://sourceware.org/binutils URL: https://sourceware.org/binutils
@ -89,6 +89,8 @@ Patch3062: SME-0008-aarch64-SME-SVE2-instructions-added-to-support-SME.patch
Patch3063: SME-0009-aarch64-Check-for-register-aliases-before-mnemonics.patch Patch3063: SME-0009-aarch64-Check-for-register-aliases-before-mnemonics.patch
Patch3064: SME-0010-aarch64-Add-support-for-new-SME-instructions.patch Patch3064: SME-0010-aarch64-Add-support-for-new-SME-instructions.patch
Patch3065: backport-libctf-fix-ref-leak-of-names-of-newly-inserted-non-r.patch Patch3065: backport-libctf-fix-ref-leak-of-names-of-newly-inserted-non-r.patch
Patch3066: backport-CVE-2024-57630.patch
Patch3067: backport-CVE-2025-0840.patch
%ifarch loongarch64 %ifarch loongarch64
# LoongArch # LoongArch
@ -465,6 +467,11 @@ fi
%{_infodir}/bfd*info* %{_infodir}/bfd*info*
%changelog %changelog
* Sat Jan 25 2025 Funda Wang <fundawang@yeah.net> - 2.37-29
- Fix CVE-2024-57360: nm: Avoid potential segmentation fault when displaying
symbols without version info.
- Fix CVE-2025-0840: stack-buffer-overflow at objdump disassemble_bytes
* Sat Oct 12 2024 liningjie <liningjie@xfusion.com> - 2.37-28 * Sat Oct 12 2024 liningjie <liningjie@xfusion.com> - 2.37-28
- DESC:fix ref leak of names of newly-inserted non-root-visible types - DESC:fix ref leak of names of newly-inserted non-root-visible types