On Thu, 2021-10-28 at 02:58 -0700, Pgowda wrote: > CVE: CVE-2015-3530 Did you mean CVE-2021-3530 here and in the patches below as well?
Thanks, Anuj > Upstream-Status: > Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb > ] > Upstream-Status: > Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3 > ] > > Signed-off-by: Pgowda <pgowda....@gmail.com> > --- > .../binutils/binutils-2.36.inc | 2 + > .../binutils/0017-CVE-2021-3530.patch | 102 > ++++++++++++++++++ > .../binutils/0018-CVE-2021-3530.patch | 64 +++++++++++ > 3 files changed, 168 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/0017-CVE- > 2021-3530.patch > create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE- > 2021-3530.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc > b/meta/recipes-devtools/binutils/binutils-2.36.inc > index 9d770db5a8..7d0824e060 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.36.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.36.inc > @@ -44,5 +44,7 @@ SRC_URI = "\ > file://0001-CVE-2021-20197.patch \ > file://0002-CVE-2021-20197.patch \ > file://0003-CVE-2021-20197.patch \ > + file://0017-CVE-2021-3530.patch \ > + file://0018-CVE-2021-3530.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2021- > 3530.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021- > 3530.patch > new file mode 100644 > index 0000000000..3eba99132b > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021- > 3530.patch > @@ -0,0 +1,102 @@ > +From 25162c795b1a2becf936bb3581d86a307ea491eb Mon Sep 17 00:00:00 > 2001 > +From: Nick Clifton <ni...@redhat.com> > +Date: Thu, 15 Jul 2021 16:51:56 +0100 > +Subject: [PATCH] Fix a stack exhaustion problem in the Rust > demangling code in > + the libiberty library. > + > + PR 99935 > + * rust-demangle.c: Add recursion limit. > + > +CVE: CVE-2015-3530 > +Upstream-Status: > Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=25162c795b1a2becf936bb3581d86a307ea491eb > ] > +Signed-off-by: Pgowda <pgowda....@gmail.com> > + > +--- > + libiberty/ChangeLog | 5 +++++ > + libiberty/rust-demangle.c | 31 +++++++++++++++++++++++++------ > + 2 files changed, 30 insertions(+), 6 deletions(-) > + > +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog > +index bc1b35b97c4..8e39fd28eba 100644 > +--- a/libiberty/ChangeLog > ++++ b/libiberty/ChangeLog > +@@ -1,3 +1,8 @@ > ++2021-07-15 Nick Clifton <ni...@redhat.com> > ++ > ++ PR 99935 > ++ * rust-demangle.c: Add recursion limit. > ++ > + 2021-01-04 Martin Liska <mli...@suse.cz> > + > + * strverscmp.c: Convert to utf8 from iso8859. > +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c > +index 449941b56dc..df09b7b8fdd 100644 > +--- a/libiberty/rust-demangle.c > ++++ b/libiberty/rust-demangle.c > +@@ -74,6 +74,12 @@ struct rust_demangler > + /* Rust mangling version, with legacy mangling being -1. */ > + int version; > + > ++ /* Recursion depth. */ > ++ uint recursion; > ++ /* Maximum number of times demangle_path may be called > recursively. */ > ++#define RUST_MAX_RECURSION_COUNT 1024 > ++#define RUST_NO_RECURSION_LIMIT ((uint) -1) > ++ > + uint64_t bound_lifetime_depth; > + }; > + > +@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd > + if (rdm->errored) > + return; > + > ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) > ++ { > ++ ++ rdm->recursion; > ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) > ++ /* FIXME: There ought to be a way to report > ++ that the recursion limit has been reached. */ > ++ goto fail_return; > ++ } > ++ > + switch (tag = next (rdm)) > + { > + case 'C': > +@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd > + case 'N': > + ns = next (rdm); > + if (!ISLOWER (ns) && !ISUPPER (ns)) > +- { > +- rdm->errored = 1; > +- return; > +- } > ++ goto fail_return; > + > + demangle_path (rdm, in_value); > + > +@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd > + } > + break; > + default: > +- rdm->errored = 1; > +- return; > ++ goto fail_return; > + } > ++ goto pass_return; > ++ > ++ fail_return: > ++ rdm->errored = 1; > ++ pass_return: > ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) > ++ -- rdm->recursion; > + } > + > + static void > +@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang > + rdm.skipping_printing = 0; > + rdm.verbose = (options & DMGL_VERBOSE) != 0; > + rdm.version = 0; > ++ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? > RUST_NO_RECURSION_LIMIT : 0; > + rdm.bound_lifetime_depth = 0; > + > + /* Rust symbols always start with _R (v0) or _ZN (legacy). */ > diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2021- > 3530.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021- > 3530.patch > new file mode 100644 > index 0000000000..857ac5b3d0 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2021- > 3530.patch > @@ -0,0 +1,64 @@ > +From 999566402e3d7c69032bbf47e28b44fc0926fe62 Mon Sep 17 00:00:00 > 2001 > +From: Christopher Wellons <well...@nullprogram.com> > +Date: Sun, 18 Jul 2021 16:57:19 -0400 > +Subject: [PATCH] Change "uint" to "unsigned" > + > +This fixes a defect introduced in 25162c795. The "uint" type has not > +been explicitly defined here on mingw, causing compilation to fail. > + > +On linux we have this in /usr/include/sys/types.h > + > +/* Old compatibility names for C types. */ > +typedef unsigned long int ulong; > +typedef unsigned short int ushort; > +typedef unsigned int uint; > + > +So it's easy to see how such bugs can creep in. > + > + * rust-demangle.c (struct rust_demangler): Change type of > + "recursion" to unsigned. > + (RUST_NO_RECURSION_LIMIT): Similarly in cast. > + > +CVE: CVE-2015-3530 > +Upstream-Status: > Backport[https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3 > ] > +Signed-off-by: Pgowda <pgowda....@gmail.com> > + > +--- > + libiberty/ChangeLog | 6 ++++++ > + libiberty/rust-demangle.c | 4 ++-- > + 2 files changed, 8 insertions(+), 2 deletions(-) > + > +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog > +index 8e39fd28eba..3f749455f05 100644 > +--- a/libiberty/ChangeLog > ++++ b/libiberty/ChangeLog > +@@ -1,3 +1,9 @@ > ++2021-07-19 Christopher Wellons <well...@nullprogram.com> > ++ > ++ * rust-demangle.c (struct rust_demangler): Change type of > ++ "recursion" to unsigned. > ++ (RUST_NO_RECURSION_LIMIT): Similarly in cast. > ++ > + 2021-07-15 Nick Clifton <ni...@redhat.com> > + > + PR 99935 > +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c > +index df09b7b8fdd..ac1eb8eb02c 100644 > +--- a/libiberty/rust-demangle.c > ++++ b/libiberty/rust-demangle.c > +@@ -75,10 +75,10 @@ struct rust_demangler > + int version; > + > + /* Recursion depth. */ > +- uint recursion; > ++ unsigned recursion; > + /* Maximum number of times demangle_path may be called > recursively. */ > + #define RUST_MAX_RECURSION_COUNT 1024 > +-#define RUST_NO_RECURSION_LIMIT ((uint) -1) > ++#define RUST_NO_RECURSION_LIMIT ((unsigned) -1) > + > + uint64_t bound_lifetime_depth; > + }; > +-- > +2.27.0 > +
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#157589): https://lists.openembedded.org/g/openembedded-core/message/157589 Mute This Topic: https://lists.openembedded.org/mt/86648678/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
