[OE-core][scarthgap 01/10] binutils: Fix CVE-2024-53589

Wed, 18 Dec 2024 14:19:32 -0800 

From: Yash Shinde <yash.shi...@windriver.com>

A buffer overflow vulnerability exists in GNU Binutils’ objdump utility
when processing tekhex format files. The vulnerability occurs in the
Binary File Descriptor (BFD) library’s tekhex parser during format 
identification.
Specifically, the issue manifests when attempting to read 8 bytes at an address
that precedes the global variable ‘_bfd_std_section’, resulting in an 
out-of-bounds read.

Backport a patch from upstream to fix CVE-2024-53589.
Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]

Signed-off-by: Yash Shinde <yash.shi...@windriver.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/0016-CVE-2024-53589.patch        | 92 +++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 
meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
b/meta/recipes-devtools/binutils/binutils-2.42.inc
index bff97b50c3..41ed39632d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
      file://0015-gprofng-change-use-of-bignum-to-bigint.patch \
+     file://0016-CVE-2024-53589.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch 
b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
new file mode 100644
index 0000000000..380112a3ba
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2024-53589.patch
@@ -0,0 +1,92 @@
+Author: Alan Modra <amo...@gmail.com>
+Date:   Mon Nov 11 10:24:09 2024 +1030
+
+    Re: tekhex object file output fixes
+
+    Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+    bfd_abs_section, but bfd_abs_section needs to be treated specially.
+    In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+    is invalid.
+
+            PR 32347
+            * tekhex.c (first_phase): Guard against modification of
+            _bfd_std_section[] entries.
+
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
+CVE: CVE-2024-53589
+
+Signed-off-by: Yash Shinde <yash.shi...@windriver.com>
+
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
++++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * 
src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
++  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];                       /* A symbol can only be 16chars long.  
*/
+
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * 
src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-      bfd_vma addr;
+-
+-      if (!getvalue (&src, &addr, src_end))
+-        return false;
+-
+-      while (*src && src < src_end - 1)
+-        {
+-          insert_byte (abfd, HEX (src), addr);
+-          src += 2;
+-          addr++;
+-        }
+-      return true;
+-      }
++      if (!getvalue (&src, &addr, src_end))
++       return false;
++
++      while (*src && src < src_end - 1)
++       {
++         insert_byte (abfd, HEX (src), addr);
++         src += 2;
++         addr++;
++       }
++      return true;
+
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * 
src_end)
+           {
+           case '1':           /* Section range.  */
+             src++;
+-            if (!getvalue (&src, &section->vma, src_end))
++             if (!getvalue (&src, &addr, src_end))
+               return false;
+             if (!getvalue (&src, &val, src_end))
+               return false;
+-            if (val < section->vma)
+-              val = section->vma;
+-            section->size = val - section->vma;
++             if (bfd_is_const_section (section))
++               break;
++             section->vma = addr;
++             if (val < addr)
++               val = addr;
++             section->size = val - addr;
+             /* PR 17512: file: objdump-s-endless-loop.tekhex.
+                Check for overlarge section sizes.  */
+             if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * 
src_end)
+                 new_symbol->symbol.flags = BSF_LOCAL;
+               if (stype == '2' || stype == '6')
+                 new_symbol->symbol.section = bfd_abs_section_ptr;
++               else if (bfd_is_const_section (section))
++                 ;
+               else if (stype == '3' || stype == '7')
+                 {
+                   if ((section->flags & SEC_DATA) == 0)
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#208881): 
https://lists.openembedded.org/g/openembedded-core/message/208881
Mute This Topic: https://lists.openembedded.org/mt/110188786/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to