Openembedded Core Discussions
* [mickledore][PATCH] binutils: Fix CVE-2023-39128
@ 2023-09-08 12:41 Sanjana
From: Sanjana @ 2023-09-08 12:41 UTC (permalink / raw)
  To: openembedded-core
  Cc: rwmacleod, umesh.kalappa0, pgowda.cve, shivams, sundeep.kokkonda,
	Sanjana

Avoid buffer overflow in ada_decode.

Signed-off-by: Sanjana <sanjanasanju1608@gmail.com>
---
 .../binutils/binutils-2.40.inc                |  1 +
 .../binutils/0017-CVE-2023-39128.patch        | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.40.inc b/meta/recipes-devtools/binutils/binutils-2.40.inc
index 33e7f4198d..424cfc48fc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.40.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.40.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
      file://0015-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
      file://0016-CVE-2023-25586.patch \
      file://0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch \
+     file://0017-CVE-2023-39128.patch \
 "
 S  = "${WORKDIR}/git"
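Review bot: this hunk adds a patch that only touches gdb/ada-lang.c to the binutils recipe, so whether it fixes anything depends on gdb/ada-lang.c actually being compiled by this recipe; the follow-up in this thread states that gdb is disabled in the binutils configuration and that the shipped gdb comes from a separate gdb package, in which case the new `file://0017-CVE-2023-39128.patch` entry is inert here and the fix needs to be carried in the gdb recipe instead (with the binutils side recorded as not affected rather than patched).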
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch
new file mode 100644
index 0000000000..cd81a52b15
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch
@@ -0,0 +1,74 @@
+From: Tom Tromey <tromey@adacore.com>
+Date: Wed, 16 Aug 2023 17:29:19 +0000 (-0600)
+Subject: Avoid buffer overflow in ada_decode
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d
+
+Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed.  ada_decode had a logic error when the input was
+all digits.  While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check.  Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz <keiths@redhat.com>
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]    
+
+CVE: CVE-2023-39128    
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 4a9a6e0f38f..2f934b1e79a 100644
+--- a/gdb/ada-lang.c
++++ b/gdb/ada-lang.c
+@@ -57,6 +57,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include <algorithm>
+ #include "ada-exp.h"
+ #include "charset.h"
+@@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators)
+ 	i -= 1;
+       if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ 	len0 = i - 1;
+-      else if (encoded[i] == '$')
++      else if (i >= 0 && encoded[i] == '$')
+ 	len0 = i;
+     }
+ 
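Review bot: the added `i >= 0 &&` guard is correct only because `i` is a signed type that the preceding `i -= 1` loop is allowed to drive to -1 when the whole input is digits; the `_`/`__` branch just above it is already safe through its `i > 1` test, so the `$` branch was the single unguarded `encoded[i]` read. Worth a one-line comment next to the new test so that a later change of `i` to an unsigned type does not silently turn the guard into a no-op.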
+@@ -1574,6 +1575,18 @@ Suppress:
+   return decoded;
+ }
+ 
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++  /* This isn't valid, but used to cause a crash.  PR gdb/30639.  The
++     result does not really matter very much.  */
++  SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names.  Once
+    allocated, names in this table are never released.  While this is a
+    storage leak, it should not be significant unless there are massive
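Review bot: the new self-test only exercises the all-digits input and, as its own comment says, the decoded result is not what matters; the out-of-bounds read it guards against is a one-byte read before the buffer, so in a plain build this check passes both with and without the fix and the regression is only caught under a sanitizer (the upstream message says it was tested in an asan build). Also note that this block and the registration below are compiled only when gdb is configured with `GDB_SELF_TEST`, so for the OE build the effective part of the backport is the one-line guard in the previous hunk; the self-test hunks are harmless to carry but can be dropped if they ever conflict on rebase.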
+@@ -13984,4 +13997,8 @@ DWARF attribute."),
+   gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang");
+   gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang");
+   gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang");
++
++#ifdef GDB_SELF_TEST
++  selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
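Review bot: the `Upstream-Status:` and `CVE:` header lines of the new patch file carry trailing whitespace; please strip it before merging, since it shows up as whitespace errors on apply and in `git diff --check`. The `Upstream-Status: Backport [<url>]` form itself is fine and matches the `X-Git-Url` of the upstream commit.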
-- 
2.34.1
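To make the bug the commit message describes concrete, here is an added example that is not gdb's code and not part of this patch: a simplified mirror of the suffix-stripping index walk visible in the ada-lang.c hunk, written in plain C with the patched `i >= 0` guard in place. The function name `strip_numeric_suffix`, the `guard_fired` flag and the sample inputs are constructed for this illustration; only the shape of the loop and of the two `if`/`else if` tests is taken from the hunk.

```c
/*
 * Added example (not gdb's code): a simplified mirror of the trailing
 * "__<digits>" / "$<digits>" stripping in ada_decode, with the bounds
 * check from the CVE-2023-39128 fix.  Names here are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Returns the length of ENCODED after removing a trailing "__<digits>" or
 * "$<digits>" suffix, or the full length if there is none.
 *
 * If GUARD_FIRED is non-NULL it is set to 1 when the backward scan consumed
 * the whole string (all-digits input such as "44").  That is exactly the
 * case where the unpatched `else if (encoded[i] == '$')` evaluated
 * encoded[-1]; with the `i >= 0 &&` guard the read no longer happens.
 */
static size_t strip_numeric_suffix(const char *encoded, int *guard_fired)
{
    size_t len0 = strlen(encoded);
    if (guard_fired)
        *guard_fired = 0;

    /* Only a string that ends in a digit can carry such a suffix. */
    if (len0 > 1 && isdigit((unsigned char)encoded[len0 - 1])) {
        /* i must be signed: the loop below legitimately steps to -1. */
        int i = (int)len0 - 2;
        while ((i >= 0 && isdigit((unsigned char)encoded[i]))
               || (i >= 1 && encoded[i] == '_'
                   && isdigit((unsigned char)encoded[i - 1])))
            i -= 1;

        if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') {
            len0 = (size_t)i - 1;       /* drop "__<digits>" */
        } else if (i >= 0 && encoded[i] == '$') {
            len0 = (size_t)i;           /* drop "$<digits>" */
        } else if (i < 0 && guard_fired) {
            *guard_fired = 1;           /* guard stopped an out-of-bounds read */
        }
    }
    return len0;
}

/* Convenience wrapper: 1 if the guard fired for S, 0 otherwise. */
static int guard_fires(const char *s)
{
    int fired;
    (void)strip_numeric_suffix(s, &fired);
    return fired;
}

int main(void)
{
    /* Constructed sample inputs; "44" is the case from the upstream self-test. */
    const char *samples[] = { "foo__12", "foo$7", "44", "1_2", "4", "abc" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int fired;
        size_t keep = strip_numeric_suffix(samples[k], &fired);
        printf("%-8s -> keep %zu byte(s)%s\n", samples[k], keep,
               fired ? "  (bounds guard fired)" : "");
    }
    return 0;
}
```

Running it shows that the two legitimate suffix forms are stripped as before, while the all-digit inputs leave the string untouched and report that the guard engaged; without the `i >= 0` test the same inputs would index one byte before the start of the buffer, which a plain build does not report and a sanitizer build does.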


* Re: [mickledore][PATCH] binutils: Fix CVE-2023-39128
From: Siddharth @ 2023-09-11  7:25 UTC (permalink / raw)
  To: openembedded-core

Hi Sanjana,

Thank you for this patch.

But I feel this is not the right way to patch this vulnerability. No doubt the patch is released for binutils-gdb, but that is because the sources are merged.

However, in our systems, the command gdb comes from the gdb package and not from binutils-gdb.

Additional confirmation can also be obtained from the binutils configuration, where we are disabling gdb from binutils.

So even after patching, the vulnerability will exist, as it is not patched in gdb, and where it is patched, gdb is disabled.
