diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch new file mode 100644 index 0000000000..04d06ed6b6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch @@ -0,0 +1,95 @@ +From 695c6dfe7e85006b98c8b746f3fd5f913c94ebff Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 21 Jul 2022 09:56:15 +0930 +Subject: [PATCH] PR29370, infinite loop in display_debug_abbrev + +The PR29370 testcase is a fuzzed object file with multiple +.trace_abbrev sections. Multiple .trace_abbrev or .debug_abbrev +sections are not a violation of the DWARF standard. The DWARF5 +standard even gives an example of multiple .debug_abbrev sections +contained in groups. Caching and lookup of processed abbrevs thus +needs to be done by section and offset rather than base and offset. +(Why base anyway?) Or, since section contents are kept, by a pointer +into the contents. + + PR 29370 + * dwarf.c (struct abbrev_list): Replace abbrev_base and + abbrev_offset with raw field. + (find_abbrev_list_by_abbrev_offset): Delete. + (find_abbrev_list_by_raw_abbrev): New function. + (process_abbrev_set): Set list->raw and list->next. + (find_and_process_abbrev_set): Replace abbrev list lookup with + new function. Don't set list abbrev_base, abbrev_offset or next. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2fc352f74c5..99fb3566994 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -856,8 +856,7 @@ typedef struct abbrev_list + { + abbrev_entry * first_abbrev; + abbrev_entry * last_abbrev; +- dwarf_vma abbrev_base; +- dwarf_vma abbrev_offset; ++ unsigned char * raw; + struct abbrev_list * next; + unsigned char * start_of_next_abbrevs; + } +@@ -946,14 +945,12 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, +- dwarf_vma abbrev_offset) ++find_abbrev_list_by_raw_abbrev (unsigned char *raw) + { + abbrev_list * list; + + for (list = abbrev_lists; list != NULL; list = list->next) +- if (list->abbrev_base == abbrev_base +- && list->abbrev_offset == abbrev_offset) ++ if (list->raw == raw) + return list; + + return NULL; +@@ -1040,6 +1037,7 @@ process_abbrev_set (struct dwarf_section + abbrev_list *list = xmalloc (sizeof (*list)); + list->first_abbrev = NULL; + list->last_abbrev = NULL; ++ list->raw = start; + + while (start < end) + { +@@ -1055,6 +1053,7 @@ process_abbrev_set (struct dwarf_section + the caller. */ + if (start == end || entry == 0) + { ++ list->next = NULL; + list->start_of_next_abbrevs = start != end ? start : NULL; + return list; + } +@@ -1144,16 +1143,10 @@ find_and_process_abbrev_set (struct dwar + unsigned char *end = section->start + abbrev_base + abbrev_size; + abbrev_list *list = NULL; + if (free_list) +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ list = find_abbrev_list_by_raw_abbrev (start); + if (list == NULL) + { + list = process_abbrev_set (section, start, end); +- if (list) +- { +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- list->next = NULL; +- } + if (free_list) + *free_list = list; + } |