diff options
Diffstat (limited to 'meta/recipes-devtools/binutils')
31 files changed, 5744 insertions, 4 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 0a4a0d7bc1..4a8831b534 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_38-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "dc2474e7d204c124ab5a21b4490aa46eb7e1d4c3" +SRCREV ?= "ea5fe5d01e5a182ee7a0eddb54a702109a9f5931" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=git" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -34,7 +34,7 @@ SRC_URI = "\ file://0013-Avoid-as-info-race-condition.patch \ file://0014-CVE-2019-1010204.patch \ file://0015-CVE-2022-38533.patch \ - file://0016-CVE-2022-38126.patch \ + file://0016-CVE-2022-35205.patch \ file://0017-CVE-2022-38127-1.patch \ file://0017-CVE-2022-38127-2.patch \ file://0017-CVE-2022-38127-3.patch \ @@ -43,5 +43,33 @@ SRC_URI = "\ file://0018-CVE-2022-38128-2.patch \ file://0018-CVE-2022-38128-3.patch \ file://0019-CVE-2022-4285.patch \ + file://0020-CVE-2023-22608-1.patch \ + file://0020-CVE-2023-22608-2.patch \ + file://0020-CVE-2023-22608-3.patch \ + file://0021-CVE-2023-1579-1.patch \ + file://0021-CVE-2023-1579-2.patch \ + file://0021-CVE-2023-1579-3.patch \ + file://0021-CVE-2023-1579-4.patch \ + file://0022-CVE-2023-25584-1.patch \ + file://0022-CVE-2023-25584-2.patch \ + file://0022-CVE-2023-25584-3.patch \ + file://0023-CVE-2023-25585.patch \ + file://0026-CVE-2023-1972.patch \ + file://0025-CVE-2023-25588.patch \ + file://0027-CVE-2022-47008.patch \ + file://0028-CVE-2022-47011.patch \ + file://0029-CVE-2022-48065-1.patch \ + file://0029-CVE-2022-48065-2.patch \ + file://0029-CVE-2022-48065-3.patch \ + file://0030-CVE-2022-44840.patch \ + file://0031-CVE-2022-45703-1.patch \ + file://0031-CVE-2022-45703-2.patch \ + file://0031-CVE-2022-47695.patch \ + file://CVE-2022-48063.patch \ + file://0032-CVE-2022-47010.patch \ + file://0033-CVE-2022-47007.patch \ + file://0034-CVE-2022-48064.patch \ + file://0035-CVE-2023-39129.patch \ + file://0036-CVE-2023-39130.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch b/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch index 59a97c13c7..8a5f4a8d79 100644 --- a/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch +++ b/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch @@ -65,7 +65,7 @@ index 121c25d948f..34cbc60e5e9 100644 info.path = NULL; info.len = info.alloc = 0; - tmppath = concat (ld_sysroot, prefix, "/etc/ld.so.conf", -+ tmppath = concat (ld_sysconfdir, "/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", (const char *) NULL); if (!ldelf_parse_ld_so_conf (&info, tmppath)) { diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch index 8200e28a81..a582df4466 100644 --- a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch @@ -9,8 +9,9 @@ Subject: [PATCH] Replace a run-time assertion failure with a warning message message. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3e5ae049371a27fd1737aba946fe26d06e029b5] - +CVE: CVE-2022-35205 Signed-off-by: Pgowda <pgowda.cve@gmail.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- binutils/dwarf.c | 7 ++++++- diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch new file mode 100644 index 0000000000..18d4ac5f9d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch @@ -0,0 +1,506 @@ +From 116aac1447ee92df25599859293752648e3c6ea0 Mon Sep 17 00:00:00 2001 +From: "Steinar H. Gunderson" <sesse@google.com> +Date: Fri, 20 May 2022 16:10:34 +0200 +Subject: [PATCH] add a trie to map quickly from address range to compilation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + unit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When using perf to profile large binaries, _bfd_dwarf2_find_nearest_line() +becomes a hotspot, as perf wants to get line number information +(for inline-detection purposes) for each and every sample. In Chromium +in particular (the content_shell binary), this entails going through +475k address ranges, which takes a long time when done repeatedly. + +Add a radix-256 trie over the address space to quickly map address to +compilation unit spaces; for content_shell, which is 1.6 GB when some +(but not full) debug information turned is on, we go from 6 ms to +0.006 ms (6 µs) for each lookup from address to compilation unit, a 1000x +speedup. + +There is a modest RAM increase of 180 MB in this binary (the existing +linked list over ranges uses about 10 MB, and the entire perf job uses +between 2-3 GB for a medium-size profile); for smaller binaries with few +ranges, there should be hardly any extra RAM usage at all. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=b43771b045fb5616da3964f2994eefbe8ae70d32] + +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 312 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index fdf071c3..0ae50a37 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -82,6 +82,77 @@ struct adjusted_section + bfd_vma adj_vma; + }; + ++/* A trie to map quickly from address range to compilation unit. ++ ++ This is a fairly standard radix-256 trie, used to quickly locate which ++ compilation unit any given address belongs to. Given that each compilation ++ unit may register hundreds of very small and unaligned ranges (which may ++ potentially overlap, due to inlining and other concerns), and a large ++ program may end up containing hundreds of thousands of such ranges, we cannot ++ scan through them linearly without undue slowdown. ++ ++ We use a hybrid trie to avoid memory explosion: There are two types of trie ++ nodes, leaves and interior nodes. (Almost all nodes are leaves, so they ++ take up the bulk of the memory usage.) Leaves contain a simple array of ++ ranges (high/low address) and which compilation unit contains those ranges, ++ and when we get to a leaf, we scan through it linearly. Interior nodes ++ contain pointers to 256 other nodes, keyed by the next byte of the address. ++ So for a 64-bit address like 0x1234567abcd, we would start at the root and go ++ down child[0x00]->child[0x00]->child[0x01]->child[0x23]->child[0x45] etc., ++ until we hit a leaf. (Nodes are, in general, leaves until they exceed the ++ default allocation of 16 elements, at which point they are converted to ++ interior node if possible.) This gives us near-constant lookup times; ++ the only thing that can be costly is if there are lots of overlapping ranges ++ within a single 256-byte segment of the binary, in which case we have to ++ scan through them all to find the best match. ++ ++ For a binary with few ranges, we will in practice only have a single leaf ++ node at the root, containing a simple array. Thus, the scheme is efficient ++ for both small and large binaries. ++ */ ++ ++/* Experiments have shown 16 to be a memory-efficient default leaf size. ++ The only case where a leaf will hold more memory than this, is at the ++ bottomost level (covering 256 bytes in the binary), where we'll expand ++ the leaf to be able to hold more ranges if needed. ++ */ ++#define TRIE_LEAF_SIZE 16 ++ ++/* All trie_node pointers will really be trie_leaf or trie_interior, ++ but they have this common head. */ ++struct trie_node ++{ ++ /* If zero, we are an interior node. ++ Otherwise, how many ranges we have room for in this leaf. */ ++ unsigned int num_room_in_leaf; ++}; ++ ++struct trie_leaf ++{ ++ struct trie_node head; ++ unsigned int num_stored_in_leaf; ++ struct { ++ struct comp_unit *unit; ++ bfd_vma low_pc, high_pc; ++ } ranges[TRIE_LEAF_SIZE]; ++}; ++ ++struct trie_interior ++{ ++ struct trie_node head; ++ struct trie_node *children[256]; ++}; ++ ++static struct trie_node *alloc_trie_leaf (bfd *abfd) ++{ ++ struct trie_leaf *leaf = ++ bfd_zalloc (abfd, sizeof (struct trie_leaf)); ++ if (leaf == NULL) ++ return NULL; ++ leaf->head.num_room_in_leaf = TRIE_LEAF_SIZE; ++ return &leaf->head; ++} ++ + struct dwarf2_debug_file + { + /* The actual bfd from which debug info was loaded. Might be +@@ -139,6 +210,9 @@ struct dwarf2_debug_file + /* A list of all previously read comp_units. */ + struct comp_unit *all_comp_units; + ++ /* A list of all previously read comp_units with no ranges (yet). */ ++ struct comp_unit *all_comp_units_without_ranges; ++ + /* Last comp unit in list above. */ + struct comp_unit *last_comp_unit; + +@@ -147,6 +221,9 @@ struct dwarf2_debug_file + + /* Hash table to map offsets to decoded abbrevs. */ + htab_t abbrev_offsets; ++ ++ /* Root of a trie to map addresses to compilation units. */ ++ struct trie_node *trie_root; + }; + + struct dwarf2_debug +@@ -220,6 +297,11 @@ struct comp_unit + /* Chain the previously read compilation units. */ + struct comp_unit *next_unit; + ++ /* Chain the previously read compilation units that have no ranges yet. ++ We scan these separately when we have a trie over the ranges. ++ Unused if arange.high != 0. */ ++ struct comp_unit *next_unit_without_ranges; ++ + /* Likewise, chain the compilation unit read after this one. + The comp units are stored in reversed reading order. */ + struct comp_unit *prev_unit; +@@ -296,6 +378,10 @@ struct comp_unit + + /* TRUE if symbols are cached in hash table for faster lookup by name. */ + bool cached; ++ ++ /* Used when iterating over trie leaves to know which units we have ++ already seen in this iteration. */ ++ bool mark; + }; + + /* This data structure holds the information of an abbrev. */ +@@ -1766,9 +1852,189 @@ concat_filename (struct line_info_table *table, unsigned int file) + return strdup (filename); + } + ++/* Number of bits in a bfd_vma. */ ++#define VMA_BITS (8 * sizeof (bfd_vma)) ++ ++/* Check whether [low1, high1) can be combined with [low2, high2), ++ i.e., they touch or overlap. */ ++static bool ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) ++{ ++ if (low1 == low2 || high1 == high2) ++ return true; ++ ++ /* Sort so that low1 is below low2. */ ++ if (low1 > low2) ++ { ++ bfd_vma tmp; ++ ++ tmp = low1; ++ low1 = low2; ++ low2 = tmp; ++ ++ tmp = high1; ++ high1 = high2; ++ high2 = tmp; ++ } ++ ++ /* We touch iff low2 == high1. ++ We overlap iff low2 is within [low1, high1). */ ++ return (low2 <= high1); ++} ++ ++/* Insert an address range in the trie mapping addresses to compilation units. ++ Will return the new trie node (usually the same as is being sent in, but ++ in case of a leaf-to-interior conversion, or expansion of a leaf, it may be ++ different), or NULL on failure. ++ */ ++static struct trie_node *insert_arange_in_trie(bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) ++{ ++ bfd_vma clamped_low_pc, clamped_high_pc; ++ int ch, from_ch, to_ch; ++ bool is_full_leaf = false; ++ ++ /* See if we can extend any of the existing ranges. This merging ++ isn't perfect (if merging opens up the possibility of merging two existing ++ ranges, we won't find them), but it takes the majority of the cases. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (leaf->ranges[i].unit == unit && ++ ranges_overlap(low_pc, high_pc, ++ leaf->ranges[i].low_pc, leaf->ranges[i].high_pc)) ++ { ++ if (low_pc < leaf->ranges[i].low_pc) ++ leaf->ranges[i].low_pc = low_pc; ++ if (high_pc > leaf->ranges[i].high_pc) ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ } ++ ++ is_full_leaf = leaf->num_stored_in_leaf == trie->num_room_in_leaf; ++ } ++ ++ /* If we're a leaf with no more room and we're _not_ at the bottom, ++ convert to an interior node. */ ++ if (is_full_leaf && trie_pc_bits < VMA_BITS) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ trie = bfd_zalloc (abfd, sizeof (struct trie_interior)); ++ if (!trie) ++ return NULL; ++ is_full_leaf = false; ++ ++ /* TODO: If we wanted to save a little more memory at the cost of ++ complexity, we could have reused the old leaf node as one of the ++ children of the new interior node, instead of throwing it away. */ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (!insert_arange_in_trie (abfd, trie, trie_pc, trie_pc_bits, ++ leaf->ranges[i].unit, leaf->ranges[i].low_pc, ++ leaf->ranges[i].high_pc)) ++ return NULL; ++ } ++ } ++ ++ /* If we're a leaf with no more room and we _are_ at the bottom, ++ we have no choice but to just make it larger. */ ++ if (is_full_leaf) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int new_room_in_leaf = trie->num_room_in_leaf * 2; ++ struct trie_leaf *new_leaf; ++ ++ new_leaf = bfd_zalloc (abfd, ++ sizeof (struct trie_leaf) + ++ (new_room_in_leaf - TRIE_LEAF_SIZE) * sizeof (leaf->ranges[0])); ++ new_leaf->head.num_room_in_leaf = new_room_in_leaf; ++ new_leaf->num_stored_in_leaf = leaf->num_stored_in_leaf; ++ ++ memcpy (new_leaf->ranges, ++ leaf->ranges, ++ leaf->num_stored_in_leaf * sizeof (leaf->ranges[0])); ++ trie = &new_leaf->head; ++ is_full_leaf = false; ++ ++ /* Now the insert below will go through. */ ++ } ++ ++ /* If we're a leaf (now with room), we can just insert at the end. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ ++ unsigned int i = leaf->num_stored_in_leaf++; ++ leaf->ranges[i].unit = unit; ++ leaf->ranges[i].low_pc = low_pc; ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ ++ /* Now we are definitely an interior node, so recurse into all ++ the relevant buckets. */ ++ ++ /* Clamp the range to the current trie bucket. */ ++ clamped_low_pc = low_pc; ++ clamped_high_pc = high_pc; ++ if (trie_pc_bits > 0) ++ { ++ bfd_vma bucket_high_pc = ++ trie_pc + ((bfd_vma)-1 >> trie_pc_bits); /* Inclusive. */ ++ if (clamped_low_pc < trie_pc) ++ clamped_low_pc = trie_pc; ++ if (clamped_high_pc > bucket_high_pc) ++ clamped_high_pc = bucket_high_pc; ++ } ++ ++ /* Insert the ranges in all buckets that it spans. */ ++ from_ch = (clamped_low_pc >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ to_ch = ((clamped_high_pc - 1) >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ for (ch = from_ch; ch <= to_ch; ++ch) ++ { ++ struct trie_interior *interior = (struct trie_interior *) trie; ++ struct trie_node *child = interior->children[ch]; ++ ++ if (child == NULL) ++ { ++ child = alloc_trie_leaf (abfd); ++ if (!child) ++ return NULL; ++ } ++ child = insert_arange_in_trie (abfd, ++ child, ++ trie_pc + ((bfd_vma)ch << (VMA_BITS - trie_pc_bits - 8)), ++ trie_pc_bits + 8, ++ unit, ++ low_pc, ++ high_pc); ++ if (!child) ++ return NULL; ++ ++ interior->children[ch] = child; ++ } ++ ++ return trie; ++} ++ ++ + static bool +-arange_add (const struct comp_unit *unit, struct arange *first_arange, +- bfd_vma low_pc, bfd_vma high_pc) ++arange_add (struct comp_unit *unit, struct arange *first_arange, ++ struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) + { + struct arange *arange; + +@@ -1776,6 +2042,19 @@ arange_add (const struct comp_unit *unit, struct arange *first_arange, + if (low_pc == high_pc) + return true; + ++ if (trie_root != NULL) ++ { ++ *trie_root = insert_arange_in_trie (unit->file->bfd_ptr, ++ *trie_root, ++ 0, ++ 0, ++ unit, ++ low_pc, ++ high_pc); ++ if (*trie_root == NULL) ++ return false; ++ } ++ + /* If the first arange is empty, use it. */ + if (first_arange->high == 0) + { +@@ -2410,7 +2689,8 @@ decode_line_info (struct comp_unit *unit) + low_pc = address; + if (address > high_pc) + high_pc = address; +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto line_fail; + break; + case DW_LNE_set_address: +@@ -3134,7 +3414,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3169,7 +3449,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + base_address = high_pc; + else + { +- if (!arange_add (unit, arange, ++ if (!arange_add (unit, arange, trie_root, + base_address + low_pc, base_address + high_pc)) + return false; + } +@@ -3179,7 +3459,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3253,19 +3533,19 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + return false; + } + +- if (!arange_add (unit, arange, low_pc, high_pc)) ++ if (!arange_add (unit, arange, trie_root, low_pc, high_pc)) + return false; + } + } + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + if (unit->version <= 4) +- return read_ranges (unit, arange, offset); ++ return read_ranges (unit, arange, trie_root, offset); + else +- return read_rnglists (unit, arange, offset); ++ return read_rnglists (unit, arange, trie_root, offset); + } + + static struct funcinfo * +@@ -3563,7 +3843,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_ranges: + if (is_int_form (&attr) +- && !read_rangelist (unit, &func->arange, attr.u.val)) ++ && !read_rangelist (unit, &func->arange, ++ &unit->file->trie_root, attr.u.val)) + goto fail; + break; + +@@ -3679,7 +3960,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + if (func && high_pc != 0) + { +- if (!arange_add (unit, &func->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &func->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto fail; + } + } +@@ -3874,7 +4156,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + + case DW_AT_ranges: + if (is_int_form (&attr) +- && !read_rangelist (unit, &unit->arange, attr.u.val)) ++ && !read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr.u.val)) + return NULL; + break; + +@@ -3916,7 +4199,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + high_pc += low_pc; + if (high_pc != 0) + { +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + return NULL; + } + +@@ -4747,6 +5031,14 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + if (!stash->alt.abbrev_offsets) + return false; + ++ stash->f.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->f.trie_root) ++ return false; ++ ++ stash->alt.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->alt.trie_root) ++ return false; ++ + *pinfo = stash; + + if (debug_bfd == NULL) +@@ -4918,6 +5210,12 @@ stash_comp_unit (struct dwarf2_debug *stash, struct dwarf2_debug_file *file) + each->next_unit = file->all_comp_units; + file->all_comp_units = each; + ++ if (each->arange.high == 0) ++ { ++ each->next_unit_without_ranges = file->all_comp_units_without_ranges; ++ file->all_comp_units_without_ranges = each->next_unit_without_ranges; ++ } ++ + file->info_ptr += length; + return each; + } diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch new file mode 100644 index 0000000000..a58b8dccdc --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch @@ -0,0 +1,210 @@ +From 1e716c1b160d56c2ab8711e199cad5b4db47cedf Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 30 Aug 2022 16:01:20 +0100 +Subject: [PATCH] BFD library: Use entry 0 in directory and filename tables of + + DWARF-5 debug info. + + PR 29529 + * dwarf2.c (struct line_info_table): Add new field: + use_dir_and_file_0. + (concat_filename): Use new field to help select the correct table + slot. + (read_formatted_entries): Do not skip entry 0. + (decode_line_info): Set new field depending upon the version of + DWARF being parsed. Initialise filename based upon the setting of + the new field. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=37833b966576c5d25e797ea3b6c33d0459a71892] +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 86 ++++++++++++++++++++---------- + ld/testsuite/ld-x86-64/pr27587.err | 2 +- + 2 files changed, 59 insertions(+), 29 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0ae50a37..b7839ad6 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1571,6 +1571,7 @@ struct line_info_table + unsigned int num_files; + unsigned int num_dirs; + unsigned int num_sequences; ++ bool use_dir_and_file_0; + char * comp_dir; + char ** dirs; + struct fileinfo* files; +@@ -1791,16 +1792,30 @@ concat_filename (struct line_info_table *table, unsigned int file) + { + char *filename; + +- if (table == NULL || file - 1 >= table->num_files) ++ /* Pre DWARF-5 entry 0 in the directory and filename tables was not used. ++ So in order to save space in the tables used here the info for, eg ++ directory 1 is stored in slot 0 of the directory table, directory 2 ++ in slot 1 and so on. ++ ++ Starting with DWARF-5 the 0'th entry is used so there is a one to one ++ mapping between DWARF slots and internal table entries. */ ++ if (! table->use_dir_and_file_0) + { +- /* FILE == 0 means unknown. */ +- if (file) +- _bfd_error_handler +- (_("DWARF error: mangled line number section (bad file number)")); ++ /* Pre DWARF-5, FILE == 0 means unknown. */ ++ if (file == 0) ++ return strdup ("<unknown>"); ++ -- file; ++ } ++ ++ if (table == NULL || file >= table->num_files) ++ { ++ _bfd_error_handler ++ (_("DWARF error: mangled line number section (bad file number)")); + return strdup ("<unknown>"); + } + +- filename = table->files[file - 1].name; ++ filename = table->files[file].name; ++ + if (filename == NULL) + return strdup ("<unknown>"); + +@@ -1811,12 +1826,17 @@ concat_filename (struct line_info_table *table, unsigned int file) + char *name; + size_t len; + +- if (table->files[file - 1].dir ++ if (table->files[file].dir + /* PR 17512: file: 0317e960. */ +- && table->files[file - 1].dir <= table->num_dirs ++ && table->files[file].dir <= table->num_dirs + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) +- subdir_name = table->dirs[table->files[file - 1].dir - 1]; ++ { ++ if (table->use_dir_and_file_0) ++ subdir_name = table->dirs[table->files[file].dir]; ++ else ++ subdir_name = table->dirs[table->files[file].dir - 1]; ++ } + + if (!subdir_name || !IS_ABSOLUTE_PATH (subdir_name)) + dir_name = table->comp_dir; +@@ -1857,10 +1877,12 @@ concat_filename (struct line_info_table *table, unsigned int file) + + /* Check whether [low1, high1) can be combined with [low2, high2), + i.e., they touch or overlap. */ +-static bool ranges_overlap (bfd_vma low1, +- bfd_vma high1, +- bfd_vma low2, +- bfd_vma high2) ++ ++static bool ++ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) + { + if (low1 == low2 || high1 == high2) + return true; +@@ -1887,15 +1909,16 @@ static bool ranges_overlap (bfd_vma low1, + /* Insert an address range in the trie mapping addresses to compilation units. + Will return the new trie node (usually the same as is being sent in, but + in case of a leaf-to-interior conversion, or expansion of a leaf, it may be +- different), or NULL on failure. +- */ +-static struct trie_node *insert_arange_in_trie(bfd *abfd, +- struct trie_node *trie, +- bfd_vma trie_pc, +- unsigned int trie_pc_bits, +- struct comp_unit *unit, +- bfd_vma low_pc, +- bfd_vma high_pc) ++ different), or NULL on failure. */ ++ ++static struct trie_node * ++insert_arange_in_trie (bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) + { + bfd_vma clamped_low_pc, clamped_high_pc; + int ch, from_ch, to_ch; +@@ -2031,7 +2054,6 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, + return trie; + } + +- + static bool + arange_add (struct comp_unit *unit, struct arange *first_arange, + struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) +@@ -2412,10 +2434,8 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + } + } + +- /* Skip the first "zero entry", which is the compilation dir/file. */ +- if (datai != 0) +- if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) +- return false; ++ if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) ++ return false; + } + + *bufp = buf; +@@ -2592,6 +2612,7 @@ decode_line_info (struct comp_unit *unit) + if (!read_formatted_entries (unit, &line_ptr, line_end, table, + line_info_add_file_name)) + goto fail; ++ table->use_dir_and_file_0 = true; + } + else + { +@@ -2614,6 +2635,7 @@ decode_line_info (struct comp_unit *unit) + if (!line_info_add_file_name (table, cur_file, dir, xtime, size)) + goto fail; + } ++ table->use_dir_and_file_0 = false; + } + + /* Read the statement sequences until there's nothing left. */ +@@ -2622,7 +2644,7 @@ decode_line_info (struct comp_unit *unit) + /* State machine registers. */ + bfd_vma address = 0; + unsigned char op_index = 0; +- char * filename = table->num_files ? concat_filename (table, 1) : NULL; ++ char * filename = NULL; + unsigned int line = 1; + unsigned int column = 0; + unsigned int discriminator = 0; +@@ -2637,6 +2659,14 @@ decode_line_info (struct comp_unit *unit) + bfd_vma low_pc = (bfd_vma) -1; + bfd_vma high_pc = 0; + ++ if (table->num_files) ++ { ++ if (table->use_dir_and_file_0) ++ filename = concat_filename (table, 0); ++ else ++ filename = concat_filename (table, 1); ++ } ++ + /* Decode the table. */ + while (!end_sequence && line_ptr < line_end) + { +diff --git a/ld/testsuite/ld-x86-64/pr27587.err b/ld/testsuite/ld-x86-64/pr27587.err +index fa870790..807750ca 100644 +--- a/ld/testsuite/ld-x86-64/pr27587.err ++++ b/ld/testsuite/ld-x86-64/pr27587.err +@@ -1,3 +1,3 @@ + #... +-.*pr27587.i:4: undefined reference to `stack_size' ++.*pr27587/<artificial>:4: undefined reference to `stack_size' + #... diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch new file mode 100644 index 0000000000..a1b74248ce --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch @@ -0,0 +1,32 @@ +From 4b8386a90802ed8e43eac2266f6e03c92b4462ed Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 23 Dec 2022 13:02:04 +0000 +Subject: [PATCH] Fix illegal memory access parsing corrupt DWARF information. + + PR 29936 + * dwarf2.c (concat_filename): Fix check for a directory index off + the end of the directory table. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09] +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index b7839ad6..8b07a24c 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1828,7 +1828,8 @@ concat_filename (struct line_info_table *table, unsigned int file) + + if (table->files[file].dir + /* PR 17512: file: 0317e960. */ +- && table->files[file].dir <= table->num_dirs ++ && table->files[file].dir ++ <= (table->use_dir_and_file_0 ? table->num_dirs - 1 : table->num_dirs) + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) + { diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch new file mode 100644 index 0000000000..1e9c03e70e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch @@ -0,0 +1,459 @@ +From f67741e172bf342291fe3abd2b395899ce6433a0 Mon Sep 17 00:00:00 2001 +From: "Potharla, Rupesh" <Rupesh.Potharla@amd.com> +Date: Tue, 24 May 2022 00:01:49 +0000 +Subject: [PATCH] bfd: Add Support for DW_FORM_strx* and DW_FORM_addrx* + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f67741e172bf342291fe3abd2b395899ce6433a0] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 282 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 268 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index f6b0183720b..45e286754e4 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -189,6 +189,18 @@ struct dwarf2_debug_file + /* Length of the loaded .debug_str section. */ + bfd_size_type dwarf_str_size; + ++ /* Pointer to the .debug_str_offsets section loaded into memory. */ ++ bfd_byte *dwarf_str_offsets_buffer; ++ ++ /* Length of the loaded .debug_str_offsets section. */ ++ bfd_size_type dwarf_str_offsets_size; ++ ++ /* Pointer to the .debug_addr section loaded into memory. */ ++ bfd_byte *dwarf_addr_buffer; ++ ++ /* Length of the loaded .debug_addr section. */ ++ bfd_size_type dwarf_addr_size; ++ + /* Pointer to the .debug_line_str section loaded into memory. */ + bfd_byte *dwarf_line_str_buffer; + +@@ -382,6 +394,12 @@ struct comp_unit + /* Used when iterating over trie leaves to know which units we have + already seen in this iteration. */ + bool mark; ++ ++ /* Base address of debug_addr section. */ ++ size_t dwarf_addr_offset; ++ ++ /* Base address of string offset table. */ ++ size_t dwarf_str_offset; + }; + + /* This data structure holds the information of an abbrev. */ +@@ -424,6 +442,8 @@ const struct dwarf_debug_section dwarf_debug_sections[] = + { ".debug_static_vars", ".zdebug_static_vars" }, + { ".debug_str", ".zdebug_str", }, + { ".debug_str", ".zdebug_str", }, ++ { ".debug_str_offsets", ".zdebug_str_offsets", }, ++ { ".debug_addr", ".zdebug_addr", }, + { ".debug_line_str", ".zdebug_line_str", }, + { ".debug_types", ".zdebug_types" }, + /* GNU DWARF 1 extensions */ +@@ -458,6 +478,8 @@ enum dwarf_debug_section_enum + debug_static_vars, + debug_str, + debug_str_alt, ++ debug_str_offsets, ++ debug_addr, + debug_line_str, + debug_types, + debug_sfnames, +@@ -1307,12 +1329,92 @@ is_int_form (const struct attribute *attr) + } + } + ++/* Returns true if the form is strx[1-4]. */ ++ ++static inline bool ++is_strx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_strx ++ || form == DW_FORM_strx1 ++ || form == DW_FORM_strx2 ++ || form == DW_FORM_strx3 ++ || form == DW_FORM_strx4); ++} ++ ++/* Return true if the form is addrx[1-4]. */ ++ ++static inline bool ++is_addrx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_addrx ++ || form == DW_FORM_addrx1 ++ || form == DW_FORM_addrx2 ++ || form == DW_FORM_addrx3 ++ || form == DW_FORM_addrx4); ++} ++ ++/* Returns the address in .debug_addr section using DW_AT_addr_base. ++ Used to implement DW_FORM_addrx*. */ ++static bfd_vma ++read_indexed_address (bfd_uint64_t idx, ++ struct comp_unit *unit) ++{ ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ size_t addr_base = unit->dwarf_addr_offset; ++ bfd_byte *info_ptr; ++ ++ if (stash == NULL) ++ return 0; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_addr], ++ file->syms, 0, ++ &file->dwarf_addr_buffer, &file->dwarf_addr_size)) ++ return 0; ++ ++ info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size; ++ ++ if (unit->offset_size == 4) ++ return bfd_get_32 (unit->abfd, info_ptr); ++ else ++ return bfd_get_64 (unit->abfd, info_ptr); ++} ++ ++/* Returns the string using DW_AT_str_offsets_base. ++ Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx ATTRIBUTE_UNUSED, +- struct comp_unit * unit ATTRIBUTE_UNUSED) ++read_indexed_string (bfd_uint64_t idx, ++ struct comp_unit *unit) + { +- /* FIXME: Add support for indexed strings. */ +- return "<indexed strings not yet supported>"; ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ bfd_byte *info_ptr; ++ unsigned long str_offset; ++ ++ if (stash == NULL) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str], ++ file->syms, 0, ++ &file->dwarf_str_buffer, &file->dwarf_str_size)) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str_offsets], ++ file->syms, 0, ++ &file->dwarf_str_offsets_buffer, ++ &file->dwarf_str_offsets_size)) ++ return NULL; ++ ++ info_ptr = (file->dwarf_str_offsets_buffer ++ + unit->dwarf_str_offset ++ + idx * unit->offset_size); ++ ++ if (unit->offset_size == 4) ++ str_offset = bfd_get_32 (unit->abfd, info_ptr); ++ else ++ str_offset = bfd_get_64 (unit->abfd, info_ptr); ++ ++ return (const char *) file->dwarf_str_buffer + str_offset; + } + + /* Read and fill in the value of attribute ATTR as described by FORM. +@@ -1381,21 +1483,37 @@ read_attribute_value (struct attribute * attr, + case DW_FORM_ref1: + case DW_FORM_flag: + case DW_FORM_data1: ++ attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ /* dwarf_addr_offset value 0 indicates the attribute DW_AT_addr_base ++ is not yet read. */ ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data2: +- case DW_FORM_addrx2: + case DW_FORM_ref2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); + break; ++ case DW_FORM_addrx2: ++ attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ break; + case DW_FORM_addrx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address(attr->u.val, unit); + break; + case DW_FORM_ref4: + case DW_FORM_data4: ++ attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data8: + case DW_FORM_ref8: +@@ -1416,24 +1534,31 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_strx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ /* dwarf_str_offset value 0 indicates the attribute DW_AT_str_offsets_base ++ is not yet read. */ ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_exprloc: + case DW_FORM_block: +@@ -1455,9 +1580,14 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_ref_udata: + case DW_FORM_udata: ++ attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, ++ false, info_ptr_end); ++ break; + case DW_FORM_addrx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_indirect: + form = _bfd_safe_read_leb128 (abfd, &info_ptr, +@@ -2396,6 +2526,11 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + { + case DW_FORM_string: + case DW_FORM_line_strp: ++ case DW_FORM_strx: ++ case DW_FORM_strx1: ++ case DW_FORM_strx2: ++ case DW_FORM_strx3: ++ case DW_FORM_strx4: + *stringp = attr.u.str; + break; + +@@ -4031,6 +4166,80 @@ scan_unit_for_symbols (struct comp_unit *unit) + return false; + } + ++/* Read the attributes of the form strx and addrx. */ ++ ++static void ++reread_attribute (struct comp_unit *unit, ++ struct attribute *attr, ++ bfd_vma *low_pc, ++ bfd_vma *high_pc, ++ bool *high_pc_relative, ++ bool compunit) ++{ ++ if (is_strx_form (attr->form)) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (is_addrx_form (attr->form)) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ ++ switch (attr->name) ++ { ++ case DW_AT_stmt_list: ++ unit->stmtlist = 1; ++ unit->line_offset = attr->u.val; ++ break; ++ ++ case DW_AT_name: ++ if (is_str_form (attr)) ++ unit->name = attr->u.str; ++ break; ++ ++ case DW_AT_low_pc: ++ *low_pc = attr->u.val; ++ if (compunit) ++ unit->base_address = *low_pc; ++ break; ++ ++ case DW_AT_high_pc: ++ *high_pc = attr->u.val; ++ *high_pc_relative = attr->form != DW_FORM_addr; ++ break; ++ ++ case DW_AT_ranges: ++ if (!read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr->u.val)) ++ return; ++ break; ++ ++ case DW_AT_comp_dir: ++ { ++ char *comp_dir = attr->u.str; ++ ++ if (!is_str_form (attr)) ++ { ++ _bfd_error_handler ++ (_("DWARF error: DW_AT_comp_dir attribute encountered " ++ "with a non-string form")); ++ comp_dir = NULL; ++ } ++ ++ if (comp_dir) ++ { ++ char *cp = strchr (comp_dir, ':'); ++ ++ if (cp && cp != comp_dir && cp[-1] == '.' && cp[1] == '/') ++ comp_dir = cp + 1; ++ } ++ unit->comp_dir = comp_dir; ++ break; ++ } ++ ++ case DW_AT_language: ++ unit->lang = attr->u.val; ++ default: ++ break; ++ } ++} ++ + /* Parse a DWARF2 compilation unit starting at INFO_PTR. UNIT_LENGTH + includes the compilation unit header that proceeds the DIE's, but + does not include the length field that precedes each compilation +@@ -4064,6 +4273,10 @@ parse_comp_unit (struct dwarf2_debug *stash, + bfd *abfd = file->bfd_ptr; + bool high_pc_relative = false; + enum dwarf_unit_type unit_type; ++ struct attribute *str_addrp = NULL; ++ size_t str_count = 0; ++ size_t str_alloc = 0; ++ bool compunit_flag = false; + + version = read_2_bytes (abfd, &info_ptr, end_ptr); + if (version < 2 || version > 5) +@@ -4168,11 +4381,33 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->file = file; + unit->info_ptr_unit = info_ptr_unit; + ++ if (abbrev->tag == DW_TAG_compile_unit) ++ compunit_flag = true; ++ + for (i = 0; i < abbrev->num_attrs; ++i) + { + info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, end_ptr); + if (info_ptr == NULL) +- return NULL; ++ goto err_exit; ++ ++ /* Identify attributes of the form strx* and addrx* which come before ++ DW_AT_str_offsets_base and DW_AT_addr_base respectively in the CU. ++ Store the attributes in an array and process them later. */ ++ if ((unit->dwarf_str_offset == 0 && is_strx_form (attr.form)) ++ || (unit->dwarf_addr_offset == 0 && is_addrx_form (attr.form))) ++ { ++ if (str_count <= str_alloc) ++ { ++ str_alloc = 2 * str_alloc + 200; ++ str_addrp = bfd_realloc (str_addrp, ++ str_alloc * sizeof (*str_addrp)); ++ if (str_addrp == NULL) ++ goto err_exit; ++ } ++ str_addrp[str_count] = attr; ++ str_count++; ++ continue; ++ } + + /* Store the data if it is of an attribute we want to keep in a + partial symbol table. */ +@@ -4198,7 +4433,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + /* If the compilation unit DIE has a DW_AT_low_pc attribute, + this is the base address to use when reading location + lists or range lists. */ +- if (abbrev->tag == DW_TAG_compile_unit) ++ if (compunit_flag) + unit->base_address = low_pc; + } + break; +@@ -4215,7 +4450,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + if (is_int_form (&attr) + && !read_rangelist (unit, &unit->arange, + &unit->file->trie_root, attr.u.val)) +- return NULL; ++ goto err_exit; + break; + + case DW_AT_comp_dir: +@@ -4248,21 +4483,40 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->lang = attr.u.val; + break; + ++ case DW_AT_addr_base: ++ unit->dwarf_addr_offset = attr.u.val; ++ break; ++ ++ case DW_AT_str_offsets_base: ++ unit->dwarf_str_offset = attr.u.val; ++ break; ++ + default: + break; + } + } ++ ++ for (i = 0; i < str_count; ++i) ++ reread_attribute (unit, &str_addrp[i], &low_pc, &high_pc, ++ &high_pc_relative, compunit_flag); ++ + if (high_pc_relative) + high_pc += low_pc; + if (high_pc != 0) + { + if (!arange_add (unit, &unit->arange, &unit->file->trie_root, + low_pc, high_pc)) +- return NULL; ++ goto err_exit; + } + + unit->first_child_die_ptr = info_ptr; ++ ++ free (str_addrp); + return unit; ++ ++ err_exit: ++ free (str_addrp); ++ return NULL; + } + + /* Return TRUE if UNIT may contain the address given by ADDR. When +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch new file mode 100644 index 0000000000..be698ef5c1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch @@ -0,0 +1,2127 @@ +From 0e3c1eebb22e0ade28b619fb41f42d66ed6fb145 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 27 May 2022 12:37:21 +0930 +Subject: [PATCH] Remove use of bfd_uint64_t and similar + +Requiring C99 means that uses of bfd_uint64_t can be replaced with +uint64_t, and similarly for bfd_int64_t, BFD_HOST_U_64_BIT, and +BFD_HOST_64_BIT. This patch does that, removes #ifdef BFD_HOST_* +and tidies a few places that print 64-bit values. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=0e3c1eebb22e0ade28b619fb41f42d66ed6fb145] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/aix386-core.c | 6 +-- + bfd/bfd-in.h | 24 ++++++------ + bfd/bfd-in2.h | 36 +++++++++--------- + bfd/coff-rs6000.c | 10 +---- + bfd/coff-x86_64.c | 2 +- + bfd/cpu-ia64-opc.c | 22 +++++------ + bfd/dwarf2.c | 83 ++++++++++++++++++++--------------------- + bfd/elf32-score.c | 16 ++++---- + bfd/elf64-ia64-vms.c | 8 ++-- + bfd/elflink.c | 16 +------- + bfd/elfxx-ia64.c | 6 +-- + bfd/hppabsd-core.c | 6 +-- + bfd/hpux-core.c | 6 +-- + bfd/irix-core.c | 6 +-- + bfd/libbfd.c | 65 +++++++++----------------------- + bfd/mach-o.c | 2 +- + bfd/mach-o.h | 8 ++-- + bfd/netbsd-core.c | 6 +-- + bfd/osf-core.c | 6 +-- + bfd/ptrace-core.c | 6 +-- + bfd/sco5-core.c | 6 +-- + bfd/targets.c | 12 +++--- + bfd/trad-core.c | 6 +-- + bfd/vms-alpha.c | 2 +- + binutils/nm.c | 49 +++--------------------- + binutils/od-macho.c | 50 ++++++++----------------- + binutils/prdbg.c | 39 +++---------------- + binutils/readelf.c | 21 +++++------ + gas/config/tc-arm.c | 28 ++++---------- + gas/config/tc-csky.c | 10 ++--- + gas/config/tc-sparc.c | 35 +++++++++-------- + gas/config/tc-tilegx.c | 20 +++++----- + gas/config/tc-tilepro.c | 20 +++++----- + gas/config/tc-z80.c | 8 ++-- + gas/config/te-vms.c | 2 +- + gas/config/te-vms.h | 2 +- + gdb/findcmd.c | 2 +- + gdb/tilegx-tdep.c | 2 +- + gprof/gmon_io.c | 44 ++++++---------------- + include/elf/nfp.h | 2 +- + include/opcode/csky.h | 62 +++++++++++++++--------------- + include/opcode/ia64.h | 2 +- + opcodes/csky-dis.c | 2 +- + opcodes/csky-opc.h | 4 +- + opcodes/ia64-dis.c | 2 +- + 45 files changed, 297 insertions(+), 475 deletions(-) + +diff --git a/bfd/aix386-core.c b/bfd/aix386-core.c +index 3443e49ed46..977a6bd1fb4 100644 +--- a/bfd/aix386-core.c ++++ b/bfd/aix386-core.c +@@ -220,9 +220,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_aix386_vec = + { +diff --git a/bfd/bfd-in.h b/bfd/bfd-in.h +index a1c4bf139fc..09c5728e944 100644 +--- a/bfd/bfd-in.h ++++ b/bfd/bfd-in.h +@@ -116,10 +116,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -447,10 +447,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. */ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -459,8 +459,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -470,8 +470,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h +index 50e26fc691d..d50885e76cf 100644 +--- a/bfd/bfd-in2.h ++++ b/bfd/bfd-in2.h +@@ -123,10 +123,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -454,10 +454,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. */ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -466,8 +466,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -477,8 +477,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +@@ -7416,9 +7416,9 @@ typedef struct bfd_target + /* Entries for byte swapping for data. These are different from the + other entry points, since they don't take a BFD as the first argument. + Certain other handlers could do the same. */ +- bfd_uint64_t (*bfd_getx64) (const void *); +- bfd_int64_t (*bfd_getx_signed_64) (const void *); +- void (*bfd_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_getx64) (const void *); ++ int64_t (*bfd_getx_signed_64) (const void *); ++ void (*bfd_putx64) (uint64_t, void *); + bfd_vma (*bfd_getx32) (const void *); + bfd_signed_vma (*bfd_getx_signed_32) (const void *); + void (*bfd_putx32) (bfd_vma, void *); +@@ -7427,9 +7427,9 @@ typedef struct bfd_target + void (*bfd_putx16) (bfd_vma, void *); + + /* Byte swapping for the headers. */ +- bfd_uint64_t (*bfd_h_getx64) (const void *); +- bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +- void (*bfd_h_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_h_getx64) (const void *); ++ int64_t (*bfd_h_getx_signed_64) (const void *); ++ void (*bfd_h_putx64) (uint64_t, void *); + bfd_vma (*bfd_h_getx32) (const void *); + bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 8819187ab42..48ce5c0516b 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -1890,18 +1890,12 @@ xcoff_write_armap_old (bfd *abfd, unsigned int elength ATTRIBUTE_UNUSED, + } + + static char buff20[XCOFFARMAGBIG_ELEMENT_SIZE + 1]; +-#if BFD_HOST_64BIT_LONG +-#define FMT20 "%-20ld" +-#elif defined (__MSVCRT__) +-#define FMT20 "%-20I64d" +-#else +-#define FMT20 "%-20lld" +-#endif ++#define FMT20 "%-20" PRId64 + #define FMT12 "%-12d" + #define FMT12_OCTAL "%-12o" + #define FMT4 "%-4d" + #define PRINT20(d, v) \ +- sprintf (buff20, FMT20, (bfd_uint64_t)(v)), \ ++ sprintf (buff20, FMT20, (uint64_t) (v)), \ + memcpy ((void *) (d), buff20, 20) + + #define PRINT12(d, v) \ +diff --git a/bfd/coff-x86_64.c b/bfd/coff-x86_64.c +index e8e16d3ce4b..cf339c93215 100644 +--- a/bfd/coff-x86_64.c ++++ b/bfd/coff-x86_64.c +@@ -201,7 +201,7 @@ coff_amd64_reloc (bfd *abfd, + + case 4: + { +- bfd_uint64_t x = bfd_get_64 (abfd, addr); ++ uint64_t x = bfd_get_64 (abfd, addr); + DOIT (x); + bfd_put_64 (abfd, x, addr); + } +diff --git a/bfd/cpu-ia64-opc.c b/bfd/cpu-ia64-opc.c +index e2b5c2694b6..01e3c3f476a 100644 +--- a/bfd/cpu-ia64-opc.c ++++ b/bfd/cpu-ia64-opc.c +@@ -99,14 +99,14 @@ ins_immu (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_immu (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_U_64_BIT value = 0; ++ uint64_t value = 0; + int i, bits = 0, total = 0; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + value |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + *valuep = value; +@@ -161,7 +161,7 @@ static const char* + ins_imms_scaled (const struct ia64_operand *self, ia64_insn value, + ia64_insn *code, int scale) + { +- BFD_HOST_64_BIT svalue = value, sign_bit = 0; ++ int64_t svalue = value, sign_bit = 0; + ia64_insn new_insn = 0; + int i; + +@@ -186,17 +186,17 @@ ext_imms_scaled (const struct ia64_operand *self, ia64_insn code, + ia64_insn *valuep, int scale) + { + int i, bits = 0, total = 0; +- BFD_HOST_U_64_BIT val = 0, sign; ++ uint64_t val = 0, sign; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + val |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + /* sign extend: */ +- sign = (BFD_HOST_U_64_BIT) 1 << (total - 1); ++ sign = (uint64_t) 1 << (total - 1); + val = (val ^ sign) - sign; + + *valuep = val << scale; +@@ -312,7 +312,7 @@ static const char* + ins_cnt (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { + --value; +- if (value >= ((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) ++ if (value >= (uint64_t) 1 << self->field[0].bits) + return "count out of range"; + + *code |= value << self->field[0].shift; +@@ -323,7 +323,7 @@ static const char* + ext_cnt (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { + *valuep = ((code >> self->field[0].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) - 1)) + 1; ++ & (((uint64_t) 1 << self->field[0].bits) - 1)) + 1; + return 0; + } + +@@ -421,8 +421,8 @@ ext_strd5b (const struct ia64_operand *self, ia64_insn code, + static const char* + ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { +- BFD_HOST_64_BIT val = value; +- BFD_HOST_U_64_BIT sign = 0; ++ int64_t val = value; ++ uint64_t sign = 0; + + if (val < 0) + { +@@ -444,7 +444,7 @@ ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_inc3 (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_64_BIT val; ++ int64_t val; + int negate; + + val = (code >> self->field[0].shift) & 0x7; +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 45e286754e4..6a728fc38b0 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -63,8 +63,8 @@ struct attribute + { + char *str; + struct dwarf_block *blk; +- bfd_uint64_t val; +- bfd_int64_t sval; ++ uint64_t val; ++ int64_t sval; + } + u; + }; +@@ -632,12 +632,12 @@ lookup_info_hash_table (struct info_hash_table *hash_table, const char *key) + the located section does not contain at least OFFSET bytes. */ + + static bool +-read_section (bfd * abfd, ++read_section (bfd *abfd, + const struct dwarf_debug_section *sec, +- asymbol ** syms, +- bfd_uint64_t offset, +- bfd_byte ** section_buffer, +- bfd_size_type * section_size) ++ asymbol **syms, ++ uint64_t offset, ++ bfd_byte **section_buffer, ++ bfd_size_type *section_size) + { + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; +@@ -848,7 +848,7 @@ read_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -882,7 +882,7 @@ read_indirect_line_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -919,7 +919,7 @@ read_alt_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + char *str; + +@@ -975,8 +975,7 @@ read_alt_indirect_string (struct comp_unit *unit, + or NULL upon failure. */ + + static bfd_byte * +-read_alt_indirect_ref (struct comp_unit * unit, +- bfd_uint64_t offset) ++read_alt_indirect_ref (struct comp_unit *unit, uint64_t offset) + { + struct dwarf2_debug *stash = unit->stash; + +@@ -1012,7 +1011,7 @@ read_alt_indirect_ref (struct comp_unit * unit, + return stash->alt.dwarf_info_buffer + offset; + } + +-static bfd_uint64_t ++static uint64_t + read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end) + { + bfd_byte *buf = *ptr; +@@ -1131,7 +1130,7 @@ del_abbrev (void *p) + in a hash table. */ + + static struct abbrev_info** +-read_abbrevs (bfd *abfd, bfd_uint64_t offset, struct dwarf2_debug *stash, ++read_abbrevs (bfd *abfd, uint64_t offset, struct dwarf2_debug *stash, + struct dwarf2_debug_file *file) + { + struct abbrev_info **abbrevs; +@@ -1356,8 +1355,7 @@ is_addrx_form (enum dwarf_form form) + /* Returns the address in .debug_addr section using DW_AT_addr_base. + Used to implement DW_FORM_addrx*. */ + static bfd_vma +-read_indexed_address (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_address (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1383,8 +1381,7 @@ read_indexed_address (bfd_uint64_t idx, + /* Returns the string using DW_AT_str_offsets_base. + Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_string (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1717,39 +1714,39 @@ struct line_info_table + struct funcinfo + { + /* Pointer to previous function in list of all functions. */ +- struct funcinfo * prev_func; ++ struct funcinfo *prev_func; + /* Pointer to function one scope higher. */ +- struct funcinfo * caller_func; ++ struct funcinfo *caller_func; + /* Source location file name where caller_func inlines this func. */ +- char * caller_file; ++ char *caller_file; + /* Source location file name. */ +- char * file; ++ char *file; + /* Source location line number where caller_func inlines this func. */ +- int caller_line; ++ int caller_line; + /* Source location line number. */ +- int line; +- int tag; +- bool is_linkage; +- const char * name; +- struct arange arange; ++ int line; ++ int tag; ++ bool is_linkage; ++ const char *name; ++ struct arange arange; + /* Where the symbol is defined. */ +- asection * sec; ++ asection *sec; + /* The offset of the funcinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + }; + + struct lookup_funcinfo + { + /* Function information corresponding to this lookup table entry. */ +- struct funcinfo * funcinfo; ++ struct funcinfo *funcinfo; + + /* The lowest address for this specific function. */ +- bfd_vma low_addr; ++ bfd_vma low_addr; + + /* The highest address of this function before the lookup table is sorted. + The highest address of all prior functions after the lookup table is + sorted, which is used for binary search. */ +- bfd_vma high_addr; ++ bfd_vma high_addr; + /* Index of this function, used to ensure qsort is stable. */ + unsigned int idx; + }; +@@ -1759,7 +1756,7 @@ struct varinfo + /* Pointer to previous variable in list of all variables. */ + struct varinfo *prev_var; + /* The offset of the varinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + /* Source location file name. */ + char *file; + /* Source location line number. */ +@@ -3335,7 +3332,7 @@ find_abstract_instance (struct comp_unit *unit, + bfd_byte *info_ptr_end; + unsigned int abbrev_number, i; + struct abbrev_info *abbrev; +- bfd_uint64_t die_ref = attr_ptr->u.val; ++ uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; + const char *name = NULL; + +@@ -3549,7 +3546,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3594,7 +3591,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3675,7 +3672,7 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + if (unit->version <= 4) + return read_ranges (unit, arange, trie_root, offset); +@@ -3684,7 +3681,7 @@ read_rangelist (struct comp_unit *unit, struct arange *arange, + } + + static struct funcinfo * +-lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) ++lookup_func_by_offset (uint64_t offset, struct funcinfo * table) + { + for (; table != NULL; table = table->prev_func) + if (table->unit_offset == offset) +@@ -3693,7 +3690,7 @@ lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) + } + + static struct varinfo * +-lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table) ++lookup_var_by_offset (uint64_t offset, struct varinfo * table) + { + while (table) + { +@@ -3775,7 +3772,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + struct abbrev_info *abbrev; + struct funcinfo *func; + struct varinfo *var; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -3909,7 +3906,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + bfd_vma low_pc = 0; + bfd_vma high_pc = 0; + bool high_pc_relative = false; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -4259,7 +4256,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + { + struct comp_unit* unit; + unsigned int version; +- bfd_uint64_t abbrev_offset = 0; ++ uint64_t abbrev_offset = 0; + /* Initialize it just to avoid a GCC false warning. */ + unsigned int addr_size = -1; + struct abbrev_info** abbrevs; +diff --git a/bfd/elf32-score.c b/bfd/elf32-score.c +index c868707347c..5bc78d523ea 100644 +--- a/bfd/elf32-score.c ++++ b/bfd/elf32-score.c +@@ -230,14 +230,14 @@ static bfd_vma + score3_bfd_getl48 (const void *p) + { + const bfd_byte *addr = p; +- bfd_uint64_t v; +- +- v = (bfd_uint64_t) addr[4]; +- v |= (bfd_uint64_t) addr[5] << 8; +- v |= (bfd_uint64_t) addr[2] << 16; +- v |= (bfd_uint64_t) addr[3] << 24; +- v |= (bfd_uint64_t) addr[0] << 32; +- v |= (bfd_uint64_t) addr[1] << 40; ++ uint64_t v; ++ ++ v = (uint64_t) addr[4]; ++ v |= (uint64_t) addr[5] << 8; ++ v |= (uint64_t) addr[2] << 16; ++ v |= (uint64_t) addr[3] << 24; ++ v |= (uint64_t) addr[0] << 32; ++ v |= (uint64_t) addr[1] << 40; + return v; + } + +diff --git a/bfd/elf64-ia64-vms.c b/bfd/elf64-ia64-vms.c +index 59cc6b6fe85..4d8f98550a3 100644 +--- a/bfd/elf64-ia64-vms.c ++++ b/bfd/elf64-ia64-vms.c +@@ -179,7 +179,7 @@ struct elf64_ia64_vms_obj_tdata + struct elf_obj_tdata root; + + /* Ident for shared library. */ +- bfd_uint64_t ident; ++ uint64_t ident; + + /* Used only during link: offset in the .fixups section for this bfd. */ + bfd_vma fixups_off; +@@ -2791,7 +2791,7 @@ elf64_ia64_size_dynamic_sections (bfd *output_bfd ATTRIBUTE_UNUSED, + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_IDENT, 0)) + return false; + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_LINKTIME, +- (((bfd_uint64_t)time_hi) << 32) ++ ((uint64_t) time_hi << 32) + + time_lo)) + return false; + +@@ -4720,7 +4720,7 @@ elf64_vms_close_and_cleanup (bfd *abfd) + if ((isize & 7) != 0) + { + int ishort = 8 - (isize & 7); +- bfd_uint64_t pad = 0; ++ uint64_t pad = 0; + + bfd_seek (abfd, isize, SEEK_SET); + bfd_bwrite (&pad, ishort, abfd); +@@ -4853,7 +4853,7 @@ elf64_vms_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info) + bed->s->swap_dyn_in (abfd, extdyn, &dyn); + if (dyn.d_tag == DT_IA_64_VMS_IDENT) + { +- bfd_uint64_t tagv = dyn.d_un.d_val; ++ uint64_t tagv = dyn.d_un.d_val; + elf_ia64_vms_ident (abfd) = tagv; + break; + } +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 96eb36aa5bf..fc3a335c72d 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -6354,15 +6354,11 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + size_t best_size = 0; + unsigned long int i; + +- /* We have a problem here. The following code to optimize the table +- size requires an integer type with more the 32 bits. If +- BFD_HOST_U_64_BIT is set we know about such a type. */ +-#ifdef BFD_HOST_U_64_BIT + if (info->optimize) + { + size_t minsize; + size_t maxsize; +- BFD_HOST_U_64_BIT best_chlen = ~((BFD_HOST_U_64_BIT) 0); ++ uint64_t best_chlen = ~((uint64_t) 0); + bfd *dynobj = elf_hash_table (info)->dynobj; + size_t dynsymcount = elf_hash_table (info)->dynsymcount; + const struct elf_backend_data *bed = get_elf_backend_data (dynobj); +@@ -6399,7 +6395,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + for (i = minsize; i < maxsize; ++i) + { + /* Walk through the array of hashcodes and count the collisions. */ +- BFD_HOST_U_64_BIT max; ++ uint64_t max; + unsigned long int j; + unsigned long int fact; + +@@ -6464,11 +6460,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + free (counts); + } + else +-#endif /* defined (BFD_HOST_U_64_BIT) */ + { +- /* This is the fallback solution if no 64bit type is available or if we +- are not supposed to spend much time on optimizations. We select the +- bucket count using a fixed set of numbers. */ + for (i = 0; elf_buckets[i] != 0; i++) + { + best_size = elf_buckets[i]; +@@ -9354,7 +9346,6 @@ ext32b_r_offset (const void *p) + return aval; + } + +-#ifdef BFD_HOST_64_BIT + static bfd_vma + ext64l_r_offset (const void *p) + { +@@ -9398,7 +9389,6 @@ ext64b_r_offset (const void *p) + | (uint64_t) a->c[7]); + return aval; + } +-#endif + + /* When performing a relocatable link, the input relocations are + preserved. But, if they reference global symbols, the indices +@@ -9502,13 +9492,11 @@ elf_link_adjust_relocs (bfd *abfd, + } + else + { +-#ifdef BFD_HOST_64_BIT + if (abfd->xvec->header_byteorder == BFD_ENDIAN_LITTLE) + ext_r_off = ext64l_r_offset; + else if (abfd->xvec->header_byteorder == BFD_ENDIAN_BIG) + ext_r_off = ext64b_r_offset; + else +-#endif + abort (); + } + +diff --git a/bfd/elfxx-ia64.c b/bfd/elfxx-ia64.c +index c126adf6890..a108324ca39 100644 +--- a/bfd/elfxx-ia64.c ++++ b/bfd/elfxx-ia64.c +@@ -555,11 +555,7 @@ ia64_elf_install_value (bfd_byte *hit_addr, bfd_vma v, unsigned int r_type) + enum ia64_opnd opnd; + const char *err; + size_t size = 8; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val = (BFD_HOST_U_64_BIT) v; +-#else +- bfd_vma val = v; +-#endif ++ uint64_t val = v; + + opnd = IA64_OPND_NIL; + switch (r_type) +diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c +index acfa5f69a95..d87af955838 100644 +--- a/bfd/hppabsd-core.c ++++ b/bfd/hppabsd-core.c +@@ -213,9 +213,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hppabsd_vec = + { +diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c +index 4f03b84909a..654532c6bb9 100644 +--- a/bfd/hpux-core.c ++++ b/bfd/hpux-core.c +@@ -362,9 +362,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hpux_vec = + { +diff --git a/bfd/irix-core.c b/bfd/irix-core.c +index 694fe2e2e07..b12aef9ce8b 100644 +--- a/bfd/irix-core.c ++++ b/bfd/irix-core.c +@@ -275,9 +275,9 @@ swap_abort(void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_irix_vec = + { +diff --git a/bfd/libbfd.c b/bfd/libbfd.c +index 2781671ddba..d33f3416206 100644 +--- a/bfd/libbfd.c ++++ b/bfd/libbfd.c +@@ -617,7 +617,7 @@ DESCRIPTION + #define COERCE16(x) (((bfd_vma) (x) ^ 0x8000) - 0x8000) + #define COERCE32(x) (((bfd_vma) (x) ^ 0x80000000) - 0x80000000) + #define COERCE64(x) \ +- (((bfd_uint64_t) (x) ^ ((bfd_uint64_t) 1 << 63)) - ((bfd_uint64_t) 1 << 63)) ++ (((uint64_t) (x) ^ ((uint64_t) 1 << 63)) - ((uint64_t) 1 << 63)) + + bfd_vma + bfd_getb16 (const void *p) +@@ -757,12 +757,11 @@ bfd_getl_signed_32 (const void *p) + return COERCE32 (v); + } + +-bfd_uint64_t +-bfd_getb64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getb64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -774,18 +773,13 @@ bfd_getb64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_uint64_t +-bfd_getl64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getl64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -797,19 +791,13 @@ bfd_getl64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif +- + } + +-bfd_int64_t +-bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) ++int64_t ++bfd_getb_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -821,18 +809,13 @@ bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_int64_t +-bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) ++int64_t ++bfd_getl_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -844,10 +827,6 @@ bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + + void +@@ -871,9 +850,8 @@ bfd_putl32 (bfd_vma data, void *p) + } + + void +-bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putb64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[0] = (data >> (7*8)) & 0xff; + addr[1] = (data >> (6*8)) & 0xff; +@@ -883,15 +861,11 @@ bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[5] = (data >> (2*8)) & 0xff; + addr[6] = (data >> (1*8)) & 0xff; + addr[7] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putl64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[7] = (data >> (7*8)) & 0xff; + addr[6] = (data >> (6*8)) & 0xff; +@@ -901,13 +875,10 @@ bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[2] = (data >> (2*8)) & 0xff; + addr[1] = (data >> (1*8)) & 0xff; + addr[0] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) ++bfd_put_bits (uint64_t data, void *p, int bits, bool big_p) + { + bfd_byte *addr = (bfd_byte *) p; + int i; +@@ -926,11 +897,11 @@ bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) + } + } + +-bfd_uint64_t ++uint64_t + bfd_get_bits (const void *p, int bits, bool big_p) + { + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t data; ++ uint64_t data; + int i; + int bytes; + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index e32b7873cef..9f3f1f13e4e 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -4773,7 +4773,7 @@ bfd_mach_o_read_source_version (bfd *abfd, bfd_mach_o_load_command *command) + { + bfd_mach_o_source_version_command *cmd = &command->command.source_version; + struct mach_o_source_version_command_external raw; +- bfd_uint64_t ver; ++ uint64_t ver; + + if (command->len < sizeof (raw) + 8) + return false; +diff --git a/bfd/mach-o.h b/bfd/mach-o.h +index 5a068d8d970..f7418ad8d40 100644 +--- a/bfd/mach-o.h ++++ b/bfd/mach-o.h +@@ -545,8 +545,8 @@ bfd_mach_o_encryption_info_command; + + typedef struct bfd_mach_o_main_command + { +- bfd_uint64_t entryoff; +- bfd_uint64_t stacksize; ++ uint64_t entryoff; ++ uint64_t stacksize; + } + bfd_mach_o_main_command; + +@@ -563,8 +563,8 @@ bfd_mach_o_source_version_command; + typedef struct bfd_mach_o_note_command + { + char data_owner[16]; +- bfd_uint64_t offset; +- bfd_uint64_t size; ++ uint64_t offset; ++ uint64_t size; + } + bfd_mach_o_note_command; + +diff --git a/bfd/netbsd-core.c b/bfd/netbsd-core.c +index cb215937da6..ffc8e50842c 100644 +--- a/bfd/netbsd-core.c ++++ b/bfd/netbsd-core.c +@@ -257,9 +257,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_netbsd_vec = + { +diff --git a/bfd/osf-core.c b/bfd/osf-core.c +index 09a04a07624..04434b2045c 100644 +--- a/bfd/osf-core.c ++++ b/bfd/osf-core.c +@@ -169,9 +169,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_osf_vec = + { +diff --git a/bfd/ptrace-core.c b/bfd/ptrace-core.c +index 3d077d21200..c4afffbfb95 100644 +--- a/bfd/ptrace-core.c ++++ b/bfd/ptrace-core.c +@@ -160,9 +160,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_ptrace_vec = + { +diff --git a/bfd/sco5-core.c b/bfd/sco5-core.c +index d1f80c9079f..7807ac86a65 100644 +--- a/bfd/sco5-core.c ++++ b/bfd/sco5-core.c +@@ -340,9 +340,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_sco5_vec = + { +diff --git a/bfd/targets.c b/bfd/targets.c +index 05dd8236d91..f44b5c67724 100644 +--- a/bfd/targets.c ++++ b/bfd/targets.c +@@ -226,9 +226,9 @@ DESCRIPTION + . {* Entries for byte swapping for data. These are different from the + . other entry points, since they don't take a BFD as the first argument. + . Certain other handlers could do the same. *} +-. bfd_uint64_t (*bfd_getx64) (const void *); +-. bfd_int64_t (*bfd_getx_signed_64) (const void *); +-. void (*bfd_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_getx64) (const void *); ++. int64_t (*bfd_getx_signed_64) (const void *); ++. void (*bfd_putx64) (uint64_t, void *); + . bfd_vma (*bfd_getx32) (const void *); + . bfd_signed_vma (*bfd_getx_signed_32) (const void *); + . void (*bfd_putx32) (bfd_vma, void *); +@@ -237,9 +237,9 @@ DESCRIPTION + . void (*bfd_putx16) (bfd_vma, void *); + . + . {* Byte swapping for the headers. *} +-. bfd_uint64_t (*bfd_h_getx64) (const void *); +-. bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +-. void (*bfd_h_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_h_getx64) (const void *); ++. int64_t (*bfd_h_getx_signed_64) (const void *); ++. void (*bfd_h_putx64) (uint64_t, void *); + . bfd_vma (*bfd_h_getx32) (const void *); + . bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + . void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/trad-core.c b/bfd/trad-core.c +index 92a279b6a72..8e9ee0d6667 100644 +--- a/bfd/trad-core.c ++++ b/bfd/trad-core.c +@@ -249,9 +249,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_trad_vec = + { +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 1129c98f0e2..fd0762811df 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -522,7 +522,7 @@ _bfd_vms_slurp_eisd (bfd *abfd, unsigned int offset) + struct vms_eisd *eisd; + unsigned int rec_size; + unsigned int size; +- bfd_uint64_t vaddr; ++ uint64_t vaddr; + unsigned int flags; + unsigned int vbn; + char *name = NULL; +diff --git a/binutils/nm.c b/binutils/nm.c +index 60e4d850885..539c5688425 100644 +--- a/binutils/nm.c ++++ b/binutils/nm.c +@@ -1557,29 +1557,15 @@ get_print_format (void) + padding = "016"; + } + +- const char * length = "l"; +- if (print_width == 64) +- { +-#if BFD_HOST_64BIT_LONG +- ; +-#elif BFD_HOST_64BIT_LONG_LONG +-#ifndef __MSVCRT__ +- length = "ll"; +-#else +- length = "I64"; +-#endif +-#endif +- } +- + const char * radix = NULL; + switch (print_radix) + { +- case 8: radix = "o"; break; +- case 10: radix = "d"; break; +- case 16: radix = "x"; break; ++ case 8: radix = PRIo64; break; ++ case 10: radix = PRId64; break; ++ case 16: radix = PRIx64; break; + } + +- return concat ("%", padding, length, radix, NULL); ++ return concat ("%", padding, radix, NULL); + } + + static void +@@ -1874,33 +1860,8 @@ print_value (bfd *abfd ATTRIBUTE_UNUSED, bfd_vma val) + switch (print_width) + { + case 32: +- printf (print_format_string, (unsigned long) val); +- break; +- + case 64: +-#if BFD_HOST_64BIT_LONG || BFD_HOST_64BIT_LONG_LONG +- printf (print_format_string, val); +-#else +- /* We have a 64 bit value to print, but the host is only 32 bit. */ +- if (print_radix == 16) +- bfd_fprintf_vma (abfd, stdout, val); +- else +- { +- char buf[30]; +- char *s; +- +- s = buf + sizeof buf; +- *--s = '\0'; +- while (val > 0) +- { +- *--s = (val % print_radix) + '0'; +- val /= print_radix; +- } +- while ((buf + sizeof buf - 1) - s < 16) +- *--s = '0'; +- printf ("%s", s); +- } +-#endif ++ printf (print_format_string, (uint64_t) val); + break; + + default: +diff --git a/binutils/od-macho.c b/binutils/od-macho.c +index 56d448ac3bd..e91c87d2acf 100644 +--- a/binutils/od-macho.c ++++ b/binutils/od-macho.c +@@ -283,15 +283,6 @@ bfd_mach_o_print_flags (const bfd_mach_o_xlat_name *table, + printf ("-"); + } + +-/* Print a bfd_uint64_t, using a platform independent style. */ +- +-static void +-printf_uint64 (bfd_uint64_t v) +-{ +- printf ("0x%08lx%08lx", +- (unsigned long)((v >> 16) >> 16), (unsigned long)(v & 0xffffffffUL)); +-} +- + static const char * + bfd_mach_o_get_name_or_null (const bfd_mach_o_xlat_name *table, + unsigned long val) +@@ -1729,26 +1720,20 @@ dump_load_command (bfd *abfd, bfd_mach_o_load_command *cmd, + } + case BFD_MACH_O_LC_MAIN: + { +- bfd_mach_o_main_command *entry = &cmd->command.main; +- printf (" entry offset: "); +- printf_uint64 (entry->entryoff); +- printf ("\n" +- " stack size: "); +- printf_uint64 (entry->stacksize); +- printf ("\n"); +- break; ++ bfd_mach_o_main_command *entry = &cmd->command.main; ++ printf (" entry offset: %#016" PRIx64 "\n" ++ " stack size: %#016" PRIx64 "\n", ++ entry->entryoff, entry->stacksize); ++ break; + } + case BFD_MACH_O_LC_NOTE: + { +- bfd_mach_o_note_command *note = &cmd->command.note; +- printf (" data owner: %.16s\n", note->data_owner); +- printf (" offset: "); +- printf_uint64 (note->offset); +- printf ("\n" +- " size: "); +- printf_uint64 (note->size); +- printf ("\n"); +- break; ++ bfd_mach_o_note_command *note = &cmd->command.note; ++ printf (" data owner: %.16s\n" ++ " offset: %#016" PRIx64 "\n" ++ " size: %#016" PRIx64 "\n", ++ note->data_owner, note->offset, note->size); ++ break; + } + case BFD_MACH_O_LC_BUILD_VERSION: + dump_build_version (abfd, cmd); +@@ -2013,14 +1998,11 @@ dump_obj_compact_unwind (bfd *abfd, + { + e = (struct mach_o_compact_unwind_64 *) p; + +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->start)); +- printf (" %08lx", (unsigned long)bfd_get_32 (abfd, e->length)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->personality)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->lsda)); +- putchar ('\n'); ++ printf (" %#016" PRIx64 " %#08x %#016" PRIx64 " %#016" PRIx64 "\n", ++ (uint64_t) bfd_get_64 (abfd, e->start), ++ (unsigned int) bfd_get_32 (abfd, e->length), ++ (uint64_t) bfd_get_64 (abfd, e->personality), ++ (uint64_t) bfd_get_64 (abfd, e->lsda)); + + printf (" encoding: "); + dump_unwind_encoding (mdata, bfd_get_32 (abfd, e->encoding)); +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index d6cbab8578b..c1e41628d26 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -485,41 +485,12 @@ pop_type (struct pr_handle *info) + static void + print_vma (bfd_vma vma, char *buf, bool unsignedp, bool hexp) + { +- if (sizeof (vma) <= sizeof (unsigned long)) +- { +- if (hexp) +- sprintf (buf, "0x%lx", (unsigned long) vma); +- else if (unsignedp) +- sprintf (buf, "%lu", (unsigned long) vma); +- else +- sprintf (buf, "%ld", (long) vma); +- } +-#if BFD_HOST_64BIT_LONG_LONG +- else if (sizeof (vma) <= sizeof (unsigned long long)) +- { +-#ifndef __MSVCRT__ +- if (hexp) +- sprintf (buf, "0x%llx", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%llu", (unsigned long long) vma); +- else +- sprintf (buf, "%lld", (long long) vma); +-#else +- if (hexp) +- sprintf (buf, "0x%I64x", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%I64u", (unsigned long long) vma); +- else +- sprintf (buf, "%I64d", (long long) vma); +-#endif +- } +-#endif ++ if (hexp) ++ sprintf (buf, "%#" PRIx64, (uint64_t) vma); ++ else if (unsignedp) ++ sprintf (buf, "%" PRIu64, (uint64_t) vma); + else +- { +- buf[0] = '0'; +- buf[1] = 'x'; +- sprintf_vma (buf + 2, vma); +- } ++ sprintf (buf, "%" PRId64, (int64_t) vma); + } + + /* Start a new compilation unit. */ +diff --git a/binutils/readelf.c b/binutils/readelf.c +index c35bfc12366..4c0a2a34767 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -10729,7 +10729,7 @@ dynamic_section_parisc_val (Elf_Internal_Dyn * entry) + /* Display a VMS time in a human readable format. */ + + static void +-print_vms_time (bfd_int64_t vmstime) ++print_vms_time (int64_t vmstime) + { + struct tm *tm = NULL; + time_t unxtime; +@@ -20764,7 +20764,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + /* FIXME: Generate an error if descsz > 8 ? */ + + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata, 8)); + break; + + case NT_VMS_LINKTIME: +@@ -20773,8 +20773,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20784,8 +20783,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20794,16 +20792,15 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + + printf (_(" Major id: %u, minor id: %u\n"), +- (unsigned) byte_get ((unsigned char *)pnote->descdata, 4), +- (unsigned) byte_get ((unsigned char *)pnote->descdata + 4, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata, 4), ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 4, 4)); + printf (_(" Last modified : ")); +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata + 8, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata + 8, 8)); + printf (_("\n Link flags : ")); + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata + 16, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata + 16, 8)); + printf (_(" Header flags: 0x%08x\n"), +- (unsigned) byte_get ((unsigned char *)pnote->descdata + 24, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 24, 4)); + printf (_(" Image id : %.*s\n"), maxlen - 32, pnote->descdata + 32); + break; + #endif +diff --git a/gas/config/tc-arm.c b/gas/config/tc-arm.c +index 1721097cfca..2e6d175482e 100644 +--- a/gas/config/tc-arm.c ++++ b/gas/config/tc-arm.c +@@ -3565,7 +3565,7 @@ add_to_lit_pool (unsigned int nbytes) + imm1 = inst.operands[1].imm; + imm2 = (inst.operands[1].regisimm ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned ? 0 +- : ((bfd_int64_t) inst.operands[1].imm) >> 32); ++ : (int64_t) inst.operands[1].imm >> 32); + if (target_big_endian) + { + imm1 = imm2; +@@ -8819,15 +8819,14 @@ neon_cmode_for_move_imm (unsigned immlo, unsigned immhi, int float_p, + return FAIL; + } + +-#if defined BFD_HOST_64_BIT + /* Returns TRUE if double precision value V may be cast + to single precision without loss of accuracy. */ + + static bool +-is_double_a_single (bfd_uint64_t v) ++is_double_a_single (uint64_t v) + { + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + return ((exp == 0 || exp == 0x7FF + || (exp >= 1023 - 126 && exp <= 1023 + 127)) +@@ -8838,11 +8837,11 @@ is_double_a_single (bfd_uint64_t v) + (ignoring the least significant bits in exponent and mantissa). */ + + static int +-double_to_single (bfd_uint64_t v) ++double_to_single (uint64_t v) + { + unsigned int sign = (v >> 63) & 1; + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + if (exp == 0x7FF) + exp = 0xFF; +@@ -8865,7 +8864,6 @@ double_to_single (bfd_uint64_t v) + mantissa >>= 29; + return (sign << 31) | (exp << 23) | mantissa; + } +-#endif /* BFD_HOST_64_BIT */ + + enum lit_type + { +@@ -8914,11 +8912,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + if (inst.relocs[0].exp.X_op == O_constant + || inst.relocs[0].exp.X_op == O_big) + { +-#if defined BFD_HOST_64_BIT +- bfd_uint64_t v; +-#else +- valueT v; +-#endif ++ uint64_t v; + if (inst.relocs[0].exp.X_op == O_big) + { + LITTLENUM_TYPE w[X_PRECISION]; +@@ -8933,7 +8927,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + else + l = generic_bignum; + +-#if defined BFD_HOST_64_BIT + v = l[3] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[2] & LITTLENUM_MASK; +@@ -8941,11 +8934,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + v |= l[1] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[0] & LITTLENUM_MASK; +-#else +- v = l[1] & LITTLENUM_MASK; +- v <<= LITTLENUM_NUMBER_OF_BITS; +- v |= l[0] & LITTLENUM_MASK; +-#endif + } + else + v = inst.relocs[0].exp.X_add_number; +@@ -9041,7 +9029,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned + ? 0 +- : ((bfd_int64_t)((int) immlo)) >> 32; ++ : (int64_t) (int) immlo >> 32; + int cmode = neon_cmode_for_move_imm (immlo, immhi, false, &immbits, + &op, 64, NT_invtype); + +@@ -9090,7 +9078,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + discrepancy between the output produced by an assembler built for + a 32-bit-only host and the output produced from a 64-bit host, but + this cannot be helped. */ +-#if defined BFD_HOST_64_BIT + else if (!inst.operands[1].issingle + && ARM_CPU_HAS_FEATURE (cpu_variant, fpu_vfp_ext_v3)) + { +@@ -9103,7 +9090,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + return true; + } + } +-#endif + } + } + +diff --git a/gas/config/tc-csky.c b/gas/config/tc-csky.c +index 2371eeb747e..5b824d89af0 100644 +--- a/gas/config/tc-csky.c ++++ b/gas/config/tc-csky.c +@@ -215,7 +215,7 @@ enum + unsigned int mach_flag = 0; + unsigned int arch_flag = 0; + unsigned int other_flag = 0; +-BFD_HOST_U_64_BIT isa_flag = 0; ++uint64_t isa_flag = 0; + unsigned int dsp_flag = 0; + + typedef struct stack_size_entry +@@ -245,7 +245,7 @@ struct csky_macro_info + const char *name; + /* How many operands : if operands == 5, all of 1,2,3,4 are ok. */ + long oprnd_num; +- BFD_HOST_U_64_BIT isa_flag; ++ uint64_t isa_flag; + /* Do the work. */ + void (*handle_func)(void); + }; +@@ -591,14 +591,14 @@ struct csky_cpu_feature + { + const char unique; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + struct csky_cpu_version + { + int r; + int p; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + #define CSKY_FEATURE_MAX 10 +@@ -608,7 +608,7 @@ struct csky_cpu_info + { + const char *name; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + struct csky_cpu_feature features[CSKY_FEATURE_MAX]; + struct csky_cpu_version ver[CSKY_CPU_REVERISON_MAX]; + }; +diff --git a/gas/config/tc-sparc.c b/gas/config/tc-sparc.c +index 222223f3549..4e443b1d28d 100644 +--- a/gas/config/tc-sparc.c ++++ b/gas/config/tc-sparc.c +@@ -75,10 +75,10 @@ static enum { MM_TSO, MM_PSO, MM_RMO } sparc_memory_model = MM_RMO; + #ifndef TE_SOLARIS + /* Bitmask of instruction types seen so far, used to populate the + GNU attributes section with hwcap information. */ +-static bfd_uint64_t hwcap_seen; ++static uint64_t hwcap_seen; + #endif + +-static bfd_uint64_t hwcap_allowed; ++static uint64_t hwcap_allowed; + + static int architecture_requested; + static int warn_on_bump; +@@ -498,15 +498,15 @@ md_parse_option (int c, const char *arg) + || opcode_arch > max_architecture) + max_architecture = opcode_arch; + +- /* The allowed hardware capabilities are the implied by the +- opcodes arch plus any extra capabilities defined in the GAS +- arch. */ +- hwcap_allowed +- = (hwcap_allowed +- | (((bfd_uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2) << 32) +- | (((bfd_uint64_t) sa->hwcap2_allowed) << 32) +- | sparc_opcode_archs[opcode_arch].hwcaps +- | sa->hwcap_allowed); ++ /* The allowed hardware capabilities are the implied by the ++ opcodes arch plus any extra capabilities defined in the GAS ++ arch. */ ++ hwcap_allowed ++ = (hwcap_allowed ++ | ((uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2 << 32) ++ | ((uint64_t) sa->hwcap2_allowed << 32) ++ | sparc_opcode_archs[opcode_arch].hwcaps ++ | sa->hwcap_allowed); + architecture_requested = 1; + } + break; +@@ -1607,7 +1607,7 @@ md_assemble (char *str) + } + + static const char * +-get_hwcap_name (bfd_uint64_t mask) ++get_hwcap_name (uint64_t mask) + { + if (mask & HWCAP_MUL32) + return "mul32"; +@@ -3171,8 +3171,7 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + msg_str = sasi->name; + } + +- bfd_uint64_t hwcaps +- = (((bfd_uint64_t) insn->hwcaps2) << 32) | insn->hwcaps; ++ uint64_t hwcaps = ((uint64_t) insn->hwcaps2 << 32) | insn->hwcaps; + + #ifndef TE_SOLARIS + if (hwcaps) +@@ -3211,10 +3210,10 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + } + current_architecture = needed_architecture; + hwcap_allowed +- = (hwcap_allowed +- | hwcaps +- | (((bfd_uint64_t) sparc_opcode_archs[current_architecture].hwcaps2) << 32) +- | sparc_opcode_archs[current_architecture].hwcaps); ++ = (hwcap_allowed ++ | hwcaps ++ | ((uint64_t) sparc_opcode_archs[current_architecture].hwcaps2 << 32) ++ | sparc_opcode_archs[current_architecture].hwcaps); + } + /* Conflict. */ + /* ??? This seems to be a bit fragile. What if the next entry in +diff --git a/gas/config/tc-tilegx.c b/gas/config/tc-tilegx.c +index b627b7080e5..4fcc38c9034 100644 +--- a/gas/config/tc-tilegx.c ++++ b/gas/config/tc-tilegx.c +@@ -789,16 +789,16 @@ emit_tilegx_instruction (tilegx_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilegx_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -808,12 +808,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -825,7 +825,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. */ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-tilepro.c b/gas/config/tc-tilepro.c +index af0be422f98..ca092d77a4b 100644 +--- a/gas/config/tc-tilepro.c ++++ b/gas/config/tc-tilepro.c +@@ -677,16 +677,16 @@ emit_tilepro_instruction (tilepro_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilepro_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -696,12 +696,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -713,7 +713,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. */ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-z80.c b/gas/config/tc-z80.c +index 81fbfe3b0ae..714e704e24a 100644 +--- a/gas/config/tc-z80.c ++++ b/gas/config/tc-z80.c +@@ -3910,11 +3910,11 @@ z80_tc_label_is_local (const char *name) + #define EXP_MIN -0x10000 + #define EXP_MAX 0x10000 + static int +-str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) ++str_to_broken_float (bool *signP, uint64_t *mantissaP, int *expP) + { + char *p; + bool sign; +- bfd_uint64_t mantissa = 0; ++ uint64_t mantissa = 0; + int exponent = 0; + int i; + +@@ -4029,7 +4029,7 @@ str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) + static const char * + str_to_zeda32(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +@@ -4088,7 +4088,7 @@ str_to_zeda32(char *litP, int *sizeP) + static const char * + str_to_float48(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +diff --git a/gas/config/te-vms.c b/gas/config/te-vms.c +index 015c95867f0..6661a3b6a72 100644 +--- a/gas/config/te-vms.c ++++ b/gas/config/te-vms.c +@@ -339,7 +339,7 @@ vms_file_stats_name (const char *dirname, + return 0; + } + +-bfd_uint64_t ++uint64_t + vms_dwarf2_file_time_name (const char *filename, const char *dirname) + { + long long cdt; +diff --git a/gas/config/te-vms.h b/gas/config/te-vms.h +index ffe7f5e8f37..08f218502de 100644 +--- a/gas/config/te-vms.h ++++ b/gas/config/te-vms.h +@@ -20,7 +20,7 @@ + #define TE_VMS + #include "obj-format.h" + +-extern bfd_uint64_t vms_dwarf2_file_time_name (const char *, const char *); ++extern uint64_t vms_dwarf2_file_time_name (const char *, const char *); + extern long vms_dwarf2_file_size_name (const char *, const char *); + extern char *vms_dwarf2_file_name (const char *, const char *); + +diff --git a/gdb/findcmd.c b/gdb/findcmd.c +index ff13f22e970..ed2cea7b74d 100644 +--- a/gdb/findcmd.c ++++ b/gdb/findcmd.c +@@ -30,7 +30,7 @@ + /* Copied from bfd_put_bits. */ + + static void +-put_bits (bfd_uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) ++put_bits (uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) + { + int i; + int bytes; +diff --git a/gdb/tilegx-tdep.c b/gdb/tilegx-tdep.c +index 7930db72779..9668aa80b53 100644 +--- a/gdb/tilegx-tdep.c ++++ b/gdb/tilegx-tdep.c +@@ -375,7 +375,7 @@ tilegx_analyze_prologue (struct gdbarch* gdbarch, + CORE_ADDR instbuf_start; + unsigned int instbuf_size; + int status; +- bfd_uint64_t bundle; ++ uint64_t bundle; + struct tilegx_decoded_instruction + decoded[TILEGX_MAX_INSTRUCTIONS_PER_BUNDLE]; + int num_insns; +diff --git a/gprof/gmon_io.c b/gprof/gmon_io.c +index c613809d396..2b4dd26375b 100644 +--- a/gprof/gmon_io.c ++++ b/gprof/gmon_io.c +@@ -48,10 +48,8 @@ enum gmon_ptr_signedness { + static enum gmon_ptr_size gmon_get_ptr_size (void); + static enum gmon_ptr_signedness gmon_get_ptr_signedness (void); + +-#ifdef BFD_HOST_U_64_BIT +-static int gmon_io_read_64 (FILE *, BFD_HOST_U_64_BIT *); +-static int gmon_io_write_64 (FILE *, BFD_HOST_U_64_BIT); +-#endif ++static int gmon_io_read_64 (FILE *, uint64_t *); ++static int gmon_io_write_64 (FILE *, uint64_t); + static int gmon_read_raw_arc + (FILE *, bfd_vma *, bfd_vma *, unsigned long *); + static int gmon_write_raw_arc +@@ -109,9 +107,8 @@ gmon_io_read_32 (FILE *ifp, unsigned int *valp) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) ++gmon_io_read_64 (FILE *ifp, uint64_t *valp) + { + char buf[8]; + +@@ -120,15 +117,12 @@ gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) + *valp = bfd_get_64 (core_bfd, buf); + return 0; + } +-#endif + + int + gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + { + unsigned int val32; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val64; +-#endif ++ uint64_t val64; + + switch (gmon_get_ptr_size ()) + { +@@ -136,23 +130,19 @@ gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + if (gmon_io_read_32 (ifp, &val32)) + return 1; + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (int) val32; ++ *valp = (int) val32; + else +- *valp = val32; ++ *valp = val32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &val64)) + return 1; +-#ifdef BFD_HOST_64_BIT + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (BFD_HOST_64_BIT) val64; ++ *valp = (int64_t) val64; + else +-#endif +- *valp = val64; ++ *valp = val64; + break; +-#endif + } + return 0; + } +@@ -176,9 +166,8 @@ gmon_io_write_32 (FILE *ofp, unsigned int val) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) ++gmon_io_write_64 (FILE *ofp, uint64_t val) + { + char buf[8]; + +@@ -187,7 +176,6 @@ gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) + return 1; + return 0; + } +-#endif + + int + gmon_io_write_vma (FILE *ofp, bfd_vma val) +@@ -200,12 +188,10 @@ gmon_io_write_vma (FILE *ofp, bfd_vma val) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) val)) ++ if (gmon_io_write_64 (ofp, (uint64_t) val)) + return 1; + break; +-#endif + } + return 0; + } +@@ -232,9 +218,7 @@ gmon_io_write (FILE *ofp, char *buf, size_t n) + static int + gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + { +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT cnt64; +-#endif ++ uint64_t cnt64; + unsigned int cnt32; + + if (gmon_io_read_vma (ifp, fpc) +@@ -249,13 +233,11 @@ gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + *cnt = cnt32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &cnt64)) + return 1; + *cnt = cnt64; + break; +-#endif + + default: + return 1; +@@ -278,12 +260,10 @@ gmon_write_raw_arc (FILE *ofp, bfd_vma fpc, bfd_vma spc, unsigned long cnt) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) cnt)) ++ if (gmon_io_write_64 (ofp, (uint64_t) cnt)) + return 1; + break; +-#endif + } + return 0; + } +diff --git a/include/elf/nfp.h b/include/elf/nfp.h +index 5a06051196c..c89cefff27b 100644 +--- a/include/elf/nfp.h ++++ b/include/elf/nfp.h +@@ -102,7 +102,7 @@ extern "C" + #define SHF_NFP_INIT 0x80000000 + #define SHF_NFP_INIT2 0x40000000 + #define SHF_NFP_SCS(shf) (((shf) >> 32) & 0xFF) +-#define SHF_NFP_SET_SCS(v) (((BFD_HOST_U_64_BIT)((v) & 0xFF)) << 32) ++#define SHF_NFP_SET_SCS(v) ((uint64_t) ((v) & 0xFF) << 32) + + /* NFP Section Info + For PROGBITS and NOBITS sections: +diff --git a/include/opcode/csky.h b/include/opcode/csky.h +index ed00bfd7cd6..faecba11611 100644 +--- a/include/opcode/csky.h ++++ b/include/opcode/csky.h +@@ -22,46 +22,46 @@ + #include "dis-asm.h" + + /* The following bitmasks control instruction set architecture. */ +-#define CSKYV1_ISA_E1 ((bfd_uint64_t)1 << 0) +-#define CSKYV2_ISA_E1 ((bfd_uint64_t)1 << 1) +-#define CSKYV2_ISA_1E2 ((bfd_uint64_t)1 << 2) +-#define CSKYV2_ISA_2E3 ((bfd_uint64_t)1 << 3) +-#define CSKYV2_ISA_3E7 ((bfd_uint64_t)1 << 4) +-#define CSKYV2_ISA_7E10 ((bfd_uint64_t)1 << 5) +-#define CSKYV2_ISA_3E3R1 ((bfd_uint64_t)1 << 6) +-#define CSKYV2_ISA_3E3R2 ((bfd_uint64_t)1 << 7) +-#define CSKYV2_ISA_10E60 ((bfd_uint64_t)1 << 8) +-#define CSKYV2_ISA_3E3R3 ((bfd_uint64_t)1 << 9) +- +-#define CSKY_ISA_TRUST ((bfd_uint64_t)1 << 11) +-#define CSKY_ISA_CACHE ((bfd_uint64_t)1 << 12) +-#define CSKY_ISA_NVIC ((bfd_uint64_t)1 << 13) +-#define CSKY_ISA_CP ((bfd_uint64_t)1 << 14) +-#define CSKY_ISA_MP ((bfd_uint64_t)1 << 15) +-#define CSKY_ISA_MP_1E2 ((bfd_uint64_t)1 << 16) +-#define CSKY_ISA_JAVA ((bfd_uint64_t)1 << 17) +-#define CSKY_ISA_MAC ((bfd_uint64_t)1 << 18) +-#define CSKY_ISA_MAC_DSP ((bfd_uint64_t)1 << 19) ++#define CSKYV1_ISA_E1 ((uint64_t) 1 << 0) ++#define CSKYV2_ISA_E1 ((uint64_t) 1 << 1) ++#define CSKYV2_ISA_1E2 ((uint64_t) 1 << 2) ++#define CSKYV2_ISA_2E3 ((uint64_t) 1 << 3) ++#define CSKYV2_ISA_3E7 ((uint64_t) 1 << 4) ++#define CSKYV2_ISA_7E10 ((uint64_t) 1 << 5) ++#define CSKYV2_ISA_3E3R1 ((uint64_t) 1 << 6) ++#define CSKYV2_ISA_3E3R2 ((uint64_t) 1 << 7) ++#define CSKYV2_ISA_10E60 ((uint64_t) 1 << 8) ++#define CSKYV2_ISA_3E3R3 ((uint64_t) 1 << 9) ++ ++#define CSKY_ISA_TRUST ((uint64_t) 1 << 11) ++#define CSKY_ISA_CACHE ((uint64_t) 1 << 12) ++#define CSKY_ISA_NVIC ((uint64_t) 1 << 13) ++#define CSKY_ISA_CP ((uint64_t) 1 << 14) ++#define CSKY_ISA_MP ((uint64_t) 1 << 15) ++#define CSKY_ISA_MP_1E2 ((uint64_t) 1 << 16) ++#define CSKY_ISA_JAVA ((uint64_t) 1 << 17) ++#define CSKY_ISA_MAC ((uint64_t) 1 << 18) ++#define CSKY_ISA_MAC_DSP ((uint64_t) 1 << 19) + + /* Base ISA for csky v1 and v2. */ +-#define CSKY_ISA_DSP ((bfd_uint64_t)1 << 20) +-#define CSKY_ISA_DSP_1E2 ((bfd_uint64_t)1 << 21) +-#define CSKY_ISA_DSP_ENHANCE ((bfd_uint64_t)1 << 22) +-#define CSKY_ISA_DSPE60 ((bfd_uint64_t)1 << 23) ++#define CSKY_ISA_DSP ((uint64_t) 1 << 20) ++#define CSKY_ISA_DSP_1E2 ((uint64_t) 1 << 21) ++#define CSKY_ISA_DSP_ENHANCE ((uint64_t) 1 << 22) ++#define CSKY_ISA_DSPE60 ((uint64_t) 1 << 23) + + /* Base float instruction (803f & 810f). */ +-#define CSKY_ISA_FLOAT_E1 ((bfd_uint64_t)1 << 25) ++#define CSKY_ISA_FLOAT_E1 ((uint64_t) 1 << 25) + /* M_FLOAT support (810f). */ +-#define CSKY_ISA_FLOAT_1E2 ((bfd_uint64_t)1 << 26) ++#define CSKY_ISA_FLOAT_1E2 ((uint64_t) 1 << 26) + /* 803 support (803f). */ +-#define CSKY_ISA_FLOAT_1E3 ((bfd_uint64_t)1 << 27) ++#define CSKY_ISA_FLOAT_1E3 ((uint64_t) 1 << 27) + /* 807 support (803f & 807f). */ +-#define CSKY_ISA_FLOAT_3E4 ((bfd_uint64_t)1 << 28) ++#define CSKY_ISA_FLOAT_3E4 ((uint64_t) 1 << 28) + /* 860 support. */ +-#define CSKY_ISA_FLOAT_7E60 ((bfd_uint64_t)1 << 36) ++#define CSKY_ISA_FLOAT_7E60 ((uint64_t) 1 << 36) + /* Vector DSP support. */ +-#define CSKY_ISA_VDSP ((bfd_uint64_t)1 << 29) +-#define CSKY_ISA_VDSP_2 ((bfd_uint64_t)1 << 30) ++#define CSKY_ISA_VDSP ((uint64_t) 1 << 29) ++#define CSKY_ISA_VDSP_2 ((uint64_t) 1 << 30) + + /* The following bitmasks control cpu architecture for CSKY. */ + #define CSKY_ABI_V1 (1 << 28) +diff --git a/include/opcode/ia64.h b/include/opcode/ia64.h +index fbdd8f14e65..42a6812c3f8 100644 +--- a/include/opcode/ia64.h ++++ b/include/opcode/ia64.h +@@ -29,7 +29,7 @@ + extern "C" { + #endif + +-typedef BFD_HOST_U_64_BIT ia64_insn; ++typedef uint64_t ia64_insn; + + enum ia64_insn_type + { +diff --git a/opcodes/csky-dis.c b/opcodes/csky-dis.c +index b7c833623e5..99103ff57b5 100644 +--- a/opcodes/csky-dis.c ++++ b/opcodes/csky-dis.c +@@ -49,7 +49,7 @@ struct csky_dis_info + disassemble_info *info; + /* Opcode information. */ + struct csky_opcode_info const *opinfo; +- BFD_HOST_U_64_BIT isa; ++ uint64_t isa; + /* The value of operand to show. */ + int value; + /* Whether to look up/print a symbol name. */ +diff --git a/opcodes/csky-opc.h b/opcodes/csky-opc.h +index b65efe19d9f..d2db90ede95 100644 +--- a/opcodes/csky-opc.h ++++ b/opcodes/csky-opc.h +@@ -271,8 +271,8 @@ struct csky_opcode + /* Encodings for 32-bit opcodes. */ + struct csky_opcode_info op32[OP_TABLE_NUM]; + /* Instruction set flag. */ +- BFD_HOST_U_64_BIT isa_flag16; +- BFD_HOST_U_64_BIT isa_flag32; ++ uint64_t isa_flag16; ++ uint64_t isa_flag32; + /* Whether this insn needs relocation, 0: no, !=0: yes. */ + signed int reloc16; + signed int reloc32; +diff --git a/opcodes/ia64-dis.c b/opcodes/ia64-dis.c +index 5eb37277a5d..e76f40393c6 100644 +--- a/opcodes/ia64-dis.c ++++ b/opcodes/ia64-dis.c +@@ -73,7 +73,7 @@ print_insn_ia64 (bfd_vma memaddr, struct disassemble_info *info) + const struct ia64_operand *odesc; + const struct ia64_opcode *idesc; + const char *err, *str, *tname; +- BFD_HOST_U_64_BIT value; ++ uint64_t value; + bfd_byte bundle[16]; + enum ia64_unit unit; + char regname[16]; +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch new file mode 100644 index 0000000000..6a838ea3ea --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch @@ -0,0 +1,156 @@ +From 31d6c13defeba7716ebc9d5c8f81f2f35fe39980 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 14 Jun 2022 12:46:42 +0930 +Subject: [PATCH] PR29230, segv in lookup_symbol_in_variable_table + +The PR23230 testcase uses indexed strings without specifying +SW_AT_str_offsets_base. In this case we left u.str with garbage (from +u.val) which then led to a segfault when attempting to access the +string. Fix that by clearing u.str. The patch also adds missing +sanity checks in the recently committed read_indexed_address and +read_indexed_string functions. + + PR 29230 + * dwarf2.c (read_indexed_address): Return uint64_t. Sanity check idx. + (read_indexed_string): Use uint64_t for str_offset. Sanity check idx. + (read_attribute_value): Clear u.str for indexed string forms when + DW_AT_str_offsets_base is not yet read or missing. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=31d6c13defeba7716ebc9d5c8f81f2f35fe39980] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 9 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 51018e1ab45..aaa2d84887f 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1353,13 +1353,13 @@ is_addrx_form (enum dwarf_form form) + + /* Returns the address in .debug_addr section using DW_AT_addr_base. + Used to implement DW_FORM_addrx*. */ +-static bfd_vma ++static uint64_t + read_indexed_address (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +- size_t addr_base = unit->dwarf_addr_offset; + bfd_byte *info_ptr; ++ size_t offset; + + if (stash == NULL) + return 0; +@@ -1369,12 +1369,23 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit) + &file->dwarf_addr_buffer, &file->dwarf_addr_size)) + return 0; + +- info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size; ++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset)) ++ return 0; ++ ++ offset += unit->dwarf_addr_offset; ++ if (offset < unit->dwarf_addr_offset ++ || offset > file->dwarf_addr_size ++ || file->dwarf_addr_size - offset < unit->offset_size) ++ return 0; ++ ++ info_ptr = file->dwarf_addr_buffer + offset; + + if (unit->offset_size == 4) + return bfd_get_32 (unit->abfd, info_ptr); +- else ++ else if (unit->offset_size == 8) + return bfd_get_64 (unit->abfd, info_ptr); ++ else ++ return 0; + } + + /* Returns the string using DW_AT_str_offsets_base. +@@ -1385,7 +1396,8 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit) + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + bfd_byte *info_ptr; +- unsigned long str_offset; ++ uint64_t str_offset; ++ size_t offset; + + if (stash == NULL) + return NULL; +@@ -1401,15 +1413,26 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit) + &file->dwarf_str_offsets_size)) + return NULL; + +- info_ptr = (file->dwarf_str_offsets_buffer +- + unit->dwarf_str_offset +- + idx * unit->offset_size); ++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset)) ++ return NULL; ++ ++ offset += unit->dwarf_str_offset; ++ if (offset < unit->dwarf_str_offset ++ || offset > file->dwarf_str_offsets_size ++ || file->dwarf_str_offsets_size - offset < unit->offset_size) ++ return NULL; ++ ++ info_ptr = file->dwarf_str_offsets_buffer + offset; + + if (unit->offset_size == 4) + str_offset = bfd_get_32 (unit->abfd, info_ptr); +- else ++ else if (unit->offset_size == 8) + str_offset = bfd_get_64 (unit->abfd, info_ptr); ++ else ++ return NULL; + ++ if (str_offset >= file->dwarf_str_size) ++ return NULL; + return (const char *) file->dwarf_str_buffer + str_offset; + } + +@@ -1534,27 +1557,37 @@ read_attribute_value (struct attribute * attr, + is not yet read. */ + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_exprloc: + case DW_FORM_block: +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch new file mode 100644 index 0000000000..c5a869ca9d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch @@ -0,0 +1,37 @@ +From 3e307d538c351aa9327cbad672c884059ecc20dd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 11 Jan 2023 12:13:46 +0000 +Subject: [PATCH] Fix a potential illegal memory access in the BFD library when + parsing a corrupt DWARF file. + + PR 29988 + * dwarf2.c (read_indexed_address): Fix check for an out of range + offset. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 6eb6e04e6e5..4ec0053a111 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1412,7 +1412,7 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit) + offset += unit->dwarf_addr_offset; + if (offset < unit->dwarf_addr_offset + || offset > file->dwarf_addr_size +- || file->dwarf_addr_size - offset < unit->offset_size) ++ || file->dwarf_addr_size - offset < unit->addr_size) + return 0; + + info_ptr = file->dwarf_addr_buffer + offset; +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch new file mode 100644 index 0000000000..990243f5c9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch @@ -0,0 +1,56 @@ +From: Alan Modra <amodra@gmail.com> +Date: Thu, 17 Mar 2022 09:35:39 +0000 (+1030) +Subject: ubsan: Null dereference in parse_module +X-Git-Tag: gdb-12.1-release~59 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2 + +ubsan: Null dereference in parse_module + + * vms-alpha.c (parse_module): Sanity check that DST__K_RTNBEG + has set module->func_table for DST__K_RTNEND. Check return + of bfd_zalloc. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2] + +CVE: CVE-2023-25584 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 4a92574c850..1129c98f0e2 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4352,9 +4352,13 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + /* Initialize tables with zero element. */ + curr_srec = (struct srecinfo *) bfd_zalloc (abfd, sizeof (struct srecinfo)); ++ if (!curr_srec) ++ return false; + module->srec_table = curr_srec; + + curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo)); ++ if (!curr_line) ++ return false; + module->line_table = curr_line; + + while (length == -1 || ptr < maxptr) +@@ -4389,6 +4393,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + case DST__K_RTNBEG: + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); ++ if (!funcinfo) ++ return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, + maxptr - (ptr + DST_S_B_RTNBEG_NAME)); +@@ -4401,6 +4407,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++ if (!module->func_table) ++ return false; + module->func_table->high = module->func_table->low + + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1; + diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch new file mode 100644 index 0000000000..f4c5ed2aff --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch @@ -0,0 +1,38 @@ +From da928f639002002dfc649ed9f50492d5d6cb4cee Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 5 Dec 2022 11:11:44 +0000 +Subject: [PATCH] Fix an illegal memory access when parsing a corrupt VMS Alpha + file. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix an illegal memory access when parsing a corrupt VMS Alpha file. + + PR 29848 + * vms-alpha.c (parse_module): Fix potential out of bounds memory + access. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=942fa4fb32738ecbb447546d54f1e5f0312d2ed4] + +CVE: CVE-2023-25584 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + bfd/vms-alpha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index c548722c..53b3f1bf 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || ptr < maxptr) ++ while (length == -1 || (ptr + 3) < maxptr) + { + /* The first byte is not counted in the recorded length. */ + int rec_length = bfd_getl16 (ptr) + 1; diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch new file mode 100644 index 0000000000..47cc3f310b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch @@ -0,0 +1,536 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 12 Dec 2022 07:58:49 +0000 (+1030) +Subject: Lack of bounds checking in vms-alpha.c parse_module +X-Git-Tag: gdb-13-branchpoint~87 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44 + +Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_module. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44] + +CVE: CVE-2023-25584 +CVE: CVE-2022-47673 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index c0eb5bc5a2a..3b63259cc81 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4340,7 +4340,7 @@ new_module (bfd *abfd) + + static bool + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +- int length) ++ bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || (ptr + 3) < maxptr) ++ while (ptr + 3 < maxptr) + { + /* The first byte is not counted in the recorded length. */ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++ if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNBEG: ++ if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + if (!funcinfo) + return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++ if (rec_length < DST_S_L_RTNEND_SIZE + 4) ++ break; + if (!module->func_table) + return false; + module->func_table->high = module->func_table->low +@@ -4439,10 +4447,63 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "source info\n")); + +- while (src_ptr < ptr + rec_length) ++ while (src_ptr - ptr < rec_length) + { + int cmd = src_ptr[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_SRC_DECLFILE: ++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length) ++ cmd_length = 0x10000; ++ else ++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_INCRLNUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_SETFILE: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETLNUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETLNUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETREC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETREC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_FORMFEED: ++ cmd_length = 1; ++ break; ++ ++ default: ++ cmd_length = 2; ++ break; ++ } ++ ++ if (src_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_SRC_DECLFILE: +@@ -4467,7 +4528,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + module->file_table [fileid].name = filename; + module->file_table [fileid].srec = 1; +- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; + vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n", + fileid, module->file_table [fileid].name)); + } +@@ -4484,7 +4544,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data)); + break; + +@@ -4499,14 +4558,12 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data)); + break; + + case DST__K_SRC_INCRLNUM_B: + data = src_ptr[DST_S_B_SRC_UNSBYTE]; + curr_srec->line += data; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data)); + break; + +@@ -4514,21 +4571,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->sfile = data; + curr_srec->srec = module->file_table[data].srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_L: + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->line = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_W: + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->line = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data)); + break; + +@@ -4536,7 +4590,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data)); + break; + +@@ -4544,19 +4597,16 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data)); + break; + + case DST__K_SRC_FORMFEED: +- cmd_length = 1; + vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n")); + break; + + default: + _bfd_error_handler (_("unknown source command %d"), + cmd); +- cmd_length = 2; + break; + } + +@@ -4569,18 +4619,114 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "line info\n")); + +- while (pcl_ptr < ptr + rec_length) ++ while (pcl_ptr - ptr < rec_length) + { + /* The command byte is signed so we must sign-extend it. */ + int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_DELTA_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_DELTA_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_INCR_LINUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_INCR_LINUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_INCR_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_LINUM_INCR: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM_INCR_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_RESET_LINUM_INCR: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_BEG_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_END_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_SET_LINUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_PC: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_STMTNUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_TERM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_ABS_PC: ++ cmd_length = 5; ++ break; ++ ++ default: ++ if (cmd <= 0) ++ cmd_length = 1; ++ else ++ cmd_length = 2; ++ break; ++ } ++ ++ if (pcl_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_DELTA_PC_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data)); + break; + +@@ -4588,131 +4734,111 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data)); + break; + + case DST__K_INCR_LINUM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data)); + break; + + case DST__K_INCR_LINUM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data)); + break; + + case DST__K_INCR_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR"); +- cmd_length = 2; + break; + + case DST__K_SET_LINUM_INCR_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W"); +- cmd_length = 3; + break; + + case DST__K_RESET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_RESET_LINUM_INCR"); +- cmd_length = 1; + break; + + case DST__K_BEG_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_BEG_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_END_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_END_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_SET_LINUM_B: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum = data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data)); + break; + + case DST__K_SET_LINUM: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum = data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data)); + break; + + case DST__K_SET_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_PC: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC"); +- cmd_length = 2; + break; + + case DST__K_SET_PC_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_W"); +- cmd_length = 3; + break; + + case DST__K_SET_PC_L: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_L"); +- cmd_length = 5; + break; + + case DST__K_SET_STMTNUM: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_STMTNUM"); +- cmd_length = 2; + break; + + case DST__K_TERM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_pc += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_TERM: %d\n", data)); + break; + + case DST__K_TERM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_TERM_W: %d\n", data)); + break; + + case DST__K_TERM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_TERM_L: %d\n", data)); + break; + + case DST__K_SET_ABS_PC: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data)); + break; + +@@ -4721,15 +4847,11 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + { + curr_pc -= cmd; + curr_linenum += 1; +- cmd_length = 1; + vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n", + (unsigned long)curr_pc, curr_linenum)); + } + else +- { +- _bfd_error_handler (_("unknown line command %d"), cmd); +- cmd_length = 2; +- } ++ _bfd_error_handler (_("unknown line command %d"), cmd); + break; + } + +@@ -4859,7 +4981,8 @@ build_module_list (bfd *abfd) + return NULL; + + module = new_module (abfd); +- if (!parse_module (abfd, module, PRIV (dst_section)->contents, -1)) ++ if (!parse_module (abfd, module, PRIV (dst_section)->contents, ++ PRIV (dst_section)->size)) + return NULL; + list = module; + } diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch new file mode 100644 index 0000000000..e31a027b9f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch @@ -0,0 +1,54 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 12 Dec 2022 08:31:08 +0000 (+1030) +Subject: PR29892, Field file_table of struct module is uninitialized +X-Git-Tag: gdb-13-branchpoint~86 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7 + +PR29892, Field file_table of struct module is uninitialized + + PR 29892 + * vms-alphs.c (new_module): Use bfd_zmalloc to alloc file_table. + (parse_module): Rewrite file_table reallocation code and clear. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7] + +CVE: CVE-2023-25585 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 3b63259cc81..6ee7060b0b2 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4337,7 +4337,7 @@ new_module (bfd *abfd) + = (struct module *) bfd_zalloc (abfd, sizeof (struct module)); + module->file_table_count = 16; /* Arbitrary. */ + module->file_table +- = bfd_malloc (module->file_table_count * sizeof (struct fileinfo)); ++ = bfd_zmalloc (module->file_table_count * sizeof (struct fileinfo)); + return module; + } + +@@ -4520,15 +4520,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + src_ptr + DST_S_B_SRC_DF_FILENAME, + ptr + rec_length - (src_ptr + DST_S_B_SRC_DF_FILENAME)); + +- while (fileid >= module->file_table_count) ++ if (fileid >= module->file_table_count) + { +- module->file_table_count *= 2; ++ unsigned int old_count = module->file_table_count; ++ module->file_table_count += fileid; + module->file_table + = bfd_realloc_or_free (module->file_table, + module->file_table_count + * sizeof (struct fileinfo)); + if (module->file_table == NULL) + return false; ++ memset (module->file_table + old_count, 0, ++ fileid * sizeof (struct fileinfo)); + } + + module->file_table [fileid].name = filename; diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch new file mode 100644 index 0000000000..9b5825037f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch @@ -0,0 +1,149 @@ +From: Alan Modra <amodra@gmail.com> +Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030) +Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised +X-Git-Tag: gdb-13-branchpoint~871 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1 + +PR29677, Field `the_bfd` of `asymbol` is uninitialised + +Besides not initialising the_bfd of synthetic symbols, counting +symbols when sizing didn't match symbols created if there were any +dynsyms named "". We don't want synthetic symbols without names +anyway, so get rid of them. Also, simplify and correct sanity checks. + + PR 29677 + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] + +CVE: CVE-2023-25588 +CVE: CVE-2022-47696 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> + +--- + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index acb35e7f0c6..5279343768c 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + bfd_mach_o_symtab_command *symtab = mdata->symtab; + asymbol *s; + char * s_start; +- char * s_end; + unsigned long count, i, j, n; + size_t size; + char *names; +- char *nul_name; + const char stub [] = "$stub"; + + *ret = NULL; +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + /* We need to allocate a bfd symbol for every indirect symbol and to + allocate the memory for its name. */ + count = dysymtab->nindirectsyms; +- size = count * sizeof (asymbol) + 1; +- ++ size = 0; + for (j = 0; j < count; j++) + { +- const char * strng; + unsigned int isym = dysymtab->indirect_syms[j]; ++ const char *str; + + /* Some indirect symbols are anonymous. */ +- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name)) +- /* PR 17512: file: f5b8eeba. */ +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub); ++ if (isym < symtab->nsyms ++ && (str = symtab->symbols[isym].symbol.name) != NULL) ++ { ++ /* PR 17512: file: f5b8eeba. */ ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ size += sizeof (stub); ++ } + } + +- s_start = bfd_malloc (size); ++ s_start = bfd_malloc (size + count * sizeof (asymbol)); + s = *ret = (asymbol *) s_start; + if (s == NULL) + return -1; + names = (char *) (s + count); +- nul_name = names; +- *names++ = 0; +- s_end = s_start + size; + + n = 0; + for (i = 0; i < mdata->nsects; i++) +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec); + + /* PR 17512: file: 08e15eec. */ +- if (first >= count || last >= count || first > last) ++ if (first >= count || last > count || first > last) + goto fail; + + for (j = first; j < last; j++) + { + unsigned int isym = dysymtab->indirect_syms[j]; +- +- /* PR 17512: file: 04d64d9b. */ +- if (((char *) s) + sizeof (* s) > s_end) +- goto fail; +- +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC; +- s->section = sec->bfdsection; +- s->value = addr - sec->addr; +- s->udata.p = NULL; ++ const char *str; ++ size_t len; + + if (isym < symtab->nsyms +- && symtab->symbols[isym].symbol.name) ++ && (str = symtab->symbols[isym].symbol.name) != NULL) + { +- const char *sym = symtab->symbols[isym].symbol.name; +- size_t len; +- +- s->name = names; +- len = strlen (sym); +- /* PR 17512: file: 47dfd4d2. */ +- if (names + len >= s_end) ++ /* PR 17512: file: 04d64d9b. */ ++ if (n >= count) + goto fail; +- memcpy (names, sym, len); +- names += len; +- /* PR 17512: file: 18f340a4. */ +- if (names + sizeof (stub) >= s_end) ++ len = strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ /* PR 17512: file: 47dfd4d2, 18f340a4. */ ++ if (size < len + sizeof (stub)) + goto fail; +- memcpy (names, stub, sizeof (stub)); +- names += sizeof (stub); ++ memcpy (names, str, len); ++ memcpy (names + len, stub, sizeof (stub)); ++ s->name = names; ++ names += len + sizeof (stub); ++ size -= len + sizeof (stub); ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd; ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC; ++ s->section = sec->bfdsection; ++ s->value = addr - sec->addr; ++ s->udata.p = NULL; ++ s++; ++ n++; + } +- else +- s->name = nul_name; +- + addr += entry_size; +- s++; +- n++; + } + break; + default: diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch new file mode 100644 index 0000000000..f86adad217 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch @@ -0,0 +1,41 @@ +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 30 Mar 2023 09:10:09 +0000 (+0100) +Subject: Fix an illegal memory access when an accessing a zer0-lengthverdef table. +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57 + +Fix an illegal memory access when an accessing a zer0-lengthverdef table. + + PR 30285 + * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57] + +CVE: CVE-2023-1972 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/bfd/elf.c b/bfd/elf.c +index 027d0143735..185028cbd97 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verdef; + } ++ ++ if (amt == 0) ++ goto error_return_verdef; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return_verdef; +@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return; + } ++ if (amt == 0) ++ goto error_return; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; diff --git a/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch b/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch new file mode 100644 index 0000000000..a3fff65409 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch @@ -0,0 +1,67 @@ +From: Alan Modra <amodra@gmail.com> +Date: Thu, 16 Jun 2022 23:43:38 +0000 (+0930) +Subject: PR29255, memory leak in make_tempdir +X-Git-Tag: binutils-2_39~236 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682 + +PR29255, memory leak in make_tempdir + + PR 29255 + * bucomm.c (make_tempdir, make_tempname): Free template on all + failure paths. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682] + +CVE: CVE-2022-47008 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/binutils/bucomm.c b/binutils/bucomm.c +index fdc2209df9c..4395cb9f7f5 100644 +--- a/binutils/bucomm.c ++++ b/binutils/bucomm.c +@@ -537,8 +537,9 @@ make_tempname (const char *filename, int *ofd) + #else + tmpname = mktemp (tmpname); + if (tmpname == NULL) +- return NULL; +- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600); ++ fd = -1; ++ else ++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600); + #endif + if (fd == -1) + { +@@ -556,22 +557,23 @@ char * + make_tempdir (const char *filename) + { + char *tmpname = template_in_dir (filename); ++ char *ret; + + #ifdef HAVE_MKDTEMP +- return mkdtemp (tmpname); ++ ret = mkdtemp (tmpname); + #else +- tmpname = mktemp (tmpname); +- if (tmpname == NULL) +- return NULL; ++ ret = mktemp (tmpname); + #if defined (_WIN32) && !defined (__CYGWIN32__) + if (mkdir (tmpname) != 0) +- return NULL; ++ ret = NULL; + #else + if (mkdir (tmpname, 0700) != 0) +- return NULL; ++ ret = NULL; + #endif +- return tmpname; + #endif ++ if (ret == NULL) ++ free (tmpname); ++ return ret; + } + + /* Parse a string into a VMA, with a fatal error if it can't be diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch new file mode 100644 index 0000000000..73ae46e218 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch @@ -0,0 +1,35 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 20 Jun 2022 01:09:13 +0000 (+0930) +Subject: PR29261, memory leak in parse_stab_struct_fields +X-Git-Tag: binutils-2_39~225 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35 + +PR29261, memory leak in parse_stab_struct_fields + + PR 29261 + * stabs.c (parse_stab_struct_fields): Free "fields" on failure path. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35] + +CVE: CVE-2022-47011 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/binutils/stabs.c b/binutils/stabs.c +index 796ff85b86a..bf3f578cbcc 100644 +--- a/binutils/stabs.c ++++ b/binutils/stabs.c +@@ -2367,7 +2367,10 @@ parse_stab_struct_fields (void *dhandle, + + if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c, + staticsp, p_end)) +- return false; ++ { ++ free (fields); ++ return false; ++ } + + ++c; + } diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch new file mode 100644 index 0000000000..4642251f9b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch @@ -0,0 +1,31 @@ +From: Jan Beulich <jbeulich@suse.com> +Date: Tue, 29 Mar 2022 06:19:14 +0000 (+0200) +Subject: bfd/Dwarf2: gas doesn't mangle names +X-Git-Tag: binutils-2_39~1287 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09 + +bfd/Dwarf2: gas doesn't mangle names + +Include the language identifier emitted by gas in the set of ones where +no mangled names are expected. Even if there could be "hand-mangled" +names, gas doesn't emit DW_AT_linkage_name in the first place. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09] + +CVE: CVE-2022-48065 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 8cd0ce9d425..9aa4e955a5e 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1441,6 +1441,7 @@ non_mangled (int lang) + case DW_LANG_PLI: + case DW_LANG_UPC: + case DW_LANG_C11: ++ case DW_LANG_Mips_Assembler: + return true; + } + } diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch new file mode 100644 index 0000000000..8aa21f2716 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch @@ -0,0 +1,115 @@ +From: Alan Modra <amodra@gmail.com> +Date: Wed, 21 Sep 2022 05:15:44 +0000 (+0930) +Subject: dwarf2.c: mangle_style +X-Git-Tag: gdb-13-branchpoint~1165 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4 + +dwarf2.c: mangle_style + +non_mangled incorrectly returned "true" for Ada. Correct that, and +add a few more non-mangled entries. Return a value suitable for +passing to cplus_demangle to control demangling. + + * dwarf2.c: Include demangle.h. + (mangle_style): Rename from non_mangled. Return DMGL_* value + to suit lang. Adjust all callers. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4] + +CVE: CVE-2022-48065 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index e7c12c3e9de..138cdbb00bb 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -32,6 +32,7 @@ + #include "sysdep.h" + #include "bfd.h" + #include "libiberty.h" ++#include "demangle.h" + #include "libbfd.h" + #include "elf-bfd.h" + #include "dwarf2.h" +@@ -1711,31 +1712,52 @@ read_attribute (struct attribute * attr, + return info_ptr; + } + +-/* Return whether DW_AT_name will return the same as DW_AT_linkage_name +- for a function. */ ++/* Return mangling style given LANG. */ + +-static bool +-non_mangled (int lang) ++static int ++mangle_style (int lang) + { + switch (lang) + { ++ case DW_LANG_Ada83: ++ case DW_LANG_Ada95: ++ return DMGL_GNAT; ++ ++ case DW_LANG_C_plus_plus: ++ case DW_LANG_C_plus_plus_03: ++ case DW_LANG_C_plus_plus_11: ++ case DW_LANG_C_plus_plus_14: ++ return DMGL_GNU_V3; ++ ++ case DW_LANG_Java: ++ return DMGL_JAVA; ++ ++ case DW_LANG_D: ++ return DMGL_DLANG; ++ ++ case DW_LANG_Rust: ++ case DW_LANG_Rust_old: ++ return DMGL_RUST; ++ + default: +- return false; ++ return DMGL_AUTO; + + case DW_LANG_C89: + case DW_LANG_C: +- case DW_LANG_Ada83: + case DW_LANG_Cobol74: + case DW_LANG_Cobol85: + case DW_LANG_Fortran77: + case DW_LANG_Pascal83: +- case DW_LANG_C99: +- case DW_LANG_Ada95: + case DW_LANG_PLI: ++ case DW_LANG_C99: + case DW_LANG_UPC: + case DW_LANG_C11: + case DW_LANG_Mips_Assembler: +- return true; ++ case DW_LANG_Upc: ++ case DW_LANG_HP_Basic91: ++ case DW_LANG_HP_IMacro: ++ case DW_LANG_HP_Assembler: ++ return 0; + } + } + +@@ -3599,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit, + if (name == NULL && is_str_form (&attr)) + { + name = attr.u.str; +- if (non_mangled (unit->lang)) ++ if (mangle_style (unit->lang) == 0) + *is_linkage = true; + } + break; +@@ -4095,7 +4117,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + if (func->name == NULL && is_str_form (&attr)) + { + func->name = attr.u.str; +- if (non_mangled (unit->lang)) ++ if (mangle_style (unit->lang) == 0) + func->is_linkage = true; + } + break; diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch new file mode 100644 index 0000000000..35a658a22c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch @@ -0,0 +1,122 @@ +From: Alan Modra <amodra@gmail.com> +Date: Wed, 21 Dec 2022 11:10:12 +0000 (+1030) +Subject: PR29925, Memory leak in find_abstract_instance +X-Git-Tag: binutils-2_40~192 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a + +PR29925, Memory leak in find_abstract_instance + +The testcase in the PR had a variable with both DW_AT_decl_file and +DW_AT_specification, where the DW_AT_specification also specified +DW_AT_decl_file. This leads to a memory leak as the file name is +malloced and duplicates are not expected. + +I've also changed find_abstract_instance to not use a temp for "name", +because that can result in a change in behaviour from the usual last +of duplicate attributes wins. + + PR 29925 + * dwarf2.c (find_abstract_instance): Delete "name" variable. + Free *filename_ptr before assigning new file name. + (scan_unit_for_symbols): Similarly free func->file and + var->file before assigning. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a] + +CVE: CVE-2022-48065 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0cd8152ee6e..b608afbc0cf 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit, + struct abbrev_info *abbrev; + uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; +- const char *name = NULL; + + if (recur_count == 100) + { +@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit, + case DW_AT_name: + /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name + over DW_AT_name. */ +- if (name == NULL && is_str_form (&attr)) ++ if (*pname == NULL && is_str_form (&attr)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + if (mangle_style (unit->lang) == 0) + *is_linkage = true; + } +@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit, + case DW_AT_specification: + if (is_int_form (&attr) + && !find_abstract_instance (unit, &attr, recur_count + 1, +- &name, is_linkage, ++ pname, is_linkage, + filename_ptr, linenumber_ptr)) + return false; + break; +@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit, + non-string forms into these attributes. */ + if (is_str_form (&attr)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + *is_linkage = true; + } + break; +@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit, + if (!comp_unit_maybe_decode_line_info (unit)) + return false; + if (is_int_form (&attr)) +- *filename_ptr = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (*filename_ptr); ++ *filename_ptr = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + case DW_AT_decl_line: + if (is_int_form (&attr)) +@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit, + } + } + } +- *pname = name; + return true; + } + +@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_decl_file: + if (is_int_form (&attr)) +- func->file = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (func->file); ++ func->file = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + + case DW_AT_decl_line: +@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_decl_file: + if (is_int_form (&attr)) +- var->file = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (var->file); ++ var->file = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + + case DW_AT_decl_line: diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch new file mode 100644 index 0000000000..2f4c38044b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch @@ -0,0 +1,151 @@ +From: Alan Modra <amodra@gmail.com> +Date: Sun, 30 Oct 2022 08:38:51 +0000 (+1030) +Subject: Pool section entries for DWP version 1 +X-Git-Tag: gdb-13-branchpoint~664 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=28750e3b967da2207d51cbce9fc8be262817ee59 + +Pool section entries for DWP version 1 + +Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3 + +Fuzzers have found a weakness in the code stashing pool section +entries. With random nonsensical values in the index entries (rather +than each index pointing to its own set distinct from other sets), +it's possible to overflow the space allocated, losing the NULL +terminator. Without a terminator, find_section_in_set can run off the +end of the shndx_pool buffer. Fix this by scanning the pool directly. + +binutils/ + * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check. + (end_cu_tu_entry): Likewise. + (process_cu_tu_index): Fill shndx_pool by directly scanning + pool, rather than indirectly from index entries. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=7730293326ac1049451eb4a037ac86d827030700;hp=c6340a28906114e9df29d7401472c7dc0a98c2b1;hb=28750e3b967da2207d51cbce9fc8be262817ee59;hpb=60095ba3b8f8ba26a6389dded732fa446422c98f] + +CVE: CVE-2022-44840 + +Signed-off-by: yash shinde <yash.shinde@windriver.com> + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index c6340a28906..7730293326a 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx) + static void + add_shndx_to_cu_tu_entry (unsigned int shndx) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = shndx; + } + + static void + end_cu_tu_entry (void) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = 0; + } + +@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) + + if (version == 1) + { ++ unsigned char *shndx_list; ++ unsigned int shndx; ++ + if (!do_display) +- prealloc_cu_tu_list ((limit - ppool) / 4); +- for (i = 0; i < nslots; i++) + { +- unsigned char *shndx_list; +- unsigned int shndx; +- +- SAFE_BYTE_GET (signature, phash, 8, limit); +- if (signature != 0) ++ prealloc_cu_tu_list ((limit - ppool) / 4); ++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4) + { +- SAFE_BYTE_GET (j, pindex, 4, limit); +- shndx_list = ppool + j * 4; +- /* PR 17531: file: 705e010d. */ +- if (shndx_list < ppool) +- { +- warn (_("Section index pool located before start of section\n")); +- return 0; +- } ++ shndx = byte_get (shndx_list, 4); ++ add_shndx_to_cu_tu_entry (shndx); ++ } ++ end_cu_tu_entry (); ++ } ++ else ++ for (i = 0; i < nslots; i++) ++ { ++ SAFE_BYTE_GET (signature, phash, 8, limit); ++ if (signature != 0) ++ { ++ SAFE_BYTE_GET (j, pindex, 4, limit); ++ shndx_list = ppool + j * 4; ++ /* PR 17531: file: 705e010d. */ ++ if (shndx_list < ppool) ++ { ++ warn (_("Section index pool located before start of section\n")); ++ return 0; ++ } + +- if (do_display) + printf (_(" [%3d] Signature: 0x%s Sections: "), + i, dwarf_vmatoa ("x", signature)); +- for (;;) +- { +- if (shndx_list >= limit) +- { +- warn (_("Section %s too small for shndx pool\n"), +- section->name); +- return 0; +- } +- SAFE_BYTE_GET (shndx, shndx_list, 4, limit); +- if (shndx == 0) +- break; +- if (do_display) ++ for (;;) ++ { ++ if (shndx_list >= limit) ++ { ++ warn (_("Section %s too small for shndx pool\n"), ++ section->name); ++ return 0; ++ } ++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit); ++ if (shndx == 0) ++ break; + printf (" %d", shndx); +- else +- add_shndx_to_cu_tu_entry (shndx); +- shndx_list += 4; +- } +- if (do_display) ++ shndx_list += 4; ++ } + printf ("\n"); +- else +- end_cu_tu_entry (); +- } +- phash += 8; +- pindex += 4; +- } ++ } ++ phash += 8; ++ pindex += 4; ++ } + } + else if (version == 2) + { diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch new file mode 100644 index 0000000000..3db4385e13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch @@ -0,0 +1,147 @@ +From: Alan Modra <amodra@gmail.com> +Date: Tue, 24 May 2022 00:02:14 +0000 (+0930) +Subject: PR29169, invalid read displaying fuzzed .gdb_index +X-Git-Tag: binutils-2_39~530 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636 + +PR29169, invalid read displaying fuzzed .gdb_index + + PR 29169 + * dwarf.c (display_gdb_index): Combine sanity checks. Calculate + element counts, not word counts. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636] + +CVE: CVE-2022-45703 + +Signed-off-by: yash shinde <yash.shinde@windriver.com> + +--- + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 7de6f28161f..c855972a12f 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -10406,7 +10406,7 @@ display_gdb_index (struct dwarf_section *section, + uint32_t cu_list_offset, tu_list_offset; + uint32_t address_table_offset, symbol_table_offset, constant_pool_offset; + unsigned int cu_list_elements, tu_list_elements; +- unsigned int address_table_size, symbol_table_slots; ++ unsigned int address_table_elements, symbol_table_slots; + unsigned char *cu_list, *tu_list; + unsigned char *address_table, *symbol_table, *constant_pool; + unsigned int i; +@@ -10454,48 +10454,19 @@ display_gdb_index (struct dwarf_section *section, + || tu_list_offset > section->size + || address_table_offset > section->size + || symbol_table_offset > section->size +- || constant_pool_offset > section->size) ++ || constant_pool_offset > section->size ++ || tu_list_offset < cu_list_offset ++ || address_table_offset < tu_list_offset ++ || symbol_table_offset < address_table_offset ++ || constant_pool_offset < symbol_table_offset) + { + warn (_("Corrupt header in the %s section.\n"), section->name); + return 0; + } + +- /* PR 17531: file: 418d0a8a. */ +- if (tu_list_offset < cu_list_offset) +- { +- warn (_("TU offset (%x) is less than CU offset (%x)\n"), +- tu_list_offset, cu_list_offset); +- return 0; +- } +- +- cu_list_elements = (tu_list_offset - cu_list_offset) / 8; +- +- if (address_table_offset < tu_list_offset) +- { +- warn (_("Address table offset (%x) is less than TU offset (%x)\n"), +- address_table_offset, tu_list_offset); +- return 0; +- } +- +- tu_list_elements = (address_table_offset - tu_list_offset) / 8; +- +- /* PR 17531: file: 18a47d3d. */ +- if (symbol_table_offset < address_table_offset) +- { +- warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"), +- symbol_table_offset, address_table_offset); +- return 0; +- } +- +- address_table_size = symbol_table_offset - address_table_offset; +- +- if (constant_pool_offset < symbol_table_offset) +- { +- warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"), +- constant_pool_offset, symbol_table_offset); +- return 0; +- } +- ++ cu_list_elements = (tu_list_offset - cu_list_offset) / 16; ++ tu_list_elements = (address_table_offset - tu_list_offset) / 24; ++ address_table_elements = (symbol_table_offset - address_table_offset) / 20; + symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8; + + cu_list = start + cu_list_offset; +@@ -10504,31 +10475,25 @@ display_gdb_index (struct dwarf_section *section, + symbol_table = start + symbol_table_offset; + constant_pool = start + constant_pool_offset; + +- if (address_table_offset + address_table_size > section->size) +- { +- warn (_("Address table extends beyond end of section.\n")); +- return 0; +- } +- + printf (_("\nCU table:\n")); +- for (i = 0; i < cu_list_elements; i += 2) ++ for (i = 0; i < cu_list_elements; i++) + { +- uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8); +- uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8); ++ uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8); ++ uint64_t cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8); + +- printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2, ++ printf (_("[%3u] 0x%lx - 0x%lx\n"), i, + (unsigned long) cu_offset, + (unsigned long) (cu_offset + cu_length - 1)); + } + + printf (_("\nTU table:\n")); +- for (i = 0; i < tu_list_elements; i += 3) ++ for (i = 0; i < tu_list_elements; i++) + { +- uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8); +- uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8); +- uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8); ++ uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8); ++ uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8); ++ uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8); + +- printf (_("[%3u] 0x%lx 0x%lx "), i / 3, ++ printf (_("[%3u] 0x%lx 0x%lx "), i, + (unsigned long) tu_offset, + (unsigned long) type_offset); + print_dwarf_vma (signature, 8); +@@ -10536,12 +10501,11 @@ display_gdb_index (struct dwarf_section *section, + } + + printf (_("\nAddress table:\n")); +- for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4); +- i += 2 * 8 + 4) ++ for (i = 0; i < address_table_elements; i++) + { +- uint64_t low = byte_get_little_endian (address_table + i, 8); +- uint64_t high = byte_get_little_endian (address_table + i + 8, 8); +- uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4); ++ uint64_t low = byte_get_little_endian (address_table + i * 20, 8); ++ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8); ++ uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4); + + print_dwarf_vma (low, 8); + print_dwarf_vma (high, 8); diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch new file mode 100644 index 0000000000..1fac9739dd --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch @@ -0,0 +1,31 @@ +From 69bfd1759db41c8d369f9dcc98a135c5a5d97299 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 18 Nov 2022 11:29:13 +1030 +Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index + dwarf.c:10548 + + PR 29799 + * dwarf.c (display_gdb_index): Typo fix. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=4bba8dfb81a6df49f5e61b3fae99dd545cc5c7dd;hp=7730293326ac1049451eb4a037ac86d827030700;hb=69bfd1759db41c8d369f9dcc98a135c5a5d97299;hpb=7828dfa93b210b6bbc6596e6e096cc150a9f8aa4] + +CVE: CVE-2022-45703 + +Signed-off-by: yash shinde <yash.shinde@windriver.com> + +--- + binutils/dwarf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 7730293326a..4bba8dfb81a 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -10562,7 +10562,7 @@ display_gdb_index (struct dwarf_section + { + uint64_t low = byte_get_little_endian (address_table + i * 20, 8); + uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8); +- uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4); ++ uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4); + + print_dwarf_vma (low, 8); + print_dwarf_vma (high, 8); diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch new file mode 100644 index 0000000000..f2e9cea027 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch @@ -0,0 +1,58 @@ +From 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 4 Dec 2022 22:15:40 +1030 +Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols + +Fixes a fuzzed object file problem where plt relocs were manipulated +in such a way that two synthetic symbols were generated at the same +plt location. Won't occur in real object files. + + PR 29846 + PR 20337 + * objdump.c (compare_symbols): Test symbol flags to exclude + section and synthetic symbols before attempting to check flavour. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] + +CVE: CVE-2022-47695 + +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> +--- + binutils/objdump.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index 08a0fe521d8..21f75f4db40 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -1165,20 +1165,17 @@ compare_symbols (const void *ap, const void *bp) + return 1; + } + +- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour ++ /* Sort larger size ELF symbols before smaller. See PR20337. */ ++ bfd_vma asz = 0; ++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 ++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour) ++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; ++ bfd_vma bsz = 0; ++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 + && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour) +- { +- bfd_vma asz, bsz; +- +- asz = 0; +- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; +- bsz = 0; +- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; +- if (asz != bsz) +- return asz > bsz ? -1 : 1; +- } ++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; ++ if (asz != bsz) ++ return asz > bsz ? -1 : 1; + + /* Symbols that start with '.' might be section names, so sort them + after symbols that don't start with '.'. */ diff --git a/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch b/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch new file mode 100644 index 0000000000..9648033e67 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch @@ -0,0 +1,38 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 20 Jun 2022 01:09:31 +0000 (+0930) +Subject: PR29262, memory leak in pr_function_type +X-Git-Tag: binutils-2_39~224 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab + +PR29262, memory leak in pr_function_type + + PR 29262 + * prdbg.c (pr_function_type): Free "s" on failure path. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab] + +CVE: CVE-2022-47010 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index c1e41628d26..bb42a5b6c2d 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -742,12 +742,9 @@ pr_function_type (void *p, int argcount, bool varargs) + + strcat (s, ")"); + +- if (! substitute_type (info, s)) +- return false; +- ++ bool ret = substitute_type (info, s); + free (s); +- +- return true; ++ return ret; + } + + /* Turn the top type on the stack into a reference to that type. */ diff --git a/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch new file mode 100644 index 0000000000..cc6dfe684b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch @@ -0,0 +1,34 @@ +From: Alan Modra <amodra@gmail.com> +Date: Thu, 16 Jun 2022 23:30:41 +0000 (+0930) +Subject: PR29254, memory leak in stab_demangle_v3_arg +X-Git-Tag: binutils-2_39~237 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb + +PR29254, memory leak in stab_demangle_v3_arg + + PR 29254 + * stabs.c (stab_demangle_v3_arg): Free dt on failure path. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb] + +CVE: CVE-2022-47007 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +--- + +diff --git a/binutils/stabs.c b/binutils/stabs.c +index 2b5241637c1..796ff85b86a 100644 +--- a/binutils/stabs.c ++++ b/binutils/stabs.c +@@ -5467,7 +5467,10 @@ stab_demangle_v3_arg (void *dhandle, struct stab_handle *info, + dc->u.s_binary.right, + &varargs); + if (pargs == NULL) +- return NULL; ++ { ++ free (dt); ++ return NULL; ++ } + + return debug_make_function_type (dhandle, dt, pargs, varargs); + } diff --git a/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch b/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch new file mode 100644 index 0000000000..b0840366c7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch @@ -0,0 +1,57 @@ +From: Alan Modra <amodra@gmail.com> +Date: Tue, 20 Dec 2022 13:17:03 +0000 (+1030) +Subject: PR29922, SHT_NOBITS section avoids section size sanity check +X-Git-Tag: binutils-2_40~202 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8f2c64de86bc3d7556121fe296dd679000283931 + +PR29922, SHT_NOBITS section avoids section size sanity check + + PR 29922 + * dwarf2.c (find_debug_info): Ignore sections without + SEC_HAS_CONTENTS. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8f2c64de86bc3d7556121fe296dd679000283931] + +CVE: CVE-2022-48064 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 95f45708e9d..0cd8152ee6e 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4831,16 +4831,19 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections, + { + look = debug_sections[debug_info].uncompressed_name; + msec = bfd_get_section_by_name (abfd, look); +- if (msec != NULL) ++ /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure. Of ++ course debug sections always have contents. */ ++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0) + return msec; + + look = debug_sections[debug_info].compressed_name; + msec = bfd_get_section_by_name (abfd, look); +- if (msec != NULL) ++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0) + return msec; + + for (msec = abfd->sections; msec != NULL; msec = msec->next) +- if (startswith (msec->name, GNU_LINKONCE_INFO)) ++ if ((msec->flags & SEC_HAS_CONTENTS) != 0 ++ && startswith (msec->name, GNU_LINKONCE_INFO)) + return msec; + + return NULL; +@@ -4848,6 +4851,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections, + + for (msec = after_sec->next; msec != NULL; msec = msec->next) + { ++ if ((msec->flags & SEC_HAS_CONTENTS) == 0) ++ continue; ++ + look = debug_sections[debug_info].uncompressed_name; + if (strcmp (msec->name, look) == 0) + return msec; diff --git a/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch new file mode 100644 index 0000000000..63fb44d59a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch @@ -0,0 +1,50 @@ +From: Keith Seitz <keiths@...> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700) +Subject: Verify COFF symbol stringtab offset +X-Git-Tag: gdb-14-branchpoint~473 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a + +Verify COFF symbol stringtab offset + +This patch addresses an issue with malformed/fuzzed debug information that +was recently reported in gdb/30639. That bug specifically deals with +an ASAN issue, but the reproducer provided by the reporter causes a +another failure outside of ASAN: + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a] + +CVE: CVE-2023-39129 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -159,6 +160,7 @@ static file_ptr linetab_offset; + static file_ptr linetab_size; + + static char *stringtab = NULL; ++static long stringtab_length = 0; + + extern void stabsread_clear_cache (void); + +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora + /* This is in target format (probably not very useful, and not + currently used), not host format. */ + memcpy (stringtab, lengthbuf, sizeof lengthbuf); ++ stringtab_length = length; + if (length == sizeof length) /* Empty table -- just the count. */ + return 0; + +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry) + + if (symbol_entry->_n._n_n._n_zeroes == 0) + { +- /* FIXME: Probably should be detecting corrupt symbol files by +- seeing whether offset points to within the stringtab. */ ++ if (symbol_entry->_n._n_n._n_offset > stringtab_length) ++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), ++ symbol_entry->_n._n_n._n_offset, stringtab_length); + result = stringtab + symbol_entry->_n._n_n._n_offset; + } + else diff --git a/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch b/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch new file mode 100644 index 0000000000..bfd5b18d7d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch @@ -0,0 +1,326 @@ +From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 9 Aug 2023 09:58:36 +0930 +Subject: [PATCH] gdb: warn unused result for bfd IO functions + +This fixes the compilation warnings introduced by my bfdio.c patch. + +The removed bfd_seeks in coff_symfile_read date back to 1994, commit +7f4c859520, prior to which the file used stdio rather than bfd to read +symbols. Since it now uses bfd to read the file there should be no +need to synchronise to bfd's idea of the file position. I also fixed +a potential uninitialised memory access. + +Approved-By: Andrew Burgess <aburgess@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80] +CVE: CVE-2023-39130 +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +--- + gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++---------------- + gdb/coffread.c | 27 ++--------- + gdb/dbxread.c | 7 +-- + gdb/xcoffread.c | 5 +- + 4 files changed, 85 insertions(+), 68 deletions(-) + +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c +--- a/gdb/coff-pe-read.c ++++ b/gdb/coff-pe-read.c +@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name) + + /* Low-level support functions, direct from the ld module pe-dll.c. */ + static unsigned int +-pe_get16 (bfd *abfd, int where) ++pe_get16 (bfd *abfd, int where, bool *fail) + { + unsigned char b[2]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 2, abfd); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 2, abfd) != 2) ++ { ++ *fail = true; ++ return 0; ++ } + return b[0] + (b[1] << 8); + } + + static unsigned int +-pe_get32 (bfd *abfd, int where) ++pe_get32 (bfd *abfd, int where, bool *fail) + { + unsigned char b[4]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 4, abfd); +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 4, abfd) != 4) ++ { ++ *fail = true; ++ return 0; ++ } ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + static unsigned int +@@ -323,7 +331,7 @@ pe_as32 (void *ptr) + { + unsigned char *b = (unsigned char *) ptr; + +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + /* Read the (non-debug) export symbol table from a portable +@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_re + || strcmp (target, "pei-i386") == 0 + || strcmp (target, "pe-arm-wince-little") == 0 + || strcmp (target, "pei-arm-wince-little") == 0); ++ ++ /* Possibly print a debug message about DLL not having a valid format. */ ++ auto maybe_print_debug_msg = [&] () -> void { ++ if (debug_coff_pe_read) ++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"), ++ bfd_get_filename (dll)); ++ }; ++ + if (!is_pe32 && !is_pe64) +- { +- /* This is not a recognized PE format file. Abort now, because +- the code is untested on anything else. *FIXME* test on +- further architectures and loosen or remove this test. */ +- return; +- } ++ return maybe_print_debug_msg (); + + /* Get pe_header, optional header and numbers of export entries. */ +- pe_header_offset = pe_get32 (dll, 0x3c); ++ bool fail = false; ++ pe_header_offset = pe_get32 (dll, 0x3c, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + opthdr_ofs = pe_header_offset + 4 + 20; + if (is_pe64) +- num_entries = pe_get32 (dll, opthdr_ofs + 108); ++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail); + else +- num_entries = pe_get32 (dll, opthdr_ofs + 92); ++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + + if (num_entries < 1) /* No exports. */ + return; + if (is_pe64) + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail); + } + else + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail); + } +- nsections = pe_get16 (dll, pe_header_offset + 4 + 2); ++ if (fail) ++ return maybe_print_debug_msg (); ++ ++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (dll, pe_header_offset + 4 + 16)); ++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return maybe_print_debug_msg (); + expptr = 0; + export_size = 0; + +@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_re + { + char sname[8]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long vsize = pe_get32 (dll, secptr1 + 16); +- unsigned long fptr = pe_get32 (dll, secptr1 + 20); +- +- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail); ++ unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail); ++ ++ if (fail ++ || bfd_seek (dll, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname)) + + if ((strcmp (sname, ".edata") == 0) + || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize)) +@@ -461,16 +483,18 @@ read_pe_exported_syms (minimal_symbol_re + for (i = 0; i < nsections; i++) + { + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vsize = pe_get32 (dll, secptr1 + 8); +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long characteristics = pe_get32 (dll, secptr1 + 36); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail); + char sec_name[SCNNMLEN + 1]; + int sectix; + unsigned int bfd_section_index; + asection *section; + +- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET); +- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll); ++ if (fail ++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0 ++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN) ++ return maybe_print_debug_msg (); + sec_name[SCNNMLEN] = '\0'; + + sectix = read_pe_section_index (sec_name); +@@ -509,8 +533,9 @@ read_pe_exported_syms (minimal_symbol_re + gdb::def_vector<unsigned char> expdata_storage (export_size); + expdata = expdata_storage.data (); + +- bfd_seek (dll, (file_ptr) expptr, SEEK_SET); +- bfd_bread (expdata, (bfd_size_type) export_size, dll); ++ if (bfd_seek (dll, expptr, SEEK_SET) != 0 ++ || bfd_bread (expdata, export_size, dll) != export_size) ++ return maybe_print_debug_msg (); + erva = expdata - export_rva; + + nexp = pe_as32 (expdata + 24); +@@ -658,20 +683,27 @@ pe_text_section_offset (struct bfd *abfd + } + + /* Get pe_header, optional header and numbers of sections. */ +- pe_header_offset = pe_get32 (abfd, 0x3c); +- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2); ++ bool fail = false; ++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; ++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (abfd, pe_header_offset + 4 + 16)); ++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + + /* Get the rva and size of the export section. */ + for (i = 0; i < nsections; i++) + { + char sname[SCNNMLEN + 1]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12); ++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail); + +- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd); ++ if (fail ++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + sname[SCNNMLEN] = '\0'; + if (strcmp (sname, ".text") == 0) + return vaddr; +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -690,8 +690,6 @@ coff_symfile_read (struct objfile *objfi + + /* FIXME: dubious. Why can't we use something normal like + bfd_get_section_contents? */ +- bfd_seek (abfd, abfd->where, 0); +- + stabstrsize = bfd_section_size (info->stabstrsect); + + coffstab_build_psymtabs (objfile, +@@ -780,22 +778,6 @@ coff_symtab_read (minimal_symbol_reader + + scoped_free_pendings free_pending; + +- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous.... +- it's hard to know I've really worked around it. The fix should +- be harmless, anyway). The symptom of the bug is that the first +- fread (in read_one_sym), will (in my example) actually get data +- from file offset 268, when the fseek was to 264 (and ftell shows +- 264). This causes all hell to break loose. I was unable to +- reproduce this on a short test program which operated on the same +- file, performing (I think) the same sequence of operations. +- +- It stopped happening when I put in this (former) rewind(). +- +- FIXME: Find out if this has been reported to Sun, whether it has +- been fixed in a later release, etc. */ +- +- bfd_seek (objfile->obfd, 0, 0); +- + /* Position to read the symbol table. */ + val = bfd_seek (objfile->obfd, symtab_offset, 0); + if (val < 0) +@@ -1285,12 +1267,13 @@ init_stringtab (bfd *abfd, file_ptr offs + if (bfd_seek (abfd, offset, 0) < 0) + return -1; + +- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd); +- length = bfd_h_get_32 (symfile_bfd, lengthbuf); +- ++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd); + /* If no string table is needed, then the file may end immediately + after the symbols. Just return with `stringtab' set to null. */ +- if (val != sizeof lengthbuf || length < sizeof lengthbuf) ++ if (val != sizeof lengthbuf) ++ return 0; ++ length = bfd_h_get_32 (symfile_bfd, lengthbuf); ++ if (length < sizeof lengthbuf) + return 0; + + storage->reset ((char *) xmalloc (length)); +diff --git a/gdb/dbxread.c b/gdb/dbxread.c +--- a/gdb/dbxread.c ++++ b/gdb/dbxread.c +@@ -812,7 +812,8 @@ stabs_seek (int sym_offset) + symbuf_left -= sym_offset; + } + else +- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR); ++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0) ++ perror_with_name (bfd_get_filename (symfile_bfd)); + } + + #define INTERNALIZE_SYMBOL(intern, extern, abfd) \ +@@ -2095,8 +2096,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, + symbol_size = SYMBOL_SIZE (pst); + + /* Read in this file's symbols. */ +- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET); +- read_ofile_symtab (objfile, pst); ++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0) ++ read_ofile_symtab (objfile, pst); + } + + pst->readin = true; +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c +--- a/gdb/xcoffread.c ++++ b/gdb/xcoffread.c +@@ -865,8 +865,9 @@ enter_line_range (struct subfile *subfil + + while (curoffset <= limit_offset) + { +- bfd_seek (abfd, curoffset, SEEK_SET); +- bfd_bread (ext_lnno, linesz, abfd); ++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0 ++ || bfd_bread (ext_lnno, linesz, abfd) != linesz) ++ return; + bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno); + + /* Find the address this line represents. */ +-- +2.39.3 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch new file mode 100644 index 0000000000..ea2e030503 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch @@ -0,0 +1,48 @@ +From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 21 Dec 2022 11:51:23 +0000 +Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of + memory when parsing a corrupt ELF file. + + PR 29924 + * objdump.c (load_specific_debug_section): Check for excessively + large sections. + +Upstream-Status: Backport +CVE: CVE-2022-48063 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/objdump.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -3768,7 +3768,9 @@ load_specific_debug_section (enum dwarf_ + section->size = bfd_section_size (sec); + /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */ + alloced = amt = section->size + 1; +- if (alloced != amt || alloced == 0) ++ if (alloced != amt ++ || alloced == 0 ++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd))) + { + section->start = NULL; + free_debug_section (debug); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2022-12-21 Nick Clifton <nickc@redhat.com> ++ ++ PR 29924 ++ * objdump.c (load_specific_debug_section): Check for excessively ++ large sections. ++ + 2022-03-23 Nick Clifton <nickc@redhat.com> + + Import patch from mainline: |