* [hardknott][PATCH] binutils: Fix CVE-2021-3530
@ 2021-10-27 10:47 Pgowda
2021-10-27 15:09 ` Mittal, Anuj
0 siblings, 1 reply; 3+ messages in thread
From: Pgowda @ 2021-10-27 10:47 UTC (permalink / raw)
To: openembedded-core
Cc: anuj.mittal, richard.purdie, rwmacleod, umesh.kalappa0, Pgowda
Backport from binutils-2_37
Signed-off-by: Pgowda <pgowda.cve@gmail.com>
---
.../binutils/binutils-2.36.inc | 1 +
.../binutils/0017-CVE-2021-3530.patch | 97 +++++++++++++++++++
2 files changed, 98 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc
index 9d770db5a8..981692e457 100644
--- a/meta/recipes-devtools/binutils/binutils-2.36.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -44,5 +44,6 @@ SRC_URI = "\
file://0001-CVE-2021-20197.patch \
file://0002-CVE-2021-20197.patch \
file://0003-CVE-2021-20197.patch \
+ file://0017-CVE-2021-3530.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
new file mode 100644
index 0000000000..f1934aa600
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
@@ -0,0 +1,97 @@
+From 25162c795b1a2becf936bb3581d86a307ea491eb Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jul 2021 16:51:56 +0100
+Subject: [PATCH] Fix a stack exhaustion problem in the Rust demangling code in
+ the libiberty library.
+
+ PR 99935
+ * rust-demangle.c: Add recursion limit.
+---
+ libiberty/ChangeLog | 5 +++++
+ libiberty/rust-demangle.c | 31 +++++++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index bc1b35b97c4..8e39fd28eba 100644
+--- a/libiberty/ChangeLog
++++ b/libiberty/ChangeLog
+@@ -1,3 +1,8 @@
++2021-07-15 Nick Clifton <nickc@redhat.com>
++
++ PR 99935
++ * rust-demangle.c: Add recursion limit.
++
+ 2021-01-04 Martin Liska <mliska@suse.cz>
+
+ * strverscmp.c: Convert to utf8 from iso8859.
+diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
+index 449941b56dc..df09b7b8fdd 100644
+--- a/libiberty/rust-demangle.c
++++ b/libiberty/rust-demangle.c
+@@ -74,6 +74,12 @@ struct rust_demangler
+ /* Rust mangling version, with legacy mangling being -1. */
+ int version;
+
++ /* Recursion depth. */
++ uint recursion;
++ /* Maximum number of times demangle_path may be called recursively. */
++#define RUST_MAX_RECURSION_COUNT 1024
++#define RUST_NO_RECURSION_LIMIT ((uint) -1)
++
+ uint64_t bound_lifetime_depth;
+ };
+
+@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd
+ if (rdm->errored)
+ return;
+
++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
++ {
++ ++ rdm->recursion;
++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT)
++ /* FIXME: There ought to be a way to report
++ that the recursion limit has been reached. */
++ goto fail_return;
++ }
++
+ switch (tag = next (rdm))
+ {
+ case 'C':
+@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd
+ case 'N':
+ ns = next (rdm);
+ if (!ISLOWER (ns) && !ISUPPER (ns))
+- {
+- rdm->errored = 1;
+- return;
+- }
++ goto fail_return;
+
+ demangle_path (rdm, in_value);
+
+@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd
+ }
+ break;
+ default:
+- rdm->errored = 1;
+- return;
++ goto fail_return;
+ }
++ goto pass_return;
++
++ fail_return:
++ rdm->errored = 1;
++ pass_return:
++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
++ -- rdm->recursion;
+ }
+
+ static void
+@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang
+ rdm.skipping_printing = 0;
+ rdm.verbose = (options & DMGL_VERBOSE) != 0;
+ rdm.version = 0;
++ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? RUST_NO_RECURSION_LIMIT : 0;
+ rdm.bound_lifetime_depth = 0;
+
+ /* Rust symbols always start with _R (v0) or _ZN (legacy). */
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [hardknott][PATCH] binutils: Fix CVE-2021-3530
2021-10-27 10:47 [hardknott][PATCH] binutils: Fix CVE-2021-3530 Pgowda
@ 2021-10-27 15:09 ` Mittal, Anuj
2021-10-28 10:01 ` pgowda cve
0 siblings, 1 reply; 3+ messages in thread
From: Mittal, Anuj @ 2021-10-27 15:09 UTC (permalink / raw)
To: openembedded-core, pgowda.cve; +Cc: richard.purdie, rwmacleod, umesh.kalappa0
On Wed, 2021-10-27 at 03:47 -0700, Pgowda wrote:
> Backport from binutils-2_37
>
> Signed-off-by: Pgowda <pgowda.cve@gmail.com>
> ---
> .../binutils/binutils-2.36.inc | 1 +
> .../binutils/0017-CVE-2021-3530.patch | 97 +++++++++++++++++++
> 2 files changed, 98 insertions(+)
> create mode 100644 meta/recipes-devtools/binutils/binutils/0017-CVE-
> 2021-3530.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc
> b/meta/recipes-devtools/binutils/binutils-2.36.inc
> index 9d770db5a8..981692e457 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.36.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
> @@ -44,5 +44,6 @@ SRC_URI = "\
> file://0001-CVE-2021-20197.patch \
> file://0002-CVE-2021-20197.patch \
> file://0003-CVE-2021-20197.patch \
> + file://0017-CVE-2021-3530.patch \
> "
> S = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-
> 3530.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-
> 3530.patch
> new file mode 100644
> index 0000000000..f1934aa600
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2021-3530.patch
> @@ -0,0 +1,97 @@
> +From 25162c795b1a2becf936bb3581d86a307ea491eb Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc@redhat.com>
> +Date: Thu, 15 Jul 2021 16:51:56 +0100
> +Subject: [PATCH] Fix a stack exhaustion problem in the Rust demangling
> code in
> + the libiberty library.
> +
> + PR 99935
> + * rust-demangle.c: Add recursion limit.
This needs a CVE tag, your Signed-off-by and Upstream-Status. Please
see:
https://wiki.yoctoproject.org/wiki/Security#Patch_name_convention_and_commit_message
Also, it looks like this will break MinGW builds and would also need:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=999566402e3
Please check.
Thanks,
Anuj
> +---
> + libiberty/ChangeLog | 5 +++++
> + libiberty/rust-demangle.c | 31 +++++++++++++++++++++++++------
> + 2 files changed, 30 insertions(+), 6 deletions(-)
> +
> +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
> +index bc1b35b97c4..8e39fd28eba 100644
> +--- a/libiberty/ChangeLog
> ++++ b/libiberty/ChangeLog
> +@@ -1,3 +1,8 @@
> ++2021-07-15 Nick Clifton <nickc@redhat.com>
> ++
> ++ PR 99935
> ++ * rust-demangle.c: Add recursion limit.
> ++
> + 2021-01-04 Martin Liska <mliska@suse.cz>
> +
> + * strverscmp.c: Convert to utf8 from iso8859.
> +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c
> +index 449941b56dc..df09b7b8fdd 100644
> +--- a/libiberty/rust-demangle.c
> ++++ b/libiberty/rust-demangle.c
> +@@ -74,6 +74,12 @@ struct rust_demangler
> + /* Rust mangling version, with legacy mangling being -1. */
> + int version;
> +
> ++ /* Recursion depth. */
> ++ uint recursion;
> ++ /* Maximum number of times demangle_path may be called
> recursively. */
> ++#define RUST_MAX_RECURSION_COUNT 1024
> ++#define RUST_NO_RECURSION_LIMIT ((uint) -1)
> ++
> + uint64_t bound_lifetime_depth;
> + };
> +
> +@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd
> + if (rdm->errored)
> + return;
> +
> ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
> ++ {
> ++ ++ rdm->recursion;
> ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT)
> ++ /* FIXME: There ought to be a way to report
> ++ that the recursion limit has been reached. */
> ++ goto fail_return;
> ++ }
> ++
> + switch (tag = next (rdm))
> + {
> + case 'C':
> +@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd
> + case 'N':
> + ns = next (rdm);
> + if (!ISLOWER (ns) && !ISUPPER (ns))
> +- {
> +- rdm->errored = 1;
> +- return;
> +- }
> ++ goto fail_return;
> +
> + demangle_path (rdm, in_value);
> +
> +@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd
> + }
> + break;
> + default:
> +- rdm->errored = 1;
> +- return;
> ++ goto fail_return;
> + }
> ++ goto pass_return;
> ++
> ++ fail_return:
> ++ rdm->errored = 1;
> ++ pass_return:
> ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
> ++ -- rdm->recursion;
> + }
> +
> + static void
> +@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang
> + rdm.skipping_printing = 0;
> + rdm.verbose = (options & DMGL_VERBOSE) != 0;
> + rdm.version = 0;
> ++ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ?
> RUST_NO_RECURSION_LIMIT : 0;
> + rdm.bound_lifetime_depth = 0;
> +
> + /* Rust symbols always start with _R (v0) or _ZN (legacy). */
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [hardknott][PATCH] binutils: Fix CVE-2021-3530
2021-10-27 15:09 ` Mittal, Anuj
@ 2021-10-28 10:01 ` pgowda cve
0 siblings, 0 replies; 3+ messages in thread
From: pgowda cve @ 2021-10-28 10:01 UTC (permalink / raw)
To: Mittal, Anuj; +Cc: openembedded-core, richard.purdie, rwmacleod, umesh.kalappa0
Hi Anuj,
Thanks for checking the patch and providing your comments.
>> This needs a CVE tag, your Signed-off-by and Upstream-Status.
Done.
>> Also, it looks like this will break MinGW builds and would also need:
Added.
Will check for the CVE tags and other indentations properly.
Please find the modified patch posted at following link:-
https://lists.openembedded.org/g/openembedded-core/message/157582
Thanks,
Pgowda
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-28 10:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-27 10:47 [hardknott][PATCH] binutils: Fix CVE-2021-3530 Pgowda
2021-10-27 15:09 ` Mittal, Anuj
2021-10-28 10:01 ` pgowda cve
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.