pkgsrc-Changes archive


CVS commit: pkgsrc/devel/binutils



Module Name:    pkgsrc
Committed By:   fcambus
Date:           Fri Jan 14 08:35:59 UTC 2022

Modified Files:
        pkgsrc/devel/binutils: Makefile distinfo
Added Files:
        pkgsrc/devel/binutils/patches: patch-binutils_stabs.c

Log Message:
binutils: add upstream fixes for CVE-2021-45078.

From upstream commit log:

PR28694, Out-of-bounds write in stab_xcoff_builtin_type

PR 28694
* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
Negate typenum earlier, simplifying bounds checking.  Correct
off-by-one indexing.  Adjust switch cases.


To generate a diff of this commit:
cvs rdiff -u -r1.100 -r1.101 pkgsrc/devel/binutils/Makefile
cvs rdiff -u -r1.44 -r1.45 pkgsrc/devel/binutils/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/binutils/patches/patch-binutils_stabs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/binutils/Makefile
diff -u pkgsrc/devel/binutils/Makefile:1.100 pkgsrc/devel/binutils/Makefile:1.101
--- pkgsrc/devel/binutils/Makefile:1.100        Sat Sep 11 15:54:39 2021
+++ pkgsrc/devel/binutils/Makefile      Fri Jan 14 08:35:59 2022
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.100 2021/09/11 15:54:39 fcambus Exp $
+# $NetBSD: Makefile,v 1.101 2022/01/14 08:35:59 fcambus Exp $
 
 DISTNAME=      binutils-2.37
+PKGREVISION=   1
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GNU:=binutils/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/devel/binutils/distinfo
diff -u pkgsrc/devel/binutils/distinfo:1.44 pkgsrc/devel/binutils/distinfo:1.45
--- pkgsrc/devel/binutils/distinfo:1.44 Tue Oct 26 10:14:19 2021
+++ pkgsrc/devel/binutils/distinfo      Fri Jan 14 08:35:59 2022
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.44 2021/10/26 10:14:19 nia Exp $
+$NetBSD: distinfo,v 1.45 2022/01/14 08:35:59 fcambus Exp $
 
 BLAKE2s (binutils-2.37.tar.bz2) = cbcd25c08c84f0fca9c77936991cef9b3a2c6f8350ecb98a7877fc0107f34db9
 SHA512 (binutils-2.37.tar.bz2) = b3f5184697f77e94c95d48f6879de214eb5e17aa6ef8e96f65530d157e515b1ae2f290e98453e4ff126462520fa0f63852b6e1c8fbb397ed2e41984336bc78c6
 Size (binutils-2.37.tar.bz2) = 33888611 bytes
 SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9
+SHA1 (patch-binutils_stabs.c) = 6e7f95d5c3e7fa32196b75876c95fdc2b6aeaee6
 SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd
 SHA1 (patch-gold_options.h) = 03816bbf157d781820d96a4d3af0885dc2bbbaa9
 SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344

Added files:

Index: pkgsrc/devel/binutils/patches/patch-binutils_stabs.c
diff -u /dev/null pkgsrc/devel/binutils/patches/patch-binutils_stabs.c:1.1
--- /dev/null   Fri Jan 14 08:35:59 2022
+++ pkgsrc/devel/binutils/patches/patch-binutils_stabs.c        Fri Jan 14 08:35:59 2022
@@ -0,0 +1,243 @@
+$NetBSD: patch-binutils_stabs.c,v 1.1 2022/01/14 08:35:59 fcambus Exp $
+
+Upstream fix for CVE-2021-45078.
+
+PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+PR 28694
+* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+Negate typenum earlier, simplifying bounds checking.  Correct
+off-by-one indexing.  Adjust switch cases.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=28694
+
+--- binutils/stabs.c.orig      2021-07-08 11:37:19.000000000 +0000
++++ binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *
+ static bool stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
++  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUT
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-                       int typenum)
++                       unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++  typenum = -typenum - 1;
++  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
++  if (info->xcoff_types[typenum] != NULL)
++    return info->xcoff_types[typenum];
+ 
+-  switch (-typenum)
++  switch (typenum)
+     {
+-    case 1:
++    case 0:
+       /* The size of this and all the other types are fixed, defined
+        by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 2:
++    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 3:
++    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 4:
++    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 5:
++    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 6:
++    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 7:
++    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, true);
+       break;
+-    case 8:
++    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 9:
++    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 10:
++    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 11:
++    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
++    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
++    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
++    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+        with different sizes for "long double" should use different
+        negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
++    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 16:
++    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
++    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
++    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
++    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
++    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 21:
++    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
++    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
++    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
++    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
++    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
++    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
++    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 28:
++    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 29:
++    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 30:
++    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 31:
++    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+-    case 32:
++    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, true);
+       break;
+-    case 33:
++    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
++    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, 
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
++  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+ 
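Review bot: In the error path of stab_xcoff_builtin_type, the new `fprintf` passes `-typenum - 1` to a `%d` conversion, but `typenum` is now `unsigned int`, so the argument is an unsigned value that is usually above INT_MAX. It prints the original negative number on common two's-complement targets, but the type mismatch is not strictly portable and will trip `-Wformat-signedness`; an explicit cast would settle it: `fprintf (stderr, _("Unrecognized XCOFF type %d\n"), (int) (-typenum - 1));`. The single bounds check also depends on unsigned wraparound to reject zero and positive inputs, which deserves a comment above `typenum = -typenum - 1;`, such as `/* Map -1..-XCOFF_TYPE_COUNT to 0..XCOFF_TYPE_COUNT-1; any other value wraps to a large unsigned number and is rejected below.  */`. The declaration of `xcoff_types` and the switch's default case are outside the visible hunks, so confirm that the array has exactly XCOFF_TYPE_COUNT elements.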


