fix CVE-2022-44840

CVE-2022-44840.patch

@@ -0,0 +1,156 @@
+[Ubuntu note: commit af2ddf69ab85 is not included in this version of the code,
+ so adjustments had to be made to the 2nd hunk in order for it to apply
+ cleanly and in order to have the added code match correct macro usage for
+ this version of binutils (SAFE_BYTE_GET64 is called with signature_high and
+ signature_low in this version of the code, but not in the added lines of the
+ original patch).
+ -- Camila Camargo de Matos <camila.camargodematos@canonical.com>]
+
+Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59
+
+From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 30 Oct 2022 19:08:51 +1030
+Subject: [PATCH] Pool section entries for DWP version 1
+
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+
+Fuzzers have found a weakness in the code stashing pool section
+entries.  With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator.  Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer.  Fix this by scanning the pool directly.
+
+binutils/
+	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+	(end_cu_tu_entry): Likewise.
+	(process_cu_tu_index): Fill shndx_pool by directly scanning
+	pool, rather than indirectly from index entries.
+---
+ binutils/dwarf.c | 90 ++++++++++++++++++++++--------------------------
+ 1 file changed, 41 insertions(+), 49 deletions(-)
+
+Index: binutils-2.34/binutils/dwarf.c
+===================================================================
+--- binutils-2.34.orig/binutils/dwarf.c
++++ binutils-2.34/binutils/dwarf.c
+@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = shndx;
+ }
+ 
+ static void
+ end_cu_tu_entry (void)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = 0;
+ }
+ 
+@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio
+ 
+   if (version == 1)
+     {
++      unsigned char *shndx_list;
++      unsigned int shndx;
++
+       if (!do_display)
+-	prealloc_cu_tu_list ((limit - ppool) / 4);
+-      for (i = 0; i < nslots; i++)
+ 	{
+-	  unsigned char *shndx_list;
+-	  unsigned int shndx;
+-
+-	  SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
+-	  if (signature_high != 0 || signature_low != 0)
++         prealloc_cu_tu_list ((limit - ppool) / 4);
++         for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+ 	    {
+-	      SAFE_BYTE_GET (j, pindex, 4, limit);
+-	      shndx_list = ppool + j * 4;
+-	      /* PR 17531: file: 705e010d.  */
+-	      if (shndx_list < ppool)
+-		{
+-		  warn (_("Section index pool located before start of section\n"));
+-		  return 0;
+-		}
+-
+-	      if (do_display)
++	      shndx = byte_get (shndx_list, 4);
++	      add_shndx_to_cu_tu_entry (shndx);
++	    }
++	  end_cu_tu_entry ();
++	}
++      else
++	for (i = 0; i < nslots; i++)
++	  {
++	    SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
++	    if (signature_high != 0 || signature_low != 0)
++	      {
++		SAFE_BYTE_GET (j, pindex, 4, limit);
++		shndx_list = ppool + j * 4;
++		/* PR 17531: file: 705e010d.  */
++		if (shndx_list < ppool)
++		  {
++		    warn (_("Section index pool located before start of section\n"));
++		    return 0;
++		  }
+ 		printf (_("  [%3d] Signature:  0x%s  Sections: "),
+ 			i, dwarf_vmatoa64 (signature_high, signature_low,
+ 					   buf, sizeof (buf)));
+-	      for (;;)
+-		{
+-		  if (shndx_list >= limit)
+-		    {
+-		      warn (_("Section %s too small for shndx pool\n"),
+-			    section->name);
+-		      return 0;
+-		    }
+-		  SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+-		  if (shndx == 0)
+-		    break;
+-		  if (do_display)
++		for (;;)
++		  {
++		    if (shndx_list >= limit)
++		      {
++			warn (_("Section %s too small for shndx pool\n"),
++			      section->name);
++		        return 0;
++		      }
++		    SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
++		    if (shndx == 0)
++		      break;
+ 		    printf (" %d", shndx);
+-		  else
+-		    add_shndx_to_cu_tu_entry (shndx);
+-		  shndx_list += 4;
+-		}
+-	      if (do_display)
++		    shndx_list += 4;
++		  }
+ 		printf ("\n");
+-	      else
+-		end_cu_tu_entry ();
+-	    }
+-	  phash += 8;
+-	  pindex += 4;
+-	}
++	      }
++	    phash += 8;
++	    pindex += 4;
++	  }
+     }
+   else if (version == 2)
+     {

binutils.spec

@@ -1,7 +1,7 @@
 Summary: Binary utilities
 Name:    binutils
 Version: 2.34
-Release: 31
+Release: 32
 License: GPLv3+
 URL:     https://sourceware.org/binutils
 
@@ -68,6 +68,7 @@ Patch51: backport-asan-print_vms_time-signed-integer-overflow.patch
 Patch52: backport-ubsan-shift-exponent-70-is-too-large.patch
 Patch53: backport-ubsan-shift-exponent-is-too-large.patch
 Patch54: backport-asan-readelf-use-after-free-in-process_archive.patch
+Patch55: CVE-2022-44840.patch
 
 Provides: bundled(libiberty)
 
@@ -322,6 +323,9 @@ fi
 %{_infodir}/bfd*info*
 
 %changelog
+* Fri Oct 25 2024 Linux_zhang <zhangruifang@h-partners.com> - 2.34-32
+- fix CVE-2022-44840
+
 * Sat Nov 18 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-31
 - Delete rpath