!248 [sync] PR-246: Backport some fixes about undefined shift and integer overflow issues

From: @openeuler-sync-bot Reviewed-by: @eastb233 Signed-off-by: @eastb233
2023-10-12 01:13:56 +00:00 · 2023-10-12 01:13:56 +00:00 · c724e6cbf5
commit c724e6cbf5
parent 4ca030ed54 ac3115d8ac
4 changed files with 194 additions and 1 deletions
--- a/backport-asan-print_vms_time-signed-integer-overflow.patch
+++ b/backport-asan-print_vms_time-signed-integer-overflow.patch
@ -0,0 +1,61 @@
+From dccc31dee37b559219708c8d0accc7d512d51c1f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 24 Dec 2020 16:11:03 +1030
+Subject: [PATCH] asan: print_vms_time signed integer overflow
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=dccc31dee37b559219708c8d0accc7d512d51c1f
+
+I really don't think anyone cares about underflow of vms time values,
+but the potential segfault on a gmtime failure is worth fixing.
+
+	* readelf.c (INT64_MIN): Define if not already defined.
+	(print_vms_time): Catch 64-bit overflow when converting from
+	vms time to posix time.  Don't segfault if gmtime returns NULL.
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 21 +++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 46fd87a974a..3e3ac2f71d4 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -9886,20 +9886,29 @@ dynamic_section_parisc_val (Elf_Internal_Dyn * entry)
+ 
+ #define VMS_EPOCH_OFFSET 35067168000000000LL
+ #define VMS_GRANULARITY_FACTOR 10000000
+#ifndef INT64_MIN
+#define INT64_MIN (-9223372036854775807LL - 1)
+#endif
+ 
+ /* Display a VMS time in a human readable format.  */
+ 
+ static void
+ print_vms_time (bfd_int64_t vmstime)
+ {
+-  struct tm *tm;
+  struct tm *tm = NULL;
+   time_t unxtime;
+ 
+-  unxtime = (vmstime - VMS_EPOCH_OFFSET) / VMS_GRANULARITY_FACTOR;
+-  tm = gmtime (&unxtime);
+-  printf ("%04u-%02u-%02uT%02u:%02u:%02u",
+-          tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
+-          tm->tm_hour, tm->tm_min, tm->tm_sec);
+  if (vmstime >= INT64_MIN + VMS_EPOCH_OFFSET)
+    {
+      vmstime = (vmstime - VMS_EPOCH_OFFSET) / VMS_GRANULARITY_FACTOR;
+      unxtime = vmstime;
+      if (unxtime == vmstime)
+	tm = gmtime (&unxtime);
+    }
+  if (tm != NULL)
+    printf ("%04u-%02u-%02uT%02u:%02u:%02u",
+	    tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
+	    tm->tm_hour, tm->tm_min, tm->tm_sec);
+ }
+ #endif /* BFD64 */
+ 
+-- 
+2.19.1
+
--- a/backport-ubsan-shift-exponent-70-is-too-large.patch
+++ b/backport-ubsan-shift-exponent-70-is-too-large.patch
@ -0,0 +1,61 @@
+From 60e63c3e9750b036d50e58bc173591fa450601b6 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 16 Mar 2020 08:54:16 +1030
+Subject: [PATCH] ubsan: shift exponent 70 is too large
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=60e63c3e9750b036d50e58bc173591fa450601b6
+
+	* unwind-ia64.c (unw_decode_uleb128): Prevent overlarge shifts.
+	Detect shift overflows and check that terminating byte is found.
+	Print an error on a bad uleb128.
+---
+ binutils/ChangeLog     |  6 ++++++
+ binutils/unwind-ia64.c | 21 +++++++++++++++++----
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/unwind-ia64.c b/binutils/unwind-ia64.c
+index b59a531e685..b9eae5bb21d 100644
+--- a/binutils/unwind-ia64.c
+++ b/binutils/unwind-ia64.c
+@@ -544,21 +544,34 @@ static unw_word
+ unw_decode_uleb128 (const unsigned char **dpp, const unsigned char * end)
+ {
+   unsigned shift = 0;
+  int status = 1;
+   unw_word byte, result = 0;
+   const unsigned char *bp = *dpp;
+ 
+   while (bp < end)
+     {
+       byte = *bp++;
+-      result |= (byte & 0x7f) << shift;
+      if (shift < sizeof (result) * 8)
+	{
+	  result |= (byte & 0x7f) << shift;
+	  if ((result >> shift) != (byte & 0x7f))
+	    /* Overflow.  */
+	    status |= 2;
+	  shift += 7;
+	}
+      else if ((byte & 0x7f) != 0)
+	status |= 2;
+ 
+       if ((byte & 0x80) == 0)
+-	break;
+-
+-      shift += 7;
+	{
+	  status &= ~1;
+	  break;
+	}
+     }
+ 
+   *dpp = bp;
+  if (status != 0)
+    printf (_("Bad uleb128\n"));
+ 
+   return result;
+ }
+-- 
+2.19.1
+
--- a/backport-ubsan-shift-exponent-is-too-large.patch
+++ b/backport-ubsan-shift-exponent-is-too-large.patch
@ -0,0 +1,65 @@
+From 7b54caddca1013d10219da097e08d4cd4db6b923 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 16 Feb 2021 19:27:24 +1030
+Subject: [PATCH] ubsan: shift exponent is too large
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=7b54caddca1013d10219da097e08d4cd4db6b923
+
+	* libbfd.c (_bfd_read_unsigned_leb128): Avoid excessive shift.
+	(_bfd_safe_read_leb128, _bfd_read_signed_leb128): Likewise.
+---
+ bfd/ChangeLog |  5 +++++
+ bfd/libbfd.c  | 23 +++++++++++++++--------
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/bfd/libbfd.c b/bfd/libbfd.c
+index cd94b81bc43..4f3dd5ad53c 100644
+--- a/bfd/libbfd.c
+++ b/bfd/libbfd.c
+@@ -1074,8 +1074,11 @@ _bfd_read_unsigned_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, buf);
+       buf++;
+       num_read++;
+-      result |= (((bfd_vma) byte & 0x7f) << shift);
+-      shift += 7;
+      if (shift < 8 * sizeof (result))
+	{
+	  result |= (((bfd_vma) byte & 0x7f) << shift);
+	  shift += 7;
+	}
+     }
+   while (byte & 0x80);
+   *bytes_read_ptr = num_read;
+@@ -1104,10 +1107,11 @@ _bfd_safe_read_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, data);
+       data++;
+       num_read++;
+-
+-      result |= ((bfd_vma) (byte & 0x7f)) << shift;
+-
+-      shift += 7;
+      if (shift < 8 * sizeof (result))
+	{
+	  result |= ((bfd_vma) (byte & 0x7f)) << shift;
+	  shift += 7;
+	}
+       if ((byte & 0x80) == 0)
+ 	break;
+     }
+@@ -1141,8 +1145,11 @@ _bfd_read_signed_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, buf);
+       buf ++;
+       num_read ++;
+-      result |= (((bfd_vma) byte & 0x7f) << shift);
+-      shift += 7;
+      if (shift < 8 * sizeof (result))
+	{
+	  result |= (((bfd_vma) byte & 0x7f) << shift);
+	  shift += 7;
+	}
+     }
+   while (byte & 0x80);
+   if (shift < 8 * sizeof (result) && (byte & 0x40))
+-- 
+2.19.1
+
--- a/binutils.spec
+++ b/binutils.spec
@ -1,7 +1,7 @@
 Summary: Binary utilities
 Name:    binutils
 Version: 2.34
-Release: 28
+Release: 29
 License: GPLv3+
 URL:     https://sourceware.org/binutils

@ -64,6 +64,9 @@ Patch47: backport-CVE-2022-47011.patch
 Patch48: backport-CVE-2022-47696.patch
 Patch49: backport-CVE-2021-46174.patch
 Patch50: backport-CVE-2022-48064.patch
+Patch51: backport-asan-print_vms_time-signed-integer-overflow.patch
+Patch52: backport-ubsan-shift-exponent-70-is-too-large.patch
+Patch53: backport-ubsan-shift-exponent-is-too-large.patch

 Provides: bundled(libiberty)

@ -315,6 +318,9 @@ fi
 %{_infodir}/bfd*info*

 %changelog
+* Wed Oct 11 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-29
+- Backport some fixes about undefined shift and integer overflow issues
+
 * Tue Sep 05 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-28
 - Delete post, preun, postun for help package