!338 fix CVE-2025-0840

From: @fundawang 
Reviewed-by: @eastb233 
Signed-off-by: @eastb233

CVE-2022-44840.patch

@@ -0,0 +1,156 @@
+[Ubuntu note: commit af2ddf69ab85 is not included in this version of the code,
+ so adjustments had to be made to the 2nd hunk in order for it to apply
+ cleanly and in order to have the added code match correct macro usage for
+ this version of binutils (SAFE_BYTE_GET64 is called with signature_high and
+ signature_low in this version of the code, but not in the added lines of the
+ original patch).
+ -- Camila Camargo de Matos <camila.camargodematos@canonical.com>]
+
+Origin: backport, https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=28750e3b967da2207d51cbce9fc8be262817ee59
+
+From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 30 Oct 2022 19:08:51 +1030
+Subject: [PATCH] Pool section entries for DWP version 1
+
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+
+Fuzzers have found a weakness in the code stashing pool section
+entries.  With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator.  Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer.  Fix this by scanning the pool directly.
+
+binutils/
+	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+	(end_cu_tu_entry): Likewise.
+	(process_cu_tu_index): Fill shndx_pool by directly scanning
+	pool, rather than indirectly from index entries.
+---
+ binutils/dwarf.c | 90 ++++++++++++++++++++++--------------------------
+ 1 file changed, 41 insertions(+), 49 deletions(-)
+
+Index: binutils-2.34/binutils/dwarf.c
+===================================================================
+--- binutils-2.34.orig/binutils/dwarf.c
++++ binutils-2.34/binutils/dwarf.c
+@@ -9454,22 +9454,12 @@ prealloc_cu_tu_list (unsigned int nshndx
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = shndx;
+ }
+ 
+ static void
+ end_cu_tu_entry (void)
+ {
+-  if (shndx_pool_used >= shndx_pool_size)
+-    {
+-      error (_("Internal error: out of space in the shndx pool.\n"));
+-      return;
+-    }
+   shndx_pool [shndx_pool_used++] = 0;
+ }
+ 
+@@ -9578,54 +9568,55 @@ process_cu_tu_index (struct dwarf_sectio
+ 
+   if (version == 1)
+     {
++      unsigned char *shndx_list;
++      unsigned int shndx;
++
+       if (!do_display)
+-	prealloc_cu_tu_list ((limit - ppool) / 4);
+-      for (i = 0; i < nslots; i++)
+ 	{
+-	  unsigned char *shndx_list;
+-	  unsigned int shndx;
+-
+-	  SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
+-	  if (signature_high != 0 || signature_low != 0)
++         prealloc_cu_tu_list ((limit - ppool) / 4);
++         for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+ 	    {
+-	      SAFE_BYTE_GET (j, pindex, 4, limit);
+-	      shndx_list = ppool + j * 4;
+-	      /* PR 17531: file: 705e010d.  */
+-	      if (shndx_list < ppool)
+-		{
+-		  warn (_("Section index pool located before start of section\n"));
+-		  return 0;
+-		}
+-
+-	      if (do_display)
++	      shndx = byte_get (shndx_list, 4);
++	      add_shndx_to_cu_tu_entry (shndx);
++	    }
++	  end_cu_tu_entry ();
++	}
++      else
++	for (i = 0; i < nslots; i++)
++	  {
++	    SAFE_BYTE_GET64 (phash, &signature_high, &signature_low, limit);
++	    if (signature_high != 0 || signature_low != 0)
++	      {
++		SAFE_BYTE_GET (j, pindex, 4, limit);
++		shndx_list = ppool + j * 4;
++		/* PR 17531: file: 705e010d.  */
++		if (shndx_list < ppool)
++		  {
++		    warn (_("Section index pool located before start of section\n"));
++		    return 0;
++		  }
+ 		printf (_("  [%3d] Signature:  0x%s  Sections: "),
+ 			i, dwarf_vmatoa64 (signature_high, signature_low,
+ 					   buf, sizeof (buf)));
+-	      for (;;)
+-		{
+-		  if (shndx_list >= limit)
+-		    {
+-		      warn (_("Section %s too small for shndx pool\n"),
+-			    section->name);
+-		      return 0;
+-		    }
+-		  SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+-		  if (shndx == 0)
+-		    break;
+-		  if (do_display)
++		for (;;)
++		  {
++		    if (shndx_list >= limit)
++		      {
++			warn (_("Section %s too small for shndx pool\n"),
++			      section->name);
++		        return 0;
++		      }
++		    SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
++		    if (shndx == 0)
++		      break;
+ 		    printf (" %d", shndx);
+-		  else
+-		    add_shndx_to_cu_tu_entry (shndx);
+-		  shndx_list += 4;
+-		}
+-	      if (do_display)
++		    shndx_list += 4;
++		  }
+ 		printf ("\n");
+-	      else
+-		end_cu_tu_entry ();
+-	    }
+-	  phash += 8;
+-	  pindex += 4;
+-	}
++	      }
++	    phash += 8;
++	    pindex += 4;
++	  }
+     }
+   else if (version == 2)
+     {

backport-CVE-2025-0840.patch

@@ -0,0 +1,53 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -109,7 +109,8 @@
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bfd_boolean formats_info;	/* -i */
+ static int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;	/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -2738,7 +2739,7 @@
+ 	}
+       else
+ 	{
+-	  char buf[50];
++	  char buf[MAX_INSN_WIDTH + 1];
+ 	  int bpc = 0;
+ 	  int pb = 0;
+ 
+@@ -5288,8 +5289,9 @@
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
++	  if (insn_width - 1 >= MAX_INSN_WIDTH)
++	    fatal (_("error: instruction width must be in the range 1 to "
++		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = TRUE;
+-- 
+2.43.5

backport-asan-print_vms_time-signed-integer-overflow.patch

@@ -0,0 +1,61 @@
+From dccc31dee37b559219708c8d0accc7d512d51c1f Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 24 Dec 2020 16:11:03 +1030
+Subject: [PATCH] asan: print_vms_time signed integer overflow
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=dccc31dee37b559219708c8d0accc7d512d51c1f
+
+I really don't think anyone cares about underflow of vms time values,
+but the potential segfault on a gmtime failure is worth fixing.
+
+	* readelf.c (INT64_MIN): Define if not already defined.
+	(print_vms_time): Catch 64-bit overflow when converting from
+	vms time to posix time.  Don't segfault if gmtime returns NULL.
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 21 +++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 46fd87a974a..3e3ac2f71d4 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -9886,20 +9886,29 @@ dynamic_section_parisc_val (Elf_Internal_Dyn * entry)
+ 
+ #define VMS_EPOCH_OFFSET 35067168000000000LL
+ #define VMS_GRANULARITY_FACTOR 10000000
++#ifndef INT64_MIN
++#define INT64_MIN (-9223372036854775807LL - 1)
++#endif
+ 
+ /* Display a VMS time in a human readable format.  */
+ 
+ static void
+ print_vms_time (bfd_int64_t vmstime)
+ {
+-  struct tm *tm;
++  struct tm *tm = NULL;
+   time_t unxtime;
+ 
+-  unxtime = (vmstime - VMS_EPOCH_OFFSET) / VMS_GRANULARITY_FACTOR;
+-  tm = gmtime (&unxtime);
+-  printf ("%04u-%02u-%02uT%02u:%02u:%02u",
+-          tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
+-          tm->tm_hour, tm->tm_min, tm->tm_sec);
++  if (vmstime >= INT64_MIN + VMS_EPOCH_OFFSET)
++    {
++      vmstime = (vmstime - VMS_EPOCH_OFFSET) / VMS_GRANULARITY_FACTOR;
++      unxtime = vmstime;
++      if (unxtime == vmstime)
++	tm = gmtime (&unxtime);
++    }
++  if (tm != NULL)
++    printf ("%04u-%02u-%02uT%02u:%02u:%02u",
++	    tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
++	    tm->tm_hour, tm->tm_min, tm->tm_sec);
+ }
+ #endif /* BFD64 */
+ 
+-- 
+2.19.1
+

backport-asan-readelf-use-after-free-in-process_archive.patch

@@ -0,0 +1,48 @@
+From cfc16775b7678e1ad8f9fce048652defd78e3787 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 27 Jun 2020 12:47:45 +0930
+Subject: [PATCH] asan: readelf: use after free in process_archive
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=cfc16775b7678e1ad8f9fce048652defd78e3787
+
+This tidies up in cases where fuzzed thin archives hit the error return
+path in setup_nested_archive.
+
+	* elfcomm.c (setup_nested_archive): Set nested_arch->file to NULL
+	after freeing.
+	(release_archive): Set fields of arch to NULL after freeing.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/elfcomm.c | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/elfcomm.c b/binutils/elfcomm.c
+index 558afa7d056..37f9dbe7eef 100644
+--- a/binutils/elfcomm.c
++++ b/binutils/elfcomm.c
+@@ -727,7 +727,10 @@ setup_nested_archive (struct archive_info *nested_arch,
+ 
+   /* Close previous file and discard cached information.  */
+   if (nested_arch->file != NULL)
+-    fclose (nested_arch->file);
++    {
++      fclose (nested_arch->file);
++      nested_arch->file = NULL;
++    }
+   release_archive (nested_arch);
+ 
+   member_file = fopen (member_file_name, "rb");
+@@ -748,6 +751,10 @@ release_archive (struct archive_info * arch)
+     free (arch->sym_table);
+   if (arch->longnames != NULL)
+     free (arch->longnames);
++  arch->file_name = NULL;
++  arch->index_array = NULL;
++  arch->sym_table = NULL;
++  arch->longnames = NULL;
+ }
+ 
+ /* Get the name of an archive member from the current archive header.
+-- 
+2.19.1
+

backport-ubsan-shift-exponent-70-is-too-large.patch

@@ -0,0 +1,61 @@
+From 60e63c3e9750b036d50e58bc173591fa450601b6 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 16 Mar 2020 08:54:16 +1030
+Subject: [PATCH] ubsan: shift exponent 70 is too large
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=60e63c3e9750b036d50e58bc173591fa450601b6
+
+	* unwind-ia64.c (unw_decode_uleb128): Prevent overlarge shifts.
+	Detect shift overflows and check that terminating byte is found.
+	Print an error on a bad uleb128.
+---
+ binutils/ChangeLog     |  6 ++++++
+ binutils/unwind-ia64.c | 21 +++++++++++++++++----
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/unwind-ia64.c b/binutils/unwind-ia64.c
+index b59a531e685..b9eae5bb21d 100644
+--- a/binutils/unwind-ia64.c
++++ b/binutils/unwind-ia64.c
+@@ -544,21 +544,34 @@ static unw_word
+ unw_decode_uleb128 (const unsigned char **dpp, const unsigned char * end)
+ {
+   unsigned shift = 0;
++  int status = 1;
+   unw_word byte, result = 0;
+   const unsigned char *bp = *dpp;
+ 
+   while (bp < end)
+     {
+       byte = *bp++;
+-      result |= (byte & 0x7f) << shift;
++      if (shift < sizeof (result) * 8)
++	{
++	  result |= (byte & 0x7f) << shift;
++	  if ((result >> shift) != (byte & 0x7f))
++	    /* Overflow.  */
++	    status |= 2;
++	  shift += 7;
++	}
++      else if ((byte & 0x7f) != 0)
++	status |= 2;
+ 
+       if ((byte & 0x80) == 0)
+-	break;
+-
+-      shift += 7;
++	{
++	  status &= ~1;
++	  break;
++	}
+     }
+ 
+   *dpp = bp;
++  if (status != 0)
++    printf (_("Bad uleb128\n"));
+ 
+   return result;
+ }
+-- 
+2.19.1
+

backport-ubsan-shift-exponent-is-too-large.patch

@@ -0,0 +1,65 @@
+From 7b54caddca1013d10219da097e08d4cd4db6b923 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 16 Feb 2021 19:27:24 +1030
+Subject: [PATCH] ubsan: shift exponent is too large
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=7b54caddca1013d10219da097e08d4cd4db6b923
+
+	* libbfd.c (_bfd_read_unsigned_leb128): Avoid excessive shift.
+	(_bfd_safe_read_leb128, _bfd_read_signed_leb128): Likewise.
+---
+ bfd/ChangeLog |  5 +++++
+ bfd/libbfd.c  | 23 +++++++++++++++--------
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/bfd/libbfd.c b/bfd/libbfd.c
+index cd94b81bc43..4f3dd5ad53c 100644
+--- a/bfd/libbfd.c
++++ b/bfd/libbfd.c
+@@ -1074,8 +1074,11 @@ _bfd_read_unsigned_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, buf);
+       buf++;
+       num_read++;
+-      result |= (((bfd_vma) byte & 0x7f) << shift);
+-      shift += 7;
++      if (shift < 8 * sizeof (result))
++	{
++	  result |= (((bfd_vma) byte & 0x7f) << shift);
++	  shift += 7;
++	}
+     }
+   while (byte & 0x80);
+   *bytes_read_ptr = num_read;
+@@ -1104,10 +1107,11 @@ _bfd_safe_read_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, data);
+       data++;
+       num_read++;
+-
+-      result |= ((bfd_vma) (byte & 0x7f)) << shift;
+-
+-      shift += 7;
++      if (shift < 8 * sizeof (result))
++	{
++	  result |= ((bfd_vma) (byte & 0x7f)) << shift;
++	  shift += 7;
++	}
+       if ((byte & 0x80) == 0)
+ 	break;
+     }
+@@ -1141,8 +1145,11 @@ _bfd_read_signed_leb128 (bfd *abfd ATTRIBUTE_UNUSED,
+       byte = bfd_get_8 (abfd, buf);
+       buf ++;
+       num_read ++;
+-      result |= (((bfd_vma) byte & 0x7f) << shift);
+-      shift += 7;
++      if (shift < 8 * sizeof (result))
++	{
++	  result |= (((bfd_vma) byte & 0x7f) << shift);
++	  shift += 7;
++	}
+     }
+   while (byte & 0x80);
+   if (shift < 8 * sizeof (result) && (byte & 0x40))
+-- 
+2.19.1
+

binutils.spec

@@ -1,7 +1,7 @@
 Summary: Binary utilities
 Name:    binutils
 Version: 2.34
-Release: 28
+Release: 33
 License: GPLv3+
 URL:     https://sourceware.org/binutils
 
@@ -64,13 +64,19 @@ Patch47: backport-CVE-2022-47011.patch
 Patch48: backport-CVE-2022-47696.patch
 Patch49: backport-CVE-2021-46174.patch
 Patch50: backport-CVE-2022-48064.patch
+Patch51: backport-asan-print_vms_time-signed-integer-overflow.patch
+Patch52: backport-ubsan-shift-exponent-70-is-too-large.patch
+Patch53: backport-ubsan-shift-exponent-is-too-large.patch
+Patch54: backport-asan-readelf-use-after-free-in-process_archive.patch
+Patch55: CVE-2022-44840.patch
+Patch56: backport-CVE-2025-0840.patch
 
 Provides: bundled(libiberty)
 
 Buildroot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires: gcc, perl, sed, coreutils, dejagnu, zlib-devel, glibc-static, sharutils, bc, libstdc++-static
-BuildRequires: bison, m4, gcc-c++, gettext, flex, zlib-devel, texinfo >= 4.0, perl-podlators
+BuildRequires: bison, m4, gcc-c++, gettext, flex, zlib-devel, texinfo >= 4.0, perl-podlators, chrpath
 Requires(post): info coreutils chkconfig
 Requires(preun):info chkconfig
 
@@ -199,6 +205,9 @@ done
 install -m 644 include/libiberty.h %{buildroot}%{_prefix}/include
 chmod +x %{buildroot}%{_libdir}/lib*.so*
 
+# Delete RPATH
+chrpath -d %{buildroot}%{_bindir}/*
+
 rm -f %{buildroot}%{_libdir}/lib{bfd,opcodes}.{so,la}
 
 %ifarch %{ix86} x86_64 arm
@@ -315,6 +324,21 @@ fi
 %{_infodir}/bfd*info*
 
 %changelog
+* Thu Feb 06 2025 Funda Wang <fundawang@yeah.net> - 2.34-33
+- fix CVE-2025-0840
+
+* Fri Oct 25 2024 Linux_zhang <zhangruifang@h-partners.com> - 2.34-32
+- fix CVE-2022-44840
+
+* Sat Nov 18 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-31
+- Delete rpath
+
+* Wed Oct 11 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-30
+- Backport a fix about use-after-free issue
+
+* Wed Oct 11 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-29
+- Backport some fixes about undefined shift and integer overflow issues
+
 * Tue Sep 05 2023 eastb233 <xiezhiheng@huawei.com> - 2.34-28
 - Delete post, preun, postun for help package