binutils: patch CVE-2025-0840

Backport [1] as listed in [2].

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0840

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.43.1.inc b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
index 4a8666b43338e7b7c38aca9056ea5e127ca48750..091fa61cc6e35d990ff0e9db080abe8e792e6b15 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
      file://0015-CVE-2024-53589.patch \
+     file://0016-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"

diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
new file mode 100644 (file)
index 0000000..2f60a7a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
@@ -0,0 +1,55 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+       PR 32560
+       * objdump.c (MAX_INSN_WIDTH): Define.
+       (insn_width): Make it an unsigned long.
+       (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+       (main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+
+CVE: CVE-2025-0840
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all;               /* -D */
+ static int disassemble_zeroes;                /* --disassemble-zeroes */
+ static bool formats_info;             /* -i */
+ int wide_output;                      /* -w */
+-static int insn_width;                        /* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;      /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;            /* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+       }
+       else
+       {
+-        char buf[50];
++        char buf[MAX_INSN_WIDTH + 1];
+         unsigned int bpc = 0;
+         unsigned int pb = 0;
+ 
+@@ -6091,8 +6092,9 @@ main (int argc, char **argv)
+         break;
+       case OPTION_INSN_WIDTH:
+         insn_width = strtoul (optarg, NULL, 0);
+-        if (insn_width <= 0)
+-          fatal (_("error: instruction width must be positive"));
++        if (insn_width - 1 >= MAX_INSN_WIDTH)
++          fatal (_("error: instruction width must be in the range 1 to "
++                   XSTRING (MAX_INSN_WIDTH)));
+         break;
+       case OPTION_INLINES:
+         unwind_inlines = true;