[pkgsrc/trunk]: pkgsrc/devel/binutils binutils: add upstream fixes for CVE-20...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/devel/binutils binutils: add upstream fixes for CVE-20...
From: fcambus <fcambus%pkgsrc.org@localhost>
Date: Fri, 14 Jan 2022 09:36:20 +0000
details:   https://anonhg.NetBSD.org/pkgsrc/rev/3fd32c26fa5c
branches:  trunk
changeset: 371774:3fd32c26fa5c
user:      fcambus <fcambus%pkgsrc.org@localhost>
date:      Fri Jan 14 08:35:59 2022 +0000

description:
binutils: add upstream fixes for CVE-2021-45078.

>From upstream commit log:

PR28694, Out-of-bounds write in stab_xcoff_builtin_type

PR 28694
* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
Negate typenum earlier, simplifying bounds checking.  Correct
off-by-one indexing.  Adjust switch cases.

diffstat:

 devel/binutils/Makefile                       |    3 +-
 devel/binutils/distinfo                       |    3 +-
 devel/binutils/patches/patch-binutils_stabs.c |  243 ++++++++++++++++++++++++++
 3 files changed, 247 insertions(+), 2 deletions(-)

diffs (274 lines):

diff -r 80319981f679 -r 3fd32c26fa5c devel/binutils/Makefile
--- a/devel/binutils/Makefile   Fri Jan 14 04:43:36 2022 +0000
+++ b/devel/binutils/Makefile   Fri Jan 14 08:35:59 2022 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.100 2021/09/11 15:54:39 fcambus Exp $
+# $NetBSD: Makefile,v 1.101 2022/01/14 08:35:59 fcambus Exp $
 
 DISTNAME=      binutils-2.37
+PKGREVISION=   1
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GNU:=binutils/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 80319981f679 -r 3fd32c26fa5c devel/binutils/distinfo
--- a/devel/binutils/distinfo   Fri Jan 14 04:43:36 2022 +0000
+++ b/devel/binutils/distinfo   Fri Jan 14 08:35:59 2022 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.44 2021/10/26 10:14:19 nia Exp $
+$NetBSD: distinfo,v 1.45 2022/01/14 08:35:59 fcambus Exp $
 
 BLAKE2s (binutils-2.37.tar.bz2) = cbcd25c08c84f0fca9c77936991cef9b3a2c6f8350ecb98a7877fc0107f34db9
 SHA512 (binutils-2.37.tar.bz2) = b3f5184697f77e94c95d48f6879de214eb5e17aa6ef8e96f65530d157e515b1ae2f290e98453e4ff126462520fa0f63852b6e1c8fbb397ed2e41984336bc78c6
 Size (binutils-2.37.tar.bz2) = 33888611 bytes
 SHA1 (patch-bfd_cache.c) = e2d96bad350552eacdffa83532f9dc9e15ee9be9
+SHA1 (patch-binutils_stabs.c) = 6e7f95d5c3e7fa32196b75876c95fdc2b6aeaee6
 SHA1 (patch-gold_Makefile.in) = e01d973f9625a1653851f796c123efec37102fbd
 SHA1 (patch-gold_options.h) = 03816bbf157d781820d96a4d3af0885dc2bbbaa9
 SHA1 (patch-gold_system.h) = 9b4130b5315763daa66e0a91a8be6d1df0d10344
diff -r 80319981f679 -r 3fd32c26fa5c devel/binutils/patches/patch-binutils_stabs.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/binutils/patches/patch-binutils_stabs.c     Fri Jan 14 08:35:59 2022 +0000
@@ -0,0 +1,243 @@
+$NetBSD: patch-binutils_stabs.c,v 1.1 2022/01/14 08:35:59 fcambus Exp $
+
+Upstream fix for CVE-2021-45078.
+
+PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+PR 28694
+* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+Negate typenum earlier, simplifying bounds checking.  Correct
+off-by-one indexing.  Adjust switch cases.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=28694
+
+--- binutils/stabs.c.orig      2021-07-08 11:37:19.000000000 +0000
++++ binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *
+ static bool stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
++  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUT
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-                       int typenum)
++                       unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++  typenum = -typenum - 1;
++  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
++  if (info->xcoff_types[typenum] != NULL)
++    return info->xcoff_types[typenum];
+ 
+-  switch (-typenum)
++  switch (typenum)
+     {
+-    case 1:
++    case 0:
+       /* The size of this and all the other types are fixed, defined
+        by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 2:
++    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 3:
++    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 4:
++    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 5:
++    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 6:
++    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 7:
++    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, true);
+       break;
+-    case 8:
++    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 9:
++    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 10:
++    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, true);
+       break;
+-    case 11:
++    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
++    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
++    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
++    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+        with different sizes for "long double" should use different
+        negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
++    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 16:
++    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
++    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
++    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
++    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
++    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, true);
+       break;
+-    case 21:
++    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
++    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
++    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
++    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
++    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
++    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
++    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, false);
+       break;
+-    case 28:
++    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 29:
++    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, false);
+       break;
+-    case 30:
++    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, false);
+       break;
+-    case 31:
++    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+-    case 32:
++    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, true);
+       break;
+-    case 33:
++    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
++    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, false);
+       break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, 
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
++  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+
Prev by Date: [pkgsrc/trunk]: pkgsrc/doc doc: Updated devel/binutils to 2.37nb1
Next by Date: [pkgsrc/trunk]: pkgsrc/security/py-pbkdf2 py-pbkdf2: remove incorrect EGG_NAME
Previous by Thread: [pkgsrc/trunk]: pkgsrc/doc doc: Updated devel/binutils to 2.37nb1
Next by Thread: [pkgsrc/trunk]: pkgsrc/security/py-pbkdf2 py-pbkdf2: remove incorrect EGG_NAME
Indexes:
Home | Main Index | Thread Index | Old Index