From d1559c1ebc7cb4e32f078392fc0e90c6e62d8d71 Mon Sep 17 00:00:00 2001
From: yangjinlin01
Date: Tue, 3 Jun 2025 14:16:43 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-0840 to #18868

Commit add patch to fix cve-2025-0840
Project: TC2024080204
Signed-off-by: yangjinlin01
---
 ...ffer-overflow-at-objdump-disassemble.patch | 55 +++++++++++++++++++
 binutils.spec | 8 ++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 0041-binutils-PR32560-stack-buffer-overflow-at-objdump-disassemble.patch

diff --git a/0041-binutils-PR32560-stack-buffer-overflow-at-objdump-disassemble.patch b/0041-binutils-PR32560-stack-buffer-overflow-at-objdump-disassemble.patch
new file mode 100644
index 0000000..9c9e8dc
--- /dev/null
+++ b/0041-binutils-PR32560-stack-buffer-overflow-at-objdump-disassemble.patch
@@ -0,0 +1,55 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+ PR 32560
+ * objdump.c (MAX_INSN_WIDTH): Define.
+ (insn_width): Make it an unsigned long.
+ (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+ (main ): Restrict size of insn_width.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all; /* -D */
+ static int disassemble_zeroes; /* --disassemble-zeroes */
+ static bool formats_info; /* -i */
+ int wide_output; /* -w */
+-static int insn_width; /* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width; /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */
+ static int dump_debugging; /* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ }
+ else
+ {
+- char buf[50];
++ char buf[MAX_INSN_WIDTH + 1];
+ unsigned int bpc = 0;
+ unsigned int pb = 0;
+
+@@ -6070,8 +6071,9 @@ main (int argc, char **argv)
+ break;
+ case OPTION_INSN_WIDTH:
+ insn_width = strtoul (optarg, NULL, 0);
+- if (insn_width <= 0)
+- fatal (_("error: instruction width must be positive"));
++ if (insn_width - 1 >= MAX_INSN_WIDTH)
++ fatal (_("error: instruction width must be in the range 1 to "
++ XSTRING (MAX_INSN_WIDTH)));
+ break;
+ case OPTION_INLINES:
+ unwind_inlines = true;
+--
+2.46.2.windows.1
+
+
diff --git a/binutils.spec b/binutils.spec
index ce4ad9f..e2e0848 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 # Determine if this is a native build or a cross build.
 #
 # For a cross build add --define "binutils_target " to the command
@@ -356,6 +356,9 @@ Patch0039: 0039-binutils-multilib.am.patch
 # https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0323071916878e0634a6e24d8250e4faff67e88
 Patch0040: 0040-fix-CVE-2024-53589.patch
+# Lifetime: Fixed in 2.44
+Patch0041: 0041-binutils-PR32560-stack-buffer-overflow-at-objdump-disassemble.patch
+
 # Purpose: Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10
 # Lifetime: TEMPORARY
 Patch0099: 0099-binutils-suppress-ld-align-tests.patch
@@ -1128,6 +1131,9 @@ exit 0
 %doc README ChangeLog MAINTAINERS README-maintainer-mode
 %changelog
+* Tue Jun 3 2025 yangjinlin01 - 2.41-6
+- Fix CVE-2025-0840: stack-buffer-overflow at objdump disassemble_bytes
+
 * Mon May 12 2025 mgb01105731 - 2.41-5
 - Add patch to fix CVE-2024-53589
--
Gitee
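Review bot: The new `Patch0041:` line in the second hunk carries only a `# Lifetime:` comment, while the neighbouring entries document both purpose and provenance (`Patch0040` has its upstream gitweb URL, `Patch0099` has `# Purpose:` and `# Lifetime:`). I would add `# Purpose: Fix CVE-2025-0840 (PR 32560), stack-buffer-overflow in objdump disassemble_bytes` and `# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893` above it, so the backport is traceable to the upstream commit named inside the patch file. Whether `Patch0041` is actually applied depends on how the spec's %prep section applies patches, which lies outside these hunks and is worth confirming in the build log. The upstream hunks also carry objdump.c line numbers from a tree newer than 2.41 (the fix is noted as landing in 2.44), so the offset or fuzz with which they applied is likely worth checking as well.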