!335 Fix CVE-2024-57360, CVE-2025-0840

From: @fundawang 
Reviewed-by: @eastb233 
Signed-off-by: @eastb233

Fix-gold-linker-relocation-offset.patch

@@ -0,0 +1,52 @@
+From 3d84bd3df6cd5741b575cb454933a3c414c4a5d5 Mon Sep 17 00:00:00 2001
+From: wangding16 <wangding16@huawei.com>
+Date: Sun, 25 Aug 2024 16:51:53 +0800
+Subject: [PATCH] Fix gold linker relocation offset
+
+Reference: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=c441a361287ca98aa7a4ac1ff02d12d138b289dc
+
+---
+ gold/aarch64.cc | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/gold/aarch64.cc b/gold/aarch64.cc
+index 7f95c0cf..6004118a 100644
+--- a/gold/aarch64.cc
++++ b/gold/aarch64.cc
+@@ -2916,6 +2916,7 @@ class Target_aarch64 : public Sized_target<size, big_endian>
+ 			Section_id_hash> AArch64_input_section_map;
+   typedef AArch64_insn_utilities<big_endian> Insn_utilities;
+   const static int TCB_SIZE = size / 8 * 2;
++  static const Address invalid_address = static_cast<Address>(-1);
+ 
+   Target_aarch64(const Target::Target_info* info = &aarch64_info)
+     : Sized_target<size, big_endian>(info),
+@@ -8286,6 +8287,25 @@ Target_aarch64<size, big_endian>::relocate_relocs(
+ 
+   gold_assert(sh_type == elfcpp::SHT_RELA);
+ 
++  if (offset_in_output_section == this->invalid_address) {
++    const Output_relaxed_input_section* poris = 
++      output_section->find_relaxed_input_section(relinfo->object,
++                                                 relinfo->data_shndx);
++    if (poris != NULL) {
++      Address section_address = poris->address();
++      section_size_type section_size = poris->data_size();
++
++      gold_assert(section_address >= view_address
++                  && (section_address + section_size
++                      <= view_address + view_size));
++
++      off_t offset = section_address - view_address;
++      view += offset;
++      view_address += offset;
++      view_size = section_size;
++    }
++  }
++
+   gold::relocate_relocs<size, big_endian, Classify_reloc>(
+     relinfo,
+     prelocs,
+-- 
+2.23.0
+

backport-CVE-2025-0840.patch

@@ -0,0 +1,54 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;	/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
++	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -6070,8 +6071,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
++	  if (insn_width - 1 >= MAX_INSN_WIDTH)
++	    fatal (_("error: instruction width must be in the range 1 to "
++		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;
+-- 
+2.43.5
+

binutils.spec

@@ -2,7 +2,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?_with_debug:-debug}
 Version: 2.41
-Release: 6
+Release: 11
 License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND BSD-3-Clause AND GFDL-1.3-or-later AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later
 URL: https://sourceware.org/binutils
 
@@ -229,6 +229,19 @@ Patch5007: binutils-update-linker-manual.patch
 # Lifetime: Fixed in 2.42 (maybe)
 Patch5008: binutils-gold-empty-dwp.patch
 
+# Purpose:  Fix gold linker relocation offset.
+# Lifetime: Permanent
+Patch5009: Fix-gold-linker-relocation-offset.patch 
+
+# Purpose: nm: Avoid potential segmentation fault when displaying
+#          symbols without version info.
+# Lifetime: Fixed in 2.44
+Patch5010: nm-Avoid-potential-segmentation-fault-when-displaying.patch
+
+# Purpose: PR32560 stack-buffer-overflow at objdump disassemble_bytes
+# Lifetime: Fixed in 2.44
+Patch5011: backport-CVE-2025-0840.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -252,6 +265,8 @@ BuildRequires: gcc
 %if %{with gold}
 # Gold needs bison in order to build gold/yyscript.c.  The GOLD testsuite needs a static libc++
 BuildRequires: bison, m4, gcc-c++, libstdc++-static
+Provides: binutils-gold = %{version}-%{release}
+Obsoletes: binutils-gold < %{version}-%{release}
 
 %if ! %{with clang}
 BuildRequires: gcc-c++
@@ -260,7 +275,7 @@ Conflicts: gcc-c++ < 4.0.0
 %endif
 
 %if %{without bootstrap}
-BuildRequires: gettext, flex, jansson-devel
+BuildRequires: gettext, flex
 %if %{with systemzlib}
 BuildRequires: zlib-devel
 %endif
@@ -298,15 +313,6 @@ Requires(preun): %{_sbindir}/alternatives
 # We also need rm.
 Requires(post): coreutils
 
-%if %{with gold}
-# For now we make the binutils package require the gold sub-package.
-# That way other packages that have a requirement on "binutils" but
-# actually want gold will not have to be changed.  In the future, if
-# we decide to deprecate gold, we can remove this requirement, and
-# then update other packages as necessary.
-Requires: binutils-gold >= %{version}
-%endif
-
 # On ARM EABI systems, we do want -gnueabi to be part of the
 # target triple.
 %ifnarch %{arm}
@@ -366,18 +372,6 @@ using libelf instead of BFD.
 
 %if %{with gold}
 
-%package gold
-Summary: The GOLD linker, a faster alternative to the BFD linker
-Provides: gold = %{version}-%{release}
-Requires: binutils >= %{version}
-
-%description gold
-This package provides the GOLD linker, which can be used as an alternative to
-the default binutils linker (ld.bfd).  The GOLD is generally faster than the
-BFD linker, and it supports features such as Identical Code Folding and
-Incremental linking.  Unfortunately it is not as well maintained as the BFD
-linker, and it may become deprecated in the future.
-
 # The higher of these two numbers determines the default linker.
 %{!?ld_gold_priority:%global ld_gold_priority   30}
 
@@ -387,6 +381,16 @@ linker, and it may become deprecated in the future.
 
 #----------------------------------------------------------------------------
 
+%if %{with docs}
+%package help
+Summary: Manual and information files
+
+%description help
+This package contains binutils manual and information files.
+%endif
+
+#----------------------------------------------------------------------------
+
 %if %{with gprofng}
 
 %package gprofng
@@ -541,10 +545,6 @@ compute_global_configuration()
 	--enable-64-bit-bfd \
 	--with-bugurl=https://gitee.com/src-openeuler/binutils/issues/"
 
-%if %{without bootstrap}
-    CARGS="$CARGS --enable-jansson=yes"
-%endif
-
 %if %{with debuginfod}
     CARGS="$CARGS --with-debuginfod"
 %endif
@@ -1086,20 +1086,17 @@ export QA_RPATHS=0x0003
 
 #----------------------------------------------------------------------------
 
-%if %{with gold}
-%post gold
-
-%{_sbindir}/alternatives --install %{_bindir}/ld ld \
-  %{_bindir}/ld.gold %{ld_gold_priority}
-exit 0
-%endif
-
 %post
 
 # Remove the /usr/bin/ld file so that the alternatives program
 # can replace it with a symbolic link.
 %__rm -f %{_bindir}/ld
 
+%if %{with gold}
+%{_sbindir}/alternatives --install %{_bindir}/ld ld \
+  %{_bindir}/ld.gold %{ld_gold_priority}
+%endif
+
 %{_sbindir}/alternatives --install %{_bindir}/ld ld \
   %{_bindir}/ld.bfd %{ld_bfd_priority}
 
@@ -1115,18 +1112,13 @@ exit 0
 # Note: $1 == 0 means that there is an uninstall in progress.
 # $1 == 1 means that there is an upgrade in progress.
 
-%if %{with gold}
-%preun gold
-
-if [ $1 = 0 ]; then
-  %{_sbindir}/alternatives --remove ld %{_bindir}/ld.gold
-fi
-exit 0
-%endif
-
 %preun
 if [ $1 = 0 ]; then
   %{_sbindir}/alternatives --remove ld %{_bindir}/ld.bfd
+
+%if %{with gold}
+  %{_sbindir}/alternatives --remove ld %{_bindir}/ld.gold
+%endif
 fi
 
 # Restore the /usr/bin/ld file so that the automatic file
@@ -1172,6 +1164,9 @@ exit 0
 # %%verify(symlink) does not work for some reason, so using "owner" instead.
 %verify(owner) %{_bindir}/ld
 %{_bindir}/ld.bfd
+%if %{with gold}
+%{_bindir}/%{?cross}ld.gold
+%endif
 
 %if %{with gprofng}
 %exclude %{_bindir}/gp-*
@@ -1180,24 +1175,6 @@ exit 0
 
 %exclude %dir %{_exec_prefix}/lib/debug
 
-%if %{with docs}
-%{_mandir}/man1/
-%exclude %{_mandir}/man1/gp-*
-%exclude %{_mandir}/man1/gprofng*
-%{_infodir}/as.info.*
-%{_infodir}/binutils.info.*
-%{_infodir}/ld.info.*
-%{_infodir}/ldint.info.*
-%{_infodir}/bfd.info.*
-%{_infodir}/ctf-spec*.info.*
-%{_infodir}/gprof.info.*
-%{_infodir}/sframe-spec.info.*
-
-%if %{with gprofng}
-%exclude %{_infodir}/gprofng*
-%endif
-%endif
-
 %if %{enable_shared}
 %{_libdir}/lib*.so
 %{_libdir}/lib*.so.*
@@ -1224,18 +1201,26 @@ exit 0
 %exclude %{_libdir}/lib*.la
 %endif
 
-%if %{with gold}
-%files gold
-%{_bindir}/%{?cross}ld.gold
+%if %{with docs}
+%files help
+%{_mandir}/man1/*
+%{_infodir}/as.info.*
+%{_infodir}/binutils.info.*
+%{_infodir}/ld.info.*
+%{_infodir}/ldint.info.*
+%{_infodir}/bfd.info.*
+%{_infodir}/ctf-spec*.info.*
+%{_infodir}/gprof.info.*
+%{_infodir}/sframe-spec.info.*
+%if %{with gprofng}
+%{_infodir}/gprofng.info.*
+%endif
 %endif
 
 %if %{with gprofng}
 %files gprofng
 %{_bindir}/gp-*
 %{_bindir}/gprofng
-%{_mandir}/man1/gp-*
-%{_mandir}/man1/gprofng*
-%{_infodir}/gprofng.info.*
 %dir %{_libdir}/gprofng
 %{_libdir}/gprofng/*
 %{_sysconfdir}/gprofng.rc
@@ -1271,6 +1256,23 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Sat Jan 25 2025 Funda Wang <fundawang@yeah.net> - 2.41-11
+- Fix CVE-2024-57360: nm: Avoid potential segmentation fault when displaying
+  symbols without version info.
+- Fix CVE-2025-0840: stack-buffer-overflow at objdump disassemble_bytes
+
+* Thu Sep 26 2024 wangding <wangding16@huawei.com> - 2.41-10
+- fix gold linker relocation offset
+
+* Thu Sep 19 2024 huyubiao <huyubiao@huawei.com> - 2.41-9
+- add binutils-help to keep consistent with the old version
+
+* Mon Sep 2 2024 huyubiao <huyubiao@huawei.com> - 2.41-8
+- delete binutils-gold package and ld.gold move to binutils package
+
+* Mon Aug 5 2024 huyubiao <huyubiao@huawei.com> - 2.41-7
+- delete jansson
+
 * Thu Jun 20 2024 huyubiao <huyubiao@huawei.com> - 2.41-6
 - fix ld-new compilation failure on 32-bit systems
 

nm-Avoid-potential-segmentation-fault-when-displaying.patch

@@ -0,0 +1,71 @@
+From 5f8987d3999edb26e757115fe87be55787d510b9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 17 Dec 2024 09:18:57 +0000
+Subject: [PATCH] nm: Avoid potential segmentation fault when displaying
+ symbols without version info.
+
+PR 32467
+---
+ binutils/nm.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/binutils/nm.c b/binutils/nm.c
+index faf27c59b4d..0ba7604d34f 100644
+--- a/binutils/nm.c
++++ b/binutils/nm.c
+@@ -682,7 +682,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	       const char *name, bfd *abfd)
+ {
+   char *alloc = NULL;
+-  char *atver = NULL;
++  char *atname = NULL;
+ 
+   if (name == NULL)
+     name = info->sinfo->name;
+@@ -690,9 +690,19 @@ print_symname (const char *form, struct extended_symbol_info *info,
+   if (!with_symbol_versions
+       && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+     {
+-      atver = strchr (name, '@');
++      char *atver = strchr (name, '@');
++
+       if (atver)
+-	*atver = 0;
++	{
++	  /* PR 32467 - Corrupt binaries might include an @ character in a
++	     symbol name.  Since non-versioned symbol names can be in
++	     read-only memory (via memory mapping of a file's contents) we
++	     cannot just replace the @ character with a NUL.  Instead we
++	     create a truncated copy of the name.  */
++	  atname = xstrdup (name);
++	  atname [atver - name] = 0;
++	  name = atname;
++	}
+     }
+ 
+   if (do_demangle && *name)
+@@ -703,9 +713,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+     }
+ 
+   if (unicode_display != unicode_default)
+-    {
+-      name = convert_utf8 (name);
+-    }
++    name = convert_utf8 (name);
+ 
+   if (info != NULL && info->elfinfo && with_symbol_versions)
+     {
+@@ -726,8 +734,8 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	}
+     }
+   printf (form, name);
+-  if (atver)
+-    *atver = '@';
++
++  free (atname);
+   free (alloc);
+ }
+ 
+-- 
+2.43.5
+