!164 [sync] PR-163: [backport] fix riscv64 aggregate type return value location retrieval …

From: @openeuler-sync-bot 
Reviewed-by: @hubin95 
Signed-off-by: @hubin95

backport-CVE-2025-1352.patch

@@ -0,0 +1,149 @@
+From 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sat, 8 Feb 2025 20:00:12 +0100
+Subject: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev
+ issue
+
+__libdw_getabbrev could crash on reading a bad abbrev by trying to
+deallocate memory it didn't allocate itself. This could happen because
+dwarf_offabbrev would supply its own memory when calling
+__libdw_getabbrev. No other caller did this.
+
+Simplify the __libdw_getabbrev common code by not taking external
+memory to put the abbrev result in (this would also not work correctly
+if the abbrev was already cached). And make dwarf_offabbrev explicitly
+copy the result (if there was no error or end of abbrev).
+
+     * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take
+     Dwarf_Abbrev result argument. Always just allocate abb when
+     abbrev not found in cache.
+     (dwarf_getabbrev): Don't pass NULL as last argument to
+     __libdw_getabbrev.
+    * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise.
+    * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy
+    abbrev into abbrevp on success.
+    * libdw/libdw.h (dwarf_offabbrev): Document return values.
+    * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev
+    result argument.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32650
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libdw/dwarf_getabbrev.c | 12 ++++--------
+ libdw/dwarf_offabbrev.c | 10 +++++++---
+ libdw/dwarf_tag.c       |  3 +--
+ libdw/libdw.h           |  4 +++-
+ libdw/libdwP.h          |  3 +--
+ 5 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c
+index 5b02333f..d9a6c022 100644
+--- a/libdw/dwarf_getabbrev.c
++++ b/libdw/dwarf_getabbrev.c
+@@ -1,5 +1,6 @@
+ /* Get abbreviation at given offset.
+    Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+    Written by Ulrich Drepper <drepper@redhat.com>, 2003.
+ 
+@@ -38,7 +39,7 @@
+ Dwarf_Abbrev *
+ internal_function
+ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset,
+-		   size_t *lengthp, Dwarf_Abbrev *result)
++		   size_t *lengthp)
+ {
+   /* Don't fail if there is not .debug_abbrev section.  */
+   if (dbg->sectiondata[IDX_debug_abbrev] == NULL)
+@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset,
+   Dwarf_Abbrev *abb = NULL;
+   if (cu == NULL
+       || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL)
+-    {
+-      if (result == NULL)
+-	abb = libdw_typed_alloc (dbg, Dwarf_Abbrev);
+-      else
+-	abb = result;
+-    }
++    abb = libdw_typed_alloc (dbg, Dwarf_Abbrev);
+   else
+     {
+       foundit = true;
+@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp)
+       return NULL;
+     }
+ 
+-  return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL);
++  return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp);
+ }
+diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c
+index 27cdad64..41df69bf 100644
+--- a/libdw/dwarf_offabbrev.c
++++ b/libdw/dwarf_offabbrev.c
+@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp,
+   if (dbg == NULL)
+     return -1;
+ 
+-  Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp,
+-					    abbrevp);
++  Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp);
+ 
+   if (abbrev == NULL)
+     return -1;
+ 
+-  return abbrev == DWARF_END_ABBREV ? 1 : 0;
++  if (abbrev == DWARF_END_ABBREV)
++    return 1;
++
++  *abbrevp = *abbrev;
++
++  return 0;
+ }
+diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c
+index d784970c..218382a1 100644
+--- a/libdw/dwarf_tag.c
++++ b/libdw/dwarf_tag.c
+@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code)
+ 
+ 	/* Find the next entry.  It gets automatically added to the
+ 	   hash table.  */
+-	abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length,
+-				 NULL);
++	abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length);
+ 	if (abb == NULL || abb == DWARF_END_ABBREV)
+ 	  {
+ 	    /* Make sure we do not try to search for it again.  */
+diff --git a/libdw/libdw.h b/libdw/libdw.h
+index d53dc787..ec4713a6 100644
+--- a/libdw/libdw.h
++++ b/libdw/libdw.h
+@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die);
+ extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset,
+ 				      size_t *lengthp);
+ 
+-/* Get abbreviation at given offset in .debug_abbrev section.  */
++/* Get abbreviation at given offset in .debug_abbrev section.  On
++   success return zero and fills in ABBREVP.  When there is no (more)
++   abbrev at offset returns one.  On error returns a negative value.  */
+ extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp,
+ 			    Dwarf_Abbrev *abbrevp)
+      __nonnull_attribute__ (4);
+diff --git a/libdw/libdwP.h b/libdw/libdwP.h
+index d6bab606..0cff5c26 100644
+--- a/libdw/libdwP.h
++++ b/libdw/libdwP.h
+@@ -795,8 +795,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu,
+ 
+ /* Get abbreviation at given offset.  */
+ extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu,
+-					Dwarf_Off offset, size_t *lengthp,
+-					Dwarf_Abbrev *result)
++					Dwarf_Off offset, size_t *lengthp)
+      __nonnull_attribute__ (1) internal_function;
+ 
+ /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory
+-- 
+2.27.0
+

backport-CVE-2025-1365.patch

@@ -0,0 +1,147 @@
+From 5e5c0394d82c53e97750fe7b18023e6f84157b81 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sat, 8 Feb 2025 21:44:56 +0100
+Subject: [PATCH] libelf, readelf: Use validate_str also to check dynamic
+ symstr data
+
+When dynsym/str was read through eu-readelf --dynamic by readelf
+process_symtab the string data was not validated, possibly printing
+unallocated memory past the end of the symstr data. Fix this by
+turning the elf_strptr validate_str function into a generic
+lib/system.h helper function and use it in readelf to validate the
+strings before use.
+
+	* libelf/elf_strptr.c (validate_str): Remove to...
+	* lib/system.h (validate_str): ... here. Make inline, simplify
+	check and document.
+	* src/readelf.c (process_symtab): Use validate_str on symstr_data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32654
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ lib/system.h        | 27 +++++++++++++++++++++++++++
+ libelf/elf_strptr.c | 18 ------------------
+ src/readelf.c       | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 21 deletions(-)
+
+diff --git a/lib/system.h b/lib/system.h
+index 0db12d99..0698e5ff 100644
+--- a/lib/system.h
++++ b/lib/system.h
+@@ -34,6 +34,7 @@
+ #include <config.h>
+ 
+ #include <errno.h>
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -117,6 +118,32 @@ startswith (const char *str, const char *prefix)
+   return strncmp (str, prefix, strlen (prefix)) == 0;
+ }
+ 
++/* Return TRUE if STR[FROM] is a valid string with a zero terminator
++   at or before STR[TO - 1].  Note FROM is an index into the STR
++   array, while TO is the maximum size of the STR array.  This
++   function returns FALSE when TO is zero or FROM >= TO.  */
++static inline bool
++validate_str (const char *str, size_t from, size_t to)
++{
++#if HAVE_DECL_MEMRCHR
++  // Check end first, which is likely a zero terminator,
++  // to prevent function call
++  return (to > 0
++	  && (str[to - 1] == '\0'
++	      || (to > from
++		  && memrchr (&str[from], '\0', to - from - 1) != NULL)));
++#else
++  do {
++    if (to <= from)
++      return false;
++
++    to--;
++  } while (str[to]);
++
++  return true;
++#endif
++}
++
+ /* A special gettext function we use if the strings are too short.  */
+ #define sgettext(Str) \
+   ({ const char *__res = strrchr (_(Str), '|');			      \
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index 79a24d25..c5a94f82 100644
+--- a/libelf/elf_strptr.c
++++ b/libelf/elf_strptr.c
+@@ -53,24 +53,6 @@ get_zdata (Elf_Scn *strscn)
+   return zdata;
+ }
+ 
+-static bool validate_str (const char *str, size_t from, size_t to)
+-{
+-#if HAVE_DECL_MEMRCHR
+-  // Check end first, which is likely a zero terminator, to prevent function call
+-  return ((to > 0 && str[to - 1]  == '\0')
+-	  || (to - from > 0 && memrchr (&str[from], '\0', to - from - 1) != NULL));
+-#else
+-  do {
+-    if (to <= from)
+-      return false;
+-
+-    to--;
+-  } while (str[to]);
+-
+-  return true;
+-#endif
+-}
+-
+ char *
+ elf_strptr (Elf *elf, size_t idx, size_t offset)
+ {
+diff --git a/src/readelf.c b/src/readelf.c
+index 6526db07..c43fda35 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -2639,6 +2639,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+       char typebuf[64];
+       char bindbuf[64];
+       char scnbuf[64];
++      const char *sym_name;
+       Elf32_Word xndx;
+       GElf_Sym sym_mem;
+       GElf_Sym *sym
+@@ -2650,6 +2651,19 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+       /* Determine the real section index.  */
+       if (likely (sym->st_shndx != SHN_XINDEX))
+         xndx = sym->st_shndx;
++      if (use_dynamic_segment == true)
++	{
++	  if (validate_str (symstr_data->d_buf, sym->st_name,
++			    symstr_data->d_size))
++	    sym_name = (char *)symstr_data->d_buf + sym->st_name;
++	  else
++	    sym_name = NULL;
++	}
++      else
++	sym_name = elf_strptr (ebl->elf, idx, sym->st_name);
++
++      if (sym_name == NULL)
++	sym_name = "???";
+ 
+       printf (_ ("\
+ %5u: %0*" PRIx64 " %6" PRId64 " %-7s %-6s %-9s %6s %s"),
+@@ -2662,9 +2676,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+               get_visibility_type (GELF_ST_VISIBILITY (sym->st_other)),
+               ebl_section_name (ebl, sym->st_shndx, xndx, scnbuf,
+                                 sizeof (scnbuf), NULL, shnum),
+-              use_dynamic_segment == true
+-                  ? (char *)symstr_data->d_buf + sym->st_name
+-                  : elf_strptr (ebl->elf, idx, sym->st_name));
++              sym_name);
+ 
+       if (versym_data != NULL)
+         {
+-- 
+2.27.0
+

backport-CVE-2025-1371.patch

@@ -0,0 +1,37 @@
+From b38e562a4c907e08171c76b8b2def8464d5a104a Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 9 Feb 2025 00:07:13 +0100
+Subject: [PATCH] readelf: Handle NULL phdr in handle_dynamic_symtab
+
+A corrupt ELF file can have broken program headers, in which case
+gelf_getphdr returns NULL. This could crash handle_dynamic_symtab
+while searching for the PT_DYNAMIC phdr. Fix this by checking whether
+gelf_phdr returns NULL.
+
+	  * src/readelf.c (handle_dynamic_symtab): Check whether
+          gelf_getphdr returns NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32655
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/readelf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index c43fda35..21b92a08 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -2912,7 +2912,7 @@ handle_dynamic_symtab (Ebl *ebl)
+   for (size_t i = 0; i < phnum; ++i)
+     {
+       phdr = gelf_getphdr (ebl->elf, i, &phdr_mem);
+-      if (phdr->p_type == PT_DYNAMIC)
++      if (phdr == NULL || phdr->p_type == PT_DYNAMIC)
+ 	break;
+     }
+   if (phdr == NULL)
+-- 
+2.33.0
+
+

backport-CVE-2025-1372.patch

@@ -0,0 +1,47 @@
+From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 9 Feb 2025 00:07:39 +0100
+Subject: [PATCH] readelf: Skip trying to uncompress sections without a name
+
+When combining eu-readelf -z with -x or -p to dump the data or strings
+in an (corrupted ELF) unnamed numbered section eu-readelf could crash
+trying to check whether the section name starts with .zdebug. Fix this
+by skipping sections without a name.
+
+   * src/readelf.c (dump_data_section): Don't try to gnu decompress a
+   section without a name.
+   (print_string_section): Likewise.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32656
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 21b92a08..da379216 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -13327,7 +13327,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+ 			_("Couldn't uncompress section"),
+ 			elf_ndxscn (scn));
+ 	    }
+-	  else if (startswith (name, ".zdebug"))
++	  else if (name && startswith (name, ".zdebug"))
+ 	    {
+ 	      if (elf_compress_gnu (scn, 0, 0) < 0)
+ 		printf ("WARNING: %s [%zd]\n",
+@@ -13378,7 +13378,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name)
+ 			_("Couldn't uncompress section"),
+ 			elf_ndxscn (scn));
+ 	    }
+-	  else if (startswith (name, ".zdebug"))
++	  else if (name && startswith (name, ".zdebug"))
+ 	    {
+ 	      if (elf_compress_gnu (scn, 0, 0) < 0)
+ 		printf ("WARNING: %s [%zd]\n",
+-- 
+2.33.0
+
+

backport-CVE-2025-1376.patch

@@ -0,0 +1,53 @@
+From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 00:02:32 +0100
+Subject: [PATCH] libelf: Handle elf_strptr on section without any data
+
+In the unlikely situation that elf_strptr was called on a section with
+sh_size already set, but that doesn't have any data yet we could crash
+trying to verify the string to return.
+
+This could happen for example when a new section was created with
+elf_newscn, but no data having been added yet.
+
+	* libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
+	is not NULL.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32672
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libelf/elf_strptr.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index c5a94f82..7be7f5e8 100644
+--- a/libelf/elf_strptr.c
++++ b/libelf/elf_strptr.c
+@@ -1,5 +1,6 @@
+ /* Return string pointer from string section.
+    Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc.
++   Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+    Contributed by Ulrich Drepper <drepper@redhat.com>, 1998.
+ 
+@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset)
+       // initialized yet (when data_read is zero). So we cannot just
+       // look at the rawdata.d.d_size.
+ 
+-      /* Make sure the string is NUL terminated.  Start from the end,
+-	 which very likely is a NUL char.  */
+-      if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
++      /* First check there actually is any data.  This could be a new
++         section which hasn't had any data set yet.  Then make sure
++         the string is at a valid offset and NUL terminated.  */
++      if (unlikely (strscn->rawdata_base == NULL))
++	__libelf_seterrno (ELF_E_INVALID_SECTION);
++      else if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
+ 	result = &strscn->rawdata_base[offset];
+       else
+ 	__libelf_seterrno (ELF_E_INVALID_INDEX);
+-- 
+2.33.0
+
+

backport-CVE-2025-1377.patch

@@ -0,0 +1,63 @@
+From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 13 Feb 2025 14:59:34 +0100
+Subject: [PATCH] strip: Verify symbol table is a real symbol table
+
+We didn't check the symbol table referenced from the relocation table
+was a real symbol table. This could cause a crash if that section
+happened to be an SHT_NOBITS section without any data. Fix this by
+adding an explicit check.
+
+       * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
+       message string to display.
+       (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
+       (remove_debug_relocations): Check the sh_link referenced
+       section is real and isn't a SHT_NOBITS section.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=32673
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ src/strip.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/strip.c b/src/strip.c
+index 3812fb17..8d2bb7a9 100644
+--- a/src/strip.c
++++ b/src/strip.c
+@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL;
+ /* Close debug file descriptor, if opened. And remove temporary debug file.  */
+ static void cleanup_debug (void);
+ 
+-#define INTERNAL_ERROR(fname) \
++#define INTERNAL_ERROR_MSG(fname, msg) \
+   do { \
+     cleanup_debug (); \
+     error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"),			\
+-		fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1));	\
++		fname, __LINE__, PACKAGE_VERSION, msg);	\
+   } while (0)
+ 
++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
+ 
+ /* Name of the output file.  */
+ static const char *output_fname;
+@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr,
+ 	     resolve relocation symbol indexes.  */
+ 	  Elf64_Word symt = shdr->sh_link;
+ 	  Elf_Data *symdata, *xndxdata;
+-	  Elf_Scn * symscn = elf_getscn (elf, symt);
++	  Elf_Scn *symscn = elf_getscn (elf, symt);
++	  GElf_Shdr symshdr_mem;
++	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
++	  if (symshdr == NULL)
++	    INTERNAL_ERROR (fname);
++	  if (symshdr->sh_type == SHT_NOBITS)
++	    INTERNAL_ERROR_MSG (fname, "NOBITS section");
++
+ 	  symdata = elf_getdata (symscn, NULL);
+ 	  xndxdata = get_xndxdata (elf, symscn);
+ 	  if (symdata == NULL)
+-- 
+2.27.0
+

backport-fix-riscv64-return-value-location-retrieval-implementation.patch

@@ -0,0 +1,157 @@
+Signed-off-by: malachite <malachiten@outlook.com>
+diff --git a/backends/riscv_retval.c b/backends/riscv_retval.c
+index 0a1e02f..50c451a 100644
+--- a/backends/riscv_retval.c
++++ b/backends/riscv_retval.c
+@@ -1,6 +1,7 @@
+ /* Function return value location for Linux/RISC-V ABI.
+    Copyright (C) 2018 Sifive, Inc.
+    Copyright (C) 2013 Red Hat, Inc.
++   Copyright (C) 2024 Mark J. Wielaard <mark@klomp.org>
+    This file is part of elfutils.
+ 
+    This file is free software; you can redistribute it and/or modify
+@@ -105,23 +106,123 @@ pass_in_fpr_lp64d (const Dwarf_Op **locp, Dwarf_Word size)
+   return size <= 8 ? 1 : 4;
+ }
+ 
++/* Checks if we can "flatten" the given type, Only handles the simple
++   cases where we have a struct with one or two the same base type
++   elements.  */
+ static int
+-flatten_aggregate_arg (Dwarf_Die *typedie __attribute__ ((unused)),
+-		       Dwarf_Die *arg0 __attribute__ ((unused)),
+-		       Dwarf_Die *arg1 __attribute__ ((unused)))
++flatten_aggregate_arg (Dwarf_Die *typedie,
++		       Dwarf_Word size,
++		       Dwarf_Die *arg0,
++		       Dwarf_Die *arg1)
+ {
+-  /* ??? */
++  int tag0, tag1;
++  Dwarf_Die member;
++  Dwarf_Word encoding0, encoding1;
++  Dwarf_Attribute attr;
++  Dwarf_Word size0, size1;
++
++  if (size < 8 || size > 16)
++    return 0;
++
++  if (dwarf_child (typedie, arg0) != 0)
++    return 0;
++
++  tag0 = dwarf_tag (arg0);
++  while (tag0 != -1 && tag0 != DW_TAG_member)
++    {
++      if (dwarf_siblingof (arg0, arg0) != 0)
++	return 0;
++      tag0 = dwarf_tag (arg0);
++    }
++
++  if (tag0 != DW_TAG_member)
++    return 0;
++
++  /* Remember where we are.  */
++  member = *arg0;
++
++  tag0 = dwarf_peeled_die_type (arg0, arg0);
++  if (tag0 != DW_TAG_base_type)
++    return 0;
++
++  if (dwarf_attr_integrate (arg0, DW_AT_encoding, &attr) == NULL
++      || dwarf_formudata (&attr, &encoding0) != 0)
++    return 0;
++
++  if (dwarf_bytesize_aux (arg0, &size0) != 0)
++    return 0;
++
++  if (size == size0)
++    return 1; /* This one member is the whole size. */
++
++  if (size != 2 * size0)
++    return 0; /* We only handle two of the same.  */
++
++  /* Look for another member with the same encoding.  */
++  if (dwarf_siblingof (&member, arg1) != 0)
++    return 0;
++
++  tag1 = dwarf_tag (arg1);
++  while (tag1 != -1 && tag1 != DW_TAG_member)
++    {
++      if (dwarf_siblingof (arg1, arg1) != 0)
++	return 0;
++      tag1 = dwarf_tag (arg1);
++    }
++
++  if (tag1 != DW_TAG_member)
++    return 0;
++
++  tag1 = dwarf_peeled_die_type (arg1, arg1);
++  if (tag1 != DW_TAG_base_type)
++    return 0; /* We can only handle two equal base types for now. */
++
++  if (dwarf_attr_integrate (arg1, DW_AT_encoding, &attr) == NULL
++      || dwarf_formudata (&attr, &encoding1) != 0
++      || encoding0 != encoding1)
++    return 0; /* We can only handle two of the same for now. */
++
++  if (dwarf_bytesize_aux (arg1, &size1) != 0)
++    return 0;
++
++  if (size0 != size1)
++    return 0; /* We can only handle two of the same for now. */
++
+   return 1;
+ }
+ 
++/* arg0 and arg1 should be the peeled die types found by
++   flatten_aggregate_arg.  */
+ static int
+-pass_by_flattened_arg (const Dwarf_Op **locp __attribute__ ((unused)),
+-		       Dwarf_Word size __attribute__ ((unused)),
+-		       Dwarf_Die *arg0 __attribute__ ((unused)),
+-		       Dwarf_Die *arg1 __attribute__ ((unused)))
++pass_by_flattened_arg (const Dwarf_Op **locp,
++		       Dwarf_Word size,
++		       Dwarf_Die *arg0,
++		       Dwarf_Die *arg1 __attribute__((unused)))
+ {
+-  /* ??? */
+-  return -2;
++  /* For now we just assume arg0 and arg1 are the same type and
++     encoding.  */
++  Dwarf_Word encoding;
++  Dwarf_Attribute attr;
++
++  if (dwarf_attr_integrate (arg0, DW_AT_encoding, &attr) == NULL
++      || dwarf_formudata (&attr, &encoding) != 0)
++    return -1;
++
++  switch (encoding)
++    {
++    case DW_ATE_boolean:
++    case DW_ATE_signed:
++    case DW_ATE_unsigned:
++    case DW_ATE_unsigned_char:
++    case DW_ATE_signed_char:
++      return pass_in_gpr_lp64 (locp, size);
++
++    case DW_ATE_float:
++      return pass_in_fpr_lp64d (locp, size);
++
++    default:
++      return -1;
++    }
+ }
+ 
+ int
+@@ -158,7 +259,7 @@ riscv_return_value_location_lp64ifd (int fp, Dwarf_Die *functypedie,
+ 	 provided the floating-point real is no more than FLEN bits wide and
+ 	 the integer is no more than XLEN bits wide.  */
+       if (tag == DW_TAG_structure_type
+-	  && flatten_aggregate_arg (&typedie, &arg0, &arg1))
++	  && flatten_aggregate_arg (&typedie, size, &arg0, &arg1))
+ 	return pass_by_flattened_arg (locp, size, &arg0, &arg1);
+       /* Aggregates larger than 2*XLEN bits are passed by reference.  */
+       else if (size > 16)
+

elfutils.spec

@@ -1,7 +1,7 @@
 # -*- rpm-spec from http://elfutils.org/ -*-
 Name: elfutils
 Version: 0.190
-Release: 5
+Release: 10
 Summary: A collection of utilities and DSOs to handle ELF files and DWARF data
 URL: http://elfutils.org/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
@@ -11,6 +11,15 @@ Patch0: Fix-segfault-in-eu-ar-m.patch
 Patch1: Fix-issue-of-moving-files-by-ar-or-br.patch
 Patch2: CVE-2024-25260.patch
 Patch3: Backport-fix-handling-of-corefiles-with-non-contiguous-segments.patch
+Patch4: add-sw_64-support.patch
+Patch5: backport-fix-riscv64-return-value-location-retrieval-implementation.patch
+
+Patch6000: backport-CVE-2025-1352.patch
+Patch6001: backport-CVE-2025-1365.patch
+Patch6002: backport-CVE-2025-1371.patch
+Patch6003: backport-CVE-2025-1372.patch
+Patch6004: backport-CVE-2025-1376.patch
+Patch6005: backport-CVE-2025-1377.patch
 
 Requires: elfutils-libelf = %{version}-%{release}
 Requires: elfutils-libs = %{version}-%{release}
@@ -137,6 +146,7 @@ License: GPLv3+ and (GPLv2+ or LGPLv3+)
 
 %package debuginfod-client-devel
 Summary: Libraries and headers to build debuginfod client applications
+Requires: %{name}-debuginfod-client = %{version}-%{release}
 License: GPLv2+ or LGPLv3+
 
 %package debuginfod
@@ -168,7 +178,22 @@ The ELF/DWARF file searching functions in libdwfl can query
 such servers to download those files on demand.
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -n %{name}-%{version} 
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%ifarch sw_64
+%patch4 -p1
+%endif
+%patch5 -p1
+
+%patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1
+%patch6003 -p1
+%patch6004 -p1
+%patch6005 -p1
 
 %build
 %if "%toolchain" == "clang"
@@ -291,14 +316,14 @@ fi
 %files debuginfod-client
 %defattr(-,root,root)
 %{_libdir}/libdebuginfod-%{version}.so
-%{_bindir}/debuginfod-find
 %{_libdir}/libdebuginfod.so.*
+%{_bindir}/debuginfod-find
 
 %files debuginfod-client-devel
 %defattr(-,root,root)
+%{_libdir}/libdebuginfod.so
 %{_libdir}/pkgconfig/libdebuginfod.pc
 %{_includedir}/elfutils/debuginfod.h
-%{_libdir}/libdebuginfod.so
  
 %files debuginfod
 %defattr(-,root,root)
@@ -323,6 +348,27 @@ exit 0
 %systemd_postun_with_restart debuginfod.service
 
 %changelog
+* Thu Apr 10 2025 yuanchicheng <chicheng.oerv@isrc.iscas.ac.cn> - 0.190-10
+- Type: bugfix
+- CVE: NA
+- SUG: NA
+- DESC: backport-fix-riscv64-return-value-location-retrieval-implementation.patch  
+
+* Wed Mar 12 2025 mahailiang <mahailiang@uniontech.com> - 0.190-9
+- add sw_64 support
+
+* Sun Feb 16 2025 shixuantong <shixuantong1@huawei.com> - 0.190-8
+- fix CVE-2025-1352 CVE-2025-1365 CVE-2025-1371 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377
+
+* Wed Feb 05 2025 Funda Wang <fundawang@yeah.net> - 0.190-7
+- correctly fix libdebuginfod.so requirement
+
+* Fri Jan 24 2025 shixuantong <shixuantong1@huawei.com> - 0.190-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:move /usr/lib64/libdebuginfod.so from debuginfod-client-devel to debuginfod-client
+
 * Wed Oct 30 2024 xuguangmin <xuguangmin@kylinos.cn> - 0.190-5
 - Type: bugfix
 - CVE: NA