SOURCES/binutils-CVE-2018-12699-part3-PR22957.patch

@@ -0,0 +1,13 @@
+diff -rup binutils.orig.2/binutils/stabs.c binutils-2.30/binutils/stabs.c
+--- binutils.orig.2/binutils/stabs.c	2024-10-29 14:21:27.910212960 +0000
++++ binutils-2.30/binutils/stabs.c	2024-10-29 14:22:14.304336367 +0000
+@@ -3364,6 +3363,9 @@ pop_bincl (struct stab_handle *info)
+     return info->main_filename;
+   info->bincl_stack = o->next_stack;
+ 
++  if (o->file >= info->files)
++    return info->main_filename;
++
+   o->file_types = info->file_types[o->file];
+ 
+   if (info->bincl_stack == NULL)

SOURCES/binutils-CVE-2018-12699-part5-PR28694.patch

@@ -0,0 +1,232 @@
+diff -rup binutils.orig.4/binutils/stabs.c binutils-2.30/binutils/stabs.c
+--- binutils.orig.4/binutils/stabs.c	2024-10-29 14:31:49.044040165 +0000
++++ binutils-2.30/binutils/stabs.c	2024-10-29 14:35:01.106616133 +0000
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *
+ static bfd_boolean stab_record_type
+   (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+-  (void *, struct stab_handle *, int);
++  (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+   (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3538,166 +3538,168 @@ stab_record_type (void *dhandle ATTRIBUT
+ 
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+-			 int typenum)
++			 unsigned int typenum)
+ {
+   debug_type rettype;
+   const char *name;
+ 
+-  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++  typenum = -typenum - 1;
++  if (typenum >= XCOFF_TYPE_COUNT)
+     {
+-      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++      fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+       return DEBUG_TYPE_NULL;
+     }
+-  if (info->xcoff_types[-typenum] != NULL)
+-    return info->xcoff_types[-typenum];
+ 
+-  switch (-typenum)
++  if (info->xcoff_types[typenum] != NULL)
++    return info->xcoff_types[typenum];
++
++  switch (typenum)
+     {
+-    case 1:
++    case 0:
+       /* The size of this and all the other types are fixed, defined
+ 	 by the debugging format.  */
+       name = "int";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 2:
++    case 1:
+       name = "char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 3:
++    case 2:
+       name = "short";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 4:
++    case 3:
+       name = "long";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 5:
++    case 4:
+       name = "unsigned char";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 6:
++    case 5:
+       name = "signed char";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 7:
++    case 6:
+       name = "unsigned short";
+       rettype = debug_make_int_type (dhandle, 2, TRUE);
+       break;
+-    case 8:
++    case 7:
+       name = "unsigned int";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 9:
++    case 8:
+       name = "unsigned";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 10:
++    case 9:
+       name = "unsigned long";
+       rettype = debug_make_int_type (dhandle, 4, TRUE);
+       break;
+-    case 11:
++    case 10:
+       name = "void";
+       rettype = debug_make_void_type (dhandle);
+       break;
+-    case 12:
++    case 11:
+       /* IEEE single precision (32 bit).  */
+       name = "float";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 13:
++    case 12:
+       /* IEEE double precision (64 bit).  */
+       name = "double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 14:
++    case 13:
+       /* This is an IEEE double on the RS/6000, and different machines
+ 	 with different sizes for "long double" should use different
+ 	 negative type numbers.  See stabs.texinfo.  */
+       name = "long double";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 15:
++    case 14:
+       name = "integer";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 16:
++    case 15:
+       name = "boolean";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 17:
++    case 16:
+       name = "short real";
+       rettype = debug_make_float_type (dhandle, 4);
+       break;
+-    case 18:
++    case 17:
+       name = "real";
+       rettype = debug_make_float_type (dhandle, 8);
+       break;
+-    case 19:
++    case 18:
+       /* FIXME */
+       name = "stringptr";
+       rettype = NULL;
+       break;
+-    case 20:
++    case 19:
+       /* FIXME */
+       name = "character";
+       rettype = debug_make_int_type (dhandle, 1, TRUE);
+       break;
+-    case 21:
++    case 20:
+       name = "logical*1";
+       rettype = debug_make_bool_type (dhandle, 1);
+       break;
+-    case 22:
++    case 21:
+       name = "logical*2";
+       rettype = debug_make_bool_type (dhandle, 2);
+       break;
+-    case 23:
++    case 22:
+       name = "logical*4";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 24:
++    case 23:
+       name = "logical";
+       rettype = debug_make_bool_type (dhandle, 4);
+       break;
+-    case 25:
++    case 24:
+       /* Complex type consisting of two IEEE single precision values.  */
+       name = "complex";
+       rettype = debug_make_complex_type (dhandle, 8);
+       break;
+-    case 26:
++    case 25:
+       /* Complex type consisting of two IEEE double precision values.  */
+       name = "double complex";
+       rettype = debug_make_complex_type (dhandle, 16);
+       break;
+-    case 27:
++    case 26:
+       name = "integer*1";
+       rettype = debug_make_int_type (dhandle, 1, FALSE);
+       break;
+-    case 28:
++    case 27:
+       name = "integer*2";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 29:
++    case 28:
+       name = "integer*4";
+       rettype = debug_make_int_type (dhandle, 4, FALSE);
+       break;
+-    case 30:
++    case 29:
+       /* FIXME */
+       name = "wchar";
+       rettype = debug_make_int_type (dhandle, 2, FALSE);
+       break;
+-    case 31:
++    case 30:
+       name = "long long";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+-    case 32:
++    case 31:
+       name = "unsigned long long";
+       rettype = debug_make_int_type (dhandle, 8, TRUE);
+       break;
+-    case 33:
++    case 32:
+       name = "logical*8";
+       rettype = debug_make_bool_type (dhandle, 8);
+       break;
+-    case 34:
++    case 33:
+       name = "integer*8";
+       rettype = debug_make_int_type (dhandle, 8, FALSE);
+       break;
+@@ -3706,9 +3708,7 @@ stab_xcoff_builtin_type (void *dhandle,
+     }
+ 
+   rettype = debug_name_type (dhandle, name, rettype);
+-
+-  info->xcoff_types[-typenum] = rettype;
+-
++  info->xcoff_types[typenum] = rettype;
+   return rettype;
+ }
+ 

SOURCES/binutils-CVE-2018-12699-part6-PR28862.patch

@@ -0,0 +1,33 @@
+# Commit 481153777e278b71e694fd2db6b897f7a9e3dcb8 fixing PR 28862
+#
+# From: Alan Modra <amodra@gmail.com>
+#
+# I have no info on the format of a "SUNPRO C++ Namespace" stab, so am
+# relying on the previous code being correct in parsing these stabs.
+# Just don't allow NULs anywhere in the stab.
+# 
+# 	PR 28862
+#	* stabs.c (parse_stab_string): Don't overrun buffer when parsing
+#	'Y' stab.
+--- binutils.orig/binutils/stabs.c	2024-11-06 17:39:57.460250962 +0000
++++ binutils-2.30/binutils/stabs.c	2024-11-06 17:41:32.293848603 +0000
+@@ -1138,15 +1138,13 @@ parse_stab_string (void *dhandle, struct
+     case 'Y':
+       /* SUNPro C++ Namespace =Yn0.  */
+       /* Skip the namespace mapping, as it is not used now.  */
+-      if (*(++p) == 'n' && *(++p) == '0')
++      if (*p++ != 0 && *p++ == 'n' && *p++ == '0')
+ 	{
+ 	  /* =Yn0name; */
+-	  while (*p != ';')
++	  while (*p && *p != ';')
+ 	    ++p;
+-	  ++p;
+-	  /* There is a potential resource leak here, but it is not important.  */
+-	  /* coverity[leaked_storage: FALSE] */
+-	  return TRUE;
++	  if (*p)
++	    return TRUE;
+ 	}
+       /* TODO SUNPro C++ support:
+          Support default arguments after F,P parameters

SOURCES/binutils-CVE-2018-12699-part7-PR28718.patch

@@ -0,0 +1,158 @@
+# This is a merge of four commits to fix a stack overflow bug:
+#
+# From af4004d1da135610ab931e04a3ba2c9124defbd7 Mon Sep 17 00:00:00 2001
+# From: Nick Clifton <nickc@redhat.com>
+# Date: Thu, 6 Jan 2022 16:37:26 +0000
+# Subject: [PATCH] Fix a stack exhaustion bug parsing malicious STABS format
+#  debug information.
+# 
+# 	PR 28718
+# 	* debug.c (debug_write_type): Allow for malicious recursion via
+# 	indirect debug types.
+# 
+# From 0e9f1c04b9572920c7f940203a67d5af3f6c19f6 Mon Sep 17 00:00:00 2001
+# From: Pavel Mayorov <pmayorov@cloudlinux.com>
+# Date: Fri, 7 Jan 2022 12:34:37 +0000
+# Subject: [PATCH] Revert previous delta to debug.c.  Replace with patch to
+#  reject indirect types that point to indirect types.
+# 
+# 	PR 28718
+# 	* dwarf.c: Revert previous delta.
+# 	(debug_get_real_type): Reject indirect types that point to
+# 	indirect types.
+# 	(debug_get_type_name, debug_get_type_size, debug_write_type):
+# 	Likewise.
+# 
+# From 55a75aae9d971d3d0f49884e3954ac4794559542 Mon Sep 17 00:00:00 2001
+# From: Alan Modra <amodra@gmail.com>
+# Date: Tue, 9 May 2023 17:11:46 +0930
+# Subject: [PATCH] stack overflow in debug_write_type
+# 
+# Another fuzzer attack.  This one was a "set" with elements using an
+# indirect type pointing back at the set.  The existing recursion check
+# only prevented simple recursion.
+# 
+# 	* debug.c (struct debug_type_s): Add mark.
+# 	(debug_write_type): Set mark and check before recursing into
+# 	indirect types.
+#
+# From 6109320673fe30163b5d00d9e3a7f4e77befb22a Mon Sep 17 00:00:00 2001
+# From: Alan Modra <amodra@gmail.com>
+# Date: Wed, 10 May 2023 23:05:00 +0930
+# Subject: [PATCH] Re: stack overflow in debug_write_type
+# 
+# Apparently u.kindirect->slot can point at a NULL.
+# 
+# 	* debug.c (debug_write_type): Don't segfault on NULL indirect.
+
+--- binutils.orig/binutils/debug.c	2024-11-06 17:39:57.452250912 +0000
++++ binutils-2.30/binutils/debug.c	2024-11-06 17:44:37.951018606 +0000
+@@ -2483,8 +2483,22 @@ debug_write_type (struct debug_handle *i
+     case DEBUG_KIND_INDIRECT:
+       if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
+ 	return (*fns->empty_type) (fhandle);
+-      return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+-			       name);
++      /* PR 28718: Allow for malicious recursion.  */
++      {
++	static int recursion_depth = 0;
++	bfd_boolean result;
++
++	if (recursion_depth > 256)
++	  {
++	    debug_error (_("debug_write_type: too many levels of nested indirection"));
++	    return FALSE;
++	  }
++	++ recursion_depth;
++	result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
++				  name);
++	-- recursion_depth;
++	return result;
++      }
+     case DEBUG_KIND_VOID:
+       return (*fns->void_type) (fhandle);
+     case DEBUG_KIND_INT:
+--- binutils.orig/binutils/debug.c	2024-11-07 12:05:27.049161875 +0000
++++ binutils-2.30/binutils/debug.c	2024-11-07 12:25:03.616783102 +0000
+@@ -102,6 +102,8 @@ struct debug_type_s
+   enum debug_type_kind kind;
+   /* Size of type (0 if not known).  */
+   unsigned int size;
++  /* Used by debug_write to stop DEBUG_KIND_INDIRECT infinite recursion.  */
++  unsigned int mark;
+   /* Type which is a pointer to this type.  */
+   debug_type pointer;
+   /* Tagged union with additional information about the type.  */
+@@ -2065,7 +2067,9 @@ debug_get_real_type (void *handle, debug
+       /* The default case is just here to avoid warnings.  */
+     default:
+     case DEBUG_KIND_INDIRECT:
+-      if (*type->u.kindirect->slot != NULL)
++      /* A valid non-self-referencing indirect type.  */
++      if (*type->u.kindirect->slot != NULL
++	  && *type->u.kindirect->slot != type)
+ 	return debug_get_real_type (handle, *type->u.kindirect->slot, &rl);
+       return type;
+     case DEBUG_KIND_NAMED:
+@@ -2095,7 +2099,9 @@ debug_get_type_name (void *handle, debug
+ {
+   if (type->kind == DEBUG_KIND_INDIRECT)
+     {
+-      if (*type->u.kindirect->slot != NULL)
++      /* A valid non-self-referencing indirect type.  */
++      if (*type->u.kindirect->slot != NULL
++	  && *type->u.kindirect->slot != type)
+ 	return debug_get_type_name (handle, *type->u.kindirect->slot);
+       return type->u.kindirect->tag;
+     }
+@@ -2124,7 +2130,9 @@ debug_get_type_size (void *handle, debug
+     default:
+       return 0;
+     case DEBUG_KIND_INDIRECT:
+-      if (*type->u.kindirect->slot != NULL)
++      /* A valid non-self-referencing indirect type.  */
++      if (*type->u.kindirect->slot != NULL
++	  && *type->u.kindirect->slot != type)
+ 	return debug_get_type_size (handle, *type->u.kindirect->slot);
+       return 0;
+     case DEBUG_KIND_NAMED:
+@@ -2419,6 +2427,9 @@ debug_write_type (struct debug_handle *i
+   int is;
+   const char *tag = NULL;
+ 
++  /* Mark the type so that we don't define a type in terms of itself.  */
++  type->mark = info->mark;
++
+   /* If we have a name for this type, just output it.  We only output
+      typedef names after they have been defined.  We output type tags
+      whenever we are not actually defining them.  */
+@@ -2481,24 +2492,12 @@ debug_write_type (struct debug_handle *i
+       debug_error (_("debug_write_type: illegal type encountered"));
+       return FALSE;
+     case DEBUG_KIND_INDIRECT:
+-      if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
++      /* Prevent infinite recursion.  */
++      if (*type->u.kindirect->slot != DEBUG_TYPE_NULL
++	  && (*type->u.kindirect->slot)->mark == info->mark)
+ 	return (*fns->empty_type) (fhandle);
+-      /* PR 28718: Allow for malicious recursion.  */
+-      {
+-	static int recursion_depth = 0;
+-	bfd_boolean result;
+-
+-	if (recursion_depth > 256)
+-	  {
+-	    debug_error (_("debug_write_type: too many levels of nested indirection"));
+-	    return FALSE;
+-	  }
+-	++ recursion_depth;
+-	result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+-				  name);
+-	-- recursion_depth;
+-	return result;
+-      }
++      return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
++			       name);
+     case DEBUG_KIND_VOID:
+       return (*fns->void_type) (fhandle);
+     case DEBUG_KIND_INT:

SPECS/binutils.spec

@@ -43,7 +43,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?name_cross}%{?_with_debug:-debug}
 Version: 2.30
-Release: 123%{?dist}
+Release: 125%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
 
@@ -638,6 +638,35 @@ Patch103: binutils-memory-access-when-parsing-an-elf-file.patch
 # Purpose:  Add support for DWARF-5 offset tables.
 # Lifetime: 2.40
 Patch104: binutils-DW_FORM_strx.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch105: binutils-CVE-2018-12699-part1-PR22955.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch106:  binutils-CVE-2018-12699-part2-PR87861.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch107: binutils-CVE-2018-12699-part3-PR22957.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch108: binutils-CVE-2018-12699-part4-PR16615.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch109: binutils-CVE-2018-12699-part5-PR28694.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch110: binutils-CVE-2018-12699-part6-PR28862.patch
+
+# Purpose:  Fixes an illegal memory access parsing corrupt A.OUT files.
+# Lifetime: 2.35
+Patch111: binutils-CVE-2018-12699-part7-PR28718.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -879,6 +908,13 @@ using libelf instead of BFD.
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
+%patch105 -p1
+%patch106 -p1
+%patch107 -p1
+%patch108 -p1
+%patch109 -p1
+%patch110 -p1
+%patch111 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@@ -1328,6 +1364,12 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Wed Nov 06 2024 Nick Clifton  <nickc@redhat.com> - 2.30-125
+- Fix illegal memory accesses when parsing corrupt a.out format files.  (RHEL-64927)
+
+* Tue Oct 29 2024 Nick Clifton  <nickc@redhat.com> - 2.30-124
+- Fix illegal memory accesses when parsing corrupt a.out format files.  (RHEL-64927)
+
 * Tue Jul 25 2023 Nick Clifton  <nickc@redhat.com> - 2.30-123
 - Extend support for DWARF-5 offset tables as generated by Clang++.  (#2222697)