Another SLE patch and updating CVE mentions in .changes

- Add binutils-maxpagesize.diff for a problem on old code streams, where we would generate too large binaries. - This fixes these CVEs relative to 2.37: [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648 [bsc#1193929] aka PR28694 aka CVE-2021-45078 [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195 [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943 [bsc#1202966] aka PR29289 aka CVE-2022-38126 [bsc#1202967] aka PR29290 aka CVE-2022-38127 [bsc#1202969] aka CVE-2021-3826 OBS-URL: https://build.opensuse.org/package/show/devel:gcc/binutils?expand=0&rev=424
2022-10-25 15:43:19 +00:00 · 2022-10-25 15:43:19 +00:00 · 2489107f56
commit 2489107f56
parent 278e829c00
3 changed files with 70 additions and 0 deletions
--- a/binutils-maxpagesize.diff
+++ b/binutils-maxpagesize.diff
@ -0,0 +1,54 @@
+commit a2267dbfc9e1dd955f78561c40f00afa9ddbe619
+Author: Michael Matz <matz@suse.de>
+Date:   Thu Oct 20 16:06:57 2022 +0200
+
+    x86-64: Use only one default max-page-size
+    
+    On x86-64 the default ELF_MAXPAGESIZE depends on a configure
+    option (--disable-separate-code).  Since 9833b775
+    ("PR28824, relro security issues") we use max-page-size for relro
+    alignment (with a short interval, from 31b4d3a ("PR28824, relro
+    security issues, x86 keep COMMONPAGESIZE relro") to its revert
+    a1faa5ea, where x86-64 only used COMMONPAGESIZE as relro alignment
+    target).
+    
+    But that means that a linker configured with --disable-separate-code
+    behaves different from one configured with --enable-separate-code
+    (the default), _even if using "-z {no,}separate-code" option to use
+    the non-configured behaviour_ .  In particular it means that when
+    configuring with --disable-separate-code the linker will produce
+    binaries aligned to 2MB pages on disk, and hence generate 2MB
+    executables for a hello world (and even 6MB when linked with
+    "-z separate-code").
+    
+    Generally we can't have constants that ultimately land in static
+    variables be depending on configure options if those only influence
+    behaviour that is overridable by command line options.
+    
+    So, do away with that, make the default MAXPAGESIZE be 4k (as is default
+    for most x86-64 configs anyway, as most people won't configure with
+    --disable-separate-code).  If people need more they can use the
+    "-z max-page-size" (with would have been required right now for a
+    default configure binutils).
+    
+    bfd/
+            * elf64-x86-64.c (ELF_MAXPAGESIZE): Don't depend on
+            DEFAULT_LD_Z_SEPARATE_CODE.
+
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index f3b54400013..2ae8dffba0f 100644
+--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
+@@ -5259,11 +5259,7 @@ elf_x86_64_special_sections[]=
+ #define ELF_ARCH			    bfd_arch_i386
+ #define ELF_TARGET_ID			    X86_64_ELF_DATA
+ #define ELF_MACHINE_CODE		    EM_X86_64
+-#if DEFAULT_LD_Z_SEPARATE_CODE
+-# define ELF_MAXPAGESIZE		    0x1000
+-#else
+-# define ELF_MAXPAGESIZE		    0x200000
+-#endif
+#define ELF_MAXPAGESIZE			    0x1000
+ #define ELF_COMMONPAGESIZE		    0x1000
+ 
+ #define elf_backend_can_gc_sections	    1
--- a/binutils.changes
+++ b/binutils.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 25 14:52:30 UTC 2022 - Michael Matz <matz@suse.com>
+
+- Add binutils-maxpagesize.diff for a problem on old code
+  streams, where we would generate too large binaries.
+
 -------------------------------------------------------------------
 Tue Oct 25 12:54:34 UTC 2022 - Andreas Schwab <schwab@suse.de>

@ -11,6 +17,14 @@ Mon Oct 17 15:16:23 UTC 2022 - Michael Matz <matz@suse.com>
  binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff,
  binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff,
  binutils-add-z16-name.diff.
+- This fixes these CVEs relative to 2.37:
+  [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648
+  [bsc#1193929] aka PR28694 aka CVE-2021-45078
+  [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195
+  [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943
+  [bsc#1202966] aka PR29289 aka CVE-2022-38126
+  [bsc#1202967] aka PR29290 aka CVE-2022-38127
+  [bsc#1202969] aka CVE-2021-3826

 -------------------------------------------------------------------
 Fri Aug 26 13:24:35 UTC 2022 - Michael Matz <matz@suse.com>
--- a/binutils.spec
+++ b/binutils.spec
@ -140,6 +140,7 @@ Patch42:        binutils-compat-old-behaviour.diff
 Patch43:        binutils-revert-hlasm-insns.diff
 Patch44:        binutils-revert-rela.diff
 Patch45:        binutils-pr29482.diff
+Patch46:        binutils-maxpagesize.diff
 Patch100:       add-ulp-section.diff
 Patch90:        cross-avr-nesc-as.patch
 Patch92:        cross-avr-omit_section_dynsym.patch
@ -264,6 +265,7 @@ cp ld/ldgram.y ld/ldgram.y.orig
 %patch44 -p1
 %endif
 %patch45 -p1
+%patch46 -p1
 %patch100 -p1
 %if "%{TARGET}" == "avr"
 cp gas/config/tc-avr.h gas/config/tc-avr-nesc.h