diff --git a/backport-CVE-2025-11082.patch b/backport-CVE-2025-11082.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88dc14815795d3e484fac15d210db607d21fc679
--- /dev/null
+++ b/backport-CVE-2025-11082.patch
@@ -0,0 +1,45 @@
+From ea1a0737c7692737a644af0486b71e4a392cbca8 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Mon, 22 Sep 2025 15:20:34 +0800
+Subject: [PATCH] elf: Don't read beyond .eh_frame section size
+
+ PR ld/33464
+ * elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
+ .eh_frame section size.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf-eh-frame.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/elf-eh-frame.c b/bfd/elf-eh-frame.c
+index dc0d2e097f5..30bb313489c 100644
+--- a/bfd/elf-eh-frame.c
++++ b/bfd/elf-eh-frame.c
+@@ -737,6 +737,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ if (hdr_id == 0)
+ {
+ unsigned int initial_insn_length;
++ char *null_byte;
+
+ /* CIE */
+ this_inf->cie = 1;
+@@ -753,10 +754,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
+ REQUIRE (cie->version == 1
+ || cie->version == 3
+ || cie->version == 4);
+- REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
++ null_byte = memchr ((char *) buf, 0, end - buf);
++ REQUIRE (null_byte != NULL);
++ REQUIRE ((size_t) (null_byte - (char *) buf)
++ < sizeof (cie->augmentation));
+
+ strcpy (cie->augmentation, (char *) buf);
+- buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
++ buf = (bfd_byte *) null_byte + 1;
+ this_inf->u.cie.aug_str_len = buf - start - 1;
+ ENSURE_NO_RELOCS (buf);
+ if (buf[0] == 'e' && buf[1] == 'h')
+--
+2.43.0
+
diff --git a/backport-CVE-2025-11083.patch b/backport-CVE-2025-11083.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7bdb5416461d4b75d2160b152286cf890207859
--- /dev/null
+++ b/backport-CVE-2025-11083.patch
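Review bot: The context line `if (buf[0] == 'e' && buf[1] == 'h')` at the end of the second elf-eh-frame.c hunk still reads two bytes without comparing `buf` to `end`, so when the NUL found by `memchr` is the last byte before `end`, the new `buf = (bfd_byte *) null_byte + 1;` equals `end` and those reads fall outside the bound this patch starts enforcing. Whether `ENSURE_NO_RELOCS` or an earlier check already covers that case cannot be seen here, because `_bfd_elf_parse_eh_frame` starts and ends outside the hunk, but a guard such as `if (end - buf >= 2 && buf[0] == 'e' && buf[1] == 'h')` would make the bound explicit. Since the string length is now known, the `strcpy` could also become a `memcpy` of `null_byte - (char *) buf + 1` bytes, which ties the copy size to the value that was just checked.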
@@ -0,0 +1,76 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+
+ PR ld/33457
+ * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return
+ false for corrupt section header in linker input.
+ (elf_object_p): Reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elfcode.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 9c65852e103..5224a1abee6 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+ ELF section header table entry in internal format. */
+
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ const Elf_External_Shdr *src,
+ Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+ {
+ _bfd_error_handler (_("warning: %pB has a section "
+ "extending past end of file"), abfd);
++ /* PR ld/33457: Don't match corrupt section header. */
++ if (abfd->is_linker_input)
++ return false;
+ abfd->read_only = 1;
+ }
+ }
+@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
+ dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+ dst->bfd_section = NULL;
+ dst->contents = NULL;
++ return true;
+ }
+
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
+
+ /* Read the first section header at index 0, and convert to internal
+ form. */
+- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+
+ /* If the section count is zero, the actual count is in the first
+ section header. */
+@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
+ to internal form. */
+ for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ {
+- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+
+ /* Sanity check sh_link and sh_info. */
+ if (i_shdrp[shindex].sh_link >= num_sec)
+--
+2.43.0
+
diff --git a/binutils.spec b/binutils.spec
index 682da95696ebff71d3a4f2a37b93ad2efad95925..8dbc285a8d0d0fa4c9b31ad24141abac46ba2065 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -2,7 +2,7 @@ Summary: A GNU collection of binary utilities Name: binutils%{?_with_debug:-debug} Version: 2.41 -Release: 28 +Release: 29 License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND BSD-3-Clause AND GFDL-1.3-or-later AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later URL: https://sourceware.org/binutils
@@ -438,6 +438,14 @@ Patch5030: backport-CVE-2025-5245.patch # Lifetime: Fixed in 2.46 Patch5031: backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch +# Purpose: PR binutils/33464 +# Lifetime: Fixed in 2.46 +Patch5032: backport-CVE-2025-11082.patch + +# Purpose: PR binutils/33457 +# Lifetime: Fixed in 2.46 +Patch5033: backport-CVE-2025-11083.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty)
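Review bot: The header comment above `elf_swap_shdr_in` in the elfcode.h patch still describes only the translation, although the function now returns `bool` and both `elf_object_p` call sites treat `false` as no-match; a sentence such as `Return false if ABFD is a linker input and the header describes a section extending past end of file.` would document the new contract. On the early `return false` path, `dst->sh_entsize`, `dst->bfd_section` and `dst->contents` are never assigned. That is harmless for the two call sites shown because they jump to `got_no_match`, but any caller outside these hunks would have to check the result before using `dst`. The rejection is also limited to `abfd->is_linker_input`, so other consumers still get the oversized header swapped in with `read_only` set and have to keep validating section sizes themselves.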
@@ -1452,6 +1460,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Mon Dec 15 2025 eastb233 - 2.41-29 +- Fix CVE-2025-11082 and CVE-2025-11083 + * Wed Dec 10 2025 Linux_zhang - 2.41-28 - Fix CVE-2025-11412