binutils: patch CVE-2025-11412

Pick commit per NVD CVE report. (From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-10-21 00:09:09 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-10-27 11:37:43 +0000
commit: 52f475fd131f5f5d2931442fb041c5efeccad356 (patch)
tree: e7bc6ae473e41e9f5d604317e06f4301c65e19fa
parent: 241b6711792924ba3a6ad8b565f21435fd70d4de (diff)
download: poky-52f475fd131f5f5d2931442fb041c5efeccad356.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 2adff3c456..ffd6c3b238 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -40,4 +40,5 @@ SRC_URI = "\
     file://0016-CVE-2025-11082.patch \
     file://0017-CVE-2025-11083.patch \
     file://CVE-2025-11414.patch \
+     file://CVE-2025-11412.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
new file mode 100644
index 0000000000..ab718f5354
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
@@ -0,0 +1,35 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array.  This also fixes the expression
+overflow leading to pr33452.  A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+        PR ld/33452
+        * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+CVE: CVE-2025-11412
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
+++ b/bfd/elflink.c
+@@ -14837,7 +14837,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+   const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+   unsigned int log_file_align = bed->s->log_file_align;
+ 
+-  if (!h)
+  if (!h || addend > 1u << 28)
+     {
+       /* xgettext:c-format */
+       _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
author	Peter Marko <peter.marko@siemens.com>	2025-10-21 00:09:09 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-10-27 11:37:43 +0000
commit	52f475fd131f5f5d2931442fb041c5efeccad356 (patch)
tree	e7bc6ae473e41e9f5d604317e06f4301c65e19fa
parent	241b6711792924ba3a6ad8b565f21435fd70d4de (diff)
download	poky-52f475fd131f5f5d2931442fb041c5efeccad356.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 2adff3c456..ffd6c3b238 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -40,4 +40,5 @@ SRC_URI = "\
40	file://0016-CVE-2025-11082.patch \	40	file://0016-CVE-2025-11082.patch \
41	file://0017-CVE-2025-11083.patch \	41	file://0017-CVE-2025-11083.patch \
42	file://CVE-2025-11414.patch \	42	file://CVE-2025-11414.patch \
		43	file://CVE-2025-11412.patch \
43	"	44	"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch new file mode 100644 index 0000000000..ab718f5354 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
@@ -0,0 +1,35 @@
		1	From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 25 Sep 2025 08:22:24 +0930
		4	Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
		5
		6	Limit addends on vtentry relocs, otherwise ld might attempt to
		7	allocate a stupidly large array. This also fixes the expression
		8	overflow leading to pr33452. A vtable of 33M entries on a 64-bit
		9	host is surely large enough, especially considering that VTINHERIT
		10	and VTENTRY relocations are to support -fvtable-gc that disappeared
		11	from gcc over 20 years ago.
		12
		13	PR ld/33452
		14	* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
		15
		16	CVE: CVE-2025-11412
		17	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	bfd/elflink.c \| 2 +-
		21	1 file changed, 1 insertion(+), 1 deletion(-)
		22
		23	diff --git a/bfd/elflink.c b/bfd/elflink.c
		24	index 54f0d6e957e..0a0456177c2 100644
		25	--- a/bfd/elflink.c
		26	+++ b/bfd/elflink.c
		27	@@ -14837,7 +14837,7 @@ bfd_elf_gc_record_vtentry (bfd abfd, asection sec,
		28	const struct elf_backend_data *bed = get_elf_backend_data (abfd);
		29	unsigned int log_file_align = bed->s->log_file_align;
		30
		31	- if (!h)
		32	+ if (!h \|\| addend > 1u << 28)
		33	{
		34	/* xgettext:c-format */
		35	_bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),