2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 8ace34495d..391b0157d3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -38,4 +38,5 @@ SRC_URI = "\
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
     file://0015-CVE-2025-11081.patch \
     file://0016-CVE-2025-11082.patch \
+     file://0017-CVE-2025-11083.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch
new file mode 100644
index 0000000000..b51bb5a19d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch
@@ -0,0 +1,77 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+        PR ld/33457
+        * elfcode.h (elf_swap_shdr_in): Changed to return bool.  Return
+        false for corrupt section header in linker input.
+        (elf_object_p): Reject if elf_swap_shdr_in returns false.
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+CVE: CVE-2025-11083
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elfcode.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 9c65852e103..5224a1abee6 100644
+--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+    ELF section header table entry in internal format.  */
+ 
+-static void
+static bool
+ elf_swap_shdr_in (bfd *abfd,
+                  const Elf_External_Shdr *src,
+                  Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+        {
+          _bfd_error_handler (_("warning: %pB has a section "
+                                "extending past end of file"), abfd);
+         /* PR ld/33457: Don't match corrupt section header.  */
+         if (abfd->is_linker_input)
+           return false;
+          abfd->read_only = 1;
+        }
+     }
+@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
+   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+   dst->bfd_section = NULL;
+   dst->contents = NULL;
+  return true;
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
+ 
+       /* Read the first section header at index 0, and convert to internal
+         form.  */
+-      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+         || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+        goto got_no_match;
+-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+       /* If the section count is zero, the actual count is in the first
+         section header.  */
+@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
+         to internal form.  */
+       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+        {
+-         if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+         if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+             || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+            goto got_no_match;
+-         elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+          /* Sanity check sh_link and sh_info.  */
+          if (i_shdrp[shindex].sh_link >= num_sec)

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 8ace34495d..391b0157d3 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -38,4 +38,5 @@ SRC_URI = "\
38	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	38	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
39	file://0015-CVE-2025-11081.patch \	39	file://0015-CVE-2025-11081.patch \
40	file://0016-CVE-2025-11082.patch \	40	file://0016-CVE-2025-11082.patch \
		41	file://0017-CVE-2025-11083.patch \
41	"	42	"


diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch new file mode 100644 index 0000000000..b51bb5a19d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-11083.patch
@@ -0,0 +1,77 @@
		1	From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
		2	From: "H.J. Lu" <hjl.tools@gmail.com>
		3	Date: Thu, 18 Sep 2025 16:59:25 -0700
		4	Subject: [PATCH] elf: Don't match corrupt section header in linker input
		5
		6	Don't swap in nor match corrupt section header in linker input to avoid
		7	linker crash later.
		8
		9	PR ld/33457
		10	* elfcode.h (elf_swap_shdr_in): Changed to return bool. Return
		11	false for corrupt section header in linker input.
		12	(elf_object_p): Reject if elf_swap_shdr_in returns false.
		13
		14	Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
		15
		16	CVE: CVE-2025-11083
		17	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	bfd/elfcode.h \| 14 +++++++++-----
		21	1 file changed, 9 insertions(+), 5 deletions(-)
		22
		23	diff --git a/bfd/elfcode.h b/bfd/elfcode.h
		24	index 9c65852e103..5224a1abee6 100644
		25	--- a/bfd/elfcode.h
		26	+++ b/bfd/elfcode.h
		27	@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
		28	/* Translate an ELF section header table entry in external format into an
		29	ELF section header table entry in internal format. */
		30
		31	-static void
		32	+static bool
		33	elf_swap_shdr_in (bfd *abfd,
		34	const Elf_External_Shdr *src,
		35	Elf_Internal_Shdr *dst)
		36	@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
		37	{
		38	_bfd_error_handler (_("warning: %pB has a section "
		39	"extending past end of file"), abfd);
		40	+ /* PR ld/33457: Don't match corrupt section header. */
		41	+ if (abfd->is_linker_input)
		42	+ return false;
		43	abfd->read_only = 1;
		44	}
		45	}
		46	@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
		47	dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
		48	dst->bfd_section = NULL;
		49	dst->contents = NULL;
		50	+ return true;
		51	}
		52
		53	/* Translate an ELF section header table entry in internal format into an
		54	@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
		55
		56	/* Read the first section header at index 0, and convert to internal
		57	form. */
		58	- if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
		59	+ if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
		60	+ \|\| !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
		61	goto got_no_match;
		62	- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
		63
		64	/* If the section count is zero, the actual count is in the first
		65	section header. */
		66	@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
		67	to internal form. */
		68	for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
		69	{
		70	- if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
		71	+ if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
		72	+ \|\| !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
		73	goto got_no_match;
		74	- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
		75
		76	/* Sanity check sh_link and sh_info. */
		77	if (i_shdrp[shindex].sh_link >= num_sec)