binutils: Fix CVE-2025-7545

objcopy: Don't extend the output section size Since the output section contents are copied from the input, don't extend the output section size beyond the input section size. Backport a patch from upstream to fix CVE-2025-7545 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] (From OE-Core rev: 128e40c39d8eafdd32fea71b902b38801afec202) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> 2025-07-24 03:31:53 -0700
committer: Steve Sakoman <steve@sakoman.com> 2025-07-29 07:59:52 -0700
commit: 76f88baf019b612109670938047c6840e15083b1 (patch)
tree: 4e1bf17b0e68d3e73f5160b3c95062f4d5f4137c
parent: b162dfb4920a6a18a2ff0a8cbfcfe89b5111763b (diff)
download: poky-76f88baf019b612109670938047c6840e15083b1.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index a3ad655dbe..fb34ea9763 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -54,5 +54,6 @@ SRC_URI = "\
     file://0022-CVE-2025-5245.patch \
     file://0022-CVE-2025-5244.patch \
     file://0023-CVE-2025-7546.patch \
+     file://0023-CVE-2025-7545.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
new file mode 100644
index 0000000000..de132f74fc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
@@ -0,0 +1,39 @@
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 21 Jun 2025 06:36:56 +0800
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
+CVE: CVE-2025-7545
+Since the output section contents are copied from the input, don't
+extend the output section size beyond the input section size.
+        PR binutils/33049
+        * objcopy.c (copy_section): Don't extend the output section
+        size beyond the input section size.
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index a85d2620..18cd1bfd 100644
+--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
+@@ -4547,6 +4547,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+          char *to = (char *) memhunk;
+          char *end = (char *) memhunk + size;
+          int i;
+         bfd_size_type memhunk_size = size;
+ 
+          /* If the section address is not exactly divisible by the interleave,
+             then we must bias the from address.  If the copy_byte is less than
+@@ -4566,6 +4567,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+              }
+ 
+          size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
+
+         /* Don't extend the output section size.  */
+         if (size > memhunk_size)
+           size = memhunk_size;
+         
+          osection->lma /= interleave;
+          if (copy_byte < extra)
+            osection->lma++;
author	Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>	2025-07-24 03:31:53 -0700
committer	Steve Sakoman <steve@sakoman.com>	2025-07-29 07:59:52 -0700
commit	76f88baf019b612109670938047c6840e15083b1 (patch)
tree	4e1bf17b0e68d3e73f5160b3c95062f4d5f4137c
parent	b162dfb4920a6a18a2ff0a8cbfcfe89b5111763b (diff)
download	poky-76f88baf019b612109670938047c6840e15083b1.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index a3ad655dbe..fb34ea9763 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -54,5 +54,6 @@ SRC_URI = "\
54	file://0022-CVE-2025-5245.patch \	54	file://0022-CVE-2025-5245.patch \
55	file://0022-CVE-2025-5244.patch \	55	file://0022-CVE-2025-5244.patch \
56	file://0023-CVE-2025-7546.patch \	56	file://0023-CVE-2025-7546.patch \
		57	file://0023-CVE-2025-7545.patch \
57	"	58	"
58	S = "${WORKDIR}/git"	59	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch new file mode 100644 index 0000000000..de132f74fc --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
@@ -0,0 +1,39 @@
		1	From: "H.J. Lu" <hjl.tools@gmail.com>
		2	Date: Sat, 21 Jun 2025 06:36:56 +0800
		3
		4	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
		5	CVE: CVE-2025-7545
		6
		7	Since the output section contents are copied from the input, don't
		8	extend the output section size beyond the input section size.
		9
		10	PR binutils/33049
		11	* objcopy.c (copy_section): Don't extend the output section
		12	size beyond the input section size.
		13
		14	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		15
		16	diff --git a/binutils/objcopy.c b/binutils/objcopy.c
		17	index a85d2620..18cd1bfd 100644
		18	--- a/binutils/objcopy.c
		19	+++ b/binutils/objcopy.c
		20	@@ -4547,6 +4547,7 @@ copy_section (bfd ibfd, sec_ptr isection, void obfdarg)
		21	char to = (char ) memhunk;
		22	char end = (char ) memhunk + size;
		23	int i;
		24	+ bfd_size_type memhunk_size = size;
		25
		26	/* If the section address is not exactly divisible by the interleave,
		27	then we must bias the from address. If the copy_byte is less than
		28	@@ -4566,6 +4567,11 @@ copy_section (bfd ibfd, sec_ptr isection, void obfdarg)
		29	}
		30
		31	size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
		32	+
		33	+ /* Don't extend the output section size. */
		34	+ if (size > memhunk_size)
		35	+ size = memhunk_size;
		36	+
		37	osection->lma /= interleave;
		38	if (copy_byte < extra)
		39	osection->lma++;