summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2025-10-13 21:07:45 +0200
committerSteve Sakoman <steve@sakoman.com>2025-10-17 07:27:24 -0700
commit2325a1dbc53f7a3efe66cfacd01b3d18e45045ac (patch)
treedf20b236567446e243ecd5787bb2a1f870d59bc8
parent2952d99f0f777bf337c45ca1499eff04925a5e85 (diff)
downloadpoky-2325a1dbc53f7a3efe66cfacd01b3d18e45045ac.tar.gz
binutils: patch CVE-2025-11082
Pick patch per link in NVD report. (From OE-Core rev: cdc458b5dd21614058aac56de68a272201283141) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.38.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/0044-CVE-2025-11082.patch46
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 527334ccec..0fd950e694 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -80,5 +80,6 @@ SRC_URI = "\
80 file://0042-CVE-2025-5245.patch \ 80 file://0042-CVE-2025-5245.patch \
81 file://0043-CVE-2025-7546.patch \ 81 file://0043-CVE-2025-7546.patch \
82 file://0043-CVE-2025-7545.patch \ 82 file://0043-CVE-2025-7545.patch \
83 file://0044-CVE-2025-11082.patch \
83" 84"
84S = "${WORKDIR}/git" 85S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0044-CVE-2025-11082.patch b/meta/recipes-devtools/binutils/binutils/0044-CVE-2025-11082.patch
new file mode 100644
index 0000000000..83747d4e8b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0044-CVE-2025-11082.patch
@@ -0,0 +1,46 @@
1From ea1a0737c7692737a644af0486b71e4a392cbca8 Mon Sep 17 00:00:00 2001
2From: "H.J. Lu" <hjl.tools@gmail.com>
3Date: Mon, 22 Sep 2025 15:20:34 +0800
4Subject: [PATCH] elf: Don't read beyond .eh_frame section size
5
6 PR ld/33464
7 * elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
8 .eh_frame section size.
9
10Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
11
12CVE: CVE-2025-11082
13Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8]
14Signed-off-by: Peter Marko <peter.marko@siemens.com>
15---
16 bfd/elf-eh-frame.c | 8 ++++++--
17 1 file changed, 6 insertions(+), 2 deletions(-)
18
19diff --git a/bfd/elf-eh-frame.c b/bfd/elf-eh-frame.c
20index dc0d2e097f5..30bb313489c 100644
21--- a/bfd/elf-eh-frame.c
22+++ b/bfd/elf-eh-frame.c
23@@ -733,6 +733,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
24 if (hdr_id == 0)
25 {
26 unsigned int initial_insn_length;
27+ char *null_byte;
28
29 /* CIE */
30 this_inf->cie = 1;
31@@ -749,10 +750,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info,
32 REQUIRE (cie->version == 1
33 || cie->version == 3
34 || cie->version == 4);
35- REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
36+ null_byte = memchr ((char *) buf, 0, end - buf);
37+ REQUIRE (null_byte != NULL);
38+ REQUIRE ((size_t) (null_byte - (char *) buf)
39+ < sizeof (cie->augmentation));
40
41 strcpy (cie->augmentation, (char *) buf);
42- buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
43+ buf = (bfd_byte *) null_byte + 1;
44 this_inf->u.cie.aug_str_len = buf - start - 1;
45 ENSURE_NO_RELOCS (buf);
46 if (buf[0] == 'e' && buf[1] == 'h')