binutils: patch CVE-2025-11495

Pick commit per NVD CVE report. (From OE-Core rev: d3ec5a470bba069dee809780a5c892c7d52e05ac) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-10-21 00:09:11 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-10-27 11:37:43 +0000
commit: 06237fd316b3a123f20ee4f9a7fe73424be1f8ca (patch)
tree: 7eccb222cae0645df9ff02ad7968fdc34cff2fca /meta/recipes-devtools/binutils
parent: 5b2ea2b50ee6d4ead1e4dd8466de3047b20b8e10 (diff)
download: poky-06237fd316b3a123f20ee4f9a7fe73424be1f8ca.tar.gz
2 files changed, 154 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 62b5bf6c26..288475ac39 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -42,4 +42,5 @@ SRC_URI = "\
     file://CVE-2025-11414.patch \
     file://CVE-2025-11412.patch \
     file://CVE-2025-11413.patch \
+     file://CVE-2025-11495.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
new file mode 100644
index 0000000000..6e5e68fe27
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
@@ -0,0 +1,153 @@
+From 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:18:29 +0800
+Subject: [PATCH] x86: Disallow TLS relocation in non executable section
+Since TLS relocations are applied to executable machine instructions,
+disallow TLS relocation in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+        PR ld/33451
+        PR ld/33502
+        * elf32-i386.c (elf_i386_tls_transition): Disallow TLS relocation
+        in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
+        (elf_i386_scan_relocs): Likewise.
+        * elf64-x86-64.c (elf_x86_64_tls_transition): Likewise.
+        (elf_x86_64_scan_relocs): Likewise.
+        * elfxx-x86.c (_bfd_x86_elf_link_report_tls_invalid_section_error):
+        New.
+        * elfxx-x86.h (_bfd_x86_elf_link_report_tls_invalid_section_error):
+        Likewise.
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+CVE: CVE-2025-11495
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elf32-i386.c   | 19 +++++++++++++++++++
+ bfd/elf64-x86-64.c | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.c    | 20 ++++++++++++++++++++
+ bfd/elfxx-x86.h    |  4 ++++
+ 4 files changed, 63 insertions(+)
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index 507a0762aff..0d60eded701 100644
+--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
+@@ -1166,6 +1166,15 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+       return true;
+     }
+ 
+  if ((elf_section_type (sec) != SHT_PROGBITS
+       || (sec->flags & SEC_CODE) == 0))
+    {
+      reloc_howto_type *howto = elf_i386_rtype_to_howto (from_type);
+      _bfd_x86_elf_link_report_tls_invalid_section_error
+       (abfd, sec, symtab_hdr, h, sym, howto);
+      return false;
+    }
+
+   /* Return TRUE if there is no transition.  */
+   if (from_type == to_type)
+     return true;
+@@ -1727,6 +1736,16 @@ elf_i386_scan_relocs (bfd *abfd,
+                tls_type = GOT_TLS_IE_POS; break;
+              }
+ 
+           if (tls_type >= GOT_TLS_GD
+               && tls_type <= GOT_TLS_GDESC
+               && (elf_section_type (sec) != SHT_PROGBITS
+                   || (sec->flags & SEC_CODE) == 0))
+             {
+               _bfd_x86_elf_link_report_tls_invalid_section_error
+                 (abfd, sec, symtab_hdr, h, isym, howto);
+               goto error_return;
+             }
+
+            if (h != NULL)
+              {
+                h->got.refcount = 1;
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 620b6a380cd..59b43149897 100644
+--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
+@@ -1626,6 +1626,16 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+       return true;
+     }
+ 
+  if ((elf_section_type (sec) != SHT_PROGBITS
+       || (sec->flags & SEC_CODE) == 0))
+    {
+      reloc_howto_type *howto = elf_x86_64_rtype_to_howto (abfd,
+                                                          from_type);
+      _bfd_x86_elf_link_report_tls_invalid_section_error
+       (abfd, sec, symtab_hdr, h, sym, howto);
+      return false;
+    }
+
+   /* Return TRUE if there is no transition.  */
+   if (from_type == to_type
+       || (from_type == R_X86_64_CODE_4_GOTTPOFF
+@@ -2748,6 +2758,16 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
+                break;
+              }
+ 
+           if (tls_type >= GOT_TLS_GD
+               && tls_type <= GOT_TLS_GDESC
+               && (elf_section_type (sec) != SHT_PROGBITS
+                   || (sec->flags & SEC_CODE) == 0))
+             {
+               _bfd_x86_elf_link_report_tls_invalid_section_error
+                 (abfd, sec, symtab_hdr, h, isym, howto);
+               goto error_return;
+             }
+
+            if (h != NULL)
+              {
+                h->got.refcount = 1;
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index 0d389968c91..d8c653a9ad2 100644
+--- a/bfd/elfxx-x86.c
+++ b/bfd/elfxx-x86.c
+@@ -3348,6 +3348,26 @@ _bfd_x86_elf_link_report_tls_transition_error
+   bfd_set_error (bfd_error_bad_value);
+ }
+ 
+/* Report TLS invalid section error.  */
+
+void
+_bfd_x86_elf_link_report_tls_invalid_section_error
+  (bfd *abfd, asection *sec, Elf_Internal_Shdr *symtab_hdr,
+   struct elf_link_hash_entry *h, Elf_Internal_Sym *sym,
+   reloc_howto_type *howto)
+{
+  const char *name;
+  if (h)
+    name = h->root.root.string;
+  else
+    name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL);
+  _bfd_error_handler
+    /* xgettext:c-format */
+    (_("%pB: relocation %s against thread local symbol `%s' in "
+       "invalid section `%pA'"), abfd, howto->name, name, sec);
+  bfd_set_error (bfd_error_bad_value);
+}
+
+ /* Return TRUE if symbol should be hashed in the `.gnu.hash' section.  */
+ 
+ bool
+diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h
+index 1ebc9d2f2e5..f8a24a77577 100644
+--- a/bfd/elfxx-x86.h
+++ b/bfd/elfxx-x86.h
+@@ -939,6 +939,10 @@ extern void _bfd_x86_elf_link_report_tls_transition_error
+    const Elf_Internal_Rela *, const char *, const char *,
+    enum elf_x86_tls_error_type);
+ 
+extern void _bfd_x86_elf_link_report_tls_invalid_section_error
+  (bfd *, asection *, Elf_Internal_Shdr *, struct elf_link_hash_entry *,
+   Elf_Internal_Sym *, reloc_howto_type *);
+
+ #define bfd_elf64_mkobject \
+   _bfd_x86_elf_mkobject
+ #define bfd_elf32_mkobject \
author	Peter Marko <peter.marko@siemens.com>	2025-10-21 00:09:11 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-10-27 11:37:43 +0000
commit	06237fd316b3a123f20ee4f9a7fe73424be1f8ca (patch)
tree	7eccb222cae0645df9ff02ad7968fdc34cff2fca /meta/recipes-devtools/binutils
parent	5b2ea2b50ee6d4ead1e4dd8466de3047b20b8e10 (diff)
download	poky-06237fd316b3a123f20ee4f9a7fe73424be1f8ca.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 62b5bf6c26..288475ac39 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -42,4 +42,5 @@ SRC_URI = "\
42	file://CVE-2025-11414.patch \	42	file://CVE-2025-11414.patch \
43	file://CVE-2025-11412.patch \	43	file://CVE-2025-11412.patch \
44	file://CVE-2025-11413.patch \	44	file://CVE-2025-11413.patch \
		45	file://CVE-2025-11495.patch \
45	"	46	"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch new file mode 100644 index 0000000000..6e5e68fe27 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch
@@ -0,0 +1,153 @@
		1	From 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0 Mon Sep 17 00:00:00 2001
		2	From: "H.J. Lu" <hjl.tools@gmail.com>
		3	Date: Tue, 30 Sep 2025 08:18:29 +0800
		4	Subject: [PATCH] x86: Disallow TLS relocation in non executable section
		5
		6	Since TLS relocations are applied to executable machine instructions,
		7	disallow TLS relocation in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
		8
		9	PR ld/33451
		10	PR ld/33502
		11	* elf32-i386.c (elf_i386_tls_transition): Disallow TLS relocation
		12	in non-SHT_PROGBITS, non-SHF_EXECINSTR section.
		13	(elf_i386_scan_relocs): Likewise.
		14	* elf64-x86-64.c (elf_x86_64_tls_transition): Likewise.
		15	(elf_x86_64_scan_relocs): Likewise.
		16	* elfxx-x86.c (_bfd_x86_elf_link_report_tls_invalid_section_error):
		17	New.
		18	* elfxx-x86.h (_bfd_x86_elf_link_report_tls_invalid_section_error):
		19	Likewise.
		20
		21	Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
		22
		23	CVE: CVE-2025-11495
		24	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0]
		25	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		26	---
		27	bfd/elf32-i386.c \| 19 +++++++++++++++++++
		28	bfd/elf64-x86-64.c \| 20 ++++++++++++++++++++
		29	bfd/elfxx-x86.c \| 20 ++++++++++++++++++++
		30	bfd/elfxx-x86.h \| 4 ++++
		31	4 files changed, 63 insertions(+)
		32
		33	diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
		34	index 507a0762aff..0d60eded701 100644
		35	--- a/bfd/elf32-i386.c
		36	+++ b/bfd/elf32-i386.c
		37	@@ -1166,6 +1166,15 @@ elf_i386_tls_transition (struct bfd_link_info info, bfd abfd,
		38	return true;
		39	}
		40
		41	+ if ((elf_section_type (sec) != SHT_PROGBITS
		42	+ \|\| (sec->flags & SEC_CODE) == 0))
		43	+ {
		44	+ reloc_howto_type *howto = elf_i386_rtype_to_howto (from_type);
		45	+ _bfd_x86_elf_link_report_tls_invalid_section_error
		46	+ (abfd, sec, symtab_hdr, h, sym, howto);
		47	+ return false;
		48	+ }
		49	+
		50	/* Return TRUE if there is no transition. */
		51	if (from_type == to_type)
		52	return true;
		53	@@ -1727,6 +1736,16 @@ elf_i386_scan_relocs (bfd *abfd,
		54	tls_type = GOT_TLS_IE_POS; break;
		55	}
		56
		57	+ if (tls_type >= GOT_TLS_GD
		58	+ && tls_type <= GOT_TLS_GDESC
		59	+ && (elf_section_type (sec) != SHT_PROGBITS
		60	+ \|\| (sec->flags & SEC_CODE) == 0))
		61	+ {
		62	+ _bfd_x86_elf_link_report_tls_invalid_section_error
		63	+ (abfd, sec, symtab_hdr, h, isym, howto);
		64	+ goto error_return;
		65	+ }
		66	+
		67	if (h != NULL)
		68	{
		69	h->got.refcount = 1;
		70	diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
		71	index 620b6a380cd..59b43149897 100644
		72	--- a/bfd/elf64-x86-64.c
		73	+++ b/bfd/elf64-x86-64.c
		74	@@ -1626,6 +1626,16 @@ elf_x86_64_tls_transition (struct bfd_link_info info, bfd abfd,
		75	return true;
		76	}
		77
		78	+ if ((elf_section_type (sec) != SHT_PROGBITS
		79	+ \|\| (sec->flags & SEC_CODE) == 0))
		80	+ {
		81	+ reloc_howto_type *howto = elf_x86_64_rtype_to_howto (abfd,
		82	+ from_type);
		83	+ _bfd_x86_elf_link_report_tls_invalid_section_error
		84	+ (abfd, sec, symtab_hdr, h, sym, howto);
		85	+ return false;
		86	+ }
		87	+
		88	/* Return TRUE if there is no transition. */
		89	if (from_type == to_type
		90	\|\| (from_type == R_X86_64_CODE_4_GOTTPOFF
		91	@@ -2748,6 +2758,16 @@ elf_x86_64_scan_relocs (bfd abfd, struct bfd_link_info info,
		92	break;
		93	}
		94
		95	+ if (tls_type >= GOT_TLS_GD
		96	+ && tls_type <= GOT_TLS_GDESC
		97	+ && (elf_section_type (sec) != SHT_PROGBITS
		98	+ \|\| (sec->flags & SEC_CODE) == 0))
		99	+ {
		100	+ _bfd_x86_elf_link_report_tls_invalid_section_error
		101	+ (abfd, sec, symtab_hdr, h, isym, howto);
		102	+ goto error_return;
		103	+ }
		104	+
		105	if (h != NULL)
		106	{
		107	h->got.refcount = 1;
		108	diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
		109	index 0d389968c91..d8c653a9ad2 100644
		110	--- a/bfd/elfxx-x86.c
		111	+++ b/bfd/elfxx-x86.c
		112	@@ -3348,6 +3348,26 @@ _bfd_x86_elf_link_report_tls_transition_error
		113	bfd_set_error (bfd_error_bad_value);
		114	}
		115
		116	+/* Report TLS invalid section error. */
		117	+
		118	+void
		119	+_bfd_x86_elf_link_report_tls_invalid_section_error
		120	+ (bfd abfd, asection sec, Elf_Internal_Shdr *symtab_hdr,
		121	+ struct elf_link_hash_entry h, Elf_Internal_Sym sym,
		122	+ reloc_howto_type *howto)
		123	+{
		124	+ const char *name;
		125	+ if (h)
		126	+ name = h->root.root.string;
		127	+ else
		128	+ name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL);
		129	+ _bfd_error_handler
		130	+ /* xgettext:c-format */
		131	+ (_("%pB: relocation %s against thread local symbol `%s' in "
		132	+ "invalid section `%pA'"), abfd, howto->name, name, sec);
		133	+ bfd_set_error (bfd_error_bad_value);
		134	+}
		135	+
		136	/* Return TRUE if symbol should be hashed in the `.gnu.hash' section. */
		137
		138	bool
		139	diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h
		140	index 1ebc9d2f2e5..f8a24a77577 100644
		141	--- a/bfd/elfxx-x86.h
		142	+++ b/bfd/elfxx-x86.h
		143	@@ -939,6 +939,10 @@ extern void _bfd_x86_elf_link_report_tls_transition_error
		144	const Elf_Internal_Rela , const char , const char *,
		145	enum elf_x86_tls_error_type);
		146
		147	+extern void _bfd_x86_elf_link_report_tls_invalid_section_error
		148	+ (bfd , asection , Elf_Internal_Shdr , struct elf_link_hash_entry ,
		149	+ Elf_Internal_Sym , reloc_howto_type );
		150	+
		151	#define bfd_elf64_mkobject \
		152	_bfd_x86_elf_mkobject
		153	#define bfd_elf32_mkobject \