binutils: patch CVE-2025-1178 & CVE-2024-57360

Backport Fixes for: *CVE-2025-1178 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0] *CVE-2024-57360 - Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=5f8987d3999edb26e757115fe87be55787d510b9] (From OE-Core rev: 15a7f68ce14f635acf9b988fc1958ee625de4e11) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2025-04-15 14:28:39 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-04-19 14:42:10 -0700
commit: 757102953a852d23a11710daa4ecb038e64c5e24 (patch)
tree: 12bbf74dd10ab2150340bd7d5927d4603c6d0385 /meta/recipes-devtools/binutils
parent: d13450d71377643de575a3fc7b91867e73d3ea85 (diff)
download: poky-757102953a852d23a11710daa4ecb038e64c5e24.tar.gz
3 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 0ca00552ce..d366350556 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -40,5 +40,7 @@ SRC_URI = "\
     file://0017-dlltool-file-name-too-long.patch \
     file://0018-CVE-2025-0840.patch \
     file://CVE-2025-1176.patch \
+     file://CVE-2025-1178.patch \
+     file://CVE-2024-57360.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch
new file mode 100644
index 0000000000..6d9720414b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch
@@ -0,0 +1,75 @@
+From 5f8987d3999edb26e757115fe87be55787d510b9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 17 Dec 2024 09:18:57 +0000
+Subject: [PATCH] nm: Avoid potential segmentation fault when displaying
+ symbols without version info.
+PR 32467
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
+CVE: CVE-2024-57360
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ binutils/nm.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+diff --git a/binutils/nm.c b/binutils/nm.c
+index faf27c59b4d..0ba7604d34f 100644
+--- a/binutils/nm.c
+++ b/binutils/nm.c
+@@ -682,7 +682,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+               const char *name, bfd *abfd)
+ {
+   char *alloc = NULL;
+-  char *atver = NULL;
+  char *atname = NULL;
+ 
+   if (name == NULL)
+     name = info->sinfo->name;
+@@ -690,9 +690,19 @@ print_symname (const char *form, struct extended_symbol_info *info,
+   if (!with_symbol_versions
+       && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+     {
+-      atver = strchr (name, '@');
+      char *atver = strchr (name, '@');
+
+       if (atver)
+-       *atver = 0;
+       {
+         /* PR 32467 - Corrupt binaries might include an @ character in a
+            symbol name.  Since non-versioned symbol names can be in
+            read-only memory (via memory mapping of a file's contents) we
+            cannot just replace the @ character with a NUL.  Instead we
+            create a truncated copy of the name.  */
+         atname = xstrdup (name);
+         atname [atver - name] = 0;
+         name = atname;
+       }
+     }
+ 
+   if (do_demangle && *name)
+@@ -703,9 +713,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+     }
+ 
+   if (unicode_display != unicode_default)
+-    {
+-      name = convert_utf8 (name);
+-    }
+    name = convert_utf8 (name);
+ 
+   if (info != NULL && info->elfinfo && with_symbol_versions)
+     {
+@@ -726,8 +734,8 @@ print_symname (const char *form, struct extended_symbol_info *info,
+        }
+     }
+   printf (form, name);
+-  if (atver)
+-    *atver = '@';
+
+  free (atname);
+   free (alloc);
+ }
+ 
+-- 
+2.43.5
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch
new file mode 100644
index 0000000000..a68a5e1c3c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch
@@ -0,0 +1,38 @@
+From 75086e9de1707281172cc77f178e7949a4414ed0 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 5 Feb 2025 13:26:51 +0000
+Subject: [PATCH] Prevent an abort in the bfd linker when attempting to
+ generate dynamic relocs for a corrupt input file.
+PR 32638
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
+CVE: CVE-2025-1178
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ bfd/elf64-x86-64.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 61334c3ab04..32db254ba6c 100644
+--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
+@@ -5303,6 +5303,15 @@ elf_x86_64_finish_dynamic_symbol (bfd *output_bfd,
+ 
+       if (generate_dynamic_reloc)
+        {
+         /* If the relgot section has not been created, then
+            generate an error instead of a reloc.  cf PR 32638.  */
+         if (relgot == NULL || relgot->size == 0)
+           {
+             info->callbacks->einfo (_("%F%pB: Unable to generate dynamic relocs because a suitable section does not exist\n"),
+                                       output_bfd);
+             return false;
+           }
+         
+          if (relative_reloc_name != NULL
+              && htab->params->report_relative_reloc)
+            _bfd_x86_elf_link_report_relative_reloc
+-- 
+2.43.5
author	Ashish Sharma <asharma@mvista.com>	2025-04-15 14:28:39 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-04-19 14:42:10 -0700
commit	757102953a852d23a11710daa4ecb038e64c5e24 (patch)
tree	12bbf74dd10ab2150340bd7d5927d4603c6d0385 /meta/recipes-devtools/binutils
parent	d13450d71377643de575a3fc7b91867e73d3ea85 (diff)
download	poky-757102953a852d23a11710daa4ecb038e64c5e24.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 0ca00552ce..d366350556 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -40,5 +40,7 @@ SRC_URI = "\
40	file://0017-dlltool-file-name-too-long.patch \	40	file://0017-dlltool-file-name-too-long.patch \
41	file://0018-CVE-2025-0840.patch \	41	file://0018-CVE-2025-0840.patch \
42	file://CVE-2025-1176.patch \	42	file://CVE-2025-1176.patch \
		43	file://CVE-2025-1178.patch \
		44	file://CVE-2024-57360.patch \
43	"	45	"
44	S = "${WORKDIR}/git"	46	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch new file mode 100644 index 0000000000..6d9720414b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch
@@ -0,0 +1,75 @@
		1	From 5f8987d3999edb26e757115fe87be55787d510b9 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 17 Dec 2024 09:18:57 +0000
		4	Subject: [PATCH] nm: Avoid potential segmentation fault when displaying
		5	symbols without version info.
		6
		7	PR 32467
		8
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
		10	CVE: CVE-2024-57360
		11	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		12
		13	binutils/nm.c \| 24 ++++++++++++++++--------
		14	1 file changed, 16 insertions(+), 8 deletions(-)
		15
		16	diff --git a/binutils/nm.c b/binutils/nm.c
		17	index faf27c59b4d..0ba7604d34f 100644
		18	--- a/binutils/nm.c
		19	+++ b/binutils/nm.c
		20	@@ -682,7 +682,7 @@ print_symname (const char form, struct extended_symbol_info info,
		21	const char name, bfd abfd)
		22	{
		23	char *alloc = NULL;
		24	- char *atver = NULL;
		25	+ char *atname = NULL;
		26
		27	if (name == NULL)
		28	name = info->sinfo->name;
		29	@@ -690,9 +690,19 @@ print_symname (const char form, struct extended_symbol_info info,
		30	if (!with_symbol_versions
		31	&& bfd_get_flavour (abfd) == bfd_target_elf_flavour)
		32	{
		33	- atver = strchr (name, '@');
		34	+ char *atver = strchr (name, '@');
		35	+
		36	if (atver)
		37	- *atver = 0;
		38	+ {
		39	+ /* PR 32467 - Corrupt binaries might include an @ character in a
		40	+ symbol name. Since non-versioned symbol names can be in
		41	+ read-only memory (via memory mapping of a file's contents) we
		42	+ cannot just replace the @ character with a NUL. Instead we
		43	+ create a truncated copy of the name. */
		44	+ atname = xstrdup (name);
		45	+ atname [atver - name] = 0;
		46	+ name = atname;
		47	+ }
		48	}
		49
		50	if (do_demangle && *name)
		51	@@ -703,9 +713,7 @@ print_symname (const char form, struct extended_symbol_info info,
		52	}
		53
		54	if (unicode_display != unicode_default)
		55	- {
		56	- name = convert_utf8 (name);
		57	- }
		58	+ name = convert_utf8 (name);
		59
		60	if (info != NULL && info->elfinfo && with_symbol_versions)
		61	{
		62	@@ -726,8 +734,8 @@ print_symname (const char form, struct extended_symbol_info info,
		63	}
		64	}
		65	printf (form, name);
		66	- if (atver)
		67	- *atver = '@';
		68	+
		69	+ free (atname);
		70	free (alloc);
		71	}
		72
		73	--
		74	2.43.5
		75


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch new file mode 100644 index 0000000000..a68a5e1c3c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch
@@ -0,0 +1,38 @@
		1	From 75086e9de1707281172cc77f178e7949a4414ed0 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 5 Feb 2025 13:26:51 +0000
		4	Subject: [PATCH] Prevent an abort in the bfd linker when attempting to
		5	generate dynamic relocs for a corrupt input file.
		6
		7	PR 32638
		8
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
		10	CVE: CVE-2025-1178
		11	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		12
		13	bfd/elf64-x86-64.c \| 9 +++++++++
		14	1 file changed, 9 insertions(+)
		15
		16	diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
		17	index 61334c3ab04..32db254ba6c 100644
		18	--- a/bfd/elf64-x86-64.c
		19	+++ b/bfd/elf64-x86-64.c
		20	@@ -5303,6 +5303,15 @@ elf_x86_64_finish_dynamic_symbol (bfd *output_bfd,
		21
		22	if (generate_dynamic_reloc)
		23	{
		24	+ /* If the relgot section has not been created, then
		25	+ generate an error instead of a reloc. cf PR 32638. */
		26	+ if (relgot == NULL \|\| relgot->size == 0)
		27	+ {
		28	+ info->callbacks->einfo (_("%F%pB: Unable to generate dynamic relocs because a suitable section does not exist\n"),
		29	+ output_bfd);
		30	+ return false;
		31	+ }
		32	+
		33	if (relative_reloc_name != NULL
		34	&& htab->params->report_relative_reloc)
		35	_bfd_x86_elf_link_report_relative_reloc
		36	--
		37	2.43.5
		38