binutils: fix CVE-2025-11081

CVE: CVE-2025-11081 Trying to dump .sframe in a PE file results in a segfault accessing elf_section_data. * objdump (dump_sframe_section, dump_dwarf_section): Don't access elf_section_type without first checking the file is ELF. PR 33406 SEGV in dump_dwarf_section [https://sourceware.org/bugzilla/show_bug.cgi?id=33406] Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b] (From OE-Core rev: d1eb65d2e9365f6bd2acf450496d3bfeda6aedc1) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yash Shinde <Yash.Shinde@windriver.com> 2025-10-10 04:59:11 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-10-13 18:01:04 +0100
commit: 932a695838b9e6800267d03ed3bf956dc0e1d932 (patch)
tree: 7acb31633d7928e69b15bec2d279aec3d59635c6 /meta/recipes-devtools/binutils
parent: bd0535ddf8ffbbafc557aa6541ad1015baa5ec16 (diff)
download: poky-932a695838b9e6800267d03ed3bf956dc0e1d932.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 9c82f65eca..e419d829c2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -36,4 +36,5 @@ SRC_URI = "\
     file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+     file://0015-CVE-2025-11081.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
new file mode 100644
index 0000000000..0e15a7d6c2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
@@ -0,0 +1,51 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+        * objdump (dump_sframe_section, dump_dwarf_section): Don't access
+        elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -4485,7 +4485,8 @@ dump_dwarf_section (bfd *abfd, asection *section,
+   else
+     match = name;
+ 
+-  if (elf_section_type (section) == SHT_GNU_SFRAME)
+  if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
+      && elf_section_type (section) == SHT_GNU_SFRAME)
+     match = ".sframe";
+ 
+   for (i = 0; i < max; i++)
+@@ -4993,9 +4994,10 @@ dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
+         SHT_GNU_SFRAME.  For SFrame sections from Binutils 2.44 or earlier,
+         check explcitly for SFrame sections of type SHT_PROGBITS and name
+         ".sframe" to allow them.  */
+-      else if (elf_section_type (sec) != SHT_GNU_SFRAME
+-              && !(elf_section_type (sec) == SHT_PROGBITS
+-                   && strcmp (sect_name, ".sframe") == 0))
+      else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
+              || (elf_section_type (sec) != SHT_GNU_SFRAME
+                  && !(elf_section_type (sec) == SHT_PROGBITS
+                       && strcmp (sect_name, ".sframe") == 0)))
+        {
+          printf (_("Section %s does not contain SFrame data\n\n"),
+                  sanitize_string (sect_name));
+-- 
+2.43.7
author	Yash Shinde <Yash.Shinde@windriver.com>	2025-10-10 04:59:11 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-10-13 18:01:04 +0100
commit	932a695838b9e6800267d03ed3bf956dc0e1d932 (patch)
tree	7acb31633d7928e69b15bec2d279aec3d59635c6 /meta/recipes-devtools/binutils
parent	bd0535ddf8ffbbafc557aa6541ad1015baa5ec16 (diff)
download	poky-932a695838b9e6800267d03ed3bf956dc0e1d932.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 9c82f65eca..e419d829c2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -36,4 +36,5 @@ SRC_URI = "\
36	file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \	36	file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
37	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \	37	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
38	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	38	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
		39	file://0015-CVE-2025-11081.patch \
39	"	40	"


diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch new file mode 100644 index 0000000000..0e15a7d6c2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
@@ -0,0 +1,51 @@
		1	From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 9 Sep 2025 18:32:09 +0930
		4	Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
		5
		6	Trying to dump .sframe in a PE file results in a segfault accessing
		7	elf_section_data.
		8
		9	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
		10	elf_section_type without first checking the file is ELF.
		11	---
		12	binutils/objdump.c \| 10 ++++++----
		13	1 file changed, 6 insertions(+), 4 deletions(-)
		14
		15	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
		16	CVE: CVE-2025-11081
		17
		18	Signed-off-by: Alan Modra <amodra@gmail.com>
		19	Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
		20
		21	diff --git a/binutils/objdump.c b/binutils/objdump.c
		22	index 290f7e51f66..ee8823da05a 100644
		23	--- a/binutils/objdump.c
		24	+++ b/binutils/objdump.c
		25	@@ -4485,7 +4485,8 @@ dump_dwarf_section (bfd abfd, asection section,
		26	else
		27	match = name;
		28
		29	- if (elf_section_type (section) == SHT_GNU_SFRAME)
		30	+ if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
		31	+ && elf_section_type (section) == SHT_GNU_SFRAME)
		32	match = ".sframe";
		33
		34	for (i = 0; i < max; i++)
		35	@@ -4993,9 +4994,10 @@ dump_sframe_section (bfd abfd, const char sect_name, bool is_mainfile)
		36	SHT_GNU_SFRAME. For SFrame sections from Binutils 2.44 or earlier,
		37	check explcitly for SFrame sections of type SHT_PROGBITS and name
		38	".sframe" to allow them. */
		39	- else if (elf_section_type (sec) != SHT_GNU_SFRAME
		40	- && !(elf_section_type (sec) == SHT_PROGBITS
		41	- && strcmp (sect_name, ".sframe") == 0))
		42	+ else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
		43	+ \|\| (elf_section_type (sec) != SHT_GNU_SFRAME
		44	+ && !(elf_section_type (sec) == SHT_PROGBITS
		45	+ && strcmp (sect_name, ".sframe") == 0)))
		46	{
		47	printf (_("Section %s does not contain SFrame data\n\n"),
		48	sanitize_string (sect_name));
		49	--
		50	2.43.7
		51