elfutils: Fix CVE-2025-1365

A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1365 https://ubuntu.com/security/CVE-2025-1365 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81 (From OE-Core rev: deb03581745a0722e1a52a8d4ee63cdc863ad014) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2025-08-13 17:40:58 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-08-26 06:33:14 -0700
commit: 17c3ea7ff835e73d7975d0ba29a0a162e3c8b51a (patch)
tree: e186ccc604dc1b58e5f5eb02c150e6f3c214e6b8 /meta
parent: 26ec7d6e30b778e8bc24d3b0263c58a4361a185a (diff)
download: poky-17c3ea7ff835e73d7975d0ba29a0a162e3c8b51a.tar.gz
2 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
index 829d9bf94f..ff40ba64ec 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
           file://0001-config-eu.am-do-not-force-Werror.patch \
           file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \
           file://CVE-2025-1352.patch \
+           file://CVE-2025-1365.patch \
           "
 SRC_URI:append:libc-musl = " \
           file://0003-musl-utils.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch
new file mode 100644
index 0000000000..b779685efd
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch
@@ -0,0 +1,152 @@
+From 5e5c0394d82c53e97750fe7b18023e6f84157b81 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sat, 8 Feb 2025 21:44:56 +0100
+Subject: [PATCH] libelf, readelf: Use validate_str also to check dynamic
+ symstr data
+When dynsym/str was read through eu-readelf --dynamic by readelf
+process_symtab the string data was not validated, possibly printing
+unallocated memory past the end of the symstr data. Fix this by
+turning the elf_strptr validate_str function into a generic
+lib/system.h helper function and use it in readelf to validate the
+strings before use.
+        * libelf/elf_strptr.c (validate_str): Remove to...
+        * lib/system.h (validate_str): ... here. Make inline, simplify
+        check and document.
+        * src/readelf.c (process_symtab): Use validate_str on symstr_data.
+https://sourceware.org/bugzilla/show_bug.cgi?id=32654
+CVE: CVE-2025-1365
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81]
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ lib/system.h        | 27 +++++++++++++++++++++++++++
+ libelf/elf_strptr.c | 18 ------------------
+ src/readelf.c       | 18 +++++++++++++++---
+ 3 files changed, 42 insertions(+), 21 deletions(-)
+diff --git a/lib/system.h b/lib/system.h
+index 0db12d9..0698e5f 100644
+--- a/lib/system.h
+++ b/lib/system.h
+@@ -34,6 +34,7 @@
+ #include <config.h>
+ 
+ #include <errno.h>
+#include <stdbool.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -117,6 +118,32 @@ startswith (const char *str, const char *prefix)
+   return strncmp (str, prefix, strlen (prefix)) == 0;
+ }
+ 
+/* Return TRUE if STR[FROM] is a valid string with a zero terminator
+   at or before STR[TO - 1].  Note FROM is an index into the STR
+   array, while TO is the maximum size of the STR array.  This
+   function returns FALSE when TO is zero or FROM >= TO.  */
+static inline bool
+validate_str (const char *str, size_t from, size_t to)
+{
+#if HAVE_DECL_MEMRCHR
+  // Check end first, which is likely a zero terminator,
+  // to prevent function call
+  return (to > 0
+         && (str[to - 1] == '\0'
+             || (to > from
+                 && memrchr (&str[from], '\0', to - from - 1) != NULL)));
+#else
+  do {
+    if (to <= from)
+      return false;
+
+    to--;
+  } while (str[to]);
+
+  return true;
+#endif
+}
+
+ /* A special gettext function we use if the strings are too short.  */
+ #define sgettext(Str) \
+   ({ const char *__res = strrchr (_(Str), '|');                              \
+diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
+index 79a24d2..c5a94f8 100644
+--- a/libelf/elf_strptr.c
+++ b/libelf/elf_strptr.c
+@@ -53,24 +53,6 @@ get_zdata (Elf_Scn *strscn)
+   return zdata;
+ }
+ 
+-static bool validate_str (const char *str, size_t from, size_t to)
+-{
+-#if HAVE_DECL_MEMRCHR
+-  // Check end first, which is likely a zero terminator, to prevent function call
+-  return ((to > 0 && str[to - 1]  == '\0')
+-         || (to - from > 0 && memrchr (&str[from], '\0', to - from - 1) != NULL));
+-#else
+-  do {
+-    if (to <= from)
+-      return false;
+-
+-    to--;
+-  } while (str[to]);
+-
+-  return true;
+-#endif
+-}
+-
+ char *
+ elf_strptr (Elf *elf, size_t idx, size_t offset)
+ {
+diff --git a/src/readelf.c b/src/readelf.c
+index 3e97b64..105cddf 100644
+--- a/src/readelf.c
+++ b/src/readelf.c
+@@ -2639,6 +2639,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+       char typebuf[64];
+       char bindbuf[64];
+       char scnbuf[64];
+      const char *sym_name;
+       Elf32_Word xndx;
+       GElf_Sym sym_mem;
+       GElf_Sym *sym
+@@ -2650,6 +2651,19 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+       /* Determine the real section index.  */
+       if (likely (sym->st_shndx != SHN_XINDEX))
+         xndx = sym->st_shndx;
+      if (use_dynamic_segment == true)
+       {
+         if (validate_str (symstr_data->d_buf, sym->st_name,
+                           symstr_data->d_size))
+           sym_name = (char *)symstr_data->d_buf + sym->st_name;
+         else
+           sym_name = NULL;
+       }
+      else
+       sym_name = elf_strptr (ebl->elf, idx, sym->st_name);
+
+      if (sym_name == NULL)
+       sym_name = "???";
+ 
+       printf (_ ("\
+ %5u: %0*" PRIx64 " %6" PRId64 " %-7s %-6s %-9s %6s %s"),
+@@ -2662,9 +2676,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
+               get_visibility_type (GELF_ST_VISIBILITY (sym->st_other)),
+               ebl_section_name (ebl, sym->st_shndx, xndx, scnbuf,
+                                 sizeof (scnbuf), NULL, shnum),
+-              use_dynamic_segment == true
+-                  ? (char *)symstr_data->d_buf + sym->st_name
+-                  : elf_strptr (ebl->elf, idx, sym->st_name));
+              sym_name);
+ 
+       if (versym_data != NULL)
+         {
+-- 
+2.43.2
author	Soumya Sambu <soumya.sambu@windriver.com>	2025-08-13 17:40:58 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-08-26 06:33:14 -0700
commit	17c3ea7ff835e73d7975d0ba29a0a162e3c8b51a (patch)
tree	e186ccc604dc1b58e5f5eb02c150e6f3c214e6b8 /meta
parent	26ec7d6e30b778e8bc24d3b0263c58a4361a185a (diff)
download	poky-17c3ea7ff835e73d7975d0ba29a0a162e3c8b51a.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 829d9bf94f..ff40ba64ec 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
23	file://0001-config-eu.am-do-not-force-Werror.patch \	23	file://0001-config-eu.am-do-not-force-Werror.patch \
24	file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \	24	file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \
25	file://CVE-2025-1352.patch \	25	file://CVE-2025-1352.patch \
		26	file://CVE-2025-1365.patch \
26	"	27	"
27	SRC_URI:append:libc-musl = " \	28	SRC_URI:append:libc-musl = " \
28	file://0003-musl-utils.patch \	29	file://0003-musl-utils.patch \


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch new file mode 100644 index 0000000000..b779685efd --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch
@@ -0,0 +1,152 @@
		1	From 5e5c0394d82c53e97750fe7b18023e6f84157b81 Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Sat, 8 Feb 2025 21:44:56 +0100
		4	Subject: [PATCH] libelf, readelf: Use validate_str also to check dynamic
		5	symstr data
		6
		7	When dynsym/str was read through eu-readelf --dynamic by readelf
		8	process_symtab the string data was not validated, possibly printing
		9	unallocated memory past the end of the symstr data. Fix this by
		10	turning the elf_strptr validate_str function into a generic
		11	lib/system.h helper function and use it in readelf to validate the
		12	strings before use.
		13
		14	* libelf/elf_strptr.c (validate_str): Remove to...
		15	* lib/system.h (validate_str): ... here. Make inline, simplify
		16	check and document.
		17	* src/readelf.c (process_symtab): Use validate_str on symstr_data.
		18
		19	https://sourceware.org/bugzilla/show_bug.cgi?id=32654
		20
		21	CVE: CVE-2025-1365
		22
		23	Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81]
		24
		25	Signed-off-by: Mark Wielaard <mark@klomp.org>
		26	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		27	---
		28	lib/system.h \| 27 +++++++++++++++++++++++++++
		29	libelf/elf_strptr.c \| 18 ------------------
		30	src/readelf.c \| 18 +++++++++++++++---
		31	3 files changed, 42 insertions(+), 21 deletions(-)
		32
		33	diff --git a/lib/system.h b/lib/system.h
		34	index 0db12d9..0698e5f 100644
		35	--- a/lib/system.h
		36	+++ b/lib/system.h
		37	@@ -34,6 +34,7 @@
		38	#include <config.h>
		39
		40	#include <errno.h>
		41	+#include <stdbool.h>
		42	#include <stddef.h>
		43	#include <stdint.h>
		44	#include <string.h>
		45	@@ -117,6 +118,32 @@ startswith (const char str, const char prefix)
		46	return strncmp (str, prefix, strlen (prefix)) == 0;
		47	}
		48
		49	+/* Return TRUE if STR[FROM] is a valid string with a zero terminator
		50	+ at or before STR[TO - 1]. Note FROM is an index into the STR
		51	+ array, while TO is the maximum size of the STR array. This
		52	+ function returns FALSE when TO is zero or FROM >= TO. */
		53	+static inline bool
		54	+validate_str (const char *str, size_t from, size_t to)
		55	+{
		56	+#if HAVE_DECL_MEMRCHR
		57	+ // Check end first, which is likely a zero terminator,
		58	+ // to prevent function call
		59	+ return (to > 0
		60	+ && (str[to - 1] == '\0'
		61	+ \|\| (to > from
		62	+ && memrchr (&str[from], '\0', to - from - 1) != NULL)));
		63	+#else
		64	+ do {
		65	+ if (to <= from)
		66	+ return false;
		67	+
		68	+ to--;
		69	+ } while (str[to]);
		70	+
		71	+ return true;
		72	+#endif
		73	+}
		74	+
		75	/* A special gettext function we use if the strings are too short. */
		76	#define sgettext(Str) \
		77	({ const char *__res = strrchr (_(Str), '\|'); \
		78	diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
		79	index 79a24d2..c5a94f8 100644
		80	--- a/libelf/elf_strptr.c
		81	+++ b/libelf/elf_strptr.c
		82	@@ -53,24 +53,6 @@ get_zdata (Elf_Scn *strscn)
		83	return zdata;
		84	}
		85
		86	-static bool validate_str (const char *str, size_t from, size_t to)
		87	-{
		88	-#if HAVE_DECL_MEMRCHR
		89	- // Check end first, which is likely a zero terminator, to prevent function call
		90	- return ((to > 0 && str[to - 1] == '\0')
		91	- \|\| (to - from > 0 && memrchr (&str[from], '\0', to - from - 1) != NULL));
		92	-#else
		93	- do {
		94	- if (to <= from)
		95	- return false;
		96	-
		97	- to--;
		98	- } while (str[to]);
		99	-
		100	- return true;
		101	-#endif
		102	-}
		103	-
		104	char *
		105	elf_strptr (Elf *elf, size_t idx, size_t offset)
		106	{
		107	diff --git a/src/readelf.c b/src/readelf.c
		108	index 3e97b64..105cddf 100644
		109	--- a/src/readelf.c
		110	+++ b/src/readelf.c
		111	@@ -2639,6 +2639,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
		112	char typebuf[64];
		113	char bindbuf[64];
		114	char scnbuf[64];
		115	+ const char *sym_name;
		116	Elf32_Word xndx;
		117	GElf_Sym sym_mem;
		118	GElf_Sym *sym
		119	@@ -2650,6 +2651,19 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
		120	/* Determine the real section index. */
		121	if (likely (sym->st_shndx != SHN_XINDEX))
		122	xndx = sym->st_shndx;
		123	+ if (use_dynamic_segment == true)
		124	+ {
		125	+ if (validate_str (symstr_data->d_buf, sym->st_name,
		126	+ symstr_data->d_size))
		127	+ sym_name = (char *)symstr_data->d_buf + sym->st_name;
		128	+ else
		129	+ sym_name = NULL;
		130	+ }
		131	+ else
		132	+ sym_name = elf_strptr (ebl->elf, idx, sym->st_name);
		133	+
		134	+ if (sym_name == NULL)
		135	+ sym_name = "???";
		136
		137	printf (_ ("\
		138	%5u: %0*" PRIx64 " %6" PRId64 " %-7s %-6s %-9s %6s %s"),
		139	@@ -2662,9 +2676,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx,
		140	get_visibility_type (GELF_ST_VISIBILITY (sym->st_other)),
		141	ebl_section_name (ebl, sym->st_shndx, xndx, scnbuf,
		142	sizeof (scnbuf), NULL, shnum),
		143	- use_dynamic_segment == true
		144	- ? (char *)symstr_data->d_buf + sym->st_name
		145	- : elf_strptr (ebl->elf, idx, sym->st_name));
		146	+ sym_name);
		147
		148	if (versym_data != NULL)
		149	{
		150	--
		151	2.43.2
		152