2 files changed, 157 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 809c4207d4..0ca00552ce 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -39,5 +39,6 @@ SRC_URI = "\
     file://0016-CVE-2024-53589.patch \
     file://0017-dlltool-file-name-too-long.patch \
     file://0018-CVE-2025-0840.patch \
+     file://CVE-2025-1176.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch
new file mode 100644
index 0000000000..1ecf09569d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch
@@ -0,0 +1,156 @@
+From f9978defb6fab0bd8583942d97c112b0932ac814 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 5 Feb 2025 11:15:11 +0000
+Subject: [PATCH] Prevent illegal memory access when indexing into the
+ sym_hashes array of the elf bfd cookie structure.
+PR 32636
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1176.patch?h=applied/ubuntu/jammy-security&id=62a5cc5a49f4be036cf98d2b8fc7d618620ba672
+Upstream commit https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814]
+CVE: CVE-2025-1176
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+Index: binutils-2.38/bfd/elflink.c
+===================================================================
+--- binutils-2.38.orig/bfd/elflink.c
+++ binutils-2.38/bfd/elflink.c
+@@ -62,15 +62,16 @@ struct elf_find_verdep_info
+ static bool _bfd_elf_fix_symbol_flags
+   (struct elf_link_hash_entry *, struct elf_info_failed *);
+ 
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+-                            unsigned long r_symndx,
+-                            bool discard)
+static struct elf_link_hash_entry *
+get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+  struct elf_link_hash_entry *h = NULL;
+
+  if ((r_symndx >= cookie->locsymcount
+       || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+      /* Guard against corrupt input.  See PR 32636 for an example.  */
+      && r_symndx >= cookie->extsymoff)
+     {
+-      struct elf_link_hash_entry *h;
+ 
+       h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+ 
+@@ -78,6 +79,22 @@ _bfd_elf_section_for_symbol (struct elf_
+             || h->root.type == bfd_link_hash_warning)
+        h = (struct elf_link_hash_entry *) h->root.u.i.link;
+ 
+    }
+
+  return h;
+}
+ 
+asection *
+_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+                            unsigned long r_symndx,
+                            bool discard)
+{
+  struct elf_link_hash_entry *h;
+
+  h = get_ext_sym_hash (cookie, r_symndx);
+  
+  if (h != NULL)
+    {
+       if ((h->root.type == bfd_link_hash_defined
+           || h->root.type == bfd_link_hash_defweak)
+           && discarded_section (h->root.u.def.section))
+@@ -85,21 +102,20 @@ _bfd_elf_section_for_symbol (struct elf_
+       else
+        return NULL;
+     }
+-  else
+-    {
+-      /* It's not a relocation against a global symbol,
+-        but it could be a relocation against a local
+-        symbol for a discarded section.  */
+-      asection *isec;
+-      Elf_Internal_Sym *isym;
+ 
+-      /* Need to: get the symbol; get the section.  */
+-      isym = &cookie->locsyms[r_symndx];
+-      isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+-      if (isec != NULL
+-         && discard ? discarded_section (isec) : 1)
+-       return isec;
+-     }
+  /* It's not a relocation against a global symbol,
+     but it could be a relocation against a local
+     symbol for a discarded section.  */
+  asection *isec;
+  Elf_Internal_Sym *isym;
+
+  /* Need to: get the symbol; get the section.  */
+  isym = &cookie->locsyms[r_symndx];
+  isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+  if (isec != NULL
+      && discard ? discarded_section (isec) : 1)
+    return isec;
+
+   return NULL;
+ }
+ 
+@@ -13642,22 +13658,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_i
+   if (r_symndx == STN_UNDEF)
+     return NULL;
+ 
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+  h = get_ext_sym_hash (cookie, r_symndx);
+  
+  if (h != NULL)
+     {
+       bool was_marked;
+ 
+-      h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+-      if (h == NULL)
+-       {
+-         info->callbacks->einfo (_("%F%P: corrupt input: %pB\n"),
+-                                 sec->owner);
+-         return NULL;
+-       }
+-      while (h->root.type == bfd_link_hash_indirect
+-            || h->root.type == bfd_link_hash_warning)
+-       h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+       was_marked = h->mark;
+       h->mark = 1;
+       /* Keep all aliases of the symbol too.  If an object symbol
+@@ -14703,17 +14709,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma
+       if (r_symndx == STN_UNDEF)
+        return true;
+ 
+-      if (r_symndx >= rcookie->locsymcount
+-         || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+-       {
+-         struct elf_link_hash_entry *h;
+-
+-         h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
+-
+-         while (h->root.type == bfd_link_hash_indirect
+-                || h->root.type == bfd_link_hash_warning)
+-           h = (struct elf_link_hash_entry *) h->root.u.i.link;
+      struct elf_link_hash_entry *h;
+ 
+      h = get_ext_sym_hash (rcookie, r_symndx);
+      
+      if (h != NULL)
+       {
+          if ((h->root.type == bfd_link_hash_defined
+               || h->root.type == bfd_link_hash_defweak)
+              && (h->root.u.def.section->owner != rcookie->abfd
+@@ -14737,6 +14738,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma
+                  || discarded_section (isec)))
+            return true;
+        }
+
+       return false;
+     }
+   return false;

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 809c4207d4..0ca00552ce 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -39,5 +39,6 @@ SRC_URI = "\
39	file://0016-CVE-2024-53589.patch \	39	file://0016-CVE-2024-53589.patch \
40	file://0017-dlltool-file-name-too-long.patch \	40	file://0017-dlltool-file-name-too-long.patch \
41	file://0018-CVE-2025-0840.patch \	41	file://0018-CVE-2025-0840.patch \
		42	file://CVE-2025-1176.patch \
42	"	43	"
43	S = "${WORKDIR}/git"	44	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch new file mode 100644 index 0000000000..1ecf09569d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch
@@ -0,0 +1,156 @@
		1	From f9978defb6fab0bd8583942d97c112b0932ac814 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 5 Feb 2025 11:15:11 +0000
		4	Subject: [PATCH] Prevent illegal memory access when indexing into the
		5	sym_hashes array of the elf bfd cookie structure.
		6
		7	PR 32636
		8
		9	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/binutils/plain/debian/patches/CVE-2025-1176.patch?h=applied/ubuntu/jammy-security&id=62a5cc5a49f4be036cf98d2b8fc7d618620ba672
		10	Upstream commit https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814]
		11	CVE: CVE-2025-1176
		12	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		13
		14	Index: binutils-2.38/bfd/elflink.c
		15	===================================================================
		16	--- binutils-2.38.orig/bfd/elflink.c
		17	+++ binutils-2.38/bfd/elflink.c
		18	@@ -62,15 +62,16 @@ struct elf_find_verdep_info
		19	static bool _bfd_elf_fix_symbol_flags
		20	(struct elf_link_hash_entry , struct elf_info_failed );
		21
		22	-asection *
		23	-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
		24	- unsigned long r_symndx,
		25	- bool discard)
		26	+static struct elf_link_hash_entry *
		27	+get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		28	{
		29	- if (r_symndx >= cookie->locsymcount
		30	- \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		31	+ struct elf_link_hash_entry *h = NULL;
		32	+
		33	+ if ((r_symndx >= cookie->locsymcount
		34	+ \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		35	+ /* Guard against corrupt input. See PR 32636 for an example. */
		36	+ && r_symndx >= cookie->extsymoff)
		37	{
		38	- struct elf_link_hash_entry *h;
		39
		40	h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		41
		42	@@ -78,6 +79,22 @@ _bfd_elf_section_for_symbol (struct elf_
		43	\|\| h->root.type == bfd_link_hash_warning)
		44	h = (struct elf_link_hash_entry *) h->root.u.i.link;
		45
		46	+ }
		47	+
		48	+ return h;
		49	+}
		50	+
		51	+asection *
		52	+_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
		53	+ unsigned long r_symndx,
		54	+ bool discard)
		55	+{
		56	+ struct elf_link_hash_entry *h;
		57	+
		58	+ h = get_ext_sym_hash (cookie, r_symndx);
		59	+
		60	+ if (h != NULL)
		61	+ {
		62	if ((h->root.type == bfd_link_hash_defined
		63	\|\| h->root.type == bfd_link_hash_defweak)
		64	&& discarded_section (h->root.u.def.section))
		65	@@ -85,21 +102,20 @@ _bfd_elf_section_for_symbol (struct elf_
		66	else
		67	return NULL;
		68	}
		69	- else
		70	- {
		71	- /* It's not a relocation against a global symbol,
		72	- but it could be a relocation against a local
		73	- symbol for a discarded section. */
		74	- asection *isec;
		75	- Elf_Internal_Sym *isym;
		76
		77	- /* Need to: get the symbol; get the section. */
		78	- isym = &cookie->locsyms[r_symndx];
		79	- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
		80	- if (isec != NULL
		81	- && discard ? discarded_section (isec) : 1)
		82	- return isec;
		83	- }
		84	+ /* It's not a relocation against a global symbol,
		85	+ but it could be a relocation against a local
		86	+ symbol for a discarded section. */
		87	+ asection *isec;
		88	+ Elf_Internal_Sym *isym;
		89	+
		90	+ /* Need to: get the symbol; get the section. */
		91	+ isym = &cookie->locsyms[r_symndx];
		92	+ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
		93	+ if (isec != NULL
		94	+ && discard ? discarded_section (isec) : 1)
		95	+ return isec;
		96	+
		97	return NULL;
		98	}
		99
		100	@@ -13642,22 +13658,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_i
		101	if (r_symndx == STN_UNDEF)
		102	return NULL;
		103
		104	- if (r_symndx >= cookie->locsymcount
		105	- \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		106	+ h = get_ext_sym_hash (cookie, r_symndx);
		107	+
		108	+ if (h != NULL)
		109	{
		110	bool was_marked;
		111
		112	- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		113	- if (h == NULL)
		114	- {
		115	- info->callbacks->einfo (_("%F%P: corrupt input: %pB\n"),
		116	- sec->owner);
		117	- return NULL;
		118	- }
		119	- while (h->root.type == bfd_link_hash_indirect
		120	- \|\| h->root.type == bfd_link_hash_warning)
		121	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		122	-
		123	was_marked = h->mark;
		124	h->mark = 1;
		125	/* Keep all aliases of the symbol too. If an object symbol
		126	@@ -14703,17 +14709,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma
		127	if (r_symndx == STN_UNDEF)
		128	return true;
		129
		130	- if (r_symndx >= rcookie->locsymcount
		131	- \|\| ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		132	- {
		133	- struct elf_link_hash_entry *h;
		134	-
		135	- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
		136	-
		137	- while (h->root.type == bfd_link_hash_indirect
		138	- \|\| h->root.type == bfd_link_hash_warning)
		139	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		140	+ struct elf_link_hash_entry *h;
		141
		142	+ h = get_ext_sym_hash (rcookie, r_symndx);
		143	+
		144	+ if (h != NULL)
		145	+ {
		146	if ((h->root.type == bfd_link_hash_defined
		147	\|\| h->root.type == bfd_link_hash_defweak)
		148	&& (h->root.u.def.section->owner != rcookie->abfd
		149	@@ -14737,6 +14738,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma
		150	\|\| discarded_section (isec)))
		151	return true;
		152	}
		153	+
		154	return false;
		155	}
		156	return false;