summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.186.bb1
-rw-r--r--meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch58
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.186.bb b/meta/recipes-devtools/elfutils/elfutils_0.186.bb
index b945766b75..9f0fb43d50 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.186.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.186.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
25 file://0001-debuginfod-debuginfod-client.c-use-long-for-cache-ti.patch \ 25 file://0001-debuginfod-debuginfod-client.c-use-long-for-cache-ti.patch \
26 file://CVE-2025-1352.patch \ 26 file://CVE-2025-1352.patch \
27 file://CVE-2025-1372.patch \ 27 file://CVE-2025-1372.patch \
28 file://CVE-2025-1376.patch \
28 " 29 "
29SRC_URI:append:libc-musl = " \ 30SRC_URI:append:libc-musl = " \
30 file://0003-musl-utils.patch \ 31 file://0003-musl-utils.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
new file mode 100644
index 0000000000..1f40add305
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
@@ -0,0 +1,58 @@
1From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001
2From: Mark Wielaard <mark@klomp.org>
3Date: Thu, 13 Feb 2025 00:02:32 +0100
4Subject: [PATCH] libelf: Handle elf_strptr on section without any data
5
6In the unlikely situation that elf_strptr was called on a section with
7sh_size already set, but that doesn't have any data yet we could crash
8trying to verify the string to return.
9
10This could happen for example when a new section was created with
11elf_newscn, but no data having been added yet.
12
13 * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
14 is not NULL.
15
16https://sourceware.org/bugzilla/show_bug.cgi?id=32672
17
18Signed-off-by: Mark Wielaard <mark@klomp.org>
19
20CVE: CVE-2025-1376
21
22Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918]
23
24Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
25---
26 libelf/elf_strptr.c | 10 +++++++---
27 1 file changed, 7 insertions(+), 3 deletions(-)
28
29diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c
30index c5a94f8..7be7f5e 100644
31--- a/libelf/elf_strptr.c
32+++ b/libelf/elf_strptr.c
33@@ -1,5 +1,6 @@
34 /* Return string pointer from string section.
35 Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc.
36+ Copyright (C) 2025 Mark J. Wielaard <mark@klomp.org>
37 This file is part of elfutils.
38 Contributed by Ulrich Drepper <drepper@redhat.com>, 1998.
39
40@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset)
41 // initialized yet (when data_read is zero). So we cannot just
42 // look at the rawdata.d.d_size.
43
44- /* Make sure the string is NUL terminated. Start from the end,
45- which very likely is a NUL char. */
46- if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
47+ /* First check there actually is any data. This could be a new
48+ section which hasn't had any data set yet. Then make sure
49+ the string is at a valid offset and NUL terminated. */
50+ if (unlikely (strscn->rawdata_base == NULL))
51+ __libelf_seterrno (ELF_E_INVALID_SECTION);
52+ else if (likely (validate_str (strscn->rawdata_base, offset, sh_size)))
53 result = &strscn->rawdata_base[offset];
54 else
55 __libelf_seterrno (ELF_E_INVALID_INDEX);
56--
572.40.0
58