3 files changed, 480 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
index 7d1de61e10..5838b2ebeb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.44.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -38,5 +38,7 @@ SRC_URI = "\
     file://0015-CVE-2025-1178.patch \
     file://CVE-2025-1180.patch \
     file://CVE-2025-1182.patch \
+     file://0016-CVE-2025-1181-1.patch \
+     file://0017-CVE-2025-1181-2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch
new file mode 100644
index 0000000000..d3709c7a4f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch
@@ -0,0 +1,141 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 5 Feb 2025 14:31:10 +0000
+Prevent illegal memory access when checking relocs in a corrupt ELF binary.
+PR 32641
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=18cc11a2771d9e40180485da9a4fb660c03efac3]
+CVE: CVE-2025-1181
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
+index 785a37dd7fd..d2bf8e5cbae 100644
+--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
+@@ -3150,6 +3150,9 @@ extern bool _bfd_elf_link_mmap_section_contents
+ extern void _bfd_elf_link_munmap_section_contents
+   (asection *);
+ 
+extern struct elf_link_hash_entry * _bfd_elf_get_link_hash_entry
+  (struct elf_link_hash_entry **, unsigned int, Elf_Internal_Shdr *);
+
+ /* Large common section.  */
+ extern asection _bfd_elf_large_com_section;
+ 
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 32db254ba6c..2d82c6583c3 100644
+--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
+@@ -1744,7 +1744,7 @@ elf_x86_64_convert_load_reloc (bfd *abfd,
+   bool to_reloc_pc32;
+   bool abs_symbol;
+   bool local_ref;
+-  asection *tsec;
+  asection *tsec = NULL;
+   bfd_signed_vma raddend;
+   unsigned int opcode;
+   unsigned int modrm;
+@@ -1910,6 +1910,9 @@ elf_x86_64_convert_load_reloc (bfd *abfd,
+        return true;
+     }
+ 
+  if (tsec == NULL)
+    return false;
+
+   /* Don't convert GOTPCREL relocation against large section.  */
+   if (elf_section_data (tsec) !=  NULL
+       && (elf_section_flags (tsec) & SHF_X86_64_LARGE) != 0)
+@@ -2206,10 +2209,7 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
+       else
+        {
+          isym = NULL;
+-         h = sym_hashes[r_symndx - symtab_hdr->sh_info];
+-         while (h->root.type == bfd_link_hash_indirect
+-                || h->root.type == bfd_link_hash_warning)
+-           h = (struct elf_link_hash_entry *) h->root.u.i.link;
+         h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
+        }
+ 
+       /* Check invalid x32 relocations.  */
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 1f1263007c0..eafbd133ff5 100644
+--- a/bfd/elflink.c
+++ b/bfd/elflink.c
+@@ -96,6 +96,27 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
+   return true;
+ }
+ 
+struct elf_link_hash_entry *
+_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry **  sym_hashes,
+                             unsigned int                   symndx,
+                             Elf_Internal_Shdr *            symtab_hdr)
+{
+  if (symndx < symtab_hdr->sh_info)
+    return NULL;
+
+  struct elf_link_hash_entry *h = sym_hashes[symndx - symtab_hdr->sh_info];
+
+  /* The hash might be empty.  See PR 32641 for an example of this.  */
+  if (h == NULL)
+    return NULL;
+
+  while (h->root.type == bfd_link_hash_indirect
+        || h->root.type == bfd_link_hash_warning)
+    h = (struct elf_link_hash_entry *) h->root.u.i.link;
+
+  return h;
+}
+
+ static struct elf_link_hash_entry *
+ get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+@@ -108,6 +129,9 @@ get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+     {
+       h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+ 
+      if (h == NULL)
+       return NULL;
+
+       while (h->root.type == bfd_link_hash_indirect
+             || h->root.type == bfd_link_hash_warning)
+        h = (struct elf_link_hash_entry *) h->root.u.i.link;
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index 8e5a005fd36..832a5495eb1 100644
+--- a/bfd/elfxx-x86.c
+++ b/bfd/elfxx-x86.c
+@@ -973,15 +973,7 @@ _bfd_x86_elf_check_relocs (bfd *abfd,
+          goto error_return;
+        }
+ 
+-      if (r_symndx < symtab_hdr->sh_info)
+-       h = NULL;
+-      else
+-       {
+-         h = sym_hashes[r_symndx - symtab_hdr->sh_info];
+-         while (h->root.type == bfd_link_hash_indirect
+-                || h->root.type == bfd_link_hash_warning)
+-           h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-       }
+      h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
+ 
+       if (X86_NEED_DYNAMIC_RELOC_TYPE_P (is_x86_64, r_type)
+          && NEED_DYNAMIC_RELOCATION_P (is_x86_64, info, true, h, sec,
+@@ -1209,10 +1201,12 @@ _bfd_x86_elf_link_relax_section (bfd *abfd ATTRIBUTE_UNUSED,
+       else
+        {
+          /* Get H and SEC for GENERATE_DYNAMIC_RELOCATION_P below.  */
+-         h = sym_hashes[r_symndx - symtab_hdr->sh_info];
+-         while (h->root.type == bfd_link_hash_indirect
+-                || h->root.type == bfd_link_hash_warning)
+-           h = (struct elf_link_hash_entry *) h->root.u.i.link;
+         h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
+         if (h == NULL)
+           {
+             /* FIXMEL: Issue an error message ?  */
+             continue;
+           }
+ 
+          if (h->root.type == bfd_link_hash_defined
+              || h->root.type == bfd_link_hash_defweak)
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch
new file mode 100644
index 0000000000..5af743582f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch
@@ -0,0 +1,337 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 5 Feb 2025 15:43:04 +0000
+Add even more checks for corrupt input when processing
+relocations for ELF files.
+PR 32643
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=931494c9a89558acb36a03a340c01726545eef24]
+CVE: CVE-2025-1181
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index fd423d61..91cd7c28 100644
+--- a/bfd/elflink.c
+++ b/bfd/elflink.c
+@@ -96,15 +96,17 @@
+   return true;
+ }
+ 
+-struct elf_link_hash_entry *
+-_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry **  sym_hashes,
+-                             unsigned int                   symndx,
+-                             Elf_Internal_Shdr *            symtab_hdr)
+static struct elf_link_hash_entry *
+get_link_hash_entry (struct elf_link_hash_entry **  sym_hashes,
+                    unsigned int                   symndx,
+                    unsigned int                   ext_sym_start)
+ {
+-  if (symndx < symtab_hdr->sh_info)
+  if (sym_hashes == NULL
+      /* Guard against corrupt input.  See PR 32636 for an example.  */
+      || symndx < ext_sym_start)
+     return NULL;
+ 
+-  struct elf_link_hash_entry *h = sym_hashes[symndx - symtab_hdr->sh_info];
+  struct elf_link_hash_entry *h = sym_hashes[symndx - ext_sym_start];
+ 
+   /* The hash might be empty.  See PR 32641 for an example of this.  */
+   if (h == NULL)
+@@ -117,27 +119,28 @@
+   return h;
+ }
+ 
+-static struct elf_link_hash_entry *
+-get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+struct elf_link_hash_entry *
+_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry **  sym_hashes,
+                             unsigned int                   symndx,
+                             Elf_Internal_Shdr *            symtab_hdr)
+ {
+-  struct elf_link_hash_entry *h = NULL;
+-
+-  if ((r_symndx >= cookie->locsymcount
+-       || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+-      /* Guard against corrupt input.  See PR 32636 for an example.  */
+-      && r_symndx >= cookie->extsymoff)
+-    {
+-      h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+  if (symtab_hdr == NULL)
+    return NULL;
+ 
+-      if (h == NULL)
+-       return NULL;
+  return get_link_hash_entry (sym_hashes, symndx, symtab_hdr->sh_info);
+}
+ 
+-      while (h->root.type == bfd_link_hash_indirect
+-            || h->root.type == bfd_link_hash_warning)
+-       h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-    }
+static struct elf_link_hash_entry *
+get_ext_sym_hash_from_cookie (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+{
+  if (cookie == NULL || cookie->sym_hashes == NULL)
+    return NULL;
+  
+  if (r_symndx >= cookie->locsymcount
+      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+    return get_link_hash_entry (cookie->sym_hashes, r_symndx, cookie->extsymoff);
+ 
+-  return h;
+  return NULL;
+ }
+ 
+ asection *
+@@ -147,7 +150,7 @@
+ {
+   struct elf_link_hash_entry *h;
+ 
+-  h = get_ext_sym_hash (cookie, r_symndx);
+  h = get_ext_sym_hash_from_cookie (cookie, r_symndx);
+   
+   if (h != NULL)
+     {
+@@ -9105,7 +9108,6 @@
+                  size_t symidx,
+                  bfd_vma val)
+ {
+-  struct elf_link_hash_entry **sym_hashes;
+   struct elf_link_hash_entry *h;
+   size_t extsymoff = locsymcount;
+ 
+@@ -9128,12 +9130,12 @@
+ 
+   /* It is a global symbol: set its link type
+      to "defined" and give it a value.  */
+-
+-  sym_hashes = elf_sym_hashes (bfd_with_globals);
+-  h = sym_hashes [symidx - extsymoff];
+-  while (h->root.type == bfd_link_hash_indirect
+-        || h->root.type == bfd_link_hash_warning)
+-    h = (struct elf_link_hash_entry *) h->root.u.i.link;
+  h = get_link_hash_entry (elf_sym_hashes (bfd_with_globals), symidx, extsymoff);
+  if (h == NULL)
+    {
+      /* FIXMEL What should we do ?  */
+      return;
+    }
+   h->root.type = bfd_link_hash_defined;
+   h->root.u.def.value = val;
+   h->root.u.def.section = bfd_abs_section_ptr;
+@@ -11611,10 +11613,19 @@
+              || (elf_bad_symtab (input_bfd)
+                  && flinfo->sections[symndx] == NULL))
+            {
+-             struct elf_link_hash_entry *h = sym_hashes[symndx - extsymoff];
+-             while (h->root.type == bfd_link_hash_indirect
+-                    || h->root.type == bfd_link_hash_warning)
+-               h = (struct elf_link_hash_entry *) h->root.u.i.link;
+             struct elf_link_hash_entry *h;
+
+             h = get_link_hash_entry (sym_hashes, symndx, extsymoff);
+             if (h == NULL)
+               {
+                 _bfd_error_handler
+                   /* xgettext:c-format */
+                   (_("error: %pB: unable to create group section symbol"),
+                    input_bfd);
+                 bfd_set_error (bfd_error_bad_value);
+                 return false;
+               }             
+
+              /* Arrange for symbol to be output.  */
+              h->indx = -2;
+              elf_section_data (osec)->this_hdr.sh_info = -2;
+@@ -11749,7 +11760,7 @@
+                  || (elf_bad_symtab (input_bfd)
+                      && flinfo->sections[r_symndx] == NULL))
+                {
+-                 h = sym_hashes[r_symndx - extsymoff];
+                 h = get_link_hash_entry (sym_hashes, r_symndx, extsymoff);
+ 
+                  /* Badly formatted input files can contain relocs that
+                     reference non-existant symbols.  Check here so that
+@@ -11758,17 +11769,13 @@
+                    {
+                      _bfd_error_handler
+                        /* xgettext:c-format */
+-                       (_("error: %pB contains a reloc (%#" PRIx64 ") for section %pA "
+                       (_("error: %pB contains a reloc (%#" PRIx64 ") for section '%pA' "
+                           "that references a non-existent global symbol"),
+                         input_bfd, (uint64_t) rel->r_info, o);
+                      bfd_set_error (bfd_error_bad_value);
+                      return false;
+                    }
+ 
+-                 while (h->root.type == bfd_link_hash_indirect
+-                        || h->root.type == bfd_link_hash_warning)
+-                   h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+                  s_type = h->type;
+ 
+                  /* If a plugin symbol is referenced from a non-IR file,
+@@ -11984,7 +11991,6 @@
+                          && flinfo->sections[r_symndx] == NULL))
+                    {
+                      struct elf_link_hash_entry *rh;
+-                     unsigned long indx;
+ 
+                      /* This is a reloc against a global symbol.  We
+                         have not yet output all the local symbols, so
+@@ -11993,15 +11999,16 @@
+                         reloc to point to the global hash table entry
+                         for this symbol.  The symbol index is then
+                         set at the end of bfd_elf_final_link.  */
+-                     indx = r_symndx - extsymoff;
+-                     rh = elf_sym_hashes (input_bfd)[indx];
+-                     while (rh->root.type == bfd_link_hash_indirect
+-                            || rh->root.type == bfd_link_hash_warning)
+-                       rh = (struct elf_link_hash_entry *) rh->root.u.i.link;
+-
+-                     /* Setting the index to -2 tells
+-                        elf_link_output_extsym that this symbol is
+-                        used by a reloc.  */
+                     rh = get_link_hash_entry (elf_sym_hashes (input_bfd),
+                                               r_symndx, extsymoff);
+                     if (rh == NULL)
+                       {
+                         /* FIXME: Generate an error ?  */
+                         continue;
+                       }
+
+                     /* Setting the index to -2 tells elf_link_output_extsym
+                        that this symbol is used by a reloc.  */
+                      BFD_ASSERT (rh->indx < 0);
+                      rh->indx = -2;
+                      *rel_hash = rh;
+@@ -13965,25 +13972,21 @@
+                       struct elf_link_hash_entry *h,
+                       Elf_Internal_Sym *sym)
+ {
+-  if (h != NULL)
+  if (h == NULL)
+    return bfd_section_from_elf_index (sec->owner, sym->st_shndx);
+
+  switch (h->root.type)
+     {
+-      switch (h->root.type)
+-       {
+-       case bfd_link_hash_defined:
+-       case bfd_link_hash_defweak:
+-         return h->root.u.def.section;
+    case bfd_link_hash_defined:
+    case bfd_link_hash_defweak:
+      return h->root.u.def.section;
+ 
+-       case bfd_link_hash_common:
+-         return h->root.u.c.p->section;
+    case bfd_link_hash_common:
+      return h->root.u.c.p->section;
+ 
+-       default:
+-         break;
+-       }
+    default:
+      return NULL;
+     }
+-  else
+-    return bfd_section_from_elf_index (sec->owner, sym->st_shndx);
+-
+-  return NULL;
+ }
+ 
+ /* Return the debug definition section.  */
+@@ -14032,46 +14035,49 @@
+   if (r_symndx == STN_UNDEF)
+     return NULL;
+ 
+-  h = get_ext_sym_hash (cookie, r_symndx);
+  h = get_ext_sym_hash_from_cookie (cookie, r_symndx);
+  if (h == NULL)
+    {
+      /* A corrup tinput file can lead to a situation where the index
+        does not reference either a local or an external symbol.  */
+      if (r_symndx >= cookie->locsymcount)
+       return NULL;
+ 
+-  if (h != NULL)
+      return (*gc_mark_hook) (sec, info, cookie->rel, NULL,
+                             &cookie->locsyms[r_symndx]);
+    }
+
+  bool was_marked = h->mark;
+
+  h->mark = 1;
+  /* Keep all aliases of the symbol too.  If an object symbol
+     needs to be copied into .dynbss then all of its aliases
+     should be present as dynamic symbols, not just the one used
+     on the copy relocation.  */
+  hw = h;
+  while (hw->is_weakalias)
+     {
+-      bool was_marked;
+      hw = hw->u.alias;
+      hw->mark = 1;
+    }
+ 
+-      was_marked = h->mark;
+-      h->mark = 1;
+-      /* Keep all aliases of the symbol too.  If an object symbol
+-        needs to be copied into .dynbss then all of its aliases
+-        should be present as dynamic symbols, not just the one used
+-        on the copy relocation.  */
+-      hw = h;
+-      while (hw->is_weakalias)
+-       {
+-         hw = hw->u.alias;
+-         hw->mark = 1;
+-       }
+  if (!was_marked && h->start_stop && !h->root.ldscript_def)
+    {
+      if (info->start_stop_gc)
+       return NULL;
+ 
+-      if (!was_marked && h->start_stop && !h->root.ldscript_def)
+      /* To work around a glibc bug, mark XXX input sections
+        when there is a reference to __start_XXX or __stop_XXX
+        symbols.  */
+      else if (start_stop != NULL)
+        {
+-         if (info->start_stop_gc)
+-           return NULL;
+-
+-         /* To work around a glibc bug, mark XXX input sections
+-            when there is a reference to __start_XXX or __stop_XXX
+-            symbols.  */
+-         else if (start_stop != NULL)
+-           {
+-             asection *s = h->u2.start_stop_section;
+-             *start_stop = true;
+-             return s;
+-           }
+         asection *s = h->u2.start_stop_section;
+         *start_stop = true;
+         return s;
+        }
+-
+-      return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL);
+     }
+ 
+-  return (*gc_mark_hook) (sec, info, cookie->rel, NULL,
+-                         &cookie->locsyms[r_symndx]);
+  return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL);
+ }
+ 
+ /* COOKIE->rel describes a relocation against section SEC, which is
+@@ -15094,7 +15100,7 @@
+ 
+       struct elf_link_hash_entry *h;
+ 
+-      h = get_ext_sym_hash (rcookie, r_symndx);
+      h = get_ext_sym_hash_from_cookie (rcookie, r_symndx);
+ 
+       if (h != NULL)
+        {

diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc index 7d1de61e10..5838b2ebeb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.44.inc +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -38,5 +38,7 @@ SRC_URI = "\
38	file://0015-CVE-2025-1178.patch \	38	file://0015-CVE-2025-1178.patch \
39	file://CVE-2025-1180.patch \	39	file://CVE-2025-1180.patch \
40	file://CVE-2025-1182.patch \	40	file://CVE-2025-1182.patch \
		41	file://0016-CVE-2025-1181-1.patch \
		42	file://0017-CVE-2025-1181-2.patch \
41	"	43	"
42	S = "${WORKDIR}/git"	44	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch new file mode 100644 index 0000000000..d3709c7a4f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-1181-1.patch
@@ -0,0 +1,141 @@
		1	From: Nick Clifton <nickc@redhat.com>
		2	Date: Wed, 5 Feb 2025 14:31:10 +0000
		3
		4	Prevent illegal memory access when checking relocs in a corrupt ELF binary.
		5
		6	PR 32641
		7
		8	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=18cc11a2771d9e40180485da9a4fb660c03efac3]
		9	CVE: CVE-2025-1181
		10
		11	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		12
		13	diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
		14	index 785a37dd7fd..d2bf8e5cbae 100644
		15	--- a/bfd/elf-bfd.h
		16	+++ b/bfd/elf-bfd.h
		17	@@ -3150,6 +3150,9 @@ extern bool _bfd_elf_link_mmap_section_contents
		18	extern void _bfd_elf_link_munmap_section_contents
		19	(asection *);
		20
		21	+extern struct elf_link_hash_entry * _bfd_elf_get_link_hash_entry
		22	+ (struct elf_link_hash_entry *, unsigned int, Elf_Internal_Shdr );
		23	+
		24	/* Large common section. */
		25	extern asection _bfd_elf_large_com_section;
		26
		27	diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
		28	index 32db254ba6c..2d82c6583c3 100644
		29	--- a/bfd/elf64-x86-64.c
		30	+++ b/bfd/elf64-x86-64.c
		31	@@ -1744,7 +1744,7 @@ elf_x86_64_convert_load_reloc (bfd *abfd,
		32	bool to_reloc_pc32;
		33	bool abs_symbol;
		34	bool local_ref;
		35	- asection *tsec;
		36	+ asection *tsec = NULL;
		37	bfd_signed_vma raddend;
		38	unsigned int opcode;
		39	unsigned int modrm;
		40	@@ -1910,6 +1910,9 @@ elf_x86_64_convert_load_reloc (bfd *abfd,
		41	return true;
		42	}
		43
		44	+ if (tsec == NULL)
		45	+ return false;
		46	+
		47	/* Don't convert GOTPCREL relocation against large section. */
		48	if (elf_section_data (tsec) != NULL
		49	&& (elf_section_flags (tsec) & SHF_X86_64_LARGE) != 0)
		50	@@ -2206,10 +2209,7 @@ elf_x86_64_scan_relocs (bfd abfd, struct bfd_link_info info,
		51	else
		52	{
		53	isym = NULL;
		54	- h = sym_hashes[r_symndx - symtab_hdr->sh_info];
		55	- while (h->root.type == bfd_link_hash_indirect
		56	- \|\| h->root.type == bfd_link_hash_warning)
		57	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		58	+ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
		59	}
		60
		61	/* Check invalid x32 relocations. */
		62	diff --git a/bfd/elflink.c b/bfd/elflink.c
		63	index 1f1263007c0..eafbd133ff5 100644
		64	--- a/bfd/elflink.c
		65	+++ b/bfd/elflink.c
		66	@@ -96,6 +96,27 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
		67	return true;
		68	}
		69
		70	+struct elf_link_hash_entry *
		71	+_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes,
		72	+ unsigned int symndx,
		73	+ Elf_Internal_Shdr * symtab_hdr)
		74	+{
		75	+ if (symndx < symtab_hdr->sh_info)
		76	+ return NULL;
		77	+
		78	+ struct elf_link_hash_entry *h = sym_hashes[symndx - symtab_hdr->sh_info];
		79	+
		80	+ /* The hash might be empty. See PR 32641 for an example of this. */
		81	+ if (h == NULL)
		82	+ return NULL;
		83	+
		84	+ while (h->root.type == bfd_link_hash_indirect
		85	+ \|\| h->root.type == bfd_link_hash_warning)
		86	+ h = (struct elf_link_hash_entry *) h->root.u.i.link;
		87	+
		88	+ return h;
		89	+}
		90	+
		91	static struct elf_link_hash_entry *
		92	get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		93	{
		94	@@ -108,6 +129,9 @@ get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		95	{
		96	h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		97
		98	+ if (h == NULL)
		99	+ return NULL;
		100	+
		101	while (h->root.type == bfd_link_hash_indirect
		102	\|\| h->root.type == bfd_link_hash_warning)
		103	h = (struct elf_link_hash_entry *) h->root.u.i.link;
		104	diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
		105	index 8e5a005fd36..832a5495eb1 100644
		106	--- a/bfd/elfxx-x86.c
		107	+++ b/bfd/elfxx-x86.c
		108	@@ -973,15 +973,7 @@ _bfd_x86_elf_check_relocs (bfd *abfd,
		109	goto error_return;
		110	}
		111
		112	- if (r_symndx < symtab_hdr->sh_info)
		113	- h = NULL;
		114	- else
		115	- {
		116	- h = sym_hashes[r_symndx - symtab_hdr->sh_info];
		117	- while (h->root.type == bfd_link_hash_indirect
		118	- \|\| h->root.type == bfd_link_hash_warning)
		119	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		120	- }
		121	+ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
		122
		123	if (X86_NEED_DYNAMIC_RELOC_TYPE_P (is_x86_64, r_type)
		124	&& NEED_DYNAMIC_RELOCATION_P (is_x86_64, info, true, h, sec,
		125	@@ -1209,10 +1201,12 @@ _bfd_x86_elf_link_relax_section (bfd *abfd ATTRIBUTE_UNUSED,
		126	else
		127	{
		128	/* Get H and SEC for GENERATE_DYNAMIC_RELOCATION_P below. */
		129	- h = sym_hashes[r_symndx - symtab_hdr->sh_info];
		130	- while (h->root.type == bfd_link_hash_indirect
		131	- \|\| h->root.type == bfd_link_hash_warning)
		132	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		133	+ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, symtab_hdr);
		134	+ if (h == NULL)
		135	+ {
		136	+ /* FIXMEL: Issue an error message ? */
		137	+ continue;
		138	+ }
		139
		140	if (h->root.type == bfd_link_hash_defined
		141	\|\| h->root.type == bfd_link_hash_defweak)


diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch new file mode 100644 index 0000000000..5af743582f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2025-1181-2.patch
@@ -0,0 +1,337 @@
		1	From: Nick Clifton <nickc@redhat.com>
		2	Date: Wed, 5 Feb 2025 15:43:04 +0000
		3
		4	Add even more checks for corrupt input when processing
		5	relocations for ELF files.
		6
		7	PR 32643
		8
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=931494c9a89558acb36a03a340c01726545eef24]
		10	CVE: CVE-2025-1181
		11
		12	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		13
		14	diff --git a/bfd/elflink.c b/bfd/elflink.c
		15	index fd423d61..91cd7c28 100644
		16	--- a/bfd/elflink.c
		17	+++ b/bfd/elflink.c
		18	@@ -96,15 +96,17 @@
		19	return true;
		20	}
		21
		22	-struct elf_link_hash_entry *
		23	-_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes,
		24	- unsigned int symndx,
		25	- Elf_Internal_Shdr * symtab_hdr)
		26	+static struct elf_link_hash_entry *
		27	+get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes,
		28	+ unsigned int symndx,
		29	+ unsigned int ext_sym_start)
		30	{
		31	- if (symndx < symtab_hdr->sh_info)
		32	+ if (sym_hashes == NULL
		33	+ /* Guard against corrupt input. See PR 32636 for an example. */
		34	+ \|\| symndx < ext_sym_start)
		35	return NULL;
		36
		37	- struct elf_link_hash_entry *h = sym_hashes[symndx - symtab_hdr->sh_info];
		38	+ struct elf_link_hash_entry *h = sym_hashes[symndx - ext_sym_start];
		39
		40	/* The hash might be empty. See PR 32641 for an example of this. */
		41	if (h == NULL)
		42	@@ -117,27 +119,28 @@
		43	return h;
		44	}
		45
		46	-static struct elf_link_hash_entry *
		47	-get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		48	+struct elf_link_hash_entry *
		49	+_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes,
		50	+ unsigned int symndx,
		51	+ Elf_Internal_Shdr * symtab_hdr)
		52	{
		53	- struct elf_link_hash_entry *h = NULL;
		54	-
		55	- if ((r_symndx >= cookie->locsymcount
		56	- \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		57	- /* Guard against corrupt input. See PR 32636 for an example. */
		58	- && r_symndx >= cookie->extsymoff)
		59	- {
		60	- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		61	+ if (symtab_hdr == NULL)
		62	+ return NULL;
		63
		64	- if (h == NULL)
		65	- return NULL;
		66	+ return get_link_hash_entry (sym_hashes, symndx, symtab_hdr->sh_info);
		67	+}
		68
		69	- while (h->root.type == bfd_link_hash_indirect
		70	- \|\| h->root.type == bfd_link_hash_warning)
		71	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		72	- }
		73	+static struct elf_link_hash_entry *
		74	+get_ext_sym_hash_from_cookie (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		75	+{
		76	+ if (cookie == NULL \|\| cookie->sym_hashes == NULL)
		77	+ return NULL;
		78	+
		79	+ if (r_symndx >= cookie->locsymcount
		80	+ \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		81	+ return get_link_hash_entry (cookie->sym_hashes, r_symndx, cookie->extsymoff);
		82
		83	- return h;
		84	+ return NULL;
		85	}
		86
		87	asection *
		88	@@ -147,7 +150,7 @@
		89	{
		90	struct elf_link_hash_entry *h;
		91
		92	- h = get_ext_sym_hash (cookie, r_symndx);
		93	+ h = get_ext_sym_hash_from_cookie (cookie, r_symndx);
		94
		95	if (h != NULL)
		96	{
		97	@@ -9105,7 +9108,6 @@
		98	size_t symidx,
		99	bfd_vma val)
		100	{
		101	- struct elf_link_hash_entry **sym_hashes;
		102	struct elf_link_hash_entry *h;
		103	size_t extsymoff = locsymcount;
		104
		105	@@ -9128,12 +9130,12 @@
		106
		107	/* It is a global symbol: set its link type
		108	to "defined" and give it a value. */
		109	-
		110	- sym_hashes = elf_sym_hashes (bfd_with_globals);
		111	- h = sym_hashes [symidx - extsymoff];
		112	- while (h->root.type == bfd_link_hash_indirect
		113	- \|\| h->root.type == bfd_link_hash_warning)
		114	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		115	+ h = get_link_hash_entry (elf_sym_hashes (bfd_with_globals), symidx, extsymoff);
		116	+ if (h == NULL)
		117	+ {
		118	+ /* FIXMEL What should we do ? */
		119	+ return;
		120	+ }
		121	h->root.type = bfd_link_hash_defined;
		122	h->root.u.def.value = val;
		123	h->root.u.def.section = bfd_abs_section_ptr;
		124	@@ -11611,10 +11613,19 @@
		125	\|\| (elf_bad_symtab (input_bfd)
		126	&& flinfo->sections[symndx] == NULL))
		127	{
		128	- struct elf_link_hash_entry *h = sym_hashes[symndx - extsymoff];
		129	- while (h->root.type == bfd_link_hash_indirect
		130	- \|\| h->root.type == bfd_link_hash_warning)
		131	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		132	+ struct elf_link_hash_entry *h;
		133	+
		134	+ h = get_link_hash_entry (sym_hashes, symndx, extsymoff);
		135	+ if (h == NULL)
		136	+ {
		137	+ _bfd_error_handler
		138	+ /* xgettext:c-format */
		139	+ (_("error: %pB: unable to create group section symbol"),
		140	+ input_bfd);
		141	+ bfd_set_error (bfd_error_bad_value);
		142	+ return false;
		143	+ }
		144	+
		145	/* Arrange for symbol to be output. */
		146	h->indx = -2;
		147	elf_section_data (osec)->this_hdr.sh_info = -2;
		148	@@ -11749,7 +11760,7 @@
		149	\|\| (elf_bad_symtab (input_bfd)
		150	&& flinfo->sections[r_symndx] == NULL))
		151	{
		152	- h = sym_hashes[r_symndx - extsymoff];
		153	+ h = get_link_hash_entry (sym_hashes, r_symndx, extsymoff);
		154
		155	/* Badly formatted input files can contain relocs that
		156	reference non-existant symbols. Check here so that
		157	@@ -11758,17 +11769,13 @@
		158	{
		159	_bfd_error_handler
		160	/* xgettext:c-format */
		161	- (_("error: %pB contains a reloc (%#" PRIx64 ") for section %pA "
		162	+ (_("error: %pB contains a reloc (%#" PRIx64 ") for section '%pA' "
		163	"that references a non-existent global symbol"),
		164	input_bfd, (uint64_t) rel->r_info, o);
		165	bfd_set_error (bfd_error_bad_value);
		166	return false;
		167	}
		168
		169	- while (h->root.type == bfd_link_hash_indirect
		170	- \|\| h->root.type == bfd_link_hash_warning)
		171	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		172	-
		173	s_type = h->type;
		174
		175	/* If a plugin symbol is referenced from a non-IR file,
		176	@@ -11984,7 +11991,6 @@
		177	&& flinfo->sections[r_symndx] == NULL))
		178	{
		179	struct elf_link_hash_entry *rh;
		180	- unsigned long indx;
		181
		182	/* This is a reloc against a global symbol. We
		183	have not yet output all the local symbols, so
		184	@@ -11993,15 +11999,16 @@
		185	reloc to point to the global hash table entry
		186	for this symbol. The symbol index is then
		187	set at the end of bfd_elf_final_link. */
		188	- indx = r_symndx - extsymoff;
		189	- rh = elf_sym_hashes (input_bfd)[indx];
		190	- while (rh->root.type == bfd_link_hash_indirect
		191	- \|\| rh->root.type == bfd_link_hash_warning)
		192	- rh = (struct elf_link_hash_entry *) rh->root.u.i.link;
		193	-
		194	- /* Setting the index to -2 tells
		195	- elf_link_output_extsym that this symbol is
		196	- used by a reloc. */
		197	+ rh = get_link_hash_entry (elf_sym_hashes (input_bfd),
		198	+ r_symndx, extsymoff);
		199	+ if (rh == NULL)
		200	+ {
		201	+ /* FIXME: Generate an error ? */
		202	+ continue;
		203	+ }
		204	+
		205	+ /* Setting the index to -2 tells elf_link_output_extsym
		206	+ that this symbol is used by a reloc. */
		207	BFD_ASSERT (rh->indx < 0);
		208	rh->indx = -2;
		209	*rel_hash = rh;
		210	@@ -13965,25 +13972,21 @@
		211	struct elf_link_hash_entry *h,
		212	Elf_Internal_Sym *sym)
		213	{
		214	- if (h != NULL)
		215	+ if (h == NULL)
		216	+ return bfd_section_from_elf_index (sec->owner, sym->st_shndx);
		217	+
		218	+ switch (h->root.type)
		219	{
		220	- switch (h->root.type)
		221	- {
		222	- case bfd_link_hash_defined:
		223	- case bfd_link_hash_defweak:
		224	- return h->root.u.def.section;
		225	+ case bfd_link_hash_defined:
		226	+ case bfd_link_hash_defweak:
		227	+ return h->root.u.def.section;
		228
		229	- case bfd_link_hash_common:
		230	- return h->root.u.c.p->section;
		231	+ case bfd_link_hash_common:
		232	+ return h->root.u.c.p->section;
		233
		234	- default:
		235	- break;
		236	- }
		237	+ default:
		238	+ return NULL;
		239	}
		240	- else
		241	- return bfd_section_from_elf_index (sec->owner, sym->st_shndx);
		242	-
		243	- return NULL;
		244	}
		245
		246	/* Return the debug definition section. */
		247	@@ -14032,46 +14035,49 @@
		248	if (r_symndx == STN_UNDEF)
		249	return NULL;
		250
		251	- h = get_ext_sym_hash (cookie, r_symndx);
		252	+ h = get_ext_sym_hash_from_cookie (cookie, r_symndx);
		253	+ if (h == NULL)
		254	+ {
		255	+ /* A corrup tinput file can lead to a situation where the index
		256	+ does not reference either a local or an external symbol. */
		257	+ if (r_symndx >= cookie->locsymcount)
		258	+ return NULL;
		259
		260	- if (h != NULL)
		261	+ return (*gc_mark_hook) (sec, info, cookie->rel, NULL,
		262	+ &cookie->locsyms[r_symndx]);
		263	+ }
		264	+
		265	+ bool was_marked = h->mark;
		266	+
		267	+ h->mark = 1;
		268	+ /* Keep all aliases of the symbol too. If an object symbol
		269	+ needs to be copied into .dynbss then all of its aliases
		270	+ should be present as dynamic symbols, not just the one used
		271	+ on the copy relocation. */
		272	+ hw = h;
		273	+ while (hw->is_weakalias)
		274	{
		275	- bool was_marked;
		276	+ hw = hw->u.alias;
		277	+ hw->mark = 1;
		278	+ }
		279
		280	- was_marked = h->mark;
		281	- h->mark = 1;
		282	- /* Keep all aliases of the symbol too. If an object symbol
		283	- needs to be copied into .dynbss then all of its aliases
		284	- should be present as dynamic symbols, not just the one used
		285	- on the copy relocation. */
		286	- hw = h;
		287	- while (hw->is_weakalias)
		288	- {
		289	- hw = hw->u.alias;
		290	- hw->mark = 1;
		291	- }
		292	+ if (!was_marked && h->start_stop && !h->root.ldscript_def)
		293	+ {
		294	+ if (info->start_stop_gc)
		295	+ return NULL;
		296
		297	- if (!was_marked && h->start_stop && !h->root.ldscript_def)
		298	+ /* To work around a glibc bug, mark XXX input sections
		299	+ when there is a reference to __start_XXX or __stop_XXX
		300	+ symbols. */
		301	+ else if (start_stop != NULL)
		302	{
		303	- if (info->start_stop_gc)
		304	- return NULL;
		305	-
		306	- /* To work around a glibc bug, mark XXX input sections
		307	- when there is a reference to __start_XXX or __stop_XXX
		308	- symbols. */
		309	- else if (start_stop != NULL)
		310	- {
		311	- asection *s = h->u2.start_stop_section;
		312	- *start_stop = true;
		313	- return s;
		314	- }
		315	+ asection *s = h->u2.start_stop_section;
		316	+ *start_stop = true;
		317	+ return s;
		318	}
		319	-
		320	- return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL);
		321	}
		322
		323	- return (*gc_mark_hook) (sec, info, cookie->rel, NULL,
		324	- &cookie->locsyms[r_symndx]);
		325	+ return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL);
		326	}
		327
		328	/* COOKIE->rel describes a relocation against section SEC, which is
		329	@@ -15094,7 +15100,7 @@
		330
		331	struct elf_link_hash_entry *h;
		332
		333	- h = get_ext_sym_hash (rcookie, r_symndx);
		334	+ h = get_ext_sym_hash_from_cookie (rcookie, r_symndx);
		335
		336	if (h != NULL)
		337	{