2 files changed, 166 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
index 1c988bafd4..40a9a53310 100644
--- a/meta/recipes-devtools/binutils/binutils-2.44.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
     file://0015-CVE-2025-1178.patch \
+     file://CVE-2025-1180.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
new file mode 100644
index 0000000000..073361cf19
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
@@ -0,0 +1,165 @@
+From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 22 May 2025 01:56:17 -0700
+Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180)
+Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access)
+in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with
+ --gc-sections --gc-keep-exported option)
+https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with
+PR32642 which will get fixed with commit from PR 32636.
+(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)
+Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
+CVE: CVE-2025-1180
+Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
+---
+ bfd/elflink.c | 88 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 6346d7e2b4b..d765b688801 100644
+--- a/bfd/elflink.c
+++ b/bfd/elflink.c
+@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
+   return true;
+ }
+ 
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+-                            unsigned long r_symndx,
+-                            bool discard)
+static struct elf_link_hash_entry *
+get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+-    {
+-      struct elf_link_hash_entry *h;
+  struct elf_link_hash_entry *h = NULL;
+ 
+  if ((r_symndx >= cookie->locsymcount
+       || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+      /* Guard against corrupt input.  See PR 32636 for an example.  */
+      && r_symndx >= cookie->extsymoff)
+    {
+       h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+ 
+       while (h->root.type == bfd_link_hash_indirect
+             || h->root.type == bfd_link_hash_warning)
+        h = (struct elf_link_hash_entry *) h->root.u.i.link;
+    }
+
+  return h;
+}
+ 
+asection *
+_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+                            unsigned long r_symndx,
+                            bool discard)
+{
+  struct elf_link_hash_entry *h;
+
+  h = get_ext_sym_hash (cookie, r_symndx);
+  
+  if (h != NULL)
+    {
+       if ((h->root.type == bfd_link_hash_defined
+           || h->root.type == bfd_link_hash_defweak)
+           && discarded_section (h->root.u.def.section))
+@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+       else
+        return NULL;
+     }
+-  else
+-    {
+-      /* It's not a relocation against a global symbol,
+-        but it could be a relocation against a local
+-        symbol for a discarded section.  */
+-      asection *isec;
+-      Elf_Internal_Sym *isym;
+ 
+-      /* Need to: get the symbol; get the section.  */
+-      isym = &cookie->locsyms[r_symndx];
+-      isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+-      if (isec != NULL
+-         && discard ? discarded_section (isec) : 1)
+-       return isec;
+-     }
+  /* It's not a relocation against a global symbol,
+     but it could be a relocation against a local
+     symbol for a discarded section.  */
+  asection *isec;
+  Elf_Internal_Sym *isym;
+
+  /* Need to: get the symbol; get the section.  */
+  isym = &cookie->locsyms[r_symndx];
+  isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+  if (isec != NULL
+      && discard ? discarded_section (isec) : 1)
+    return isec;
+
+   return NULL;
+ }
+ 
+@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
+   if (r_symndx == STN_UNDEF)
+     return NULL;
+ 
+-  if (r_symndx >= cookie->locsymcount
+-      || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+  h = get_ext_sym_hash (cookie, r_symndx);
+
+  if (h != NULL)
+     {
+       bool was_marked;
+ 
+-      h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+-      if (h == NULL)
+-       {
+-         info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"),
+-                                 sec->owner);
+-         return NULL;
+-       }
+-      while (h->root.type == bfd_link_hash_indirect
+-            || h->root.type == bfd_link_hash_warning)
+-       h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+       was_marked = h->mark;
+       h->mark = 1;
+       /* Keep all aliases of the symbol too.  If an object symbol
+@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+       if (r_symndx == STN_UNDEF)
+        return true;
+ 
+-      if (r_symndx >= rcookie->locsymcount
+-         || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+-       {
+-         struct elf_link_hash_entry *h;
+-
+-         h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
+      struct elf_link_hash_entry *h;
+ 
+-         while (h->root.type == bfd_link_hash_indirect
+-                || h->root.type == bfd_link_hash_warning)
+-           h = (struct elf_link_hash_entry *) h->root.u.i.link;
+      h = get_ext_sym_hash (rcookie, r_symndx);
+ 
+      if (h != NULL)
+       {
+          if ((h->root.type == bfd_link_hash_defined
+               || h->root.type == bfd_link_hash_defweak)
+              && (h->root.u.def.section->owner != rcookie->abfd
+@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+                  || discarded_section (isec)))
+            return true;
+        }
+      
+       return false;
+     }
+   return false;
+-- 
+2.49.0

diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc index 1c988bafd4..40a9a53310 100644 --- a/meta/recipes-devtools/binutils/binutils-2.44.inc +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \	36	file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \	37	file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
38	file://0015-CVE-2025-1178.patch \	38	file://0015-CVE-2025-1178.patch \
		39	file://CVE-2025-1180.patch \
39	"	40	"
40	S = "${WORKDIR}/git"	41	S = "${WORKDIR}/git"


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch new file mode 100644 index 0000000000..073361cf19 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
@@ -0,0 +1,165 @@
		1	From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Thu, 22 May 2025 01:56:17 -0700
		4	Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180)
		5
		6	Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access)
		7	in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with
		8	--gc-sections --gc-keep-exported option)
		9
		10	https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with
		11	PR32642 which will get fixed with commit from PR 32636.
		12
		13	(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)
		14	Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
		15	CVE: CVE-2025-1180
		16
		17	Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
		18	---
		19	bfd/elflink.c \| 88 +++++++++++++++++++++++++--------------------------
		20	1 file changed, 44 insertions(+), 44 deletions(-)
		21
		22	diff --git a/bfd/elflink.c b/bfd/elflink.c
		23	index 6346d7e2b4b..d765b688801 100644
		24	--- a/bfd/elflink.c
		25	+++ b/bfd/elflink.c
		26	@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
		27	return true;
		28	}
		29
		30	-asection *
		31	-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
		32	- unsigned long r_symndx,
		33	- bool discard)
		34	+static struct elf_link_hash_entry *
		35	+get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
		36	{
		37	- if (r_symndx >= cookie->locsymcount
		38	- \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		39	- {
		40	- struct elf_link_hash_entry *h;
		41	+ struct elf_link_hash_entry *h = NULL;
		42
		43	+ if ((r_symndx >= cookie->locsymcount
		44	+ \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		45	+ /* Guard against corrupt input. See PR 32636 for an example. */
		46	+ && r_symndx >= cookie->extsymoff)
		47	+ {
		48	h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		49
		50	while (h->root.type == bfd_link_hash_indirect
		51	\|\| h->root.type == bfd_link_hash_warning)
		52	h = (struct elf_link_hash_entry *) h->root.u.i.link;
		53	+ }
		54	+
		55	+ return h;
		56	+}
		57
		58	+asection *
		59	+_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
		60	+ unsigned long r_symndx,
		61	+ bool discard)
		62	+{
		63	+ struct elf_link_hash_entry *h;
		64	+
		65	+ h = get_ext_sym_hash (cookie, r_symndx);
		66	+
		67	+ if (h != NULL)
		68	+ {
		69	if ((h->root.type == bfd_link_hash_defined
		70	\|\| h->root.type == bfd_link_hash_defweak)
		71	&& discarded_section (h->root.u.def.section))
		72	@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
		73	else
		74	return NULL;
		75	}
		76	- else
		77	- {
		78	- /* It's not a relocation against a global symbol,
		79	- but it could be a relocation against a local
		80	- symbol for a discarded section. */
		81	- asection *isec;
		82	- Elf_Internal_Sym *isym;
		83
		84	- /* Need to: get the symbol; get the section. */
		85	- isym = &cookie->locsyms[r_symndx];
		86	- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
		87	- if (isec != NULL
		88	- && discard ? discarded_section (isec) : 1)
		89	- return isec;
		90	- }
		91	+ /* It's not a relocation against a global symbol,
		92	+ but it could be a relocation against a local
		93	+ symbol for a discarded section. */
		94	+ asection *isec;
		95	+ Elf_Internal_Sym *isym;
		96	+
		97	+ /* Need to: get the symbol; get the section. */
		98	+ isym = &cookie->locsyms[r_symndx];
		99	+ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
		100	+ if (isec != NULL
		101	+ && discard ? discarded_section (isec) : 1)
		102	+ return isec;
		103	+
		104	return NULL;
		105	}
		106
		107	@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info info, asection sec,
		108	if (r_symndx == STN_UNDEF)
		109	return NULL;
		110
		111	- if (r_symndx >= cookie->locsymcount
		112	- \|\| ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		113	+ h = get_ext_sym_hash (cookie, r_symndx);
		114	+
		115	+ if (h != NULL)
		116	{
		117	bool was_marked;
		118
		119	- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
		120	- if (h == NULL)
		121	- {
		122	- info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"),
		123	- sec->owner);
		124	- return NULL;
		125	- }
		126	- while (h->root.type == bfd_link_hash_indirect
		127	- \|\| h->root.type == bfd_link_hash_warning)
		128	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		129	-
		130	was_marked = h->mark;
		131	h->mark = 1;
		132	/* Keep all aliases of the symbol too. If an object symbol
		133	@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
		134	if (r_symndx == STN_UNDEF)
		135	return true;
		136
		137	- if (r_symndx >= rcookie->locsymcount
		138	- \|\| ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
		139	- {
		140	- struct elf_link_hash_entry *h;
		141	-
		142	- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
		143	+ struct elf_link_hash_entry *h;
		144
		145	- while (h->root.type == bfd_link_hash_indirect
		146	- \|\| h->root.type == bfd_link_hash_warning)
		147	- h = (struct elf_link_hash_entry *) h->root.u.i.link;
		148	+ h = get_ext_sym_hash (rcookie, r_symndx);
		149
		150	+ if (h != NULL)
		151	+ {
		152	if ((h->root.type == bfd_link_hash_defined
		153	\|\| h->root.type == bfd_link_hash_defweak)
		154	&& (h->root.u.def.section->owner != rcookie->abfd
		155	@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
		156	\|\| discarded_section (isec)))
		157	return true;
		158	}
		159	+
		160	return false;
		161	}
		162	return false;
		163	--
		164	2.49.0
		165