Hello, Le mer. 14 janv. 2026 à 14:22, Vijay Anusuri via lists.openembedded.org <[email protected]> a écrit :
> From: Vijay Anusuri <[email protected]> > > import patch from ubuntu to fix > CVE-2025-1181 > > Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/binutils/tree/debian/patches?h=ubuntu/jammy-security > Upstream commit > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24 > & > <https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24&;> > > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24 > ] > This is twice the same link, second link should be : https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=18cc11a2771d9e40180485da9a4fb660c03efac3 > Signed-off-by: Vijay Anusuri <[email protected]> > --- > .../binutils/binutils-2.38.inc | 2 + > .../binutils/binutils/CVE-2025-1181-pre.patch | 149 ++++++++ > .../binutils/binutils/CVE-2025-1181.patch | 342 ++++++++++++++++++ > 3 files changed, 493 insertions(+) > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2025-1181-pre.patch > create mode 100644 > meta/recipes-devtools/binutils/binutils/CVE-2025-1181.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc > b/meta/recipes-devtools/binutils/binutils-2.38.inc > index d5ad3c0ecb..63bd65c59c 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.38.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc > @@ -86,5 +86,7 @@ SRC_URI = "\ > file://0047-CVE-2025-8225.patch \ > file://CVE-2025-11412.patch \ > file://CVE-2025-11413.patch \ > + file://CVE-2025-1181-pre.patch \ > + file://CVE-2025-1181.patch \ > " > S = "${WORKDIR}/git" > diff --git > a/meta/recipes-devtools/binutils/binutils/CVE-2025-1181-pre.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2025-1181-pre.patch > new file mode 100644 > index 0000000000..dc9e9b624e > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1181-pre.patch > @@ -0,0 +1,149 @@ > +Backported of: > + > +From 18cc11a2771d9e40180485da9a4fb660c03efac3 Mon Sep 17 00:00:00 2001 > +From: Nick Clifton <[email protected]> > +Date: Wed, 5 Feb 2025 14:31:10 +0000 > +Subject: [PATCH] Prevent illegal memory access when checking relocs in a > + corrupt ELF binary. > + > +PR 32641 > + > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/binutils/tree/debian/patches/CVE-2025-1181-pre.patch?h=ubuntu/jammy-security > +Upstream commit > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24 > ] > Upstream commit of this patch is https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=18cc11a2771d9e40180485da9a4fb660c03efac3 Since this is not a major issue, I have fixed both in my branch : https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut&id=c673f64e4e6f856c7b76d8cee190c2103151105f Cheers, > +CVE: CVE-2025-1181 > +Signed-off-by: Vijay Anusuri <[email protected]> > +--- > + bfd/elf-bfd.h | 3 +++ > + bfd/elf64-x86-64.c | 10 +++++----- > + bfd/elflink.c | 24 ++++++++++++++++++++++++ > + bfd/elfxx-x86.c | 20 +++++++------------- > + 4 files changed, 39 insertions(+), 18 deletions(-) > +Index: binutils-2.38/bfd/elf-bfd.h > +=================================================================== > +--- binutils-2.38.orig/bfd/elf-bfd.h > ++++ binutils-2.38/bfd/elf-bfd.h > +@@ -3007,6 +3007,9 @@ extern bool _bfd_elf_maybe_set_textrel > + extern bool _bfd_elf_add_dynamic_tags > + (bfd *, struct bfd_link_info *, bool); > + > ++extern struct elf_link_hash_entry * _bfd_elf_get_link_hash_entry > ++ (struct elf_link_hash_entry **, unsigned int, Elf_Internal_Shdr *); > ++ > + /* Large common section. */ > + extern asection _bfd_elf_large_com_section; > + > +Index: binutils-2.38/bfd/elf64-x86-64.c > +=================================================================== > +--- binutils-2.38.orig/bfd/elf64-x86-64.c > ++++ binutils-2.38/bfd/elf64-x86-64.c > +@@ -1484,7 +1484,7 @@ elf_x86_64_convert_load_reloc (bfd *abfd > + bool to_reloc_pc32; > + bool abs_symbol; > + bool local_ref; > +- asection *tsec; > ++ asection *tsec = NULL; > + bfd_signed_vma raddend; > + unsigned int opcode; > + unsigned int modrm; > +@@ -1639,6 +1639,9 @@ elf_x86_64_convert_load_reloc (bfd *abfd > + return true; > + } > + > ++ if (tsec == NULL) > ++ return false; > ++ > + /* Don't convert GOTPCREL relocation against large section. */ > + if (elf_section_data (tsec) != NULL > + && (elf_section_flags (tsec) & SHF_X86_64_LARGE) != 0) > +@@ -1915,10 +1918,7 @@ elf_x86_64_scan_relocs (bfd *abfd, struc > + else > + { > + isym = NULL; > +- h = sym_hashes[r_symndx - symtab_hdr->sh_info]; > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, > symtab_hdr); > + } > + > + /* Check invalid x32 relocations. */ > +Index: binutils-2.38/bfd/elflink.c > +=================================================================== > +--- binutils-2.38.orig/bfd/elflink.c > ++++ binutils-2.38/bfd/elflink.c > +@@ -62,6 +62,27 @@ struct elf_find_verdep_info > + static bool _bfd_elf_fix_symbol_flags > + (struct elf_link_hash_entry *, struct elf_info_failed *); > + > ++struct elf_link_hash_entry * > ++_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes, > ++ unsigned int symndx, > ++ Elf_Internal_Shdr * symtab_hdr) > ++{ > ++ if (symndx < symtab_hdr->sh_info) > ++ return NULL; > ++ > ++ struct elf_link_hash_entry *h = sym_hashes[symndx - > symtab_hdr->sh_info]; > ++ > ++ /* The hash might be empty. See PR 32641 for an example of this. */ > ++ if (h == NULL) > ++ return NULL; > ++ > ++ while (h->root.type == bfd_link_hash_indirect > ++ || h->root.type == bfd_link_hash_warning) > ++ h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ > ++ return h; > ++} > ++ > + static struct elf_link_hash_entry * > + get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long > r_symndx) > + { > +@@ -75,6 +96,9 @@ get_ext_sym_hash (struct elf_reloc_cooki > + > + h = cookie->sym_hashes[r_symndx - cookie->extsymoff]; > + > ++ if (h == NULL) > ++ return NULL; > ++ > + while (h->root.type == bfd_link_hash_indirect > + || h->root.type == bfd_link_hash_warning) > + h = (struct elf_link_hash_entry *) h->root.u.i.link; > +Index: binutils-2.38/bfd/elfxx-x86.c > +=================================================================== > +--- binutils-2.38.orig/bfd/elfxx-x86.c > ++++ binutils-2.38/bfd/elfxx-x86.c > +@@ -973,15 +973,7 @@ _bfd_x86_elf_check_relocs (bfd *abfd, > + goto error_return; > + } > + > +- if (r_symndx < symtab_hdr->sh_info) > +- h = NULL; > +- else > +- { > +- h = sym_hashes[r_symndx - symtab_hdr->sh_info]; > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > +- } > ++ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, > symtab_hdr); > + > + if (X86_NEED_DYNAMIC_RELOC_TYPE_P (is_x86_64, r_type) > + && NEED_DYNAMIC_RELOCATION_P (is_x86_64, info, true, h, sec, > +@@ -1200,10 +1192,12 @@ _bfd_x86_elf_link_relax_section (bfd *ab > + else > + { > + /* Get H and SEC for GENERATE_DYNAMIC_RELOCATION_P below. */ > +- h = sym_hashes[r_symndx - symtab_hdr->sh_info]; > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ h = _bfd_elf_get_link_hash_entry (sym_hashes, r_symndx, > symtab_hdr); > ++ if (h == NULL) > ++ { > ++ /* FIXMEL: Issue an error message ? */ > ++ continue; > ++ } > + > + if (h->root.type == bfd_link_hash_defined > + || h->root.type == bfd_link_hash_defweak) > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1181.patch > b/meta/recipes-devtools/binutils/binutils/CVE-2025-1181.patch > new file mode 100644 > index 0000000000..2bcd55795d > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1181.patch > @@ -0,0 +1,342 @@ > +Backported of: > + > +From 931494c9a89558acb36a03a340c01726545eef24 Mon Sep 17 00:00:00 2001 > +From: Nick Clifton <[email protected]> > +Date: Wed, 5 Feb 2025 15:43:04 +0000 > +Subject: [PATCH] Add even more checks for corrupt input when processing > + relocations for ELF files. > + > +PR 32643 > + > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/binutils/tree/debian/patches/CVE-2025-1181.patch?h=ubuntu/jammy-security > +Upstream commit > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=931494c9a89558acb36a03a340c01726545eef24 > ] > +CVE: CVE-2025-1181 > +Signed-off-by: Vijay Anusuri <[email protected]> > + > +Index: binutils-2.38/bfd/elflink.c > +=================================================================== > +--- binutils-2.38.orig/bfd/elflink.c > ++++ binutils-2.38/bfd/elflink.c > +@@ -62,15 +62,17 @@ struct elf_find_verdep_info > + static bool _bfd_elf_fix_symbol_flags > + (struct elf_link_hash_entry *, struct elf_info_failed *); > + > +-struct elf_link_hash_entry * > +-_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes, > +- unsigned int symndx, > +- Elf_Internal_Shdr * symtab_hdr) > ++static struct elf_link_hash_entry * > ++get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes, > ++ unsigned int symndx, > ++ unsigned int ext_sym_start) > + { > +- if (symndx < symtab_hdr->sh_info) > ++ if (sym_hashes == NULL > ++ /* Guard against corrupt input. See PR 32636 for an example. */ > ++ || symndx < ext_sym_start) > + return NULL; > + > +- struct elf_link_hash_entry *h = sym_hashes[symndx - > symtab_hdr->sh_info]; > ++ struct elf_link_hash_entry *h = sym_hashes[symndx - ext_sym_start]; > + > + /* The hash might be empty. See PR 32641 for an example of this. */ > + if (h == NULL) > +@@ -83,29 +85,28 @@ _bfd_elf_get_link_hash_entry (struct elf > + return h; > + } > + > +-static struct elf_link_hash_entry * > +-get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long > r_symndx) > ++struct elf_link_hash_entry * > ++_bfd_elf_get_link_hash_entry (struct elf_link_hash_entry ** sym_hashes, > ++ unsigned int symndx, > ++ Elf_Internal_Shdr * symtab_hdr) > + { > +- struct elf_link_hash_entry *h = NULL; > +- > +- if ((r_symndx >= cookie->locsymcount > +- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL) > +- /* Guard against corrupt input. See PR 32636 for an example. */ > +- && r_symndx >= cookie->extsymoff) > +- { > +- > +- h = cookie->sym_hashes[r_symndx - cookie->extsymoff]; > +- > +- if (h == NULL) > +- return NULL; > ++ if (symtab_hdr == NULL) > ++ return NULL; > + > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ return get_link_hash_entry (sym_hashes, symndx, symtab_hdr->sh_info); > ++} > + > +- } > ++static struct elf_link_hash_entry * > ++get_ext_sym_hash_from_cookie (struct elf_reloc_cookie *cookie, unsigned > long r_symndx) > ++{ > ++ if (cookie == NULL || cookie->sym_hashes == NULL) > ++ return NULL; > ++ > ++ if (r_symndx >= cookie->locsymcount > ++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL) > ++ return get_link_hash_entry (cookie->sym_hashes, r_symndx, > cookie->extsymoff); > + > +- return h; > ++ return NULL; > + } > + > + asection * > +@@ -115,7 +116,7 @@ _bfd_elf_section_for_symbol (struct elf_ > + { > + struct elf_link_hash_entry *h; > + > +- h = get_ext_sym_hash (cookie, r_symndx); > ++ h = get_ext_sym_hash_from_cookie (cookie, r_symndx); > + > + if (h != NULL) > + { > +@@ -8783,7 +8784,6 @@ set_symbol_value (bfd *bfd_with_globals, > + size_t symidx, > + bfd_vma val) > + { > +- struct elf_link_hash_entry **sym_hashes; > + struct elf_link_hash_entry *h; > + size_t extsymoff = locsymcount; > + > +@@ -8806,12 +8806,12 @@ set_symbol_value (bfd *bfd_with_globals, > + > + /* It is a global symbol: set its link type > + to "defined" and give it a value. */ > +- > +- sym_hashes = elf_sym_hashes (bfd_with_globals); > +- h = sym_hashes [symidx - extsymoff]; > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ h = get_link_hash_entry (elf_sym_hashes (bfd_with_globals), symidx, > extsymoff); > ++ if (h == NULL) > ++ { > ++ /* FIXMEL What should we do ? */ > ++ return; > ++ } > + h->root.type = bfd_link_hash_defined; > + h->root.u.def.value = val; > + h->root.u.def.section = bfd_abs_section_ptr; > +@@ -11281,10 +11281,19 @@ elf_link_input_bfd (struct elf_final_lin > + || (elf_bad_symtab (input_bfd) > + && flinfo->sections[symndx] == NULL)) > + { > +- struct elf_link_hash_entry *h = sym_hashes[symndx - > extsymoff]; > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ struct elf_link_hash_entry *h; > ++ > ++ h = get_link_hash_entry (sym_hashes, symndx, extsymoff); > ++ if (h == NULL) > ++ { > ++ _bfd_error_handler > ++ /* xgettext:c-format */ > ++ (_("error: %pB: unable to create group section > symbol"), > ++ input_bfd); > ++ bfd_set_error (bfd_error_bad_value); > ++ return false; > ++ } > ++ > + /* Arrange for symbol to be output. */ > + h->indx = -2; > + elf_section_data (osec)->this_hdr.sh_info = -2; > +@@ -11411,7 +11420,7 @@ elf_link_input_bfd (struct elf_final_lin > + || (elf_bad_symtab (input_bfd) > + && flinfo->sections[r_symndx] == NULL)) > + { > +- h = sym_hashes[r_symndx - extsymoff]; > ++ h = get_link_hash_entry (sym_hashes, r_symndx, > extsymoff); > + > + /* Badly formatted input files can contain relocs that > + reference non-existant symbols. Check here so that > +@@ -11420,17 +11429,13 @@ elf_link_input_bfd (struct elf_final_lin > + { > + _bfd_error_handler > + /* xgettext:c-format */ > +- (_("error: %pB contains a reloc (%#" PRIx64 ") for > section %pA " > ++ (_("error: %pB contains a reloc (%#" PRIx64 ") for > section '%pA' " > + "that references a non-existent global symbol"), > + input_bfd, (uint64_t) rel->r_info, o); > + bfd_set_error (bfd_error_bad_value); > + return false; > + } > + > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > +- > + s_type = h->type; > + > + /* If a plugin symbol is referenced from a non-IR file, > +@@ -11646,7 +11651,6 @@ elf_link_input_bfd (struct elf_final_lin > + && flinfo->sections[r_symndx] == NULL)) > + { > + struct elf_link_hash_entry *rh; > +- unsigned long indx; > + > + /* This is a reloc against a global symbol. We > + have not yet output all the local symbols, so > +@@ -11655,15 +11659,16 @@ elf_link_input_bfd (struct elf_final_lin > + reloc to point to the global hash table entry > + for this symbol. The symbol index is then > + set at the end of bfd_elf_final_link. */ > +- indx = r_symndx - extsymoff; > +- rh = elf_sym_hashes (input_bfd)[indx]; > +- while (rh->root.type == bfd_link_hash_indirect > +- || rh->root.type == bfd_link_hash_warning) > +- rh = (struct elf_link_hash_entry *) > rh->root.u.i.link; > +- > +- /* Setting the index to -2 tells > +- elf_link_output_extsym that this symbol is > +- used by a reloc. */ > ++ rh = get_link_hash_entry (elf_sym_hashes (input_bfd), > ++ r_symndx, extsymoff); > ++ if (rh == NULL) > ++ { > ++ /* FIXME: Generate an error ? */ > ++ continue; > ++ } > ++ > ++ /* Setting the index to -2 tells > elf_link_output_extsym > ++ that this symbol is used by a reloc. */ > + BFD_ASSERT (rh->indx < 0); > + rh->indx = -2; > + *rel_hash = rh; > +@@ -13615,25 +13620,21 @@ _bfd_elf_gc_mark_hook (asection *sec, > + struct elf_link_hash_entry *h, > + Elf_Internal_Sym *sym) > + { > +- if (h != NULL) > ++ if (h == NULL) > ++ return bfd_section_from_elf_index (sec->owner, sym->st_shndx); > ++ > ++ switch (h->root.type) > + { > +- switch (h->root.type) > +- { > +- case bfd_link_hash_defined: > +- case bfd_link_hash_defweak: > +- return h->root.u.def.section; > ++ case bfd_link_hash_defined: > ++ case bfd_link_hash_defweak: > ++ return h->root.u.def.section; > + > +- case bfd_link_hash_common: > +- return h->root.u.c.p->section; > ++ case bfd_link_hash_common: > ++ return h->root.u.c.p->section; > + > +- default: > +- break; > +- } > ++ default: > ++ return NULL; > + } > +- else > +- return bfd_section_from_elf_index (sec->owner, sym->st_shndx); > +- > +- return NULL; > + } > + > + /* Return the debug definition section. */ > +@@ -13682,46 +13683,49 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_i > + if (r_symndx == STN_UNDEF) > + return NULL; > + > +- h = get_ext_sym_hash (cookie, r_symndx); > +- > +- if (h != NULL) > ++ h = get_ext_sym_hash_from_cookie (cookie, r_symndx); > ++ if (h == NULL) > + { > +- bool was_marked; > ++ /* A corrup tinput file can lead to a situation where the index > ++ does not reference either a local or an external symbol. */ > ++ if (r_symndx >= cookie->locsymcount) > ++ return NULL; > + > +- was_marked = h->mark; > +- h->mark = 1; > +- /* Keep all aliases of the symbol too. If an object symbol > +- needs to be copied into .dynbss then all of its aliases > +- should be present as dynamic symbols, not just the one used > +- on the copy relocation. */ > +- hw = h; > +- while (hw->is_weakalias) > +- { > +- hw = hw->u.alias; > +- hw->mark = 1; > +- } > ++ return (*gc_mark_hook) (sec, info, cookie->rel, NULL, > ++ &cookie->locsyms[r_symndx]); > ++ } > + > +- if (!was_marked && h->start_stop && !h->root.ldscript_def) > +- { > +- if (info->start_stop_gc) > +- return NULL; > ++ bool was_marked = h->mark; > + > +- /* To work around a glibc bug, mark XXX input sections > +- when there is a reference to __start_XXX or __stop_XXX > +- symbols. */ > +- else if (start_stop != NULL) > +- { > +- asection *s = h->u2.start_stop_section; > +- *start_stop = true; > +- return s; > +- } > +- } > ++ h->mark = 1; > ++ /* Keep all aliases of the symbol too. If an object symbol > ++ needs to be copied into .dynbss then all of its aliases > ++ should be present as dynamic symbols, not just the one used > ++ on the copy relocation. */ > ++ hw = h; > ++ while (hw->is_weakalias) > ++ { > ++ hw = hw->u.alias; > ++ hw->mark = 1; > ++ } > + > +- return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL); > ++ if (!was_marked && h->start_stop && !h->root.ldscript_def) > ++ { > ++ if (info->start_stop_gc) > ++ return NULL; > ++ > ++ /* To work around a glibc bug, mark XXX input sections > ++ when there is a reference to __start_XXX or __stop_XXX > ++ symbols. */ > ++ else if (start_stop != NULL) > ++ { > ++ asection *s = h->u2.start_stop_section; > ++ *start_stop = true; > ++ return s; > ++ } > + } > + > +- return (*gc_mark_hook) (sec, info, cookie->rel, NULL, > +- &cookie->locsyms[r_symndx]); > ++ return (*gc_mark_hook) (sec, info, cookie->rel, h, NULL); > + } > + > + /* COOKIE->rel describes a relocation against section SEC, which is > +@@ -14735,7 +14739,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma > + > + struct elf_link_hash_entry *h; > + > +- h = get_ext_sym_hash (rcookie, r_symndx); > ++ h = get_ext_sym_hash_from_cookie (rcookie, r_symndx); > + > + if (h != NULL) > + { > -- > 2.25.1 > > > > > -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#229441): https://lists.openembedded.org/g/openembedded-core/message/229441 Mute This Topic: https://lists.openembedded.org/mt/117260475/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
