This patch applies the upstream fix as referenced in [2], using the commit 
shown in [1].

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a089e0302382f4d4e077941156e1eaa68d01393
[2] https://security-tracker.debian.org/tracker/CVE-2026-6846

Tested with binutils-testsuite (bitbake binutils-testsuite -c check):
  binutils: PASSED: 327, FAILED: 0, SKIPPED: 5
  gas:      PASSED: 2091, FAILED: 0, SKIPPED: 4
  ld:       PASSED: 1899, FAILED: 0, SKIPPED: 129

Signed-off-by: Jaipaul Cheernam <[email protected]>
---
 .../binutils/binutils-2.46.inc                |  1 +
 .../binutils/binutils/CVE-2026-6846.patch     | 59 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc 
b/meta/recipes-devtools/binutils/binutils-2.46.inc
index 13d2a02108..cab270cea5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.46.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.46.inc
@@ -39,4 +39,5 @@ SRC_URI = "\
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
      file://CVE-2026-4647.patch \
+     file://CVE-2026-6846.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch 
b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
new file mode 100644
index 0000000000..e7d1c3aa00
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch
@@ -0,0 +1,59 @@
+From 7a089e0302382f4d4e077941156e1eaa68d01393 Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Mon, 6 Apr 2026 22:58:22 +0930
+Subject: [PATCH] PR 34049 buffer overflow in xcoff_link_add_symbols
+
+The fact that coffcode.h:coff_set_alignment_hook for rs6000 removes
+sections can result in target_index > section_count.  Thus any array
+indexed by target_index must not be sized by section_count.
+
+       PR ld/34049
+       * xcofflink.c (xcoff_link_add_symbols): Size reloc_info array
+       using max target_index.
+
+CVE: CVE-2026-6846
+Upstream-Status: Backport 
[https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=7a089e0302382f4d4e077941156e1eaa68d01393]
+
+Signed-off-by: Alan Modra <[email protected]>
+(cherry picked from commit 7a089e0302382f4d4e077941156e1eaa68d01393)
+Signed-off-by: Jaipaul Cheernam <[email protected]>
+---
+ bfd/xcofflink.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c
+index 1781182fa6a..7f1c0df760f 100644
+--- a/bfd/xcofflink.c
++++ b/bfd/xcofflink.c
+@@ -1335,6 +1335,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info 
*info)
+   } *reloc_info = NULL;
+   bfd_size_type amt;
+   unsigned short visibility;
++  unsigned int max_target_index;
+ 
+   keep_syms = obj_coff_keep_syms (abfd);
+ 
+@@ -1398,7 +1399,19 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info 
*info)
+      order by VMA within a given section, so we handle this by
+      scanning along the relocs as we process the csects.  We index
+      into reloc_info using the section target_index.  */
+-  amt = abfd->section_count + 1;
++  max_target_index = 0;
++  for (o = abfd->section_last; o != NULL; o = o->prev)
++    if (o->target_index != 0)
++      {
++      /* The last section added from the object file will have the
++         highest target_index.  See coffgen.c coff_real_object_p and
++         make_a_section_from_file.  Sections added by
++         xcoff_link_create_extra_sections will have a zero
++         target_index.  */
++      max_target_index = o->target_index;
++      break;
++      }
++  amt = max_target_index + 1;
+   amt *= sizeof (struct reloc_info_struct);
+   reloc_info = bfd_zmalloc (amt);
+   if (reloc_info == NULL)
+-- 
+2.43.7
+
-- 
2.34.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239288): 
https://lists.openembedded.org/g/openembedded-core/message/239288
Mute This Topic: https://lists.openembedded.org/mt/119923101/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to