From: Sudhir Dumbhare <[email protected]> This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4].
[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare <[email protected]> --- .../binutils/binutils-2.46.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc index 4948e9b576..6d8f37f78b 100644 --- a/meta/recipes-devtools/binutils/binutils-2.46.inc +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc @@ -39,4 +39,5 @@ SRC_URI = "\ file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ file://CVE-2026-4647.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..be63bb295c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,51 @@ +From be1339394f1b64ba8b5d4f55343522cbea26131b Mon Sep 17 00:00:00 2001 +From: Alan Modra <[email protected]> +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare <[email protected]> +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index 691acc854ae..e1716262871 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1908,12 +1908,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2279,6 +2276,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.51.0 + -- 2.51.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240336): https://lists.openembedded.org/g/openembedded-core/message/240336 Mute This Topic: https://lists.openembedded.org/mt/120143923/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
