On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote:
> Hello,
> 
> On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via 
> lists.openembedded.org wrote:
> > CVE-2025-69649:
> >   Null pointer dereference in readelf before 2.46 results in segfault when
> >   processing a crafted ELF binary with malformed header fields.
> >   No evidence of memory corruption beyond the null pointer dereference, nor
> >   any possibility of code execution, was observed.
> > 
> > CVE-2025-69652:
> >   Null pointer dereference in readelf when processing a crafted ELF binary
> >   with malformed DWARF abbrev or debug information which leads to SIGABORT.
> >   No evidence of memory corruption or code execution was observed; the 
> > impact
> >   is limited to denial of service.
> > 
> > Signed-off-by: Roland Kovacs <[email protected]>
> > ---
> >  .../binutils/binutils-2.42.inc                |  2 +
> >  .../binutils/binutils/CVE-2025-69649.patch    | 36 +++++++++++++++++
> >  .../binutils/binutils/CVE-2025-69652.patch    | 39 +++++++++++++++++++
> >  3 files changed, 77 insertions(+)
> >  create mode 100644 
> > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> >  create mode 100644 
> > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
> > 
> > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
> > b/meta/recipes-
> > devtools/binutils/binutils-2.42.inc
> > index 1a865c45f4..da954fc138 100644
> > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> > @@ -74,5 +74,7 @@ SRC_URI = "\
> >       file://0030-CVE-2025-11840.patch \
> >       file://CVE-2025-69647.patch \
> >       file://CVE-2025-69648.patch \
> > +     file://CVE-2025-69649.patch \
> > +     file://CVE-2025-69652.patch \
> >  "
> >  S  = "${WORKDIR}/git"
> > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch 
> > b/meta/recipes-
> > devtools/binutils/binutils/CVE-2025-69649.patch
> > new file mode 100644
> > index 0000000000..4865ad6535
> > --- /dev/null
> > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
> > @@ -0,0 +1,36 @@
> > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
> > +From: Alan Modra <[email protected]>
> > +Date: Mon, 8 Dec 2025 15:58:33 +1030
> > +Subject: [PATCH] PR 33697, fuzzer segfault
> > +
> > +   PR 33697
> > +   * readelf.c (process_relocs): Don't segfault on no sections.
> > +
> > +CVE: CVE-2025-69649
> > +Upstream-Status: Backport
> > [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d
> > 7f66]
> > +
> > +Signed-off-by: Roland Kovacs <[email protected]>
> > +---
> > + binutils/readelf.c | 6 +++---
> > + 1 file changed, 3 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/binutils/readelf.c b/binutils/readelf.c
> > +index 5e4ad6ea6ad..8c1987ffaec 100644
> > +--- a/binutils/readelf.c
> > ++++ b/binutils/readelf.c
> > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
> > +       size_t i;
> > +       bool found = false;
> > + 
> > +-      for (i = 0, section = filedata->section_headers;
> > +-     i < filedata->file_header.e_shnum;
> > +-     i++, section++)
> > ++      section = filedata->section_headers;
> > ++      if (section != NULL)
> > ++  for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
> > +   {
> > +     if (   section->sh_type != SHT_RELA
> > +         && section->sh_type != SHT_REL
> 
> This backport is sensibly different from the upstream commit. Upstream
> has a short for loop but your patch is at the start of a really long
> one!
> 
> Can you justify why your backport is safe & correct?
> 
> Thanks!

Yes, on 2.42 the formatted printing of relocations is in-line, while on 2.46 
that code mostly has
been moved into 'display_relocations()' as part of 
8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305.
See:
https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c

Cheers,
        Roland
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240441): 
https://lists.openembedded.org/g/openembedded-core/message/240441
Mute This Topic: https://lists.openembedded.org/mt/120043719/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to