On Wed Jul 8, 2026 at 9:18 AM CEST, Roland Kovács wrote:
> On Tue, 2026-07-07 at 15:45 +0200, Yoann Congal wrote:
>> Hello,
>> 
>> On Tue Jun 30, 2026 at 10:25 AM CEST, Roland Kovács via 
>> lists.openembedded.org wrote:
>> > CVE-2025-69649:
>> >   Null pointer dereference in readelf before 2.46 results in segfault when
>> >   processing a crafted ELF binary with malformed header fields.
>> >   No evidence of memory corruption beyond the null pointer dereference, nor
>> >   any possibility of code execution, was observed.
>> > 
>> > CVE-2025-69652:
>> >   Null pointer dereference in readelf when processing a crafted ELF binary
>> >   with malformed DWARF abbrev or debug information which leads to SIGABORT.
>> >   No evidence of memory corruption or code execution was observed; the 
>> > impact
>> >   is limited to denial of service.
>> > 
>> > Signed-off-by: Roland Kovacs <[email protected]>
>> > ---
>> >  .../binutils/binutils-2.42.inc                |  2 +
>> >  .../binutils/binutils/CVE-2025-69649.patch    | 36 +++++++++++++++++
>> >  .../binutils/binutils/CVE-2025-69652.patch    | 39 +++++++++++++++++++
>> >  3 files changed, 77 insertions(+)
>> >  create mode 100644 
>> > meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
>> >  create mode 100644 
>> > meta/recipes-devtools/binutils/binutils/CVE-2025-69652.patch
>> > 
>> > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc 
>> > b/meta/recipes-
>> > devtools/binutils/binutils-2.42.inc
>> > index 1a865c45f4..da954fc138 100644
>> > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
>> > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
>> > @@ -74,5 +74,7 @@ SRC_URI = "\
>> >       file://0030-CVE-2025-11840.patch \
>> >       file://CVE-2025-69647.patch \
>> >       file://CVE-2025-69648.patch \
>> > +     file://CVE-2025-69649.patch \
>> > +     file://CVE-2025-69652.patch \
>> >  "
>> >  S  = "${WORKDIR}/git"
>> > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch 
>> > b/meta/recipes-
>> > devtools/binutils/binutils/CVE-2025-69649.patch
>> > new file mode 100644
>> > index 0000000000..4865ad6535
>> > --- /dev/null
>> > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69649.patch
>> > @@ -0,0 +1,36 @@
>> > +From 9d26af3871d5b8f8dd9c6b17987845e1f774eac4 Mon Sep 17 00:00:00 2001
>> > +From: Alan Modra <[email protected]>
>> > +Date: Mon, 8 Dec 2025 15:58:33 +1030
>> > +Subject: [PATCH] PR 33697, fuzzer segfault
>> > +
>> > +  PR 33697
>> > +  * readelf.c (process_relocs): Don't segfault on no sections.
>> > +
>> > +CVE: CVE-2025-69649
>> > +Upstream-Status: Backport
>> > [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d
>> > 7f66]
>> > +
>> > +Signed-off-by: Roland Kovacs <[email protected]>
>> > +---
>> > + binutils/readelf.c | 6 +++---
>> > + 1 file changed, 3 insertions(+), 3 deletions(-)
>> > +
>> > +diff --git a/binutils/readelf.c b/binutils/readelf.c
>> > +index 5e4ad6ea6ad..8c1987ffaec 100644
>> > +--- a/binutils/readelf.c
>> > ++++ b/binutils/readelf.c
>> > +@@ -8961,9 +8961,9 @@ process_relocs (Filedata * filedata)
>> > +       size_t i;
>> > +       bool found = false;
>> > + 
>> > +-      for (i = 0, section = filedata->section_headers;
>> > +-    i < filedata->file_header.e_shnum;
>> > +-    i++, section++)
>> > ++      section = filedata->section_headers;
>> > ++      if (section != NULL)
>> > ++ for (i = 0; i < filedata->file_header.e_shnum; i++, section++)
>> > +  {
>> > +    if (   section->sh_type != SHT_RELA
>> > +        && section->sh_type != SHT_REL
>> 
>> This backport is sensibly different from the upstream commit. Upstream
>> has a short for loop but your patch is at the start of a really long
>> one!
>> 
>> Can you justify why your backport is safe & correct?
>> 
>> Thanks!
>
> Yes, on 2.42 the formatted printing of relocations is in-line, while on 2.46 
> that code mostly has
> been moved into 'display_relocations()' as part of 
> 8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305.
> See:
> https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=binutils/readelf.c;h=fa0de3a7e0d9c2acc18fe047a7019e09f1ce3894;hp=c1006480b7bc3e83dd87fb20d215342375614af9;hb=8e8d0b63ff15896cc2c228c01f18dfcf2a4a9305;hpb=31c21e2c13d85793b525f74aa911eb28700ed89c

This is a good explanation, can you add it to the CVE-2025-69649 patch
with the line you added (ie the "CVE: ", "Upstream-status:", ... lines)?

Thanks!

>
> Cheers,
>       Roland


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240443): 
https://lists.openembedded.org/g/openembedded-core/message/240443
Mute This Topic: https://lists.openembedded.org/mt/120043719/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to