From: Jaipaul Cheernam Date: Mon, 22 Jun 2026 13:01:15 +0000 (+0200) Subject: binutils: Fix CVE-2026-6846 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48a578533a584cc550f308490e9ff6443192c79c;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git binutils: Fix CVE-2026-6846 This patch applies the upstream fix as referenced in [2], using the commit shown in [1]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a089e0302382f4d4e077941156e1eaa68d01393 [2] https://security-tracker.debian.org/tracker/CVE-2026-6846 Tested with binutils-testsuite (bitbake binutils-testsuite -c check): binutils: PASSED: 327, FAILED: 0, SKIPPED: 5 gas: PASSED: 2091, FAILED: 0, SKIPPED: 4 ld: PASSED: 1899, FAILED: 0, SKIPPED: 129 Signed-off-by: Jaipaul Cheernam Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-devtools/binutils/binutils-2.46.inc b/meta/recipes-devtools/binutils/binutils-2.46.inc index 13d2a02108..cab270cea5 100644 --- a/meta/recipes-devtools/binutils/binutils-2.46.inc +++ b/meta/recipes-devtools/binutils/binutils-2.46.inc @@ -39,4 +39,5 @@ SRC_URI = "\ file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ file://CVE-2026-4647.patch \ + file://CVE-2026-6846.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch new file mode 100644 index 0000000000..e7d1c3aa00 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-6846.patch @@ -0,0 +1,59 @@ +From 7a089e0302382f4d4e077941156e1eaa68d01393 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Mon, 6 Apr 2026 22:58:22 +0930 +Subject: [PATCH] PR 34049 buffer overflow in xcoff_link_add_symbols + +The fact that coffcode.h:coff_set_alignment_hook for rs6000 removes +sections can result in target_index > section_count. Thus any array +indexed by target_index must not be sized by section_count. + + PR ld/34049 + * xcofflink.c (xcoff_link_add_symbols): Size reloc_info array + using max target_index. + +CVE: CVE-2026-6846 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=7a089e0302382f4d4e077941156e1eaa68d01393] + +Signed-off-by: Alan Modra +(cherry picked from commit 7a089e0302382f4d4e077941156e1eaa68d01393) +Signed-off-by: Jaipaul Cheernam +--- + bfd/xcofflink.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index 1781182fa6a..7f1c0df760f 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1335,6 +1335,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + } *reloc_info = NULL; + bfd_size_type amt; + unsigned short visibility; ++ unsigned int max_target_index; + + keep_syms = obj_coff_keep_syms (abfd); + +@@ -1398,7 +1399,19 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + order by VMA within a given section, so we handle this by + scanning along the relocs as we process the csects. We index + into reloc_info using the section target_index. */ +- amt = abfd->section_count + 1; ++ max_target_index = 0; ++ for (o = abfd->section_last; o != NULL; o = o->prev) ++ if (o->target_index != 0) ++ { ++ /* The last section added from the object file will have the ++ highest target_index. See coffgen.c coff_real_object_p and ++ make_a_section_from_file. Sections added by ++ xcoff_link_create_extra_sections will have a zero ++ target_index. */ ++ max_target_index = o->target_index; ++ break; ++ } ++ amt = max_target_index + 1; + amt *= sizeof (struct reloc_info_struct); + reloc_info = bfd_zmalloc (amt); + if (reloc_info == NULL) +-- +2.43.7 +