From: Deepesh Varatharajan Date: Mon, 9 Jun 2025 04:48:49 +0000 (-0700) Subject: binutils: Fix CVE-2025-5244 & CVE-2025-5245 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7eb29f802b272dec19c5bfdce93155d99bac918d;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git binutils: Fix CVE-2025-5244 & CVE-2025-5245 PR32858 ld segfault on fuzzed object We missed one place where it is necessary to check for empty groups. PR32829, SEGV on objdump function debug_type_samep u.kenum is always non-NULL, see debug_make_enum_type. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5] && [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a] Signed-off-by: Deepesh Varatharajan Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 085ca2301e..f1c29015bc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -76,5 +76,7 @@ SRC_URI = "\ file://0039-CVE-2025-1178.patch \ file://0040-CVE-2025-1180.patch \ file://0040-CVE-2025-1182.patch \ + file://0041-CVE-2025-5244.patch \ + file://0042-CVE-2025-5245.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch b/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch new file mode 100644 index 0000000000..e8855a4b4b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch @@ -0,0 +1,25 @@ +From: Alan Modra +Date: Thu, 10 Apr 2025 19:41:49 +0930 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5] +CVE: CVE-2025-5244 + +PR32858 ld segfault on fuzzed object +We missed one place where it is necessary to check for empty groups. + +Signed-off-by: Deepesh Varatharajan + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index a76e8e38da7..549b7b7dd92 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14408,7 +14408,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info) + if (o->flags & SEC_GROUP) + { + asection *first = elf_next_in_group (o); +- o->gc_mark = first->gc_mark; ++ if (first != NULL) ++ o->gc_mark = first->gc_mark; + } + + if (o->gc_mark) diff --git a/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch b/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch new file mode 100644 index 0000000000..2de6abbe93 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch @@ -0,0 +1,38 @@ +From: Alan Modra +Date: Tue, 1 Apr 2025 22:36:54 +1030 + +PR32829, SEGV on objdump function debug_type_samep +u.kenum is always non-NULL, see debug_make_enum_type. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a] +CVE: CVE-2025-5245 + +Signed-off-by: Deepesh Varatharajan + +diff --git a/binutils/debug.c b/binutils/debug.c +index dcc8ccde..465b18e7 100644 +--- a/binutils/debug.c ++++ b/binutils/debug.c +@@ -2554,9 +2554,6 @@ debug_write_type (struct debug_handle *info, + case DEBUG_KIND_UNION_CLASS: + return debug_write_class_type (info, fns, fhandle, type, tag); + case DEBUG_KIND_ENUM: +- if (type->u.kenum == NULL) +- return (*fns->enum_type) (fhandle, tag, (const char **) NULL, +- (bfd_signed_vma *) NULL); + return (*fns->enum_type) (fhandle, tag, type->u.kenum->names, + type->u.kenum->values); + case DEBUG_KIND_POINTER: +@@ -3098,9 +3095,9 @@ debug_type_samep (struct debug_handle *info, struct debug_type_s *t1, + break; + + case DEBUG_KIND_ENUM: +- if (t1->u.kenum == NULL) +- ret = t2->u.kenum == NULL; +- else if (t2->u.kenum == NULL) ++ if (t1->u.kenum->names == NULL) ++ ret = t2->u.kenum->names == NULL; ++ else if (t2->u.kenum->names == NULL) + ret = false; + else + {