binutils: fix CVE-2025-11081

CVE: CVE-2025-11081

Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.

	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
	elf_section_type without first checking the file is ELF.

PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 9c82f65ecac3c34424ba06230c39e6c896b70bca..e419d829c2b6186e7b6e764bebec1e2a10bc2744 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -36,4 +36,5 @@ SRC_URI = "\
      file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+     file://0015-CVE-2025-11081.patch \
 "

diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
new file mode 100644 (file)
index 0000000..0e15a7d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
@@ -0,0 +1,51 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+       * objdump (dump_sframe_section, dump_dwarf_section): Don't access
+       elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4485,7 +4485,8 @@ dump_dwarf_section (bfd *abfd, asection *section,
+   else
+     match = name;
+ 
+-  if (elf_section_type (section) == SHT_GNU_SFRAME)
++  if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++      && elf_section_type (section) == SHT_GNU_SFRAME)
+     match = ".sframe";
+ 
+   for (i = 0; i < max; i++)
+@@ -4993,9 +4994,10 @@ dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
+        SHT_GNU_SFRAME.  For SFrame sections from Binutils 2.44 or earlier,
+        check explcitly for SFrame sections of type SHT_PROGBITS and name
+        ".sframe" to allow them.  */
+-      else if (elf_section_type (sec) != SHT_GNU_SFRAME
+-             && !(elf_section_type (sec) == SHT_PROGBITS
+-                  && strcmp (sect_name, ".sframe") == 0))
++      else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
++             || (elf_section_type (sec) != SHT_GNU_SFRAME
++                 && !(elf_section_type (sec) == SHT_PROGBITS
++                      && strcmp (sect_name, ".sframe") == 0)))
+       {
+         printf (_("Section %s does not contain SFrame data\n\n"),
+                 sanitize_string (sect_name));
+-- 
+2.43.7
+