diff mbox series

[scarthgap,03/16] binutils: Fix CVE-2025-7545

Message ID 5c0c7058484fd8b1a82c2c810f7bccf016ea482b.1753392770.git.steve@sakoman.com
State Superseded
Delegated to: Steve Sakoman
Headers show
Series [scarthgap,01/16] libxml2: fix CVE-2025-49795 | expand

Commit Message

Steve Sakoman July 24, 2025, 9:35 p.m. UTC
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>

objcopy: Don't extend the output section size
Since the output section contents are copied from the input, don't
extend the output section size beyond the input section size.

Backport a patch from upstream to fix CVE-2025-7545
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]

Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  4 ++
 .../binutils/0023-CVE-2025-7545.patch         | 39 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch

Comments

Gyorgy Sarvari July 25, 2025, 5:10 a.m. UTC | #1
On 7/24/25 23:35, Steve Sakoman via lists.openembedded.org wrote:
> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> @@ -53,6 +53,10 @@ SRC_URI = "\
>       file://CVE-2025-1179.patch \
>       file://0022-CVE-2025-5245.patch \
>       file://0022-CVE-2025-5244.patch \
> +<<<<<<< HEAD
>       file://0023-CVE-2025-7546.patch \
> +=======
> +     file://0023-CVE-2025-7545.patch \
> +>>>>>>> binutils: Fix CVE-2025-7545
>  "

This looks like a merge conflict.
Steve Sakoman July 25, 2025, 1:05 p.m. UTC | #2
On Thu, Jul 24, 2025 at 10:10 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> On 7/24/25 23:35, Steve Sakoman via lists.openembedded.org wrote:
> > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> > @@ -53,6 +53,10 @@ SRC_URI = "\
> >       file://CVE-2025-1179.patch \
> >       file://0022-CVE-2025-5245.patch \
> >       file://0022-CVE-2025-5244.patch \
> > +<<<<<<< HEAD
> >       file://0023-CVE-2025-7546.patch \
> > +=======
> > +     file://0023-CVE-2025-7545.patch \
> > +>>>>>>> binutils: Fix CVE-2025-7545
> >  "
>
> This looks like a merge conflict.

Hmmm . . . I remember fixing that!

I'll send a V2 of the series.

Thanks so much for reviewing!

Steve
diff mbox series

Patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index a3ad655dbe..9aa3096b4f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -53,6 +53,10 @@  SRC_URI = "\
      file://CVE-2025-1179.patch \
      file://0022-CVE-2025-5245.patch \
      file://0022-CVE-2025-5244.patch \
+<<<<<<< HEAD
      file://0023-CVE-2025-7546.patch \
+=======
+     file://0023-CVE-2025-7545.patch \
+>>>>>>> binutils: Fix CVE-2025-7545
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
new file mode 100644
index 0000000000..de132f74fc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch
@@ -0,0 +1,39 @@ 
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 21 Jun 2025 06:36:56 +0800
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
+CVE: CVE-2025-7545
+
+Since the output section contents are copied from the input, don't
+extend the output section size beyond the input section size.
+
+	PR binutils/33049
+	* objcopy.c (copy_section): Don't extend the output section
+	size beyond the input section size.
+
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index a85d2620..18cd1bfd 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -4547,6 +4547,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	  char *to = (char *) memhunk;
+ 	  char *end = (char *) memhunk + size;
+ 	  int i;
++	  bfd_size_type memhunk_size = size;
+ 
+ 	  /* If the section address is not exactly divisible by the interleave,
+ 	     then we must bias the from address.  If the copy_byte is less than
+@@ -4566,6 +4567,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)
+ 	      }
+ 
+ 	  size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
++
++         /* Don't extend the output section size.  */
++         if (size > memhunk_size)
++           size = memhunk_size;
++	  
+ 	  osection->lma /= interleave;
+ 	  if (copy_byte < extra)
+ 	    osection->lma++;