| Message ID | 20250522121710.3923755-1-Harish.Sadineni@windriver.com |
|---|---|
| State | Accepted, archived |
| Commit | f2681cfb09f1079543dd58cf788f67d65d26e21d |
| Series | binutils: Fix CVE-2025-1180 | expand |
On 5/22/25 5:17 AM, Sadineni, Harish via lists.openembedded.org wrote: > From: Harish Sadineni <Harish.Sadineni@windriver.com> > > Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html] > CVE: CVE-2025-1180 > > cherry picked from upstream commit: > https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814 > > Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com> > --- > .../binutils/binutils-2.44.inc | 1 + > .../binutils/binutils/CVE-2025-1180.patch | 165 ++++++++++++++++++ > 2 files changed, 166 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc > index 6bc65a0fea..256d408018 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.44.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc > @@ -35,5 +35,6 @@ SRC_URI = "\ > file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \ > file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ > file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ > + file://CVE-2025-1180.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch > new file mode 100644 > index 0000000000..073361cf19 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch 
> @@ -0,0 +1,165 @@ > +From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001 > +From: Nick Clifton <nickc@redhat.com> > +Date: Thu, 22 May 2025 01:56:17 -0700 > +Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180) > + > +Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access) > +in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with > + --gc-sections --gc-keep-exported option) > + > +https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with > +PR32642 which will get fixed with commit from PR 32636. > + > +(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814) > +Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html] > +CVE: CVE-2025-1180 > + Looks ok to me. Have we run binutils tests with this patch applied ? I would recommend we do that, and I would also wait for backport response upstream meanwhile. > +Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com> > +--- > + bfd/elflink.c | 88 +++++++++++++++++++++++++-------------------------- > + 1 file changed, 44 insertions(+), 44 deletions(-) > + > +diff --git a/bfd/elflink.c b/bfd/elflink.c > +index 6346d7e2b4b..d765b688801 100644 > +--- a/bfd/elflink.c > ++++ b/bfd/elflink.c > +@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info) > + return true; > + } > + > +-asection * > +-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie, > +- unsigned long r_symndx, > +- bool discard) > ++static struct elf_link_hash_entry * > ++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx) > + { > +- if (r_symndx >= cookie->locsymcount > +- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL) > +- { > +- struct elf_link_hash_entry *h; > ++ struct elf_link_hash_entry *h = NULL; > + > ++ if ((r_symndx >= cookie->locsymcount > ++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL) > ++ /* Guard against corrupt input. 
See PR 32636 for an example. */ > ++ && r_symndx >= cookie->extsymoff) > ++ { > + h = cookie->sym_hashes[r_symndx - cookie->extsymoff]; > + > + while (h->root.type == bfd_link_hash_indirect > + || h->root.type == bfd_link_hash_warning) > + h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ } > ++ > ++ return h; > ++} > + > ++asection * > ++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie, > ++ unsigned long r_symndx, > ++ bool discard) > ++{ > ++ struct elf_link_hash_entry *h; > ++ > ++ h = get_ext_sym_hash (cookie, r_symndx); > ++ > ++ if (h != NULL) > ++ { > + if ((h->root.type == bfd_link_hash_defined > + || h->root.type == bfd_link_hash_defweak) > + && discarded_section (h->root.u.def.section)) > +@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie, > + else > + return NULL; > + } > +- else > +- { > +- /* It's not a relocation against a global symbol, > +- but it could be a relocation against a local > +- symbol for a discarded section. */ > +- asection *isec; > +- Elf_Internal_Sym *isym; > + > +- /* Need to: get the symbol; get the section. */ > +- isym = &cookie->locsyms[r_symndx]; > +- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx); > +- if (isec != NULL > +- && discard ? discarded_section (isec) : 1) > +- return isec; > +- } > ++ /* It's not a relocation against a global symbol, > ++ but it could be a relocation against a local > ++ symbol for a discarded section. */ > ++ asection *isec; > ++ Elf_Internal_Sym *isym; > ++ > ++ /* Need to: get the symbol; get the section. */ > ++ isym = &cookie->locsyms[r_symndx]; > ++ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx); > ++ if (isec != NULL > ++ && discard ? 
discarded_section (isec) : 1) > ++ return isec; > ++ > + return NULL; > + } > + > +@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec, > + if (r_symndx == STN_UNDEF) > + return NULL; > + > +- if (r_symndx >= cookie->locsymcount > +- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL) > ++ h = get_ext_sym_hash (cookie, r_symndx); > ++ > ++ if (h != NULL) > + { > + bool was_marked; > + > +- h = cookie->sym_hashes[r_symndx - cookie->extsymoff]; > +- if (h == NULL) > +- { > +- info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"), > +- sec->owner); > +- return NULL; > +- } > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > +- > + was_marked = h->mark; > + h->mark = 1; > + /* Keep all aliases of the symbol too. If an object symbol > +@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie) > + if (r_symndx == STN_UNDEF) > + return true; > + > +- if (r_symndx >= rcookie->locsymcount > +- || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL) > +- { > +- struct elf_link_hash_entry *h; > +- > +- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff]; > ++ struct elf_link_hash_entry *h; > + > +- while (h->root.type == bfd_link_hash_indirect > +- || h->root.type == bfd_link_hash_warning) > +- h = (struct elf_link_hash_entry *) h->root.u.i.link; > ++ h = get_ext_sym_hash (rcookie, r_symndx); > + > ++ if (h != NULL) > ++ { > + if ((h->root.type == bfd_link_hash_defined > + || h->root.type == bfd_link_hash_defweak) > + && (h->root.u.def.section->owner != rcookie->abfd > +@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie) > + || discarded_section (isec))) > + return true; > + } > ++ > + return false; > + } > + return false; > +-- > +2.49.0 > + > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. 
Test result summary for binutils before and after applying the patch: Component Metric Without Patch With Patch Change *binutils* Expected passes 310 310 — Unexpected failures 1 1 — Untested testcases 1 1 — Unsupported tests 9 9 — *gas* Expected passes 2017 2017 — Unexpected failures 4 4 — Unsupported tests 1 1 — *ld* Expected passes 1787 1787 — Expected failures 7 7 — Unresolved testcases 1 1 — Untested testcases 20 20 — Unsupported tests 99 99 — There are no regressions in the test results. Thanks, Harish
Thanks for the update On Fri, May 23, 2025 at 12:23 AM Sadineni, Harish via lists.openembedded.org <Harish.Sadineni=windriver.com@lists.openembedded.org> wrote: > Test result summary for binutils with before and after applying the patch: > > Component Metric Without Patch With Patch Change > *binutils* Expected passes 310 310 — > Unexpected failures 1 1 — > Untested testcases 1 1 — > Unsupported tests 9 9 — > *gas* Expected passes 2017 2017 — > Unexpected failures 4 4 — > Unsupported tests 1 1 — > *ld* Expected passes 1787 1787 — > Expected failures 7 7 — > Unresolved testcases 1 1 — > Untested testcases 20 20 — > Unsupported tests 99 99 — > > There is no regressions in test results. > > Thanks, > Harish > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#217178): > https://lists.openembedded.org/g/openembedded-core/message/217178 > Mute This Topic: https://lists.openembedded.org/mt/113245812/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
index 6bc65a0fea..256d408018 100644
--- a/meta/recipes-devtools/binutils/binutils-2.44.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
 file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
 file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
 file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+ file://CVE-2025-1180.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
new file mode 100644
index 0000000000..073361cf19
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
@@ -0,0 +1,165 @@
+From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 22 May 2025 01:56:17 -0700
+Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180)
+
+Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access)
+in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with
+ --gc-sections --gc-keep-exported option)
+
+https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with
+PR32642 which will get fixed with commit from PR 32636.
+
+(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)
+Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
+CVE: CVE-2025-1180
+
+Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
+---
+ bfd/elflink.c | 88 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 6346d7e2b4b..d765b688801 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
+ return true;
+ }
+
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+- unsigned long r_symndx,
+- bool discard)
++static struct elf_link_hash_entry *
++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
++ struct elf_link_hash_entry *h = NULL;
+
++ if ((r_symndx >= cookie->locsymcount
++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ /* Guard against corrupt input. See PR 32636 for an example. */
++ && r_symndx >= cookie->extsymoff)
++ {
+ h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+
+ while (h->root.type == bfd_link_hash_indirect
+ || h->root.type == bfd_link_hash_warning)
+ h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ }
++
++ return h;
++}
+
++asection *
++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
++ unsigned long r_symndx,
++ bool discard)
++{
++ struct elf_link_hash_entry *h;
++
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && discarded_section (h->root.u.def.section))
+@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+ else
+ return NULL;
+ }
+- else
+- {
+- /* It's not a relocation against a global symbol,
+- but it could be a relocation against a local
+- symbol for a discarded section. */
+- asection *isec;
+- Elf_Internal_Sym *isym;
+
+- /* Need to: get the symbol; get the section. */
+- isym = &cookie->locsyms[r_symndx];
+- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+- if (isec != NULL
+- && discard ? discarded_section (isec) : 1)
+- return isec;
+- }
++ /* It's not a relocation against a global symbol,
++ but it could be a relocation against a local
++ symbol for a discarded section. */
++ asection *isec;
++ Elf_Internal_Sym *isym;
++
++ /* Need to: get the symbol; get the section. */
++ isym = &cookie->locsyms[r_symndx];
++ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
++ if (isec != NULL
++ && discard ? discarded_section (isec) : 1)
++ return isec;
++
+ return NULL;
+ }
+
+@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
+ if (r_symndx == STN_UNDEF)
+ return NULL;
+
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
+ {
+ bool was_marked;
+
+- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+- if (h == NULL)
+- {
+- info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"),
+- sec->owner);
+- return NULL;
+- }
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+ was_marked = h->mark;
+ h->mark = 1;
+ /* Keep all aliases of the symbol too. If an object symbol
+@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ if (r_symndx == STN_UNDEF)
+ return true;
+
+- if (r_symndx >= rcookie->locsymcount
+- || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
+-
+- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
++ struct elf_link_hash_entry *h;
+
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ h = get_ext_sym_hash (rcookie, r_symndx);
+
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && (h->root.u.def.section->owner != rcookie->abfd
+@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ || discarded_section (isec)))
+ return true;
+ }
++
+ return false;
+ }
+ return false;
+--
+2.49.0
+
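Review bot: In `get_ext_sym_hash` (first bfd/elflink.c hunk) the entry read from `cookie->sym_hashes[r_symndx - cookie->extsymoff]` is dereferenced by the `while (h->root.type ...)` loop with no NULL test, while the `_bfd_elf_gc_mark_rsec` hunk deletes the only `if (h == NULL)` corrupt-input check the old code had. The added `r_symndx >= cookie->extsymoff` guard prevents the index from wrapping below zero but does not cover an empty slot, so a malformed object may still cause a NULL read in the helper that all three callers now share. I would add `if (h == NULL) return NULL;` between the assignment and the loop, or keep the `corrupt input` diagnostic in the caller. Which is right depends on how each caller treats a NULL return, and `_bfd_elf_gc_mark_rsec` and `bfd_elf_reloc_symbol_deleted_p` both continue outside the hunks shown. No upper bound on the `sym_hashes` index is visible here either, so it is worth confirming that is enforced elsewhere.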