| Message ID | 20250724103153.532074-1-Deepesh.Varatharajan@windriver.com |
|---|---|
| State | Under Review |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap] binutils: Fix CVE-2025-7545 | expand |
On 7/24/25 12:31, Varatharajan, Deepesh via lists.openembedded.org wrote: > From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > > objcopy: Don't extend the output section size > Since the output section contents are copied from the input, don't > extend the output section size beyond the input section size. > > Backport a patch from upstream to fix CVE-2025-7545 > Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] > > Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > --- > .../binutils/binutils-2.42.inc | 1 + > .../binutils/0023-CVE-2025-7545.patch | 39 +++++++++++++++++++ > 2 files changed, 40 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 9471e6accd..c2685948f7 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -53,5 +53,6 @@ SRC_URI = "\ > file://CVE-2025-1179.patch \ > file://0022-CVE-2025-5245.patch \ > file://0022-CVE-2025-5244.patch \ > + file://0023-CVE-2025-7545.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > new file mode 100644 > index 0000000000..de132f74fc > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > @@ -0,0 +1,39 @@ > +From: "H.J. Lu" <hjl.tools@gmail.com> > +Date: Sat, 21 Jun 2025 06:36:56 +0800 > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] It's a very small thing, but it caused me quite some head scratching while reviewing this. When I visit this link, it leads me to a completely different commit, which I didn't really understand. After a few minutes of intense staring, I noticed the problem (good link over the bad one): https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944 https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944 A "=" is missing from the patch's link. (But otherwise the patch itself looks OK) > +CVE: CVE-2025-7545 > + > +Since the output section contents are copied from the input, don't > +extend the output section size beyond the input section size. > + > + PR binutils/33049 > + * objcopy.c (copy_section): Don't extend the output section > + size beyond the input section size. > + > +Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > + > +diff --git a/binutils/objcopy.c b/binutils/objcopy.c > +index a85d2620..18cd1bfd 100644 > +--- a/binutils/objcopy.c > ++++ b/binutils/objcopy.c > +@@ -4547,6 +4547,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) > + char *to = (char *) memhunk; > + char *end = (char *) memhunk + size; > + int i; > ++ bfd_size_type memhunk_size = size; > + > + /* If the section address is not exactly divisible by the interleave, > + then we must bias the from address. If the copy_byte is less than > +@@ -4566,6 +4567,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) > + } > + > + size = (size + interleave - 1 - copy_byte) / interleave * copy_width; > ++ > ++ /* Don't extend the output section size. */ > ++ if (size > memhunk_size) > ++ size = memhunk_size; > ++ > + osection->lma /= interleave; > + if (copy_byte < extra) > + osection->lma++; > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#220833): https://lists.openembedded.org/g/openembedded-core/message/220833 > Mute This Topic: https://lists.openembedded.org/mt/114318691/6084445 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Thu, Jul 24, 2025 at 3:32 AM Varatharajan, Deepesh via lists.openembedded.org <deepesh.varatharajan=windriver.com@lists.openembedded.org> wrote: > > From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > > objcopy: Don't extend the output section size > Since the output section contents are copied from the input, don't > extend the output section size beyond the input section size. > > Backport a patch from upstream to fix CVE-2025-7545 > Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] > Looks good. > Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > --- > .../binutils/binutils-2.42.inc | 1 + > .../binutils/0023-CVE-2025-7545.patch | 39 +++++++++++++++++++ > 2 files changed, 40 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 9471e6accd..c2685948f7 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -53,5 +53,6 @@ SRC_URI = "\ > file://CVE-2025-1179.patch \ > file://0022-CVE-2025-5245.patch \ > file://0022-CVE-2025-5244.patch \ > + file://0023-CVE-2025-7545.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > new file mode 100644 > index 0000000000..de132f74fc > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch > @@ -0,0 +1,39 @@ > +From: "H.J. Lu" <hjl.tools@gmail.com> > +Date: Sat, 21 Jun 2025 06:36:56 +0800 > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] > +CVE: CVE-2025-7545 > + > +Since the output section contents are copied from the input, don't > +extend the output section size beyond the input section size. > + > + PR binutils/33049 > + * objcopy.c (copy_section): Don't extend the output section > + size beyond the input section size. > + > +Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> > + > +diff --git a/binutils/objcopy.c b/binutils/objcopy.c > +index a85d2620..18cd1bfd 100644 > +--- a/binutils/objcopy.c > ++++ b/binutils/objcopy.c > +@@ -4547,6 +4547,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) > + char *to = (char *) memhunk; > + char *end = (char *) memhunk + size; > + int i; > ++ bfd_size_type memhunk_size = size; > + > + /* If the section address is not exactly divisible by the interleave, > + then we must bias the from address. If the copy_byte is less than > +@@ -4566,6 +4567,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) > + } > + > + size = (size + interleave - 1 - copy_byte) / interleave * copy_width; > ++ > ++ /* Don't extend the output section size. */ > ++ if (size > memhunk_size) > ++ size = memhunk_size; > ++ > + osection->lma /= interleave; > + if (copy_byte < extra) > + osection->lma++; > -- > 2.49.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#220833): https://lists.openembedded.org/g/openembedded-core/message/220833 > Mute This Topic: https://lists.openembedded.org/mt/114318691/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 9471e6accd..c2685948f7 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -53,5 +53,6 @@ SRC_URI = "\ file://CVE-2025-1179.patch \ file://0022-CVE-2025-5245.patch \ file://0022-CVE-2025-5244.patch \ + file://0023-CVE-2025-7545.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch new file mode 100644 index 0000000000..de132f74fc --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2025-7545.patch @@ -0,0 +1,39 @@ +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Sat, 21 Jun 2025 06:36:56 +0800 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944] +CVE: CVE-2025-7545 + +Since the output section contents are copied from the input, don't +extend the output section size beyond the input section size. + + PR binutils/33049 + * objcopy.c (copy_section): Don't extend the output section + size beyond the input section size. + +Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> + +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index a85d2620..18cd1bfd 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -4547,6 +4547,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) + char *to = (char *) memhunk; + char *end = (char *) memhunk + size; + int i; ++ bfd_size_type memhunk_size = size; + + /* If the section address is not exactly divisible by the interleave, + then we must bias the from address. If the copy_byte is less than +@@ -4566,6 +4567,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) + } + + size = (size + interleave - 1 - copy_byte) / interleave * copy_width; ++ ++ /* Don't extend the output section size. */ ++ if (size > memhunk_size) ++ size = memhunk_size; ++ + osection->lma /= interleave; + if (copy_byte < extra) + osection->lma++;