
[whinlatter] Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output .eh_frame section is non-empty.

Message ID 20251216074835.1317924-1-Deepesh.Varatharajan@windriver.com
State New
Series [whinlatter] Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output .eh_frame section is non-empty. | expand

Commit Message

Deepesh Varatharajan Dec. 16, 2025, 7:48 a.m. UTC
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>

Backport a patch from upstream to fix CVE-2025-11494
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]

Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
---
 .../binutils/binutils-2.45.inc                |  1 +
 .../binutils/0018-CVE-2025-11494.patch        | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch

Comments

Deepesh Varatharajan Dec. 16, 2025, 7:54 a.m. UTC | #1
Missed commit title. v2 incoming

On 16-12-2025 13:18, Deepesh.Varatharajan@windriver.com wrote:
> From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
>
> Backport a patch from upstream to fix CVE-2025-11494
> Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
>
> Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> ---
>   .../binutils/binutils-2.45.inc                |  1 +
>   .../binutils/0018-CVE-2025-11494.patch        | 43 +++++++++++++++++++
>   2 files changed, 44 insertions(+)
>   create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> index 288475ac39..58964a6cfb 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> @@ -43,4 +43,5 @@ SRC_URI = "\
>        file://CVE-2025-11412.patch \
>        file://CVE-2025-11413.patch \
>        file://CVE-2025-11495.patch \
> +     file://0018-CVE-2025-11494.patch \
>   "
> diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch
> new file mode 100644
> index 0000000000..dc4b413658
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch
> @@ -0,0 +1,43 @@
> +From: "H.J. Lu" <hjl.tools@gmail.com>
> +Date: Tue, 30 Sep 2025 08:13:56 +0800
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
> +CVE: CVE-2025-11494
> +
> +Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
> +_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
> +.eh_frame section is non-empty.
> +
> +	PR ld/33499
> +	* elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
> +	_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
> +	output .eh_frame section is non-empty.
> +
> +Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> +
> +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
> +index c054f7cd..ddc15945 100644
> +--- a/bfd/elfxx-x86.c
> ++++ b/bfd/elfxx-x86.c
> +@@ -2447,6 +2447,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
> +
> +   if (htab->elf.sgotplt)
> +     {
> ++      asection *eh_frame;
> ++
> +       /* Don't allocate .got.plt section if there are no GOT nor PLT
> + 	 entries and there is no reference to _GLOBAL_OFFSET_TABLE_.  */
> +       if ((htab->elf.hgot == NULL
> +@@ -2459,7 +2461,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
> + 	  && (htab->elf.iplt == NULL
> + 	      || htab->elf.iplt->size == 0)
> + 	  && (htab->elf.igotplt == NULL
> +-	      || htab->elf.igotplt->size == 0))
> ++             || htab->elf.igotplt->size == 0)
> ++         && (!htab->elf.dynamic_sections_created
> ++             || (eh_frame = bfd_get_section_by_name (output_bfd,
> ++                                                     ".eh_frame")) == NULL
> ++             || eh_frame->rawsize == 0))
> + 	{
> + 	  htab->elf.sgotplt->size = 0;
> + 	  /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it

Patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 288475ac39..58964a6cfb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -43,4 +43,5 @@  SRC_URI = "\
      file://CVE-2025-11412.patch \
      file://CVE-2025-11413.patch \
      file://CVE-2025-11495.patch \
+     file://0018-CVE-2025-11494.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch
new file mode 100644
index 0000000000..dc4b413658
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2025-11494.patch
@@ -0,0 +1,43 @@ 
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:13:56 +0800
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
+CVE: CVE-2025-11494
+
+Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
+_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
+.eh_frame section is non-empty.
+
+	PR ld/33499
+	* elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
+	_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
+	output .eh_frame section is non-empty.
+
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index c054f7cd..ddc15945 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -2447,6 +2447,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ 
+   if (htab->elf.sgotplt)
+     {
++      asection *eh_frame;
++
+       /* Don't allocate .got.plt section if there are no GOT nor PLT
+ 	 entries and there is no reference to _GLOBAL_OFFSET_TABLE_.  */
+       if ((htab->elf.hgot == NULL
+@@ -2459,7 +2461,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ 	  && (htab->elf.iplt == NULL
+ 	      || htab->elf.iplt->size == 0)
+ 	  && (htab->elf.igotplt == NULL
+-	      || htab->elf.igotplt->size == 0))
++             || htab->elf.igotplt->size == 0)
++         && (!htab->elf.dynamic_sections_created
++             || (eh_frame = bfd_get_section_by_name (output_bfd,
++                                                     ".eh_frame")) == NULL
++             || eh_frame->rawsize == 0))
+ 	{
+ 	  htab->elf.sgotplt->size = 0;
+ 	  /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
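Review bot: The five added condition lines, from `|| htab->elf.igotplt->size == 0)` to `|| eh_frame->rawsize == 0))`, are indented with spaces only, while the removed line and the surrounding context use a tab plus spaces (as rendered here). That suggests they were re-typed rather than taken verbatim, so for a CVE backport they should be diffed against the commit cited in Upstream-Status and re-indented to match, e.g. a tab and six spaces before `|| htab->elf.igotplt->size == 0)`. The description speaks of a non-empty output .eh_frame but the test reads `eh_frame->rawsize`, and the comment above the `if` still mentions only GOT/PLT entries and the symbol reference; a sentence in the patch header explaining the choice of `rawsize` would help whoever next rebases this. `_bfd_x86_elf_late_size_sections` starts and ends outside the embedded hunks, so any later use of `eh_frame` is not visible here.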