From patchwork Wed Apr 22 13:03:39 2026
X-Patchwork-Submitter: Adarsh Jagadish Kamini
X-Patchwork-Id: 86642
From: "Adarsh Jagadish Kamini"
To: openembedded-core@lists.openembedded.org
CC: Adarsh Jagadish Kamini
Subject: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648
Date: Wed, 22 Apr 2026 15:03:39 +0200
Message-ID: <20260422130342.386379-1-adarsh.jagadish.kamini@est.tech>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235723

From: Adarsh Jagadish Kamini

Backport upstream fix for CVE-2025-69648 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

Signed-off-by: Adarsh Jagadish Kamini
--- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2025-69648.patch | 190 ++++++++++++++++++ 2 files changed, 191 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index a337a3e850..6c1f9dc870 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -72,5 +72,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69647.patch \ + file://CVE-2025-69648.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch new file mode 100644 index 0000000000..e04d7ed6c2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
@@ -0,0 +1,190 @@ +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 22 Nov 2025 09:22:10 +1030 +Subject: [PATCH] PR 33638, debug_rnglists output + +The fuzzed testcase in this PR continuously outputs an error about +the debug_rnglists header. Fixed by taking notice of the error and +stopping output. The patch also limits the length in all cases, not +just when a relocation is present, and limits the offset entry count +read from the header. I removed the warning and the test for relocs +because the code can't work reliably with unresolved relocs in the +length field. + + PR 33638 + * dwarf.c (display_debug_rnglists_list): Return bool. Rename + "inital_length" to plain "length". Verify length is large + enough to read header. Limit length to rest of section. + Similarly limit offset_entry_count. + (display_debug_ranges): Check display_debug_rnglists_unit_header + return status. Stop output on error. + +CVE: CVE-2025-69648 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33] + +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33) +Signed-off-by: Deepak Rathore +Signed-off-by: Adarsh Jagadish Kamini +--- + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 33 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index f4bcb677761..b4fb56351ec 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start, + return start; + } + +-static int ++static bool + display_debug_rnglists_unit_header (struct dwarf_section * section, + uint64_t * unit_offset, + unsigned char * poffset_size) +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + uint64_t start_offset = *unit_offset; + unsigned char * p = section->start + start_offset; + unsigned char * finish = 
section->start + section->size; +- uint64_t initial_length; ++ unsigned char * hdr; ++ uint64_t length; + unsigned char segment_selector_size; + unsigned int offset_entry_count; + unsigned int i; +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + unsigned char offset_size; + + /* Get and check the length of the block. */ +- SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish); ++ SAFE_BYTE_GET_AND_INC (length, p, 4, finish); + +- if (initial_length == 0xffffffff) ++ if (length == 0xffffffff) + { + /* This section is 64-bit DWARF 3. */ +- SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish); ++ SAFE_BYTE_GET_AND_INC (length, p, 8, finish); + *poffset_size = offset_size = 8; + } + else + *poffset_size = offset_size = 4; + +- if (initial_length > (size_t) (finish - p)) +- { +- /* If the length field has a relocation against it, then we should +- not complain if it is inaccurate (and probably negative). +- It is copied from .debug_line handling code. */ +- if (reloc_at (section, (p - section->start) - offset_size)) +- initial_length = finish - p; +- else +- { +- warn (_("The length field (%#" PRIx64 +- ") in the debug_rnglists header is wrong" +- " - the section is too small\n"), +- initial_length); +- return 0; +- } +- } +- +- /* Report the next unit offset to the caller. */ +- *unit_offset = (p - section->start) + initial_length; ++ if (length < 8) ++ return false; + + /* Get the other fields in the header. 
*/ ++ hdr = p; + SAFE_BYTE_GET_AND_INC (version, p, 2, finish); + SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish); + SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish); + SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish); + + printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset); +- printf (_(" Length: %#" PRIx64 "\n"), initial_length); ++ printf (_(" Length: %#" PRIx64 "\n"), length); + printf (_(" DWARF version: %u\n"), version); + printf (_(" Address size: %u\n"), address_size); + printf (_(" Segment size: %u\n"), segment_selector_size); + printf (_(" Offset entries: %u\n"), offset_entry_count); + ++ if (length > (size_t) (finish - hdr)) ++ length = finish - hdr; ++ ++ /* Report the next unit offset to the caller. */ ++ *unit_offset = (hdr - section->start) + length; ++ + /* Check the fields. */ + if (segment_selector_size != 0) + { + warn (_("The %s section contains " + "unsupported segment selector size: %d.\n"), + section->name, segment_selector_size); +- return 0; ++ return false; + } + + if (version < 5) + { + warn (_("Only DWARF version 5+ debug_rnglists info " + "is currently supported.\n")); +- return 0; ++ return false; + } + ++ uint64_t max_off_count = (length - 8) / offset_size; ++ if (offset_entry_count > max_off_count) ++ offset_entry_count = max_off_count; + if (offset_entry_count != 0) + { + printf (_("\n Offsets starting at %#tx:\n"), p - section->start); +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + } + } + +- return 1; ++ return true; + } + + static bool +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section, + uint64_t last_offset = 0; + uint64_t next_rnglists_cu_offset = 0; + unsigned char offset_size; ++ bool ok_header = true; + + if (bytes == 0) + { +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section, + /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s). 
*/ + if (is_rnglists && next_rnglists_cu_offset < offset) + { +- while (next_rnglists_cu_offset < offset) +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size); ++ while (ok_header && next_rnglists_cu_offset < offset) ++ ok_header = display_debug_rnglists_unit_header (section, ++ &next_rnglists_cu_offset, ++ &offset_size); ++ if (!ok_header) ++ break; + printf (_(" Offset Begin End\n")); + } + +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section, + } + + /* Display trailing empty (or unreferenced) compile units, if any. */ +- if (is_rnglists) ++ if (is_rnglists && ok_header) + while (next_rnglists_cu_offset < section->size) +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size); +- ++ if (!display_debug_rnglists_unit_header (section, ++ &next_rnglists_cu_offset, ++ &offset_size)) ++ break; + putchar ('\n'); + + free (range_entries); +-- +2.35.6 +
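Review bot: The ChangeLog text inside the embedded CVE-2025-69648.patch attributes the "Return bool" change to display_debug_rnglists_list, but the dwarf.c hunks change display_debug_rnglists_unit_header (the "-static int" / "+static bool" pair sits directly above that function's name), and the same entry spells the old variable "inital_length" where the code has initial_length. For a cherry-pick the upstream wording should stay verbatim, so no change is needed in the patch file itself, but anyone matching the ChangeLog against the code should look at the unit-header function. Separately, the embedded patch already carries a Signed-off-by from Deepak Rathore ahead of the submitter's, while the outer commit message says only "Backport upstream fix"; one sentence stating where this copy of the backport was taken from would make the provenance clear.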
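Review bot: In the display_debug_rnglists_unit_header hunk, the "if (length < 8) return false;" check runs before the clamp "if (length > (size_t) (finish - hdr)) length = finish - hdr;", so when fewer than 8 bytes remain after the length field the clamped value can drop below 8 and "(length - 8) / offset_size" wraps as uint64_t. In that case max_off_count becomes very large and the new cap on offset_entry_count has no effect. Whether this is reachable depends on what SAFE_BYTE_GET_AND_INC yields for offset_entry_count on a short read, which these lines do not show. As this is a verbatim backport the code should stay aligned with upstream, but it is worth confirming that behaviour, and if it is not guaranteed, raising upstream a second "length < 8" test after the clamp. Note also that the "Length:" printf comes before the clamp, so the displayed value is the raw header field rather than the length actually used.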
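Review bot: In the last display_debug_ranges hunk the trailing-units code is now an unbraced "if (is_rnglists && ok_header)" / "while" / "if (!display_debug_rnglists_unit_header (...)) break;" nest, and the blank line that separated it from "putchar ('\n');" was removed, so the putchar reads as if it belonged to the loop although it still runs unconditionally. Braces around the while body would make the extent of the break obvious; if the form matches the upstream commit, keep it as is for the backport. The earlier hunk's "if (!ok_header) break;" leaves the enclosing loop before the "Offset Begin End" heading is printed and still reaches putchar and free (range_entries), so the error path does not skip the cleanup shown here.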