[kirkstone,2/4] binutils: fix CVE-2025-8225

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE: CVE-2025-8225

It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.

* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.38.inc                |  1 +
 .../binutils/0047-CVE-2025-8225.patch         | 47 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch

this looks ok.

On Tue, Oct 28, 2025 at 7:54 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> From: Yash Shinde <Yash.Shinde@windriver.com>
>
> CVE: CVE-2025-8225
>
> It is possible with fuzzed files to have num_debug_info_entries zero
> after allocating space for debug_information, leading to multiple
> allocations.
>
> * dwarf.c (process_debug_info): Don't test num_debug_info_entries
> to determine whether debug_information has been allocated,
> test alloc_num_debug_info_entries.
>
> Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
>
> Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../binutils/binutils-2.38.inc                |  1 +
>  .../binutils/0047-CVE-2025-8225.patch         | 47 +++++++++++++++++++
>  2 files changed, 48 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
> index 2444a304be..ade69881a1 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.38.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
> @@ -83,5 +83,6 @@ SRC_URI = "\
>       file://0044-CVE-2025-11082.patch \
>       file://0045-CVE-2025-11083.patch \
>       file://0046-CVE-2025-11081.patch \
> +     file://0047-CVE-2025-8225.patch \
>  "
>  S  = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
> new file mode 100644
> index 0000000000..410ba64143
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
> @@ -0,0 +1,47 @@
> +From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 19 Feb 2025 22:45:29 +1030
> +Subject: [PATCH] binutils/dwarf.c debug_information leak
> +
> +It is possible with fuzzed files to have num_debug_info_entries zero
> +after allocating space for debug_information, leading to multiple
> +allocations.
> +
> +       * dwarf.c (process_debug_info): Don't test num_debug_info_entries
> +       to determine whether debug_information has been allocated,
> +       test alloc_num_debug_info_entries.
> +---
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
> +CVE: CVE-2025-8225
> +
> + binutils/dwarf.c | 8 +++-----
> + 1 file changed, 3 insertions(+), 5 deletions(-)
> +
> +Signed-off-by: Alan Modra <amodra@gmail.com>
> +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index 8e004cea839..bfbf83ec9f4 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section,
> +     }
> +
> +   if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
> +-      && num_debug_info_entries == 0
> +-      && ! do_types)
> ++      && alloc_num_debug_info_entries == 0
> ++      && !do_types)
> +     {
> +-
> +       /* Then allocate an array to hold the information.  */
> +-      debug_information = (debug_info *) cmalloc (num_units,
> +-                                                sizeof (* debug_information));
> ++      debug_information = cmalloc (num_units, sizeof (*debug_information));
> +       if (debug_information == NULL)
> +       {
> +         error (_("Not enough memory for a debug info array of %u entries\n"),
> +--
> +2.43.7
> +
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#225424): https://lists.openembedded.org/g/openembedded-core/message/225424
> Mute This Topic: https://lists.openembedded.org/mt/116006916/1997914
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>