From patchwork Wed Aug 13 12:10:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6199ECA0EE5 for ; Wed, 13 Aug 2025 12:11:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.99180.1755087076707315381 for ; Wed, 13 Aug 2025 05:11:16 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DAuhoj3348346 for ; Wed, 13 Aug 2025 12:11:15 GMT Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48fv001tk1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 12:11:15 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:12 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:10 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 1/6] elfutils: Fix CVE-2025-1352 Date: Wed, 13 Aug 2025 17:40:57 +0530 Message-ID: <20250813121102.779009-1-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=JKQ7s9Kb c=1 sm=1 tr=0 ts=689c80e3 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=20KFwNOVAAAA:8 a=IArezhZYhTUGa1GMXZEA:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-ORIG-GUID: KA5v_H29LELWC4S7NHeAj17ceSU67ZPY X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfX3Q2aQ0L/XPue WzHsAu97uW1cMaCmYSVHfjGzNT6Vx9MoTpoJ6b+59hZYhT+jhHKzFP2eLtrNFArTchfbwW3wLI+ MGnjd21x4gMlwr/OTBeWjHSLP1rNYqYNLdS0o1snDa+Yz30CisVUG4ksMYKoEonyMjpNJFE6A8r FfypkrRyqoxHy9YQ/Sn0YtaeW60rE0VuWI/u+40aEdxs1rzxe9I5F4Tf7Vqi38LjYaiZhjKK06n YXh0qn7O1B43CUtkrpREmq+cCm5kQE3g0S1XkUb7oDYmj5KY7JISwbr33RXX6hNUw4GASoFkC+B vpOphkMBLbvzEt5NeQ9O7CHijhup3p6WGOHzj9QsGpLzxqmQl34jqjckhvc9ls= X-Proofpoint-GUID: KA5v_H29LELWC4S7NHeAj17ceSU67ZPY X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 malwarescore=0 clxscore=1015 suspectscore=0 phishscore=0 priorityscore=1501 spamscore=0 impostorscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221807 From: Soumya Sambu A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1352 https://ubuntu.com/security/CVE-2025-1352 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1352.patch | 154 ++++++++++++++++++ 2 files changed, 155 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 7bf9865555..829d9bf94f 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -22,6 +22,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \ file://0001-config-eu.am-do-not-force-Werror.patch \ file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \ + file://CVE-2025-1352.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch new file mode 100644 index 0000000000..b5e8dff980 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1352.patch @@ -0,0 +1,154 @@ +From 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sat, 8 Feb 2025 20:00:12 +0100 +Subject: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev + issue + +__libdw_getabbrev could crash on reading a bad abbrev by trying to +deallocate memory it didn't allocate itself. This could happen because +dwarf_offabbrev would supply its own memory when calling +__libdw_getabbrev. No other caller did this. + +Simplify the __libdw_getabbrev common code by not taking external +memory to put the abbrev result in (this would also not work correctly +if the abbrev was already cached). And make dwarf_offabbrev explicitly +copy the result (if there was no error or end of abbrev). + + * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take + Dwarf_Abbrev result argument. Always just allocate abb when + abbrev not found in cache. + (dwarf_getabbrev): Don't pass NULL as last argument to + __libdw_getabbrev. + * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise. + * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy + abbrev into abbrevp on success. + * libdw/libdw.h (dwarf_offabbrev): Document return values. + * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev + result argument. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32650 + +CVE: CVE-2025-1352 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + libdw/dwarf_getabbrev.c | 12 ++++-------- + libdw/dwarf_offabbrev.c | 10 +++++++--- + libdw/dwarf_tag.c | 3 +-- + libdw/libdw.h | 4 +++- + libdw/libdwP.h | 3 +-- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c +index 5b02333..d9a6c02 100644 +--- a/libdw/dwarf_getabbrev.c ++++ b/libdw/dwarf_getabbrev.c +@@ -1,5 +1,6 @@ + /* Get abbreviation at given offset. + Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Written by Ulrich Drepper , 2003. + +@@ -38,7 +39,7 @@ + Dwarf_Abbrev * + internal_function + __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, +- size_t *lengthp, Dwarf_Abbrev *result) ++ size_t *lengthp) + { + /* Don't fail if there is not .debug_abbrev section. */ + if (dbg->sectiondata[IDX_debug_abbrev] == NULL) +@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, + Dwarf_Abbrev *abb = NULL; + if (cu == NULL + || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL) +- { +- if (result == NULL) +- abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); +- else +- abb = result; +- } ++ abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); + else + { + foundit = true; +@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp) + return NULL; + } + +- return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL); ++ return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp); + } +diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c +index 27cdad6..41df69b 100644 +--- a/libdw/dwarf_offabbrev.c ++++ b/libdw/dwarf_offabbrev.c +@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + if (dbg == NULL) + return -1; + +- Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp, +- abbrevp); ++ Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp); + + if (abbrev == NULL) + return -1; + +- return abbrev == DWARF_END_ABBREV ? 1 : 0; ++ if (abbrev == DWARF_END_ABBREV) ++ return 1; ++ ++ *abbrevp = *abbrev; ++ ++ return 0; + } +diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c +index d784970..218382a 100644 +--- a/libdw/dwarf_tag.c ++++ b/libdw/dwarf_tag.c +@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code) + + /* Find the next entry. It gets automatically added to the + hash table. */ +- abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length, +- NULL); ++ abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length); + if (abb == NULL || abb == DWARF_END_ABBREV) + { + /* Make sure we do not try to search for it again. */ +diff --git a/libdw/libdw.h b/libdw/libdw.h +index d53dc78..ec4713a 100644 +--- a/libdw/libdw.h ++++ b/libdw/libdw.h +@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die); + extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, + size_t *lengthp); + +-/* Get abbreviation at given offset in .debug_abbrev section. */ ++/* Get abbreviation at given offset in .debug_abbrev section. On ++ success return zero and fills in ABBREVP. When there is no (more) ++ abbrev at offset returns one. On error returns a negative value. */ + extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + Dwarf_Abbrev *abbrevp) + __nonnull_attribute__ (4); +diff --git a/libdw/libdwP.h b/libdw/libdwP.h +index d6bab60..0cff5c2 100644 +--- a/libdw/libdwP.h ++++ b/libdw/libdwP.h +@@ -795,8 +795,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu, + + /* Get abbreviation at given offset. */ + extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, +- Dwarf_Off offset, size_t *lengthp, +- Dwarf_Abbrev *result) ++ Dwarf_Off offset, size_t *lengthp) + __nonnull_attribute__ (1) internal_function; + + /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory +-- +2.43.2 + From patchwork Wed Aug 13 12:10:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68450 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5BB2AC87FCF for ; Wed, 13 Aug 2025 12:11:21 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.99648.1755087077870902308 for ; Wed, 13 Aug 2025 05:11:17 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DAthZS3792344 for ; Wed, 13 Aug 2025 05:11:17 -0700 Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48fvk21q3k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 05:11:17 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:14 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:12 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 2/6] elfutils: Fix CVE-2025-1365 Date: Wed, 13 Aug 2025 17:40:58 +0530 Message-ID: <20250813121102.779009-2-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfXyQ6hBEWLkFQL 3t+kl9JFOZ+5YmBwQRHlKHC2Gxe0P8GS5zd1dC/eG0NWciVOnuywpxJlILfj2PIty0BlfFeMZiS ACei2c/3Gvyr0WkIIIJ3oNL0Qv0POAKeXi2np6trGaD7V5DLbdu4eNt1/oNsMit1eyE3LJV/Alo lp4Q4m2f12yzDkqCsHov/kt7ushx9A/V0H0mARwKkVRhll5wltJwz3uMPqCtB+q5fvmJBxnCuHP nKtY6tGDkDf+7HGxOmN99amI6TLxa31MNDf9ybcwe7eejsJ64gLETeCD115heCVJ9oiooHg+P1c uqGKJ7BZKjdlXpQONIEasjjbAINtT/YaizHkJUuW93asnHE/zL2gbvPjZ5AOFc= X-Proofpoint-ORIG-GUID: 1NBUrXfYMCkBTPQubuB-az0YKBmtu649 X-Proofpoint-GUID: 1NBUrXfYMCkBTPQubuB-az0YKBmtu649 X-Authority-Analysis: v=2.4 cv=PsOTbxM3 c=1 sm=1 tr=0 ts=689c80e5 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=wcQEek_B8788ZG99LD0A:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1011 spamscore=0 bulkscore=0 adultscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221808 From: Soumya Sambu A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1365 https://ubuntu.com/security/CVE-2025-1365 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81 Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1365.patch | 152 ++++++++++++++++++ 2 files changed, 153 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 829d9bf94f..ff40ba64ec 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-config-eu.am-do-not-force-Werror.patch \ file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \ file://CVE-2025-1352.patch \ + file://CVE-2025-1365.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch new file mode 100644 index 0000000000..b779685efd --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1365.patch @@ -0,0 +1,152 @@ +From 5e5c0394d82c53e97750fe7b18023e6f84157b81 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sat, 8 Feb 2025 21:44:56 +0100 +Subject: [PATCH] libelf, readelf: Use validate_str also to check dynamic + symstr data + +When dynsym/str was read through eu-readelf --dynamic by readelf +process_symtab the string data was not validated, possibly printing +unallocated memory past the end of the symstr data. Fix this by +turning the elf_strptr validate_str function into a generic +lib/system.h helper function and use it in readelf to validate the +strings before use. + + * libelf/elf_strptr.c (validate_str): Remove to... + * lib/system.h (validate_str): ... here. Make inline, simplify + check and document. + * src/readelf.c (process_symtab): Use validate_str on symstr_data. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32654 + +CVE: CVE-2025-1365 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + lib/system.h | 27 +++++++++++++++++++++++++++ + libelf/elf_strptr.c | 18 ------------------ + src/readelf.c | 18 +++++++++++++++--- + 3 files changed, 42 insertions(+), 21 deletions(-) + +diff --git a/lib/system.h b/lib/system.h +index 0db12d9..0698e5f 100644 +--- a/lib/system.h ++++ b/lib/system.h +@@ -34,6 +34,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -117,6 +118,32 @@ startswith (const char *str, const char *prefix) + return strncmp (str, prefix, strlen (prefix)) == 0; + } + ++/* Return TRUE if STR[FROM] is a valid string with a zero terminator ++ at or before STR[TO - 1]. Note FROM is an index into the STR ++ array, while TO is the maximum size of the STR array. This ++ function returns FALSE when TO is zero or FROM >= TO. */ ++static inline bool ++validate_str (const char *str, size_t from, size_t to) ++{ ++#if HAVE_DECL_MEMRCHR ++ // Check end first, which is likely a zero terminator, ++ // to prevent function call ++ return (to > 0 ++ && (str[to - 1] == '\0' ++ || (to > from ++ && memrchr (&str[from], '\0', to - from - 1) != NULL))); ++#else ++ do { ++ if (to <= from) ++ return false; ++ ++ to--; ++ } while (str[to]); ++ ++ return true; ++#endif ++} ++ + /* A special gettext function we use if the strings are too short. */ + #define sgettext(Str) \ + ({ const char *__res = strrchr (_(Str), '|'); \ +diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c +index 79a24d2..c5a94f8 100644 +--- a/libelf/elf_strptr.c ++++ b/libelf/elf_strptr.c +@@ -53,24 +53,6 @@ get_zdata (Elf_Scn *strscn) + return zdata; + } + +-static bool validate_str (const char *str, size_t from, size_t to) +-{ +-#if HAVE_DECL_MEMRCHR +- // Check end first, which is likely a zero terminator, to prevent function call +- return ((to > 0 && str[to - 1] == '\0') +- || (to - from > 0 && memrchr (&str[from], '\0', to - from - 1) != NULL)); +-#else +- do { +- if (to <= from) +- return false; +- +- to--; +- } while (str[to]); +- +- return true; +-#endif +-} +- + char * + elf_strptr (Elf *elf, size_t idx, size_t offset) + { +diff --git a/src/readelf.c b/src/readelf.c +index 3e97b64..105cddf 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -2639,6 +2639,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + char typebuf[64]; + char bindbuf[64]; + char scnbuf[64]; ++ const char *sym_name; + Elf32_Word xndx; + GElf_Sym sym_mem; + GElf_Sym *sym +@@ -2650,6 +2651,19 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + /* Determine the real section index. */ + if (likely (sym->st_shndx != SHN_XINDEX)) + xndx = sym->st_shndx; ++ if (use_dynamic_segment == true) ++ { ++ if (validate_str (symstr_data->d_buf, sym->st_name, ++ symstr_data->d_size)) ++ sym_name = (char *)symstr_data->d_buf + sym->st_name; ++ else ++ sym_name = NULL; ++ } ++ else ++ sym_name = elf_strptr (ebl->elf, idx, sym->st_name); ++ ++ if (sym_name == NULL) ++ sym_name = "???"; + + printf (_ ("\ + %5u: %0*" PRIx64 " %6" PRId64 " %-7s %-6s %-9s %6s %s"), +@@ -2662,9 +2676,7 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, + get_visibility_type (GELF_ST_VISIBILITY (sym->st_other)), + ebl_section_name (ebl, sym->st_shndx, xndx, scnbuf, + sizeof (scnbuf), NULL, shnum), +- use_dynamic_segment == true +- ? (char *)symstr_data->d_buf + sym->st_name +- : elf_strptr (ebl->elf, idx, sym->st_name)); ++ sym_name); + + if (versym_data != NULL) + { +-- +2.43.2 + From patchwork Wed Aug 13 12:10:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E067CA0EE4 for ; Wed, 13 Aug 2025 12:11:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.99649.1755087080545889547 for ; Wed, 13 Aug 2025 05:11:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DAtpBH3347053 for ; Wed, 13 Aug 2025 12:11:19 GMT Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48fv001tk4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 12:11:19 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:16 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:14 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 3/6] elfutils: Fix CVE-2025-1371 Date: Wed, 13 Aug 2025 17:40:59 +0530 Message-ID: <20250813121102.779009-3-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=JKQ7s9Kb c=1 sm=1 tr=0 ts=689c80e7 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=oY9sVq7jc0uHDv3kPFoA:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-ORIG-GUID: RC-gp0Dz-iIpf2JfqSFd3ogxJP-ZTK5C X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfX7RaNooxL0bla uxHyFkTcQd+3q0q7JCOa5EBL1Sy6V8SE2w/8hJ1MqAH2/luncVdh0AlPzuyOraLPA5okwwVRGPm MPGIxCuO3rxRYfVs97vXkGWXyff+Qtc7qxzM3/gXw4IN3fW55pt8d2CLtKmECGzU8TqHrKJyxSo ZXhLV1Lk5TQcKYPFIUUegnv/Kyq/v4zO2Ptz3DpoC6XFwtSDSQA2OoKIPNzTnu2ZFyuMSLUn6SP ZtmFWUbHnEzw18vAQOCt02SAEqIa8jILLa3MCq6tmnI427j5VDjrPurshDarX3Z6aPClJlH1DRi 1uA1OBAQcLmXX16Uud0N3qCxSY3Xp5PvXDwQKs5xghXUU+aiEUJQX+H9netrBk= X-Proofpoint-GUID: RC-gp0Dz-iIpf2JfqSFd3ogxJP-ZTK5C X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 malwarescore=0 clxscore=1011 suspectscore=0 phishscore=0 priorityscore=1501 spamscore=0 impostorscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221809 From: Soumya Sambu A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1371 https://ubuntu.com/security/CVE-2025-1371 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b38e562a4c907e08171c76b8b2def8464d5a104a Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1371.patch | 41 +++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index ff40ba64ec..2f34bfeebb 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -24,6 +24,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-libelf-Add-libeu-objects-to-libelf.a-static-archive.patch \ file://CVE-2025-1352.patch \ file://CVE-2025-1365.patch \ + file://CVE-2025-1371.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch new file mode 100644 index 0000000000..9ecb045f82 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch @@ -0,0 +1,41 @@ +From b38e562a4c907e08171c76b8b2def8464d5a104a Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 9 Feb 2025 00:07:13 +0100 +Subject: [PATCH] readelf: Handle NULL phdr in handle_dynamic_symtab + +A corrupt ELF file can have broken program headers, in which case +gelf_getphdr returns NULL. This could crash handle_dynamic_symtab +while searching for the PT_DYNAMIC phdr. Fix this by checking whether +gelf_phdr returns NULL. + + * src/readelf.c (handle_dynamic_symtab): Check whether + gelf_getphdr returns NULL. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32655 + +CVE: CVE-2025-1371 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b38e562a4c907e08171c76b8b2def8464d5a104a] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + src/readelf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/readelf.c b/src/readelf.c +index 105cddf..a526fa8 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -2912,7 +2912,7 @@ handle_dynamic_symtab (Ebl *ebl) + for (size_t i = 0; i < phnum; ++i) + { + phdr = gelf_getphdr (ebl->elf, i, &phdr_mem); +- if (phdr->p_type == PT_DYNAMIC) ++ if (phdr == NULL || phdr->p_type == PT_DYNAMIC) + break; + } + if (phdr == NULL) +-- +2.43.2 + From patchwork Wed Aug 13 12:11:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68453 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DC5BC87FCF for ; Wed, 13 Aug 2025 12:11:31 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.99650.1755087081432565812 for ; Wed, 13 Aug 2025 05:11:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DBJvrr3831838 for ; Wed, 13 Aug 2025 05:11:21 -0700 Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48fvk21q41-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 05:11:20 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:18 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:16 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 4/6] elfutils: Fix CVE-2025-1372 Date: Wed, 13 Aug 2025 17:41:00 +0530 Message-ID: <20250813121102.779009-4-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfX6GEYPVig2ZCn 8WFIEiLpxMwWlz/YhhxqCBpwf8xmYPyXlAG3ZSmIi3xzxAVxOYUsFSSHFdI6JgWvjZIVAt8ObzT ZzybOMYprx/Ty3WfVwfDDxParMdBnK9aMkJoh0T/w0yKDsUrPFrCXLrY4gPOyUG0KfLHJaU7qXy xf0Ij5bEsDD1Gi46nuxeDL4vLz1JHyZ3YZnOcApgvaInR5AhvRK2qZuEUNwERYjJpZYku1C5vIo aSt7gOMkje4HaAuPI97uq7nhGWqO7WqsI5EiKT8WGiOTgKF8/qDFM/uC9Y6KsiRffMfuym0hu0O gUKsqo58AJXLEypRMJ77IW4Yde/is3Md3jJGe9oBTVmk64fM8Vjs9/BrcySp/4= X-Proofpoint-ORIG-GUID: ncdFjeuURIEBvFvtJvSPFGJH8Ig_htnB X-Proofpoint-GUID: ncdFjeuURIEBvFvtJvSPFGJH8Ig_htnB X-Authority-Analysis: v=2.4 cv=PsOTbxM3 c=1 sm=1 tr=0 ts=689c80e9 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=u3vmu-HN0Zf1HdXin3oA:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1011 spamscore=0 bulkscore=0 adultscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221810 From: Soumya Sambu A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1372 https://ubuntu.com/security/CVE-2025-1372 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1372.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 2f34bfeebb..4dcc774bb9 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -25,6 +25,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://CVE-2025-1352.patch \ file://CVE-2025-1365.patch \ file://CVE-2025-1371.patch \ + file://CVE-2025-1372.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch new file mode 100644 index 0000000000..c202d8359c --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1372.patch @@ -0,0 +1,51 @@ +From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 9 Feb 2025 00:07:39 +0100 +Subject: [PATCH] readelf: Skip trying to uncompress sections without a name + +When combining eu-readelf -z with -x or -p to dump the data or strings +in an (corrupted ELF) unnamed numbered section eu-readelf could crash +trying to check whether the section name starts with .zdebug. Fix this +by skipping sections without a name. + + * src/readelf.c (dump_data_section): Don't try to gnu decompress a + section without a name. + (print_string_section): Likewise. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32656 + +CVE: CVE-2025-1372 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + src/readelf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index a526fa8..89ee80a 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -13321,7 +13321,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +@@ -13372,7 +13372,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +-- +2.43.2 + From patchwork Wed Aug 13 12:11:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68452 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DC92CA0EE4 for ; Wed, 13 Aug 2025 12:11:31 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.99184.1755087084719465109 for ; Wed, 13 Aug 2025 05:11:24 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DAPLcF3251883 for ; Wed, 13 Aug 2025 12:11:23 GMT Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48ggw0re9g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 12:11:23 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:20 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:18 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 5/6] elfutils: Fix CVE-2025-1376 Date: Wed, 13 Aug 2025 17:41:01 +0530 Message-ID: <20250813121102.779009-5-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: Zv8h7AflUIiXQoLBIc_oHZwGdHtYiqd2 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfX9G0LArzywJ3W TrpZhy48BCU0U8xVmQBoAZvhUvokiw/LRRiiax/l5uZCyRNaS3x99a3VhMjPNCOxC6YFm+gOllG VY51Qv5mkwR3oh0QmrS8XhWUOUN70lzwpFwqvRhzLkXqvkI+QzdgXkHsvXCxPfxPWmTQAsEH78q NAg0VSR63eKsa53NO5mWnHUupD2lxsMP7yOGi/Fne8gvTU2tILlJiCjpoDPOqtNDTI2Qr8dRKxb ZdnoxwSWLFGQtZ72/XYNyOfbBFTvLqNDbUIbJY8QzTK91yiECvj57aTYdVLMkpeg4Us6+kMW0wP wMqiYIC5O1hupL6vNy5KWwp9LEEc3RisQpReZclxtrZwjmmp5jGvdnOywb0d8A= X-Authority-Analysis: v=2.4 cv=fN453Yae c=1 sm=1 tr=0 ts=689c80eb cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=20KFwNOVAAAA:8 a=gVDT7s7VQLW7QZflkVIA:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-ORIG-GUID: Zv8h7AflUIiXQoLBIc_oHZwGdHtYiqd2 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 bulkscore=0 clxscore=1011 impostorscore=0 malwarescore=0 spamscore=0 phishscore=0 adultscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221811 From: Soumya Sambu A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1376 https://ubuntu.com/security/CVE-2025-1376 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918 Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1376.patch | 57 +++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index 4dcc774bb9..f8cf083ec6 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -26,6 +26,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://CVE-2025-1365.patch \ file://CVE-2025-1371.patch \ file://CVE-2025-1372.patch \ + file://CVE-2025-1376.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch new file mode 100644 index 0000000000..ebffb2bd72 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch @@ -0,0 +1,57 @@ +From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 00:02:32 +0100 +Subject: [PATCH] libelf: Handle elf_strptr on section without any data + +In the unlikely situation that elf_strptr was called on a section with +sh_size already set, but that doesn't have any data yet we could crash +trying to verify the string to return. + +This could happen for example when a new section was created with +elf_newscn, but no data having been added yet. + + * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base + is not NULL. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32672 + +CVE: CVE-2025-1376 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + libelf/elf_strptr.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c +index c5a94f8..7be7f5e 100644 +--- a/libelf/elf_strptr.c ++++ b/libelf/elf_strptr.c +@@ -1,5 +1,6 @@ + /* Return string pointer from string section. + Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Contributed by Ulrich Drepper , 1998. + +@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset) + // initialized yet (when data_read is zero). So we cannot just + // look at the rawdata.d.d_size. + +- /* Make sure the string is NUL terminated. Start from the end, +- which very likely is a NUL char. */ +- if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) ++ /* First check there actually is any data. This could be a new ++ section which hasn't had any data set yet. Then make sure ++ the string is at a valid offset and NUL terminated. */ ++ if (unlikely (strscn->rawdata_base == NULL)) ++ __libelf_seterrno (ELF_E_INVALID_SECTION); ++ else if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) + result = &strscn->rawdata_base[offset]; + else + __libelf_seterrno (ELF_E_INVALID_INDEX); +-- +2.43.2 + From patchwork Wed Aug 13 12:11:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 68454 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43522CA0EE0 for ; Wed, 13 Aug 2025 12:11:31 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.99188.1755087085615677639 for ; Wed, 13 Aug 2025 05:11:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=0320ba7ade=soumya.sambu@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57DBIfCA3850513 for ; Wed, 13 Aug 2025 05:11:25 -0700 Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 48fvchhq5j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 13 Aug 2025 05:11:25 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 13 Aug 2025 05:11:22 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 13 Aug 2025 05:11:20 -0700 From: ssambu To: Subject: [OE-core][walnascar][PATCH 6/6] elfutils: Fix CVE-2025-1377 Date: Wed, 13 Aug 2025 17:41:02 +0530 Message-ID: <20250813121102.779009-6-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250813121102.779009-1-soumya.sambu@windriver.com> References: <20250813121102.779009-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: MHRa0g-2NOwRoO8tEwc7nlQRP2etApQC X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODEzMDExNSBTYWx0ZWRfX1rxr0qxWf3z/ O31ZdpVtBGBgbalDALutUX6tuuSgKzcNoBMUetvmZwKvK2NxU6iMuQoZDkFz8x6t+YO7g1jpl4J m5dTw8+fiA17ju8ASqOsj5HVy1kQV+kb4lee13YDye/8G3cIf8vP10Gt4/ONT98wQL5ij/XiYOf yaty77rm+ipZMYHBLBD9EtjI0AsLkojTlEVpEQE2wAZ4XSSg1mGB5KHbGBy6bblFCSkBLxrSCSL 0j3u7UVCjQ60NK/hBvrz+i0DSHllKlJlr3dva6n8WNpfFZNIxDJ64PzuHQVMX8XFBppqOX731Y0 jWTXV9gYZHclc2zNxKSkrk0TSHIybARvkokDCEdFLcFSdR1nek0q8us5KkGpv4= X-Proofpoint-ORIG-GUID: MHRa0g-2NOwRoO8tEwc7nlQRP2etApQC X-Authority-Analysis: v=2.4 cv=RPGzH5i+ c=1 sm=1 tr=0 ts=689c80ed cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=2OwXVqhp2XgA:10 a=PYnjg3YJAAAA:8 a=fxJcL_dCAAAA:8 a=CCpqsmhAAAAA:8 a=t7CeM3EgAAAA:8 a=n9Nvxce8AAAA:8 a=y-d2qrJoStY-tIdE7G0A:9 a=ul9cdbp4aOFLsgKbc677:22 a=FdTzh2GWekK77mhwV6Dw:22 a=V4tbcg9hxeXQX3VEsxKP:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-13_01,2025-08-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 malwarescore=0 adultscore=0 impostorscore=0 suspectscore=0 priorityscore=1501 clxscore=1015 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Aug 2025 12:11:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221812 From: Soumya Sambu A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-1377 https://ubuntu.com/security/CVE-2025-1377 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba Signed-off-by: Soumya Sambu --- .../elfutils/elfutils_0.192.bb | 1 + .../elfutils/files/CVE-2025-1377.patch | 68 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.192.bb b/meta/recipes-devtools/elfutils/elfutils_0.192.bb index f8cf083ec6..fb4109441b 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.192.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.192.bb @@ -27,6 +27,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://CVE-2025-1371.patch \ file://CVE-2025-1372.patch \ file://CVE-2025-1376.patch \ + file://CVE-2025-1377.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch new file mode 100644 index 0000000000..003215017f --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch @@ -0,0 +1,68 @@ +From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 14:59:34 +0100 +Subject: [PATCH] strip: Verify symbol table is a real symbol table + +We didn't check the symbol table referenced from the relocation table +was a real symbol table. This could cause a crash if that section +happened to be an SHT_NOBITS section without any data. Fix this by +adding an explicit check. + + * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a + message string to display. + (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1). + (remove_debug_relocations): Check the sh_link referenced + section is real and isn't a SHT_NOBITS section. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32673 + +CVE: CVE-2025-1377 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba] + +Signed-off-by: Mark Wielaard +Signed-off-by: Soumya Sambu +--- + src/strip.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/strip.c b/src/strip.c +index 403e0f6..2b5d057 100644 +--- a/src/strip.c ++++ b/src/strip.c +@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL; + /* Close debug file descriptor, if opened. And remove temporary debug file. */ + static void cleanup_debug (void); + +-#define INTERNAL_ERROR(fname) \ ++#define INTERNAL_ERROR_MSG(fname, msg) \ + do { \ + cleanup_debug (); \ + error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"), \ +- fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1)); \ ++ fname, __LINE__, PACKAGE_VERSION, msg); \ + } while (0) + ++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1)) + + /* Name of the output file. */ + static const char *output_fname; +@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr, + resolve relocation symbol indexes. */ + Elf64_Word symt = shdr->sh_link; + Elf_Data *symdata, *xndxdata; +- Elf_Scn * symscn = elf_getscn (elf, symt); ++ Elf_Scn *symscn = elf_getscn (elf, symt); ++ GElf_Shdr symshdr_mem; ++ GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem); ++ if (symshdr == NULL) ++ INTERNAL_ERROR (fname); ++ if (symshdr->sh_type == SHT_NOBITS) ++ INTERNAL_ERROR_MSG (fname, "NOBITS section"); ++ + symdata = elf_getdata (symscn, NULL); + xndxdata = get_xndxdata (elf, symscn); + if (symdata == NULL) +-- +2.43.2 +