From patchwork Mon Oct 20 22:09:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 72738 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84731CCD1A2 for ; Mon, 20 Oct 2025 22:09:34 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web10.4882.1760998166653454265 for ; Mon, 20 Oct 2025 15:09:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=hCZMACgh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-256628-2025102022092024b1f9180100020755-fqlqwt@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 2025102022092024b1f9180100020755 for ; Tue, 21 Oct 2025 00:09:21 +0200
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 1/5] binutils: patch CVE-2025-11414 Date: Tue, 21 Oct 2025 00:09:08 +0200 Message-Id: <20251020220912.483748-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Oct 2025 22:09:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225135 From: Peter Marko Pick commit per NVD CVE report. Signed-off-by: Peter Marko --- .../binutils/binutils-2.45.inc | 1 + .../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 391b0157d3a..2adff3c4562 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -39,4 +39,5 @@ SRC_URI = "\ file://0015-CVE-2025-11081.patch \ file://0016-CVE-2025-11082.patch \ file://0017-CVE-2025-11083.patch \ + file://CVE-2025-11414.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch new file mode 100644 index 00000000000..21f98f075ed --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch 
@@ -0,0 +1,84 @@ +From aeaaa9af6359c8e394ce9cf24911fec4f4d23703 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 23 Sep 2025 08:52:26 +0800 +Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed + +Normally ELF symbol table should be sorted, i.e., local symbols precede +global symbols. Irix 6 is an exception and its elf_bad_symtab is set +to true. Issue an error if elf_bad_symtab is false and symbol table is +unsorted. + + PR ld/33450 + * elflink.c (set_symbol_value): Change return type to bool and + return false on error. Issue an error on unsorted symbol table + if not allowed. + (elf_link_input_bfd): Return false if set_symbol_value reurns + false. + +Signed-off-by: H.J. Lu + +CVE: CVE-2025-11414 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 66982f82b94..54f0d6e957e 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -9127,7 +9127,7 @@ struct elf_outext_info + := as in C + := as in C, plus "0-" for unambiguous negation. */ + +-static void ++static bool + set_symbol_value (bfd *bfd_with_globals, + Elf_Internal_Sym *isymbuf, + size_t locsymcount, +@@ -9148,9 +9148,15 @@ set_symbol_value (bfd *bfd_with_globals, + "absolute" section and give it a value. */ + sym->st_shndx = SHN_ABS; + sym->st_value = val; +- return; ++ return true; ++ } ++ if (!elf_bad_symtab (bfd_with_globals)) ++ { ++ _bfd_error_handler (_("%pB: corrupt symbol table"), ++ bfd_with_globals); ++ bfd_set_error (bfd_error_bad_value); ++ return false; + } +- BFD_ASSERT (elf_bad_symtab (bfd_with_globals)); + extsymoff = 0; + } + +@@ -9160,11 +9166,12 @@ set_symbol_value (bfd *bfd_with_globals, + if (h == NULL) + { + /* FIXMEL What should we do ? 
*/ +- return; ++ return false; + } + h->root.type = bfd_link_hash_defined; + h->root.u.def.value = val; + h->root.u.def.section = bfd_abs_section_ptr; ++ return true; + } + + static bool +@@ -11862,8 +11869,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd) + return false; + + /* Symbol evaluated OK. Update to absolute value. */ +- set_symbol_value (input_bfd, isymbuf, locsymcount, +- r_symndx, val); ++ if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx, ++ val)) ++ return false; ++ + continue; + } + From patchwork Mon Oct 20 22:09:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 72739 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85F4DCCD1A5 for ; Mon, 20 Oct 2025 22:09:34 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.4814.1760998167891148917 for ; Mon, 20 Oct 2025 15:09:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=Ku9e14kA; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20251020220925eba7784bf2000207e7-d1uiy4@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20251020220925eba7784bf2000207e7 for ; Tue, 21 Oct 2025 00:09:26 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=oAXfDdgfivKmXi/GTn8T/Qfl+qkO021EF0ifB27StvY=; 
b=Ku9e14kAY9N3nZZUtwTrvnAyg5Plbw2G+0SUg0/UxqFP9wkJERGf3sJlqaJRna9n5B25IH SOXOfefY8h2PcmVeF1ieEYtR9p9SBau5qNq6ijBM9BU4vc4/X3B9o0b/M5p8bQI+M1yPX02D 3zG5Xgcrsuoks9bo8ghRF349OZx+hJHdKXcvONsZJJYJ2tvqPpT7AjlCbSv1TIUJ8RPtlvtG lidWQ3jYv0AdELt9WJNXRs9H/fEZF9kFaE3sNHe7egBIHDIJviBXkcERLSRAKKSDzVQPmQTH 1e+2sw5Irgc5zPXzqokzhZX9mHoCT1JOTKB42XJQM04G+PLZ0qZP3AWA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 2/5] binutils: patch CVE-2025-11412 Date: Tue, 21 Oct 2025 00:09:09 +0200 Message-Id: <20251020220912.483748-2-peter.marko@siemens.com> In-Reply-To: <20251020220912.483748-1-peter.marko@siemens.com> References: <20251020220912.483748-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Oct 2025 22:09:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225136 From: Peter Marko Pick commit per NVD CVE report. Signed-off-by: Peter Marko --- .../binutils/binutils-2.45.inc | 1 + .../binutils/binutils/CVE-2025-11412.patch | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 2adff3c4562..ffd6c3b2388 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -40,4 +40,5 @@ SRC_URI = "\ file://0016-CVE-2025-11082.patch \ file://0017-CVE-2025-11083.patch \ file://CVE-2025-11414.patch \ + file://CVE-2025-11412.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch new file mode 100644 index 00000000000..ab718f53542 --- /dev/null 
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch 
@@ -0,0 +1,35 @@ +From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 25 Sep 2025 08:22:24 +0930 +Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry + +Limit addends on vtentry relocs, otherwise ld might attempt to +allocate a stupidly large array. This also fixes the expression +overflow leading to pr33452. A vtable of 33M entries on a 64-bit +host is surely large enough, especially considering that VTINHERIT +and VTENTRY relocations are to support -fvtable-gc that disappeared +from gcc over 20 years ago. + + PR ld/33452 + * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend. + +CVE: CVE-2025-11412 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 54f0d6e957e..0a0456177c2 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14837,7 +14837,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec, + const struct elf_backend_data *bed = get_elf_backend_data (abfd); + unsigned int log_file_align = bed->s->log_file_align; + +- if (!h) ++ if (!h || addend > 1u << 28) + { + /* xgettext:c-format */ + _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"), From patchwork Mon Oct 20 22:09:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 72740 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93AEECCD19F for ; Mon, 20 Oct 2025 22:09:34 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by 
mx.groups.io with SMTP id smtpd.web11.4816.1760998172974854454 for ; Mon, 20 Oct 2025 15:09:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=YbJ3+q8m; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-2025102022093169dd36cf35000207b2-62d5gb@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 2025102022093169dd36cf35000207b2 for ; Tue, 21 Oct 2025 00:09:31 +0200 From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 3/5] binutils: patch CVE-2025-11413 Date: Tue, 21 Oct 2025 00:09:10 +0200 Message-Id: <20251020220912.483748-3-peter.marko@siemens.com> In-Reply-To: <20251020220912.483748-1-peter.marko@siemens.com> References: <20251020220912.483748-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Oct 2025 22:09:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225137
From: Peter Marko Pick commit per NVD CVE report. Note that there were two patches for this, first [1] and then [2]. The second patch moved the original patch to different location. Cherry-pick of second patch is successful leaving out the code removing the code from first location, so the patch attached here is not identical to the upstream commit but is identical to applying both and merging them to a single patch. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331 [2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Signed-off-by: Peter Marko --- .../binutils/binutils-2.45.inc | 1 + .../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index ffd6c3b2388..62b5bf6c264 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -41,4 +41,5 @@ SRC_URI = "\ file://0017-CVE-2025-11083.patch \ file://CVE-2025-11414.patch \ file://CVE-2025-11412.patch \ + file://CVE-2025-11413.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch new file mode 100644 index 00000000000..1467d38049a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch 
@@ -0,0 +1,38 @@ +From 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 25 Sep 2025 10:41:32 +0930 +Subject: [PATCH] Re: elf: Disallow the empty global symbol name + +sparc64-linux-gnu +FAIL: selective2 +sparc64-linux-gnu +FAIL: selective3 + + PR ld/33456 + * elflink.c (elf_link_add_object_symbols): Move new check later + to give the backend add_symbol_hook a chance to remove symbols + with empty names. + +CVE: CVE-2025-11413 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 0a0456177c2..5c8b822e36a 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -5118,6 +5118,13 @@ elf_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info) + continue; + } + ++ if (name[0] == '\0') ++ { ++ _bfd_error_handler (_("%pB: corrupt symbol table"), abfd); ++ bfd_set_error (bfd_error_bad_value); ++ goto error_free_vers; ++ } ++ + /* Sanity check that all possibilities were handled. 
*/ + if (sec == NULL) + abort (); From patchwork Mon Oct 20 22:09:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 72741 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64E4CCCD19F for ; Mon, 20 Oct 2025 22:09:44 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.4817.1760998178190960188 for ; Mon, 20 Oct 2025 15:09:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=IUyvh2EU; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20251020220936e59e038779000207ee-ie4qtw@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20251020220936e59e038779000207ee for ; Tue, 21 Oct 2025 00:09:36 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=q0knAXxqWx7L8HwLLiZtrWZ/VoDG/1cnzCykKDn5Nq8=; b=IUyvh2EUVLwFo4JoUiClqtnK2fTMm1/vd7r0lqA2Y+LVcuJJNHOx6tDOANwjhTQeaeYKpb yjNU5d1rzpbQpTSecBAVbwfD8fp3H0M7OG5NdYqcSLbVIboWzhjwlP+iaHckLoSqFn4iAZmP BJpK5bzPbTABjdZ+8aINanROfbCfIbfosk/2lO5y+hhqhzKkHRBarDby9GE6t8wzm5ML6qT7 XMiz0mfTVhbRarYRP1Cj38HtcoCIotDBl8pqTTTbeoimQSV7KqOWy93vMH7QnaWdWv2KIqcR 3FJ9Al4ZisPfoZc/Jz4GL/n6WSbfb3xe4HIsl7MQqixyNDz014s3WnGw==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 4/5] binutils: patch CVE-2025-11495 Date: Tue, 21 Oct 2025 00:09:11 +0200 Message-Id: <20251020220912.483748-4-peter.marko@siemens.com> In-Reply-To: <20251020220912.483748-1-peter.marko@siemens.com> References: <20251020220912.483748-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Oct 2025 22:09:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225138 From: Peter Marko Pick commit per NVD CVE report. Signed-off-by: Peter Marko --- .../binutils/binutils-2.45.inc | 1 + .../binutils/binutils/CVE-2025-11495.patch | 153 ++++++++++++++++++ 2 files changed, 154 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 62b5bf6c264..288475ac390 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -42,4 +42,5 @@ SRC_URI = "\ file://CVE-2025-11414.patch \ file://CVE-2025-11412.patch \ file://CVE-2025-11413.patch \ + file://CVE-2025-11495.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch new file mode 100644 index 00000000000..6e5e68fe275 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11495.patch 
@@ -0,0 +1,153 @@ +From 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 30 Sep 2025 08:18:29 +0800 +Subject: [PATCH] x86: Disallow TLS relocation in non executable section + +Since TLS relocations are applied to executable machine instructions, +disallow TLS relocation in non-SHT_PROGBITS, non-SHF_EXECINSTR section. + + PR ld/33451 + PR ld/33502 + * elf32-i386.c (elf_i386_tls_transition): Disallow TLS relocation + in non-SHT_PROGBITS, non-SHF_EXECINSTR section. + (elf_i386_scan_relocs): Likewise. + * elf64-x86-64.c (elf_x86_64_tls_transition): Likewise. + (elf_x86_64_scan_relocs): Likewise. + * elfxx-x86.c (_bfd_x86_elf_link_report_tls_invalid_section_error): + New. + * elfxx-x86.h (_bfd_x86_elf_link_report_tls_invalid_section_error): + Likewise. + +Signed-off-by: H.J. Lu + +CVE: CVE-2025-11495 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0] +Signed-off-by: Peter Marko +--- + bfd/elf32-i386.c | 19 +++++++++++++++++++ + bfd/elf64-x86-64.c | 20 ++++++++++++++++++++ + bfd/elfxx-x86.c | 20 ++++++++++++++++++++ + bfd/elfxx-x86.h | 4 ++++ + 4 files changed, 63 insertions(+) + +diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c +index 507a0762aff..0d60eded701 100644 +--- a/bfd/elf32-i386.c ++++ b/bfd/elf32-i386.c +@@ -1166,6 +1166,15 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd, + return true; + } + ++ if ((elf_section_type (sec) != SHT_PROGBITS ++ || (sec->flags & SEC_CODE) == 0)) ++ { ++ reloc_howto_type *howto = elf_i386_rtype_to_howto (from_type); ++ _bfd_x86_elf_link_report_tls_invalid_section_error ++ (abfd, sec, symtab_hdr, h, sym, howto); ++ return false; ++ } ++ + /* Return TRUE if there is no transition. 
*/ + if (from_type == to_type) + return true; +@@ -1727,6 +1736,16 @@ elf_i386_scan_relocs (bfd *abfd, + tls_type = GOT_TLS_IE_POS; break; + } + ++ if (tls_type >= GOT_TLS_GD ++ && tls_type <= GOT_TLS_GDESC ++ && (elf_section_type (sec) != SHT_PROGBITS ++ || (sec->flags & SEC_CODE) == 0)) ++ { ++ _bfd_x86_elf_link_report_tls_invalid_section_error ++ (abfd, sec, symtab_hdr, h, isym, howto); ++ goto error_return; ++ } ++ + if (h != NULL) + { + h->got.refcount = 1; +diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c +index 620b6a380cd..59b43149897 100644 +--- a/bfd/elf64-x86-64.c ++++ b/bfd/elf64-x86-64.c +@@ -1626,6 +1626,16 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + return true; + } + ++ if ((elf_section_type (sec) != SHT_PROGBITS ++ || (sec->flags & SEC_CODE) == 0)) ++ { ++ reloc_howto_type *howto = elf_x86_64_rtype_to_howto (abfd, ++ from_type); ++ _bfd_x86_elf_link_report_tls_invalid_section_error ++ (abfd, sec, symtab_hdr, h, sym, howto); ++ return false; ++ } ++ + /* Return TRUE if there is no transition. */ + if (from_type == to_type + || (from_type == R_X86_64_CODE_4_GOTTPOFF +@@ -2748,6 +2758,16 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info, + break; + } + ++ if (tls_type >= GOT_TLS_GD ++ && tls_type <= GOT_TLS_GDESC ++ && (elf_section_type (sec) != SHT_PROGBITS ++ || (sec->flags & SEC_CODE) == 0)) ++ { ++ _bfd_x86_elf_link_report_tls_invalid_section_error ++ (abfd, sec, symtab_hdr, h, isym, howto); ++ goto error_return; ++ } ++ + if (h != NULL) + { + h->got.refcount = 1; +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c +index 0d389968c91..d8c653a9ad2 100644 +--- a/bfd/elfxx-x86.c ++++ b/bfd/elfxx-x86.c +@@ -3348,6 +3348,26 @@ _bfd_x86_elf_link_report_tls_transition_error + bfd_set_error (bfd_error_bad_value); + } + ++/* Report TLS invalid section error. 
*/ ++ ++void ++_bfd_x86_elf_link_report_tls_invalid_section_error ++ (bfd *abfd, asection *sec, Elf_Internal_Shdr *symtab_hdr, ++ struct elf_link_hash_entry *h, Elf_Internal_Sym *sym, ++ reloc_howto_type *howto) ++{ ++ const char *name; ++ if (h) ++ name = h->root.root.string; ++ else ++ name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL); ++ _bfd_error_handler ++ /* xgettext:c-format */ ++ (_("%pB: relocation %s against thread local symbol `%s' in " ++ "invalid section `%pA'"), abfd, howto->name, name, sec); ++ bfd_set_error (bfd_error_bad_value); ++} ++ + /* Return TRUE if symbol should be hashed in the `.gnu.hash' section. */ + + bool +diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h +index 1ebc9d2f2e5..f8a24a77577 100644 +--- a/bfd/elfxx-x86.h ++++ b/bfd/elfxx-x86.h +@@ -939,6 +939,10 @@ extern void _bfd_x86_elf_link_report_tls_transition_error + const Elf_Internal_Rela *, const char *, const char *, + enum elf_x86_tls_error_type); + ++extern void _bfd_x86_elf_link_report_tls_invalid_section_error ++ (bfd *, asection *, Elf_Internal_Shdr *, struct elf_link_hash_entry *, ++ Elf_Internal_Sym *, reloc_howto_type *); ++ + #define bfd_elf64_mkobject \ + _bfd_x86_elf_mkobject + #define bfd_elf32_mkobject \ From patchwork Mon Oct 20 22:09:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 72742 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6476BCCD1A2 for ; Mon, 20 Oct 2025 22:09:54 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.4822.1760998184582937760 for ; Mon, 20 Oct 2025 15:09:44 -0700 Authentication-Results: mx.groups.io; dkim=pass 
header.i=peter.marko@siemens.com header.s=fm2 header.b=BS8t/vL1; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20251020220941e10ffe342500020791-unzvh6@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20251020220941e10ffe342500020791 for ; Tue, 21 Oct 2025 00:09:41 +0200 From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][PATCH 5/5] binutils: patch CVE-2025-11494 Date: Tue, 21 Oct 2025 00:09:12 +0200 Message-Id: <20251020220912.483748-5-peter.marko@siemens.com> In-Reply-To: <20251020220912.483748-1-peter.marko@siemens.com> References: <20251020220912.483748-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Oct 2025 22:09:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225139 From: Peter Marko Pick commit per NVD CVE report. Signed-off-by: Peter Marko --- .../binutils/binutils-2.45.inc | 1 + .../binutils/binutils/CVE-2025-11494.patch | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc index 288475ac390..72ed156a945 100644 --- a/meta/recipes-devtools/binutils/binutils-2.45.inc +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc @@ -43,4 +43,5 @@ SRC_URI = "\ file://CVE-2025-11412.patch \ file://CVE-2025-11413.patch \ file://CVE-2025-11495.patch \ + file://CVE-2025-11494.patch \ " diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch new file mode 100644 index 00000000000..91ca74fb485 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11494.patch 
@@ -0,0 +1,49 @@ +From b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 30 Sep 2025 08:13:56 +0800 +Subject: [PATCH] x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame + +Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep +_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output +.eh_frame section is non-empty. + + PR ld/33499 + * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep + _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the + output .eh_frame section is non-empty. + +Signed-off-by: H.J. Lu + +CVE: CVE-2025-11494 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a] +Signed-off-by: Peter Marko +--- + bfd/elfxx-x86.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c +index d8c653a9ad2..140e86888a6 100644 +--- a/bfd/elfxx-x86.c ++++ b/bfd/elfxx-x86.c +@@ -2445,6 +2445,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + + if (htab->elf.sgotplt) + { ++ asection *eh_frame; ++ + /* Don't allocate .got.plt section if there are no GOT nor PLT + entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */ + if ((htab->elf.hgot == NULL +@@ -2457,7 +2459,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + && (htab->elf.iplt == NULL + || htab->elf.iplt->size == 0) + && (htab->elf.igotplt == NULL +- || htab->elf.igotplt->size == 0)) ++ || htab->elf.igotplt->size == 0) ++ && (!htab->elf.dynamic_sections_created ++ || (eh_frame = bfd_get_section_by_name (output_bfd, ++ ".eh_frame")) == NULL ++ || eh_frame->rawsize == 0)) + { + htab->elf.sgotplt->size = 0; + /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
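Review bot: the SRC_URI additions to binutils-2.45.inc in patches 1/5 to 5/5 drop the naming scheme of the entries directly above them: the existing files are 0015-CVE-2025-11081.patch, 0016-CVE-2025-11082.patch and 0017-CVE-2025-11083.patch, while the five new files carry no numeric prefix. The embedded patches depend on their apply order, as their index lines chain (bfd/elflink.c 66982f82b94 to 54f0d6e957e to 0a0456177c2 to 5c8b822e36a, bfd/elfxx-x86.c 0d389968c91 to d8c653a9ad2 to 140e86888a6). Continuing the prefix (0018-, 0019-, ...) would keep that order visible in the file names rather than only in the order of the SRC_URI lines.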
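Review bot: in CVE-2025-11414.patch, the h == NULL branch of set_symbol_value (hunk at -9160) now returns false without calling _bfd_error_handler or bfd_set_error, so elf_link_input_bfd aborts the link with no diagnostic and no BFD error code. The new unsorted-symbol-table path a few lines earlier in the same function does both ("%pB: corrupt symbol table" plus bfd_error_bad_value). The "FIXMEL What should we do ?" comment is also left in place although the branch is now an error return. Since this is a verbatim backport the hunk should stay as upstream has it, but the silent failure path is worth reporting against PR ld/33450 so that a follow-up can be picked later.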
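Review bot: in CVE-2025-11412.patch, the bound added to bfd_elf_gc_record_vtentry, "addend > 1u << 28", is an unexplained constant in the code; the reasoning for it (a vtable of 33M entries on a 64-bit host) appears only in the commit message. An over-large addend is also reported with the same "corrupt VTENTRY entry" text as a NULL h, so the log does not say which check fired. A one-line comment above the test stating the limit and its unit, and parentheses around the shift, would make the check readable without the commit log.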
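Review bot: the header of CVE-2025-11413.patch attributes the change to upstream commit 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 alone (From line, Subject and Upstream-Status), but the cover text of patch 3/5 states that the file is the result of applying 1108620d7a521f1c85d2f629031ce0fbae14e331 and then 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 and merging them. The single 7-line hunk adding the name[0] == '\0' check in elf_link_add_object_symbols is therefore not identical to the cited commit. List both commits in Upstream-Status, or add a sentence to the patch header saying it is a squash of the two, so that a later comparison against upstream does not read the difference as a local modification.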
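Review bot: in CVE-2025-11495.patch, the test "elf_section_type (sec) != SHT_PROGBITS || (sec->flags & SEC_CODE) == 0" is written out four times (elf_i386_tls_transition, elf_i386_scan_relocs, elf_x86_64_tls_transition, elf_x86_64_scan_relocs), in the two tls_transition hunks inside a redundant second pair of parentheses. The two scan_relocs copies additionally gate it on "tls_type >= GOT_TLS_GD && tls_type <= GOT_TLS_GDESC", which relies on the numeric ordering of the GOT_TLS_* values staying as it is. A small predicate declared in elfxx-x86.h next to _bfd_x86_elf_link_report_tls_invalid_section_error would keep the four call sites in step. The commit text also says "non-SHT_PROGBITS, non-SHF_EXECINSTR section" while the code rejects a section when either condition holds and tests the BFD flag SEC_CODE; a comment at the check stating the intended rule would remove the ambiguity.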
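Review bot: in CVE-2025-11494.patch, the clause added to the condition in _bfd_x86_elf_late_size_sections decides whether .eh_frame is empty with eh_frame->rawsize, while the neighbouring tests in the same condition (iplt, igotplt) use ->size and the commit message only says the output section is "non-empty". A comment explaining why rawsize is the field to test at this point would help. The assignment to eh_frame is also buried in the last operand of a long && chain; it is safe as written because the value is only read in the next operand of the same || expression, but a lookup into the local before the if would be easier to review.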