From: Peter Marko To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 1/3] binutils: patch CVE-2025-11414 Date: Sun, 2 Nov 2025 12:58:34 +0100 Message-Id: <20251102115836.1374458-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225577 From: Peter Marko Pick commit per NVD CVE report. (From OE-Core rev: cd7ce80fa1a99916aa2f93c4d9591c5496c3ef71) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 3e180b60181..d358634ec58 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -61,5 +61,6 @@ SRC_URI = "\ file://0023-CVE-2025-7545.patch \ file://0024-CVE-2025-11082.patch \ file://0025-CVE-2025-11083.patch \ + file://CVE-2025-11414.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch new file mode 100644 index 00000000000..c6e45c3091a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch 
@@ -0,0 +1,84 @@ +From aeaaa9af6359c8e394ce9cf24911fec4f4d23703 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 23 Sep 2025 08:52:26 +0800 +Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed + +Normally ELF symbol table should be sorted, i.e., local symbols precede +global symbols. Irix 6 is an exception and its elf_bad_symtab is set +to true. Issue an error if elf_bad_symtab is false and symbol table is +unsorted. + + PR ld/33450 + * elflink.c (set_symbol_value): Change return type to bool and + return false on error. Issue an error on unsorted symbol table + if not allowed. + (elf_link_input_bfd): Return false if set_symbol_value reurns + false. + +Signed-off-by: H.J. Lu + +CVE: CVE-2025-11414 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 66982f82b94..54f0d6e957e 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -8914,7 +8914,7 @@ struct elf_outext_info + := as in C + := as in C, plus "0-" for unambiguous negation. */ + +-static void ++static bool + set_symbol_value (bfd *bfd_with_globals, + Elf_Internal_Sym *isymbuf, + size_t locsymcount, +@@ -8935,9 +8935,15 @@ set_symbol_value (bfd *bfd_with_globals, + "absolute" section and give it a value. */ + sym->st_shndx = SHN_ABS; + sym->st_value = val; +- return; ++ return true; ++ } ++ if (!elf_bad_symtab (bfd_with_globals)) ++ { ++ _bfd_error_handler (_("%pB: corrupt symbol table"), ++ bfd_with_globals); ++ bfd_set_error (bfd_error_bad_value); ++ return false; + } +- BFD_ASSERT (elf_bad_symtab (bfd_with_globals)); + extsymoff = 0; + } + +@@ -8947,11 +8953,12 @@ set_symbol_value (bfd *bfd_with_globals, + if (h == NULL) + { + /* FIXMEL What should we do ? 
*/ +- return; ++ return false; + } + h->root.type = bfd_link_hash_defined; + h->root.u.def.value = val; + h->root.u.def.section = bfd_abs_section_ptr; ++ return true; + } + + static bool +@@ -11641,8 +11648,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd) + return false; + + /* Symbol evaluated OK. Update to absolute value. */ +- set_symbol_value (input_bfd, isymbuf, locsymcount, +- r_symndx, val); ++ if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx, ++ val)) ++ return false; ++ + continue; + } +
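Review bot: In the binutils-2.42.inc hunk, the new SRC_URI entry `file://CVE-2025-11414.patch` drops the numeric prefix that the three entries above it carry (`0023-CVE-2025-7545.patch`, `0024-CVE-2025-11082.patch`, `0025-CVE-2025-11083.patch`). Naming it `0026-CVE-2025-11414.patch` would keep the list showing the apply order, which matters for this series because the following patches modify the same file, bfd/elflink.c, and their index lines chain from this one (this patch produces 54f0d6e957e, which the CVE-2025-11412 patch takes as its base).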
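Review bot: In the embedded elflink.c change at `@@ -8947,11 +8953,12 @@`, the `if (h == NULL)` branch now returns false without reporting anything, while the new `!elf_bad_symtab (bfd_with_globals)` branch calls `_bfd_error_handler` and `bfd_set_error (bfd_error_bad_value)` before it returns false. With the caller change in elf_link_input_bfd, a NULL hash entry therefore ends the link with no diagnostic in the visible lines, and the `FIXMEL What should we do ?` comment stays in place even though the branch now has a defined outcome. Because this is a backport of upstream commit aeaaa9af6359c8e394ce9cf24911fec4f4d23703, the place to fix it is upstream rather than in this copy; it is worth noting in case a follow-up commit needs picking.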
From: Peter Marko To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 2/3] binutils: patch CVE-2025-11412 Date: Sun, 2 Nov 2025 12:58:35 +0100 Message-Id: <20251102115836.1374458-2-peter.marko@siemens.com> In-Reply-To: <20251102115836.1374458-1-peter.marko@siemens.com> References: <20251102115836.1374458-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225579 From: Peter Marko Pick commit per NVD CVE report. (From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2025-11412.patch | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index d358634ec58..1de32d1badc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -62,5 +62,6 @@ SRC_URI = "\ file://0024-CVE-2025-11082.patch \ file://0025-CVE-2025-11083.patch \ file://CVE-2025-11414.patch \ + file://CVE-2025-11412.patch \ " S = "${WORKDIR}/git" 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch new file mode 100644 index 00000000000..e2a2b10c182 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch 
@@ -0,0 +1,35 @@ +From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 25 Sep 2025 08:22:24 +0930 +Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry + +Limit addends on vtentry relocs, otherwise ld might attempt to +allocate a stupidly large array. This also fixes the expression +overflow leading to pr33452. A vtable of 33M entries on a 64-bit +host is surely large enough, especially considering that VTINHERIT +and VTENTRY relocations are to support -fvtable-gc that disappeared +from gcc over 20 years ago. + + PR ld/33452 + * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend. + +CVE: CVE-2025-11412 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 54f0d6e957e..0a0456177c2 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14613,7 +14613,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec, + const struct elf_backend_data *bed = get_elf_backend_data (abfd); + unsigned int log_file_align = bed->s->log_file_align; + +- if (!h) ++ if (!h || addend > 1u << 28) + { + /* xgettext:c-format */ + _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
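Review bot: In the bfd_elf_gc_record_vtentry hunk, the limit in `if (!h || addend > 1u << 28)` is a bare constant with no comment beside it; the reasoning for the value (a vtable of 33M entries on a 64-bit host, and the allocation size it guards) is recorded only in the commit message. A one-line comment at the check, or a named constant, would keep that reasoning with the code, and writing the bound as `(1u << 28)` would make the intended grouping obvious at a glance. The check reuses the existing "corrupt VTENTRY entry" message for both the NULL `h` case and the oversized addend, which is adequate for rejecting the input but will not tell a user which condition fired. As a backport of 047435dd988a3975d40c6626a8f739a0b2e154bc, these are points for upstream rather than for this copy.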
From: Peter Marko To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 3/3] binutils: patch CVE-2025-11413 Date: Sun, 2 Nov 2025 12:58:36 +0100 Message-Id: <20251102115836.1374458-3-peter.marko@siemens.com> In-Reply-To: <20251102115836.1374458-1-peter.marko@siemens.com> References: <20251102115836.1374458-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225578
From: Peter Marko Pick commit per NVD CVE report. Note that there were two patches for this, first [1] and then [2]. The second patch moved the original patch to different location. Cherry-pick of second patch is successful leaving out the code removing the code from first location, so the patch attached here is not identical to the upstream commit but is identical to applying both and merging them to a single patch. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331 [2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0 (From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1de32d1badc..60f921b5b0d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -63,5 +63,6 @@ SRC_URI = "\ file://0025-CVE-2025-11083.patch \ file://CVE-2025-11414.patch \ file://CVE-2025-11412.patch \ + file://CVE-2025-11413.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch new file mode 100644 index 00000000000..a7697d247f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch 
@@ -0,0 +1,38 @@ +From 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 25 Sep 2025 10:41:32 +0930 +Subject: [PATCH] Re: elf: Disallow the empty global symbol name + +sparc64-linux-gnu +FAIL: selective2 +sparc64-linux-gnu +FAIL: selective3 + + PR ld/33456 + * elflink.c (elf_link_add_object_symbols): Move new check later + to give the backend add_symbol_hook a chance to remove symbols + with empty names. + +CVE: CVE-2025-11413 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0] +Signed-off-by: Peter Marko +--- + bfd/elflink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 0a0456177c2..5c8b822e36a 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -5015,6 +5015,13 @@ elf_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info) + continue; + } + ++ if (name[0] == '\0') ++ { ++ _bfd_error_handler (_("%pB: corrupt symbol table"), abfd); ++ bfd_set_error (bfd_error_bad_value); ++ goto error_free_vers; ++ } ++ + /* Sanity check that all possibilities were handled. */ + if (sec == NULL) + abort ();
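Review bot: The header of CVE-2025-11413.patch describes a move (`Move new check later`, under the subject "Re: elf: Disallow the empty global symbol name"), but the embedded diff is a pure addition of the `name[0] == '\0'` check (7 insertions, no deletions), and its Upstream-Status line cites only 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. The explanation that the file is the merged result of upstream commits 1108620d7a521f1c85d2f629031ce0fbae14e331 and 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 exists only in the submission's commit message. Add a short line to the patch file header naming both commits, so the .patch file explains on its own why it differs from the commit it points to when someone next rebases or audits the recipe.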