From patchwork Sat May 2 14:23:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 87394 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B635FCD3423 for ; Sat, 2 May 2026 14:24:34 +0000 (UTC) Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.7182.1777731874243935583 for ; Sat, 02 May 2026 07:24:34 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=hb9f2WZq; spf=pass (domain: cisco.com, ip: 173.37.142.88, mailfrom: sudumbha@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3949; q=dns/txt; s=iport01; t=1777731874; x=1778941474; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=6xuYVtcpFrqrOceUGK3Pt6jQPZCWm6CMci3oFXanyes=; b=hb9f2WZqgNM3UgxXCFSFG5gaNp8vttAogmdszXgEv8V2ffJxdrkt6FM7 x6UYvwv9hUUrCoiPBET/RpU81TF0NzCxDsTVrZxv3QTGgJl/EP/JtsmaU 75QVWOLZMl53GulnyEaVWH/WRtThkusAqssxovwsKggkNS3EgUQTlPXRK gSP7JHJHl61uN4wewXX6WPG3KoV8JqE66AAk7/gqQqjbKuaH0qvhp1dkv u0f6y2d535VcnPCFxZKz1xf0eDpoHJTjlOXxoqZI8jngpJIoZKiPAW/PQ jla8FV0oa18P9aWZ5AbVwhkAMMooB2QN3M8ab+bGzInF8pUnYmynzvGrS A==; X-CSE-ConnectionGUID: OW4/lqhCTCewjCjUjSKAXg== X-CSE-MsgGUID: hCgUwgCnRNuSRSFhQqw+RA== X-IPAS-Result: A0BxAgC1CPZp/5H/Ja1aglmCV3FfQkkDlCeCIYEWilGSNoF/DwEBAQ84GQQBAZI5AiY0CQ4BAgQBAQEBAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAS0LAXIDAQJPCyMhgwIBgjoDNgIBEQaycYF5M4EBg1oFCQJDUNhIDYJSAQUGFAGBOIU/gnmFI1sYAYR6JxsbgXKBFYE7gTd2gQWBGkIBAgEYiAoEgiKBDoFgHo0cSIEeA1ksAVUTDQoLBwWBZgM1EioVbjIdgSM+F4EMGwcFgUuDAG1qgQOEYHgjLANOcgMLGA1IESw3FBsEPm4HimQdD4IwAYENAQciAiKCCqV0oB1xCiiDdIwejz6FfBozhASUFZJSmQaOCYQJkkeEaIFoPIFHCwdwFYMiUxkPjjiDa4F/gxTAECM1AgkDLwEBBwIHDQMLgWiRfQEB IronPort-Data: A9a23:zr0Xva8Ym6haOTs3IsJBDrUD0X+TJUtcMsCJ2f8bNWPcYEJGY0x3n WpKCj2COK3fNmOjf90lOt7joUhTvp/UnIdiGQpopSBEQiMRo6IpJzg2wmQcns+2BpeeJK6yx 5xGMrEsFOhtEDmE4EzrauS9xZVF/fngbqLmD+LZMTxGSwZhSSMw4TpugOdRbrRA2bBVOCvT/ 4mpyyHjEAX9gWAsbzpOs/jrRC5H5ZwehhtJ5jTSWtgT1LPuvyF9JI4SI6i3M0z5TuF8dsamR /zOxa2O5WjQ+REgELuNyt4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5nXBYoUnq7vh3S9zxHJ HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kRAtFf/v93Kl1l+ OMaAzIwbCugrtK5lefTpulE3qzPLeHxN48Z/3UlxjbDALN+EdbIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZP0An1lQ/UPrSmM+zm3XidjdYoXqepLE85C7YywkZPL3Fb4GLJ4PWFJwK9qqej mLt8FnmDTocDvqC8gC+3HKVn/CMpwquDer+E5X9rJaGmma7wXQeDhATX1a3rfS1z0W5Qd93L 00P5jFoqrA/8kGuRNTxUxC05nmesXYht8F4CeY27kSJj6HT+QvcXjhCRT9aY9tgv8gzLdA36 mK0cxrSLWQHmNWopbi1r994cRva1fApEFI/ IronPort-HdrOrdr: A9a23:7HPT2aMghFi2ZcBcTvGjsMiBIKoaSvp037BN7TESdfU7SKKlfq yV8cjztiWE6wr5JktApTnoAsDpKhnhHPVOjrX5U43PYOCfgguVBbAny5f+yDv9HCC73Otc2a B8N5VaMrTLfD1HZQKQ2njeLz7mq+P3lJyVuQ== X-Talos-CUID: 9a23:EyIB5221kd5x+d/sxsqeYbxfPf95NXnEzFzsCEKnC01rdb+uanag9/Yx X-Talos-MUID: 9a23:s/YcIQUqeyepGUPq/D/Hiwx9O+xu2YKzM3o2v5U/otbHDwUlbg== X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.23,212,1770595200"; d="scan'208";a="736574917" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by alln-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 02 May 2026 14:24:33 +0000 Received: from sjc-ads-12007.cisco.com (sjc-ads-12007.cisco.com [171.70.97.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 2D24818000460 for ; Sat, 2 May 2026 14:24:33 +0000 (GMT) Received: by sjc-ads-12007.cisco.com (Postfix, from userid 1840713) id CA831CC12B5; Sat, 2 May 2026 07:24:32 -0700 (PDT) From: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Date: Sat, 2 May 2026 07:23:54 -0700 Message-Id: <20260502142354.3840615-1-sudumbha@cisco.com> X-Mailer: git-send-email 2.35.6 MIME-Version: 1.0 X-Outbound-Client-TLS: ANONYMOUS;sjc-ads-12007.cisco.com [171.70.97.7];TLSv1.3;TLS_AES_256_GCM_SHA384;256 X-Outbound-SMTP-Client: 171.70.97.7, sjc-ads-12007.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 02 May 2026 14:24:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236307 From: Sudhir Dumbhare This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare --- .../binutils/binutils-2.42.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 839d31242e..5d91a41648 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -69,5 +69,6 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..28cface2c9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,50 @@ +From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index e0165d202a9..88c49755c64 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.44.4 From patchwork Sat May 2 14:23:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 87395 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE00ACD13DA for ; Sat, 2 May 2026 14:26:14 +0000 (UTC) Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7179.1777731973706370832 for ; Sat, 02 May 2026 07:26:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=Mtn5gqRW; spf=pass (domain: cisco.com, ip: 173.37.142.94, mailfrom: sudumbha@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=10002; q=dns/txt; s=iport01; t=1777731973; x=1778941573; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Fzd6/tytQ1p/6b9fTPj+oYOe3HR1pPgi+n0wrJNMmaY=; b=Mtn5gqRW9i+/hluaWsW9+giTBhVx8jGMBEQbCCbICHFe2aPs0dUtFGDt 67+J3JXb7vZuDwTG7xevNb+7orLjJQSHS+K4XNpDkIa+e53GsYK2ZWMV5 T4BmO9bo/4p55lKcSK2pXXkTzVz4/y24+2UIH4MEca/gzec2SumaN4vpF 1G6uLGZTYsgUTOxyVfA0wicdVTZP+SfZmtDxxdvxOQwT7+y2YU3bobRUu AZdjvYnkmOjaGuRbK9ADseYQVuaDObFeGYftKgNQk4hB9svhpL3siO5Os dgBbyX8tOj9SiynT9a+WDu86nw3gap0ODUKU/XBLpjbEeAXj/xBN+pKWG g==; X-CSE-ConnectionGUID: f1F62q1jRImvPNhd7tacwQ== X-CSE-MsgGUID: I8kQvauoRD+atWR8op+hcw== X-IPAS-Result: A0B2AgAlCfZp/4//Ja1aglmCV3FfQkkDlCeCIQOBE4pRkjaBfw8BAQEPRA0EAQGFBgKNMQImNAkOAQIEAQEBAQMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwWBDhOGTw2GWgECAQMnCwFWHAMBAi8gCyMIGYMCAYI6AzYCAREGsneBeTOBAYNaBQkCQ1DYSA2CUgEFBhQBgTiFP4J5hSNbGAGEeicbG4FygRQBgTuBN3aBBYEaQgECARh+boYeBIIigQ6BYB6NHEiBHgNZLAFVEw0KCwcFgWYDNRIqFW4yHYEjPheBDBsHBYFLgwBtaoEDhGB4IywDTnIDCxgNSBEsNxQbBD5uB4pkHQ+BPnIBLGEBKQIggV0SHZM/kBSCIaAdcQoog3SMHo8+hXwaM4QElBWSUpkGjgmECZJHhGiBaDyBRwsHcBWDIlMZD44tCwuDYIF/gxTAECM1AgkDLwEBBwIHDQMLgWiQEYFsAQE IronPort-Data: A9a23:i1OMt6ib05+BGlhdxpXUbIL2X161MREKZh0ujC45NGQN5FlHY01je htvXGmGO6qDMGfwf491btiw805T7ZHRz4RhSFdvqCg0QnhjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+FH1dOOn9SUgvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZeEULOZ82QsaDxMtvrZ8EkHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUWo8gpW3gX9 8Y5LS41SBCP2P6/y62CH7wEasQLdKEHPasFsX1miDWcBvE8TNWbHePB5MRT23E7gcUm8fT2P pVCL2EwKk6dPlsWZgx/5JEWxI9EglHkbjFFrViVrII84nPYy0p6172F3N/9JYfSGp0EzxnFz o7A10WpASgEPcGY8xbG+26TvL/IhWD7U51HQdVU8dYv2jV/3Fc7DwUbU1a+q/S1hkOyHtlYM UE8/is1sbN081SmSNT4VRC0rHOI+BkGVLJt//YS8gqBzO/Qpg2eHGVBFmAHY909v8hwTjsvv rOUo+7U6fVUmOX9YRqgGn289lte5QB9wbc+WBI5 IronPort-HdrOrdr: A9a23:e7dnq6nRv8gWMPPHJmpk99m06Q/pDfIA3DAbv31ZSRFFG/Fw8P re+MjzuiWbtN98YhwdcJW7Scq9qBDnhPtICPcqXItKNTOO0ADDEGgh1/qB/9SKIULDH4BmuZ uIC5IfNPTASX5nkM39/A60V/wkwNWB7eSUoN229QYLcemvAJsQljuQzW2gYytLeDU= X-Talos-CUID: 9a23:ElTZFmFPXNb5Qm36qmJprWBKQNl8cEf8yWnoBU+0VnpgQ6KsHAo= X-Talos-MUID: 9a23:Nf6JNA4jwFhHE8BOAoMF99f6xoxJs6eXFkkQlq8q+MCYChYgPC/ejD+oF9o= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.23,212,1770595200"; d="scan'208";a="730709975" Received: from rcdn-l-core-06.cisco.com ([173.37.255.143]) by alln-iport-7.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 02 May 2026 14:26:10 +0000 Received: from sjc-ads-12007.cisco.com (sjc-ads-12007.cisco.com [171.70.97.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-06.cisco.com (Postfix) with ESMTPS id CC0771800039B for ; Sat, 2 May 2026 14:26:10 +0000 (GMT) Received: by sjc-ads-12007.cisco.com (Postfix, from userid 1840713) id 79061CC12B5; Sat, 2 May 2026 07:26:10 -0700 (PDT) From: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Date: Sat, 2 May 2026 07:23:56 -0700 Message-Id: <20260502142354.3840615-2-sudumbha@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260502142354.3840615-1-sudumbha@cisco.com> References: <20260502142354.3840615-1-sudumbha@cisco.com> MIME-Version: 1.0 X-Outbound-Client-TLS: ANONYMOUS;sjc-ads-12007.cisco.com [171.70.97.7];TLSv1.3;TLS_AES_256_GCM_SHA384;256 X-Outbound-SMTP-Client: 171.70.97.7, sjc-ads-12007.cisco.com X-Outbound-Node: rcdn-l-core-06.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 02 May 2026 14:26:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236308 From: Sudhir Dumbhare This patch applies the upstream fix [1], which addresses an out-of-bounds read issue in XCOFF relocation processing, as described in [2]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 Reference: https://bugzilla.suse.com/show_bug.cgi?id=1260338 https://www.suse.com/security/cve/CVE-2026-4647.html https://nvd.nist.gov/vuln/detail/CVE-2026-4647 Signed-off-by: Sudhir Dumbhare --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 5d91a41648..b1546de02c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -70,5 +70,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2026-3441_CVE-2026-3442.patch \ + file://CVE-2026-4647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch new file mode 100644 index 0000000000..cece5afefe --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch @@ -0,0 +1,228 @@ +From 3e24faeffc0116c271d048137b340586d800e17c Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 13 Mar 2026 17:28:28 +1030 +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing + + PR 33919 + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit + array size. + (xcoff_complain_overflow): Likewise. + (xcoff_rtype2howto): Return a NULL howto rather than aborting. + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. + (xcoff_ppc_relocate_section): Sanity check reloc r_type before + accessing xcoff_howto_table. Print r_type using %#x. Remove + now redundant later reloc r_type sanity check. + * coff64-rs6000.c: Similarly. + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. + +CVE: CVE-2026-4647 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] + +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) +Signed-off-by: Sudhir Dumbhare +--- + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- + bfd/libxcoff.h | 3 --- + 3 files changed, 41 insertions(+), 31 deletions(-) + +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 87feb672bf1..0f2cc496b63 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; + static xcoff_complain_function xcoff_complain_overflow_signed_func; + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; + +-xcoff_reloc_function *const +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ + }; + +-xcoff_complain_function *const +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = ++xcoff_complain_function *const xcoff_complain_overflow[] = + { + xcoff_complain_overflow_dont_func, + xcoff_complain_overflow_bitfield_func, +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = + void + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff_howto_table[internal->r_type]; +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x1f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) + if (xcoff_howto_table[i].name != NULL + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) + return &xcoff_howto_table[i]; +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); + return false; + } +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c +index 0f8d9e08783..c74698070d5 100644 +--- a/bfd/coff64-rs6000.c ++++ b/bfd/coff64-rs6000.c +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook + /* Relocation functions */ + static xcoff_reloc_function xcoff64_reloc_type_br; + +-xcoff_reloc_function *const +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = + void + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff64_howto_table[internal->r_type]; +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x3f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) + if (xcoff64_howto_table[i].name != NULL + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) + return &xcoff64_howto_table[i]; +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" + " r_rsize (0x%x)\n"), + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); + return false; +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff64_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h +index 81c4e205e06..ca716a9ef3a 100644 +--- a/bfd/libxcoff.h ++++ b/bfd/libxcoff.h +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) + +-/* xcoff*_ppc_relocate_section macros */ +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ + #ifdef N_ONES + #undef N_ONES +-- +2.44.4 +