* [PATCH] binutils: Fix CVE-2025-1180
From: Harish.Sadineni @ 2025-05-22 12:17 UTC
To: openembedded-core; +Cc: Sundeep.Kokkonda
From: Harish Sadineni <Harish.Sadineni@windriver.com>
Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
CVE: CVE-2025-1180
cherry picked from upstream commit:
https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814
Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
---
.../binutils/binutils-2.44.inc | 1 +
.../binutils/binutils/CVE-2025-1180.patch | 165 ++++++++++++++++++
2 files changed, 166 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
index 6bc65a0fea..256d408018 100644
--- a/meta/recipes-devtools/binutils/binutils-2.44.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -35,5 +35,6 @@ SRC_URI = "\
file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+ file://CVE-2025-1180.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
new file mode 100644
index 0000000000..073361cf19
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
@@ -0,0 +1,165 @@
+From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 22 May 2025 01:56:17 -0700
+Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180)
+
+Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access)
+in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with
+ --gc-sections --gc-keep-exported option)
+
+https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with
+PR32642 which will get fixed with commit from PR 32636.
+
+(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)
+Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
+CVE: CVE-2025-1180
+
+Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
+---
+ bfd/elflink.c | 88 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+
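Review bot: The `Upstream-Status: Submitted` tag in this patch header sits directly under `(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)`, and the two read as contradictory. If the change is already an upstream commit, `Upstream-Status: Backport` with the commit URL describes its origin more accurately; if the tag refers to the pending backport request on the binutils list, saying so in the message body would remove the ambiguity.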
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 6346d7e2b4b..d765b688801 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
+ return true;
+ }
+
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+- unsigned long r_symndx,
+- bool discard)
++static struct elf_link_hash_entry *
++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
++ struct elf_link_hash_entry *h = NULL;
+
++ if ((r_symndx >= cookie->locsymcount
++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ /* Guard against corrupt input. See PR 32636 for an example. */
++ && r_symndx >= cookie->extsymoff)
++ {
+ h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+
+ while (h->root.type == bfd_link_hash_indirect
+ || h->root.type == bfd_link_hash_warning)
+ h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ }
++
++ return h;
++}
+
++asection *
++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
++ unsigned long r_symndx,
++ bool discard)
++{
++ struct elf_link_hash_entry *h;
++
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && discarded_section (h->root.u.def.section))
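Review bot: `get_ext_sym_hash` has no comment stating its contract, and its NULL return now covers two different cases: a symbol that is local, and an index rejected by the `r_symndx >= cookie->extsymoff` guard. A short comment above the function saying what NULL means, and that callers then treat the index as a local symbol, would make the three call sites easier to audit.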
+@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+ else
+ return NULL;
+ }
+- else
+- {
+- /* It's not a relocation against a global symbol,
+- but it could be a relocation against a local
+- symbol for a discarded section. */
+- asection *isec;
+- Elf_Internal_Sym *isym;
+
+- /* Need to: get the symbol; get the section. */
+- isym = &cookie->locsyms[r_symndx];
+- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+- if (isec != NULL
+- && discard ? discarded_section (isec) : 1)
+- return isec;
+- }
++ /* It's not a relocation against a global symbol,
++ but it could be a relocation against a local
++ symbol for a discarded section. */
++ asection *isec;
++ Elf_Internal_Sym *isym;
++
++ /* Need to: get the symbol; get the section. */
++ isym = &cookie->locsyms[r_symndx];
++ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
++ if (isec != NULL
++ && discard ? discarded_section (isec) : 1)
++ return isec;
++
+ return NULL;
+ }
+
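Review bot: With the `else` removed, the local-symbol path `isym = &cookie->locsyms[r_symndx]` now runs for every index where `get_ext_sym_hash` returns NULL, including indexes that only failed the new `r_symndx >= cookie->extsymoff` guard. Nothing in this hunk shows that such an index is below `cookie->locsymcount`, so either state that invariant in a comment or check `r_symndx < cookie->locsymcount` before indexing `locsyms`.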
+@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
+ if (r_symndx == STN_UNDEF)
+ return NULL;
+
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
+ {
+ bool was_marked;
+
+- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+- if (h == NULL)
+- {
+- info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"),
+- sec->owner);
+- return NULL;
+- }
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+ was_marked = h->mark;
+ h->mark = 1;
+ /* Keep all aliases of the symbol too. If an object symbol
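Review bot: The removed `if (h == NULL)` branch guarded against an empty `sym_hashes` slot and reported `corrupt input`, while the replacement helper reads `h->root.type` straight after loading the entry. Keep a NULL test in `get_ext_sym_hash` before its `while` loop, and consider whether the linker should still diagnose the corrupt file here rather than continue silently down the local-symbol path.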
+@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ if (r_symndx == STN_UNDEF)
+ return true;
+
+- if (r_symndx >= rcookie->locsymcount
+- || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
+-
+- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
++ struct elf_link_hash_entry *h;
+
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ h = get_ext_sym_hash (rcookie, r_symndx);
+
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && (h->root.u.def.section->owner != rcookie->abfd
+@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ || discarded_section (isec)))
+ return true;
+ }
++
+ return false;
+ }
+ return false;
+--
+2.49.0
+
--
2.49.0
* Re: [OE-core] [PATCH] binutils: Fix CVE-2025-1180
From: Khem Raj @ 2025-05-23 0:16 UTC
To: Harish.Sadineni, openembedded-core; +Cc: Sundeep.Kokkonda
On 5/22/25 5:17 AM, Sadineni, Harish via lists.openembedded.org wrote:
> From: Harish Sadineni <Harish.Sadineni@windriver.com>
>
> Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
> CVE: CVE-2025-1180
>
> cherry picked from upstream commit:
> https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814
>
> Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> ---
> .../binutils/binutils-2.44.inc | 1 +
> .../binutils/binutils/CVE-2025-1180.patch | 165 ++++++++++++++++++
> 2 files changed, 166 insertions(+)
> create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
> index 6bc65a0fea..256d408018 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.44.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
> @@ -35,5 +35,6 @@ SRC_URI = "\
> file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
> file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
> file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
> + file://CVE-2025-1180.patch \
> "
> S = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
> new file mode 100644
> index 0000000000..073361cf19
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1180.patch
> @@ -0,0 +1,165 @@
> +From 509c5afcd71afd36cd6496f8c84733b11bd5e9e5 Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc@redhat.com>
> +Date: Thu, 22 May 2025 01:56:17 -0700
> +Subject: [PATCH] Backport fix for PR 32642(CVE-2025-1180)
> +
> +Backporting the fix from PR 32636 to fix PR 32642 (ld SEGV (illegal read access)
> +in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with
> + --gc-sections --gc-keep-exported option)
> +
> +https://nvd.nist.gov/vuln/detail/CVE-2025-1180 is associated with
> +PR32642 which will get fixed with commit from PR 32636.
> +
> +(cherry picked from commit: f9978defb6fab0bd8583942d97c112b0932ac814)
> +Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141351.html]
> +CVE: CVE-2025-1180
> +
Looks ok to me.
Have we run binutils tests with this patch applied? I would recommend
we do that, and I would also wait for backport response upstream meanwhile.
> +Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
> +---
> + bfd/elflink.c | 88 +++++++++++++++++++++++++--------------------------
> + 1 file changed, 44 insertions(+), 44 deletions(-)
> +
> +diff --git a/bfd/elflink.c b/bfd/elflink.c
> +index 6346d7e2b4b..d765b688801 100644
> +--- a/bfd/elflink.c
> ++++ b/bfd/elflink.c
> +@@ -96,22 +96,37 @@ _bfd_elf_link_keep_memory (struct bfd_link_info *info)
> + return true;
> + }
> +
> +-asection *
> +-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
> +- unsigned long r_symndx,
> +- bool discard)
> ++static struct elf_link_hash_entry *
> ++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
> + {
> +- if (r_symndx >= cookie->locsymcount
> +- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
> +- {
> +- struct elf_link_hash_entry *h;
> ++ struct elf_link_hash_entry *h = NULL;
> +
> ++ if ((r_symndx >= cookie->locsymcount
> ++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
> ++ /* Guard against corrupt input. See PR 32636 for an example. */
> ++ && r_symndx >= cookie->extsymoff)
> ++ {
> + h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
> +
> + while (h->root.type == bfd_link_hash_indirect
> + || h->root.type == bfd_link_hash_warning)
> + h = (struct elf_link_hash_entry *) h->root.u.i.link;
> ++ }
> ++
> ++ return h;
> ++}
> +
> ++asection *
> ++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
> ++ unsigned long r_symndx,
> ++ bool discard)
> ++{
> ++ struct elf_link_hash_entry *h;
> ++
> ++ h = get_ext_sym_hash (cookie, r_symndx);
> ++
> ++ if (h != NULL)
> ++ {
> + if ((h->root.type == bfd_link_hash_defined
> + || h->root.type == bfd_link_hash_defweak)
> + && discarded_section (h->root.u.def.section))
> +@@ -119,21 +134,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
> + else
> + return NULL;
> + }
> +- else
> +- {
> +- /* It's not a relocation against a global symbol,
> +- but it could be a relocation against a local
> +- symbol for a discarded section. */
> +- asection *isec;
> +- Elf_Internal_Sym *isym;
> +
> +- /* Need to: get the symbol; get the section. */
> +- isym = &cookie->locsyms[r_symndx];
> +- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
> +- if (isec != NULL
> +- && discard ? discarded_section (isec) : 1)
> +- return isec;
> +- }
> ++ /* It's not a relocation against a global symbol,
> ++ but it could be a relocation against a local
> ++ symbol for a discarded section. */
> ++ asection *isec;
> ++ Elf_Internal_Sym *isym;
> ++
> ++ /* Need to: get the symbol; get the section. */
> ++ isym = &cookie->locsyms[r_symndx];
> ++ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
> ++ if (isec != NULL
> ++ && discard ? discarded_section (isec) : 1)
> ++ return isec;
> ++
> + return NULL;
> + }
> +
> +@@ -13994,22 +14008,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
> + if (r_symndx == STN_UNDEF)
> + return NULL;
> +
> +- if (r_symndx >= cookie->locsymcount
> +- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
> ++ h = get_ext_sym_hash (cookie, r_symndx);
> ++
> ++ if (h != NULL)
> + {
> + bool was_marked;
> +
> +- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
> +- if (h == NULL)
> +- {
> +- info->callbacks->fatal (_("%F%P: corrupt input: %pB\n"),
> +- sec->owner);
> +- return NULL;
> +- }
> +- while (h->root.type == bfd_link_hash_indirect
> +- || h->root.type == bfd_link_hash_warning)
> +- h = (struct elf_link_hash_entry *) h->root.u.i.link;
> +-
> + was_marked = h->mark;
> + h->mark = 1;
> + /* Keep all aliases of the symbol too. If an object symbol
> +@@ -15064,17 +15068,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
> + if (r_symndx == STN_UNDEF)
> + return true;
> +
> +- if (r_symndx >= rcookie->locsymcount
> +- || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
> +- {
> +- struct elf_link_hash_entry *h;
> +-
> +- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
> ++ struct elf_link_hash_entry *h;
> +
> +- while (h->root.type == bfd_link_hash_indirect
> +- || h->root.type == bfd_link_hash_warning)
> +- h = (struct elf_link_hash_entry *) h->root.u.i.link;
> ++ h = get_ext_sym_hash (rcookie, r_symndx);
> +
> ++ if (h != NULL)
> ++ {
> + if ((h->root.type == bfd_link_hash_defined
> + || h->root.type == bfd_link_hash_defweak)
> + && (h->root.u.def.section->owner != rcookie->abfd
> +@@ -15098,6 +15097,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
> + || discarded_section (isec)))
> + return true;
> + }
> ++
> + return false;
> + }
> + return false;
> +--
> +2.49.0
> +
* Re: [PATCH] binutils: Fix CVE-2025-1180
From: Sadineni, Harish @ 2025-05-23 7:23 UTC
To: openembedded-core
Test result summary for binutils before and after applying the patch:

Component   Metric                Without Patch  With Patch  Change
*binutils*  Expected passes       310            310         —
            Unexpected failures   1              1           —
            Untested testcases    1              1           —
            Unsupported tests     9              9           —
*gas*       Expected passes       2017           2017        —
            Unexpected failures   4              4           —
            Unsupported tests     1              1           —
*ld*        Expected passes       1787           1787        —
            Expected failures     7              7           —
            Unresolved testcases  1              1           —
            Untested testcases    20             20          —
            Unsupported tests     99             99          —

There are no regressions in test results.
Thanks,
Harish
* Re: [OE-core] [PATCH] binutils: Fix CVE-2025-1180
From: Khem Raj @ 2025-05-23 14:23 UTC
To: Harish.Sadineni; +Cc: openembedded-core
Thanks for the update
On Fri, May 23, 2025 at 12:23 AM Sadineni, Harish via lists.openembedded.org
<Harish.Sadineni=windriver.com@lists.openembedded.org> wrote:
> Test result summary for binutils with before and after applying the patch:
>
> Component Metric Without Patch With Patch Change
> *binutils* Expected passes 310 310 —
> Unexpected failures 1 1 —
> Untested testcases 1 1 —
> Unsupported tests 9 9 —
> *gas* Expected passes 2017 2017 —
> Unexpected failures 4 4 —
> Unsupported tests 1 1 —
> *ld* Expected passes 1787 1787 —
> Expected failures 7 7 —
> Unresolved testcases 1 1 —
> Untested testcases 20 20 —
> Unsupported tests 99 99 —
>
> There is no regressions in test results.
>
> Thanks,
> Harish