All of lore.kernel.org
 help / color / mirror / Atom feed
* [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442
@ 2026-05-02 14:23 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
  2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
  2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal
  0 siblings, 2 replies; 10+ messages in thread
From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 UTC (permalink / raw)
  To: openembedded-core

From: Sudhir Dumbhare <sudumbha@cisco.com>

This patch applies the upstream fix [1], which addresses two out-of-bounds
read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes
shown in [2] are referenced by [3] and [4].

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527
[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-3441
https://nvd.nist.gov/vuln/detail/CVE-2026-3442
https://www.suse.com/security/cve/CVE-2026-3441.html
https://www.suse.com/security/cve/CVE-2026-3442.html

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../CVE-2026-3441_CVE-2026-3442.patch         | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 839d31242e..5d91a41648 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -69,5 +69,6 @@ SRC_URI = "\
      file://0028-CVE-2025-11494.patch \
      file://0029-CVE-2025-11839.patch \
      file://0030-CVE-2025-11840.patch \
+     file://CVE-2026-3441_CVE-2026-3442.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch
new file mode 100644
index 0000000000..28cface2c9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch
@@ -0,0 +1,50 @@
+From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 28 Feb 2026 13:16:40 +1030
+Subject: [PATCH] xcofflink buffer overflows
+
+This fixes two fuzzed object file out-of-bounds accesses.
+
+	* xcofflink.c (xcoff_link_add_symbols): Properly bounds check
+	XTY_LD x_scnlen index.  Sanity check r_symndx before using it
+	to index sym hashes.
+
+CVE: CVE-2026-3441 CVE-2026-3442
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf]
+
+(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ bfd/xcofflink.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c
+index e0165d202a9..88c49755c64 100644
+--- a/bfd/xcofflink.c
++++ b/bfd/xcofflink.c
+@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
+	     follow its appropriate XTY_SD symbol.  The .set pseudo op can
+	     cause the XTY_LD to not follow the XTY_SD symbol. */
+	  {
+-	    bool bad;
+-
+-	    bad = false;
+-	    if (aux.x_csect.x_scnlen.u64
+-		>= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd)))
+-	      bad = true;
++	    bool bad = (aux.x_csect.x_scnlen.u64
++			>= ((esym - (bfd_byte *) obj_coff_external_syms (abfd))
++			    / symesz));
+	    if (! bad)
+	      {
+		section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64];
+@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
+		 functions imported from dynamic objects.  */
+	      if (info->output_bfd->xvec == abfd->xvec
+		  && *rel_csect != bfd_und_section_ptr
++		  && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd)
+		  && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL)
+		{
+		  struct xcoff_link_hash_entry *h;
+--
+2.44.4
-- 
2.44.4



^ permalink raw reply related	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2026-07-08 12:15 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal
2026-05-13 17:27   ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-05-13 17:27     ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-03 21:09       ` Yoann Congal
2026-07-06 10:43         ` Yoann Congal
2026-06-03 21:02     ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal
2026-07-08 12:15       ` [scarthgap][PATCH " Sudhir Dumbhare
2026-05-13 17:39   ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.