[PATCH] binutils: fix CVE-2025-11081

[PATCH] binutils: fix CVE-2025-11081

[Yash.Shinde]

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE: CVE-2025-11081

Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.

	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
	elf_section_type without first checking the file is ELF.

PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
---
 .../binutils/binutils-2.45.inc                |  1 +
 .../binutils/0015-CVE-2025-11081.patch        | 51 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index 9c82f65eca..e419d829c2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -36,4 +36,5 @@ SRC_URI = "\
      file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
      file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
      file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+     file://0015-CVE-2025-11081.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
new file mode 100644
index 0000000000..0e15a7d6c2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
@@ -0,0 +1,51 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
+	elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4485,7 +4485,8 @@ dump_dwarf_section (bfd *abfd, asection *section,
+   else
+     match = name;
+ 
+-  if (elf_section_type (section) == SHT_GNU_SFRAME)
++  if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++      && elf_section_type (section) == SHT_GNU_SFRAME)
+     match = ".sframe";
+ 
+   for (i = 0; i < max; i++)
+@@ -4993,9 +4994,10 @@ dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
+ 	 SHT_GNU_SFRAME.  For SFrame sections from Binutils 2.44 or earlier,
+ 	 check explcitly for SFrame sections of type SHT_PROGBITS and name
+ 	 ".sframe" to allow them.  */
+-      else if (elf_section_type (sec) != SHT_GNU_SFRAME
+-	       && !(elf_section_type (sec) == SHT_PROGBITS
+-		    && strcmp (sect_name, ".sframe") == 0))
++      else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
++	       || (elf_section_type (sec) != SHT_GNU_SFRAME
++		   && !(elf_section_type (sec) == SHT_PROGBITS
++			&& strcmp (sect_name, ".sframe") == 0)))
+ 	{
+ 	  printf (_("Section %s does not contain SFrame data\n\n"),
+ 		  sanitize_string (sect_name));
+-- 
+2.43.7
+
-- 
2.49.0