From: "Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)" <deeratho@cisco.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter][PATCH v2 2/4] binutils: Fix CVE-2025-69644 CVE-2025-69647
Date: Tue, 17 Mar 2026 09:42:27 +0530 [thread overview]
Message-ID: <20260317041229.2932275-2-deeratho@cisco.com> (raw)
In-Reply-To: <20260317041229.2932275-1-deeratho@cisco.com>
From: Deepak Rathore <deeratho@cisco.com>
Pick the patch [1] as mentioned in [2] and [3].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
---
Changes from v1 -> v2:
- Rephrase the patch on top of CVE-2025-69648 patch
- Update the commit message to include both CVE-2025-69644 and CVE-2025-69647
- Update the CVE-ID patch name to include both CVE-2025-69644 and CVE-2025-69647
- Add CVE-2025-69647 in the CVE field in the commit message
diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
index b6d7b3d60f..48579b3602 100644
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -47,4 +47,5 @@ SRC_URI = "\
file://0019-CVE-2025-11839.patch \
file://0020-CVE-2025-11840.patch \
file://CVE-2025-69648.patch \
+ file://CVE-2025-69644_CVE-2025-69647.patch \
"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69644_CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644_CVE-2025-69647.patch
new file mode 100644
index 0000000000..b20e9adec2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644_CVE-2025-69647.patch
@@ -0,0 +1,84 @@
+From ba49416855d61189ef1d8c422ad2815b8702871e Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 22 Nov 2025 09:52:18 +1030
+Subject: [PATCH] PR 33639 .debug_loclists output
+
+The fuzzed testcase in this PR prints an almost endless table of
+offsets, due to a bogus offset count. Limit that count, and the total
+length too.
+
+ PR 33639
+ * dwarf.c (display_loclists_unit_header): Return error on
+ length too small to read header. Limit length to section
+ size. Limit offset count similarly.
+
+CVE: CVE-2025-69644 CVE-2025-69647
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=455446bbdc8675f34808187de2bbad4682016ff7]
+
+(cherry picked from commit 455446bbdc8675f34808187de2bbad4682016ff7)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ binutils/dwarf.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f4bcb677761..3c53821149c 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -7257,8 +7257,6 @@ display_loclists_unit_header (struct dwarf_section * section,
+ bool is_64bit;
+ uint32_t i;
+
+- printf (_("Table at Offset %#" PRIx64 "\n"), header_offset);
+-
+ SAFE_BYTE_GET_AND_INC (length, start, 4, end);
+ if (length == 0xffffffff)
+ {
+@@ -7267,6 +7265,11 @@ display_loclists_unit_header (struct dwarf_section * section,
+ }
+ else
+ is_64bit = false;
++ if (length < 8)
++ return (uint64_t) -1;
++
++ printf (_("Table at Offset %#" PRIx64 "\n"), header_offset);
++ header_offset = start - section->start;
+
+ SAFE_BYTE_GET_AND_INC (version, start, 2, end);
+ SAFE_BYTE_GET_AND_INC (address_size, start, 1, end);
+@@ -7279,15 +7282,21 @@ display_loclists_unit_header (struct dwarf_section * section,
+ printf (_(" Segment size: %u\n"), segment_selector_size);
+ printf (_(" Offset entries: %u\n"), *offset_count);
+
++ if (length > section->size - header_offset)
++ length = section->size - header_offset;
++
+ if (segment_selector_size != 0)
+ {
+ warn (_("The %s section contains an "
+ "unsupported segment selector size: %d.\n"),
+ section->name, segment_selector_size);
+- return (uint64_t)-1;
++ return (uint64_t) -1;
+ }
+
+- if ( *offset_count)
++ uint64_t max_off_count = length >> (is_64bit ? 3 : 2);
++ if (*offset_count > max_off_count)
++ *offset_count = max_off_count;
++ if (*offset_count)
+ {
+ printf (_("\n Offset Entries starting at %#tx:\n"),
+ start - section->start);
+@@ -7304,8 +7313,7 @@ display_loclists_unit_header (struct dwarf_section * section,
+ putchar ('\n');
+ *loclists_start = start;
+
+- /* The length field doesn't include the length field itself. */
+- return header_offset + length + (is_64bit ? 12 : 4);
++ return header_offset + length;
+ }
+
+ static int
+--
+2.44.1
--
2.35.6
next prev parent reply other threads:[~2026-03-17 4:12 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 4:12 [OE-core][whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-17 4:12 ` Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-03-19 23:56 ` Yoann Congal
2026-04-01 10:05 ` [whinlatter][PATCH " Deepak Rathore
2026-04-01 10:17 ` [OE-core] " Yoann Congal
2026-04-02 7:14 ` Deepak Rathore
2026-04-01 10:00 ` [OE-core][whinlatter][PATCH v2 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:15 ` Patchtest results for " patchtest
2026-04-01 10:19 ` Yoann Congal
2026-04-02 6:54 ` [OE-core][whinlatter][PATCH v3 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:04 ` [OE-core][whinlatter][PATCH v3 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02 6:57 ` [OE-core][whinlatter][PATCH v4 3/4] binutils: Fix CVE-2025-69649 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02 6:58 ` [OE-core][whinlatter][PATCH v4 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317041229.2932275-2-deeratho@cisco.com \
--to=deeratho@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox