* [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 @ 2026-05-02 14:23 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 0 siblings, 2 replies; 9+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 UTC (permalink / raw) To: openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- .../binutils/binutils-2.42.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 839d31242e..5d91a41648 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -69,5 +69,6 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..28cface2c9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,50 @@ +From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index e0165d202a9..88c49755c64 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.44.4 -- 2.44.4 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 1 sibling, 0 replies; 9+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-02 14:23 UTC (permalink / raw) To: openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses an out-of-bounds read issue in XCOFF relocation processing, as described in [2]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 Reference: https://bugzilla.suse.com/show_bug.cgi?id=1260338 https://www.suse.com/security/cve/CVE-2026-4647.html https://nvd.nist.gov/vuln/detail/CVE-2026-4647 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 5d91a41648..b1546de02c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -70,5 +70,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2026-3441_CVE-2026-3442.patch \ + file://CVE-2026-4647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch new file mode 100644 index 0000000000..cece5afefe --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch @@ -0,0 +1,228 @@ +From 3e24faeffc0116c271d048137b340586d800e17c Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 13 Mar 2026 17:28:28 +1030 +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing + + PR 33919 + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit + array size. + (xcoff_complain_overflow): Likewise. + (xcoff_rtype2howto): Return a NULL howto rather than aborting. + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. + (xcoff_ppc_relocate_section): Sanity check reloc r_type before + accessing xcoff_howto_table. Print r_type using %#x. Remove + now redundant later reloc r_type sanity check. + * coff64-rs6000.c: Similarly. + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. + +CVE: CVE-2026-4647 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] + +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- + bfd/libxcoff.h | 3 --- + 3 files changed, 41 insertions(+), 31 deletions(-) + +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 87feb672bf1..0f2cc496b63 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; + static xcoff_complain_function xcoff_complain_overflow_signed_func; + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; + +-xcoff_reloc_function *const +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ + }; + +-xcoff_complain_function *const +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = ++xcoff_complain_function *const xcoff_complain_overflow[] = + { + xcoff_complain_overflow_dont_func, + xcoff_complain_overflow_bitfield_func, +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = + void + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff_howto_table[internal->r_type]; +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x1f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) + if (xcoff_howto_table[i].name != NULL + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) + return &xcoff_howto_table[i]; +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); + return false; + } +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c +index 0f8d9e08783..c74698070d5 100644 +--- a/bfd/coff64-rs6000.c ++++ b/bfd/coff64-rs6000.c +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook + /* Relocation functions */ + static xcoff_reloc_function xcoff64_reloc_type_br; + +-xcoff_reloc_function *const +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = + void + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff64_howto_table[internal->r_type]; +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x3f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) + if (xcoff64_howto_table[i].name != NULL + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) + return &xcoff64_howto_table[i]; +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" + " r_rsize (0x%x)\n"), + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); + return false; +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff64_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h +index 81c4e205e06..ca716a9ef3a 100644 +--- a/bfd/libxcoff.h ++++ b/bfd/libxcoff.h +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) + +-/* xcoff*_ppc_relocate_section macros */ +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ + #ifdef N_ONES + #undef N_ONES +-- +2.44.4 + -- 2.44.4 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-07 22:03 ` Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 2 replies; 9+ messages in thread From: Yoann Congal @ 2026-05-07 22:03 UTC (permalink / raw) To: sudumbha, openembedded-core On Sat May 2, 2026 at 4:23 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses two out-of-bounds > read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes > shown in [2] are referenced by [3] and [4]. > > [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf > [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 > [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2026-3441 > https://nvd.nist.gov/vuln/detail/CVE-2026-3442 > https://www.suse.com/security/cve/CVE-2026-3441.html > https://www.suse.com/security/cve/CVE-2026-3442.html > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- > .../binutils/binutils-2.42.inc | 1 + > .../CVE-2026-3441_CVE-2026-3442.patch | 50 +++++++++++++++++++ > 2 files changed, 51 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 839d31242e..5d91a41648 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -69,5 +69,6 @@ SRC_URI = "\ > file://0028-CVE-2025-11494.patch \ > file://0029-CVE-2025-11839.patch \ > file://0030-CVE-2025-11840.patch \ > + file://CVE-2026-3441_CVE-2026-3442.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > new file mode 100644 > index 0000000000..28cface2c9 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > @@ -0,0 +1,50 @@ > +From 88a051b765a7684b24250907c2dad9fa8cd4124a Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Sat, 28 Feb 2026 13:16:40 +1030 > +Subject: [PATCH] xcofflink buffer overflows > + > +This fixes two fuzzed object file out-of-bounds accesses. > + > + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check > + XTY_LD x_scnlen index. Sanity check r_symndx before using it > + to index sym hashes. > + > +CVE: CVE-2026-3441 CVE-2026-3442 > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] > + > +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/xcofflink.c | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + Hello, This patch has a weird format: > +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c > +index e0165d202a9..88c49755c64 100644 > +--- a/bfd/xcofflink.c > ++++ b/bfd/xcofflink.c > +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + follow its appropriate XTY_SD symbol. The .set pseudo op can ^ here a context line starts with a TAB instead of the usual space. Can you check please? > + cause the XTY_LD to not follow the XTY_SD symbol. */ > + { > +- bool bad; > +- > +- bad = false; > +- if (aux.x_csect.x_scnlen.u64 > +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) > +- bad = true; > ++ bool bad = (aux.x_csect.x_scnlen.u64 > ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) > ++ / symesz)); > + if (! bad) > + { > + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; > +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + functions imported from dynamic objects. */ > + if (info->output_bfd->xvec == abfd->xvec > + && *rel_csect != bfd_und_section_ptr > ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) > + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) > + { > + struct xcoff_link_hash_entry *h; > +-- ^ Also, this line usually has a ending space. Maybe some tool decided to rewrite spaces, unaware of the patch expected format? Thanks! > +2.44.4 -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 9+ messages in thread
* [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal @ 2026-05-13 17:27 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 2 replies; 9+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 UTC (permalink / raw) To: yoann.congal, openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses two out-of-bounds read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes shown in [2] are referenced by [3] and [4]. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3441 https://nvd.nist.gov/vuln/detail/CVE-2026-3442 https://www.suse.com/security/cve/CVE-2026-3441.html https://www.suse.com/security/cve/CVE-2026-3442.html Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes v1 -> v2: - fixed tab issue around context lines .../binutils/binutils-2.42.inc | 1 + .../CVE-2026-3441_CVE-2026-3442.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a865c45f4..1a91792b13 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -74,5 +74,6 @@ SRC_URI = "\ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ + file://CVE-2026-3441_CVE-2026-3442.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch new file mode 100644 index 0000000000..ada80e5189 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch @@ -0,0 +1,51 @@ +From a28f517b1e3c3c22d5984e82046dcb844eef63fd Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 28 Feb 2026 13:16:40 +1030 +Subject: [PATCH] xcofflink buffer overflows + +This fixes two fuzzed object file out-of-bounds accesses. + + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check + XTY_LD x_scnlen index. Sanity check r_symndx before using it + to index sym hashes. + +CVE: CVE-2026-3441 CVE-2026-3442 +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] + +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/xcofflink.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c +index e0165d202a9..88c49755c64 100644 +--- a/bfd/xcofflink.c ++++ b/bfd/xcofflink.c +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + follow its appropriate XTY_SD symbol. The .set pseudo op can + cause the XTY_LD to not follow the XTY_SD symbol. */ + { +- bool bad; +- +- bad = false; +- if (aux.x_csect.x_scnlen.u64 +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) +- bad = true; ++ bool bad = (aux.x_csect.x_scnlen.u64 ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) ++ / symesz)); + if (! bad) + { + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + functions imported from dynamic objects. */ + if (info->output_bfd->xvec == abfd->xvec + && *rel_csect != bfd_und_section_ptr ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) + { + struct xcoff_link_hash_entry *h; +-- +2.35.6 + -- 2.35.6 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:09 ` Yoann Congal 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 1 sibling, 1 reply; 9+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:27 UTC (permalink / raw) To: yoann.congal, openembedded-core From: Sudhir Dumbhare <sudumbha@cisco.com> This patch applies the upstream fix [1], which addresses an out-of-bounds read issue in XCOFF relocation processing, as described in [2]. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 Reference: https://bugzilla.suse.com/show_bug.cgi?id=1260338 https://www.suse.com/security/cve/CVE-2026-4647.html https://nvd.nist.gov/vuln/detail/CVE-2026-4647 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes v1 -> v2: - fixed tab issue around context lines .../binutils/binutils-2.42.inc | 1 + .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a91792b13..3296573baf 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -75,5 +75,6 @@ SRC_URI = "\ file://CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ file://CVE-2026-3441_CVE-2026-3442.patch \ + file://CVE-2026-4647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch new file mode 100644 index 0000000000..564c435692 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch @@ -0,0 +1,228 @@ +From a0df757a2ad6728da209fa7fcc9f3a598183999b Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 13 Mar 2026 17:28:28 +1030 +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing + + PR 33919 + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit + array size. + (xcoff_complain_overflow): Likewise. + (xcoff_rtype2howto): Return a NULL howto rather than aborting. + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. + (xcoff_ppc_relocate_section): Sanity check reloc r_type before + accessing xcoff_howto_table. Print r_type using %#x. Remove + now redundant later reloc r_type sanity check. + * coff64-rs6000.c: Similarly. + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. + +CVE: CVE-2026-4647 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] + +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- + bfd/libxcoff.h | 3 --- + 3 files changed, 41 insertions(+), 31 deletions(-) + +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 87feb672bf1..0f2cc496b63 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; + static xcoff_complain_function xcoff_complain_overflow_signed_func; + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; + +-xcoff_reloc_function *const +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ + }; + +-xcoff_complain_function *const +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = ++xcoff_complain_function *const xcoff_complain_overflow[] = + { + xcoff_complain_overflow_dont_func, + xcoff_complain_overflow_bitfield_func, +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = + void + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff_howto_table[internal->r_type]; +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x1f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) + if (xcoff_howto_table[i].name != NULL + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) + return &xcoff_howto_table[i]; +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); + return false; + } +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c +index 0f8d9e08783..c74698070d5 100644 +--- a/bfd/coff64-rs6000.c ++++ b/bfd/coff64-rs6000.c +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook + /* Relocation functions */ + static xcoff_reloc_function xcoff64_reloc_type_br; + +-xcoff_reloc_function *const +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = + { + xcoff_reloc_type_pos, /* R_POS (0x00) */ + xcoff_reloc_type_neg, /* R_NEG (0x01) */ +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = + void + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + { +- if (internal->r_type > R_TOCL) +- abort (); ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ relent->howto = NULL; ++ return; ++ } + + /* Default howto layout works most of the time */ + relent->howto = &xcoff64_howto_table[internal->r_type]; +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) + if (relent->howto->dst_mask != 0 + && (relent->howto->bitsize + != ((unsigned int) internal->r_size & 0x3f) + 1)) +- abort (); ++ relent->howto = NULL; + } + + reloc_howto_type * +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, + { + unsigned int i; + +- for (i = 0; +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); +- i++) ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) + if (xcoff64_howto_table[i].name != NULL + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) + return &xcoff64_howto_table[i]; +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + the csect including the symbol which it references. */ + if (rel->r_type == R_REF) + continue; ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), ++ input_bfd, rel->r_type); ++ bfd_set_error (bfd_error_bad_value); ++ return false; ++ } + + /* Retrieve default value in HOWTO table and fix up according + to r_size field, if it can be different. +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + + default: + _bfd_error_handler +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" + " r_rsize (0x%x)\n"), + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); + return false; +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, + } + } + +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION +- || !((*xcoff64_calculate_relocation[rel->r_type]) +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, +- addend, &relocation, contents, info))) ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, ++ addend, &relocation, contents, info))) + return false; + + /* address */ +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h +index 81c4e205e06..ca716a9ef3a 100644 +--- a/bfd/libxcoff.h ++++ b/bfd/libxcoff.h +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) + +-/* xcoff*_ppc_relocate_section macros */ +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ + #ifdef N_ONES + #undef N_ONES +-- +2.35.6 + -- 2.35.6 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-03 21:09 ` Yoann Congal 2026-07-06 10:43 ` Yoann Congal 0 siblings, 1 reply; 9+ messages in thread From: Yoann Congal @ 2026-06-03 21:09 UTC (permalink / raw) To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses an out-of-bounds > read issue in XCOFF relocation processing, as described in [2]. > > [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 > [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 > > Reference: > https://bugzilla.suse.com/show_bug.cgi?id=1260338 > https://www.suse.com/security/cve/CVE-2026-4647.html > https://nvd.nist.gov/vuln/detail/CVE-2026-4647 > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- Hello, Same as 1/2, this look like it's needed on master/wrynose. Can you send the fix there and ping back here? Thanks! > Changes v1 -> v2: > - fixed tab issue around context lines > > .../binutils/binutils-2.42.inc | 1 + > .../binutils/binutils/CVE-2026-4647.patch | 228 ++++++++++++++++++ > 2 files changed, 229 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 1a91792b13..3296573baf 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -75,5 +75,6 @@ SRC_URI = "\ > file://CVE-2025-69647.patch \ > file://CVE-2025-69648.patch \ > file://CVE-2026-3441_CVE-2026-3442.patch \ > + file://CVE-2026-4647.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > new file mode 100644 > index 0000000000..564c435692 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-4647.patch > @@ -0,0 +1,228 @@ > +From a0df757a2ad6728da209fa7fcc9f3a598183999b Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Fri, 13 Mar 2026 17:28:28 +1030 > +Subject: [PATCH] PR33919 Out-of-bounds read in XCOFF relocation processing > + > + PR 33919 > + * coff-rs6000.c (xcoff_calculate_relocation): Don't use explicit > + array size. > + (xcoff_complain_overflow): Likewise. > + (xcoff_rtype2howto): Return a NULL howto rather than aborting. > + (_bfd_xcoff_reloc_name_lookup): Use ARRAY_SIZE. > + (xcoff_ppc_relocate_section): Sanity check reloc r_type before > + accessing xcoff_howto_table. Print r_type using %#x. Remove > + now redundant later reloc r_type sanity check. > + * coff64-rs6000.c: Similarly. > + * libxcoff.h (XCOFF_MAX_CALCULATE_RELOCATION): Don't define. > + (XCOFF_MAX_COMPLAIN_OVERFLOW): Don't define. > + > +CVE: CVE-2026-4647 > +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2] > + > +(cherry picked from commit 9e99dbc1f19ffaf18d0250788951706066ebe7f2) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/coff-rs6000.c | 36 +++++++++++++++++++++--------------- > + bfd/coff64-rs6000.c | 33 ++++++++++++++++++++------------- > + bfd/libxcoff.h | 3 --- > + 3 files changed, 41 insertions(+), 31 deletions(-) > + > +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c > +index 87feb672bf1..0f2cc496b63 100644 > +--- a/bfd/coff-rs6000.c > ++++ b/bfd/coff-rs6000.c > +@@ -155,8 +155,7 @@ static xcoff_complain_function xcoff_complain_overflow_bitfield_func; > + static xcoff_complain_function xcoff_complain_overflow_signed_func; > + static xcoff_complain_function xcoff_complain_overflow_unsigned_func; > + > +-xcoff_reloc_function *const > +-xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > ++xcoff_reloc_function *const xcoff_calculate_relocation[] = > + { > + xcoff_reloc_type_pos, /* R_POS (0x00) */ > + xcoff_reloc_type_neg, /* R_NEG (0x01) */ > +@@ -210,8 +209,7 @@ xcoff_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > + xcoff_reloc_type_toc, /* R_TOCL (0x31) */ > + }; > + > +-xcoff_complain_function *const > +-xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW] = > ++xcoff_complain_function *const xcoff_complain_overflow[] = > + { > + xcoff_complain_overflow_dont_func, > + xcoff_complain_overflow_bitfield_func, > +@@ -1158,8 +1156,11 @@ reloc_howto_type xcoff_howto_table[] = > + void > + xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) > + { > +- if (internal->r_type > R_TOCL) > +- abort (); > ++ if (internal->r_type >= ARRAY_SIZE (xcoff_howto_table)) > ++ { > ++ relent->howto = NULL; > ++ return; > ++ } > + > + /* Default howto layout works most of the time */ > + relent->howto = &xcoff_howto_table[internal->r_type]; > +@@ -1183,7 +1184,7 @@ xcoff_rtype2howto (arelent *relent, struct internal_reloc *internal) > + if (relent->howto->dst_mask != 0 > + && (relent->howto->bitsize > + != ((unsigned int) internal->r_size & 0x1f) + 1)) > +- abort (); > ++ relent->howto = NULL; > + } > + > + reloc_howto_type * > +@@ -1236,9 +1237,7 @@ _bfd_xcoff_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, > + { > + unsigned int i; > + > +- for (i = 0; > +- i < sizeof (xcoff_howto_table) / sizeof (xcoff_howto_table[0]); > +- i++) > ++ for (i = 0; i < ARRAY_SIZE (xcoff_howto_table); i++) > + if (xcoff_howto_table[i].name != NULL > + && strcasecmp (xcoff_howto_table[i].name, r_name) == 0) > + return &xcoff_howto_table[i]; > +@@ -3776,6 +3775,14 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + the csect including the symbol which it references. */ > + if (rel->r_type == R_REF) > + continue; > ++ if (rel->r_type >= ARRAY_SIZE (xcoff_howto_table)) > ++ { > ++ /* xgettext:c-format */ > ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), > ++ input_bfd, rel->r_type); > ++ bfd_set_error (bfd_error_bad_value); > ++ return false; > ++ } > + > + /* Retrieve default value in HOWTO table and fix up according > + to r_size field, if it can be different. > +@@ -3795,7 +3802,7 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + > + default: > + _bfd_error_handler > +- (_("%pB: relocation (%d) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), > ++ (_("%pB: relocation (%#x) at 0x%" PRIx64 " has wrong r_rsize (0x%x)\n"), > + input_bfd, rel->r_type, (uint64_t) rel->r_vaddr, rel->r_size); > + return false; > + } > +@@ -3871,10 +3878,9 @@ xcoff_ppc_relocate_section (bfd *output_bfd, > + } > + } > + > +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION > +- || !((*xcoff_calculate_relocation[rel->r_type]) > +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > +- addend, &relocation, contents, info))) > ++ if (!((*xcoff_calculate_relocation[rel->r_type]) > ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > ++ addend, &relocation, contents, info))) > + return false; > + > + /* address */ > +diff --git a/bfd/coff64-rs6000.c b/bfd/coff64-rs6000.c > +index 0f8d9e08783..c74698070d5 100644 > +--- a/bfd/coff64-rs6000.c > ++++ b/bfd/coff64-rs6000.c > +@@ -177,8 +177,7 @@ static bool xcoff64_bad_format_hook > + /* Relocation functions */ > + static xcoff_reloc_function xcoff64_reloc_type_br; > + > +-xcoff_reloc_function *const > +-xcoff64_calculate_relocation[XCOFF_MAX_CALCULATE_RELOCATION] = > ++xcoff_reloc_function *const xcoff64_calculate_relocation[] = > + { > + xcoff_reloc_type_pos, /* R_POS (0x00) */ > + xcoff_reloc_type_neg, /* R_NEG (0x01) */ > +@@ -1439,8 +1438,11 @@ reloc_howto_type xcoff64_howto_table[] = > + void > + xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) > + { > +- if (internal->r_type > R_TOCL) > +- abort (); > ++ if (internal->r_type >= ARRAY_SIZE (xcoff64_howto_table)) > ++ { > ++ relent->howto = NULL; > ++ return; > ++ } > + > + /* Default howto layout works most of the time */ > + relent->howto = &xcoff64_howto_table[internal->r_type]; > +@@ -1473,7 +1475,7 @@ xcoff64_rtype2howto (arelent *relent, struct internal_reloc *internal) > + if (relent->howto->dst_mask != 0 > + && (relent->howto->bitsize > + != ((unsigned int) internal->r_size & 0x3f) + 1)) > +- abort (); > ++ relent->howto = NULL; > + } > + > + reloc_howto_type * > +@@ -1528,9 +1530,7 @@ xcoff64_reloc_name_lookup (bfd *abfd ATTRIBUTE_UNUSED, > + { > + unsigned int i; > + > +- for (i = 0; > +- i < sizeof (xcoff64_howto_table) / sizeof (xcoff64_howto_table[0]); > +- i++) > ++ for (i = 0; i < ARRAY_SIZE (xcoff64_howto_table); i++) > + if (xcoff64_howto_table[i].name != NULL > + && strcasecmp (xcoff64_howto_table[i].name, r_name) == 0) > + return &xcoff64_howto_table[i]; > +@@ -1574,6 +1574,14 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + the csect including the symbol which it references. */ > + if (rel->r_type == R_REF) > + continue; > ++ if (rel->r_type >= ARRAY_SIZE (xcoff64_howto_table)) > ++ { > ++ /* xgettext:c-format */ > ++ _bfd_error_handler (_("%pB: unsupported relocation type %#x"), > ++ input_bfd, rel->r_type); > ++ bfd_set_error (bfd_error_bad_value); > ++ return false; > ++ } > + > + /* Retrieve default value in HOWTO table and fix up according > + to r_size field, if it can be different. > +@@ -1595,7 +1603,7 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + > + default: > + _bfd_error_handler > +- (_("%pB: relocation (%d) at (0x%" PRIx64 ") has wrong" > ++ (_("%pB: relocation (%#x) at (0x%" PRIx64 ") has wrong" > + " r_rsize (0x%x)\n"), > + input_bfd, rel->r_type, rel->r_vaddr, rel->r_size); > + return false; > +@@ -1668,10 +1676,9 @@ xcoff64_ppc_relocate_section (bfd *output_bfd, > + } > + } > + > +- if (rel->r_type >= XCOFF_MAX_CALCULATE_RELOCATION > +- || !((*xcoff64_calculate_relocation[rel->r_type]) > +- (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > +- addend, &relocation, contents, info))) > ++ if (!((*xcoff64_calculate_relocation[rel->r_type]) > ++ (input_bfd, input_section, output_bfd, rel, sym, &howto, val, > ++ addend, &relocation, contents, info))) > + return false; > + > + /* address */ > +diff --git a/bfd/libxcoff.h b/bfd/libxcoff.h > +index 81c4e205e06..ca716a9ef3a 100644 > +--- a/bfd/libxcoff.h > ++++ b/bfd/libxcoff.h > +@@ -215,9 +215,6 @@ struct xcoff_backend_data_rec > + #define bfd_xcoff_text_align_power(a) ((xcoff_data (a)->text_align_power)) > + #define bfd_xcoff_data_align_power(a) ((xcoff_data (a)->data_align_power)) > + > +-/* xcoff*_ppc_relocate_section macros */ > +-#define XCOFF_MAX_CALCULATE_RELOCATION (0x32) > +-#define XCOFF_MAX_COMPLAIN_OVERFLOW (4) > + /* N_ONES produces N one bits, without overflowing machine arithmetic. */ > + #ifdef N_ONES > + #undef N_ONES > +-- > +2.35.6 > + -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 2026-06-03 21:09 ` Yoann Congal @ 2026-07-06 10:43 ` Yoann Congal 0 siblings, 0 replies; 9+ messages in thread From: Yoann Congal @ 2026-07-06 10:43 UTC (permalink / raw) To: Yoann Congal, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed Jun 3, 2026 at 11:09 PM CEST, Yoann Congal wrote: > On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: >> From: Sudhir Dumbhare <sudumbha@cisco.com> >> >> This patch applies the upstream fix [1], which addresses an out-of-bounds >> read issue in XCOFF relocation processing, as described in [2]. >> >> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9e99dbc1f19ffaf18d0250788951706066ebe7f2 >> [2] https://sourceware.org/bugzilla/show_bug.cgi?id=33919 >> >> Reference: >> https://bugzilla.suse.com/show_bug.cgi?id=1260338 >> https://www.suse.com/security/cve/CVE-2026-4647.html >> https://nvd.nist.gov/vuln/detail/CVE-2026-4647 >> >> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> >> --- > > Hello, > > Same as 1/2, this look like it's needed on master/wrynose. Can you send > the fix there and ping back here? > > Thanks! Hello, I will now drop this patch. If the above situation changes, please send a new patch. Regards, -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-03 21:02 ` Yoann Congal 1 sibling, 0 replies; 9+ messages in thread From: Yoann Congal @ 2026-06-03 21:02 UTC (permalink / raw) To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco), openembedded-core On Wed May 13, 2026 at 7:27 PM CEST, Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > This patch applies the upstream fix [1], which addresses two out-of-bounds > read issues in bfd/xcofflink.c within xcoff_link_add_symbols(). The changes > shown in [2] are referenced by [3] and [4]. > > [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf > [2] https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/xcofflink.c;h=1781182fa6a3f92e5e91996f8b0dcf3ab192679b;hp=fde21c9f9583baff05e72e390e6bb896d02f9d43;hb=c2bf7de1eb77a91d7a3c86d56408bf57de540faf;hpb=d7f532cb3a46527 > [3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3441 > [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-3442 > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2026-3441 > https://nvd.nist.gov/vuln/detail/CVE-2026-3442 > https://www.suse.com/security/cve/CVE-2026-3441.html > https://www.suse.com/security/cve/CVE-2026-3442.html > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- Hello, Thanks for this new version but as far as I can tell, those CVEs also apply to master and wrynose, can you send the fix for those branches and ping back here? Thanks! > Changes v1 -> v2: > - fixed tab issue around context lines > > .../binutils/binutils-2.42.inc | 1 + > .../CVE-2026-3441_CVE-2026-3442.patch | 51 +++++++++++++++++++ > 2 files changed, 52 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc > index 1a865c45f4..1a91792b13 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.42.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc > @@ -74,5 +74,6 @@ SRC_URI = "\ > file://0030-CVE-2025-11840.patch \ > file://CVE-2025-69647.patch \ > file://CVE-2025-69648.patch \ > + file://CVE-2026-3441_CVE-2026-3442.patch \ > " > S = "${WORKDIR}/git" > diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > new file mode 100644 > index 0000000000..ada80e5189 > --- /dev/null > +++ b/meta/recipes-devtools/binutils/binutils/CVE-2026-3441_CVE-2026-3442.patch > @@ -0,0 +1,51 @@ > +From a28f517b1e3c3c22d5984e82046dcb844eef63fd Mon Sep 17 00:00:00 2001 > +From: Alan Modra <amodra@gmail.com> > +Date: Sat, 28 Feb 2026 13:16:40 +1030 > +Subject: [PATCH] xcofflink buffer overflows > + > +This fixes two fuzzed object file out-of-bounds accesses. > + > + * xcofflink.c (xcoff_link_add_symbols): Properly bounds check > + XTY_LD x_scnlen index. Sanity check r_symndx before using it > + to index sym hashes. > + > +CVE: CVE-2026-3441 CVE-2026-3442 > +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c2bf7de1eb77a91d7a3c86d56408bf57de540faf] > + > +(cherry picked from commit c2bf7de1eb77a91d7a3c86d56408bf57de540faf) > +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > +--- > + bfd/xcofflink.c | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + > +diff --git a/bfd/xcofflink.c b/bfd/xcofflink.c > +index e0165d202a9..88c49755c64 100644 > +--- a/bfd/xcofflink.c > ++++ b/bfd/xcofflink.c > +@@ -1873,12 +1873,9 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + follow its appropriate XTY_SD symbol. The .set pseudo op can > + cause the XTY_LD to not follow the XTY_SD symbol. */ > + { > +- bool bad; > +- > +- bad = false; > +- if (aux.x_csect.x_scnlen.u64 > +- >= (size_t) (esym - (bfd_byte *) obj_coff_external_syms (abfd))) > +- bad = true; > ++ bool bad = (aux.x_csect.x_scnlen.u64 > ++ >= ((esym - (bfd_byte *) obj_coff_external_syms (abfd)) > ++ / symesz)); > + if (! bad) > + { > + section = xcoff_data (abfd)->csects[aux.x_csect.x_scnlen.u64]; > +@@ -2244,6 +2241,7 @@ xcoff_link_add_symbols (bfd *abfd, struct bfd_link_info *info) > + functions imported from dynamic objects. */ > + if (info->output_bfd->xvec == abfd->xvec > + && *rel_csect != bfd_und_section_ptr > ++ && (unsigned long) rel->r_symndx < obj_raw_syment_count (abfd) > + && obj_xcoff_sym_hashes (abfd)[rel->r_symndx] != NULL) > + { > + struct xcoff_link_hash_entry *h; > +-- > +2.35.6 > + -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:39 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 1 sibling, 0 replies; 9+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-05-13 17:39 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 447 bytes --] Hi Yoann, Thank you for your review. I have regenerated the patch and address the issue which you have highlighted. I have resent the v2 here: [scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 ( https://lists.openembedded.org/g/openembedded-core/message/236997 ) [scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 ( https://lists.openembedded.org/g/openembedded-core/message/236998 ) Thanks and Regards, Sudhir [-- Attachment #2: Type: text/html, Size: 742 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-07-06 10:43 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-05-02 14:23 [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-02 14:23 ` [OE-core][scarthgap][PATCH 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-07 22:03 ` [OE-core][scarthgap][PATCH 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-05-13 17:27 ` [OE-core][scarthgap][PATCH v2 2/2] binutils: fix CVE-2026-4647 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2026-06-03 21:09 ` Yoann Congal 2026-07-06 10:43 ` Yoann Congal 2026-06-03 21:02 ` [OE-core][scarthgap][PATCH v2 1/2] binutils: fix CVE-2026-3441 and CVE-2026-3442 Yoann Congal 2026-05-13 17:39 ` [scarthgap][PATCH " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox