public inbox for openembedded-core@lists.openembedded.org
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <deeratho@cisco.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648
Date: Fri, 20 Mar 2026 00:56:56 +0100
Message-ID: <DH75Z2970Q68.2IIP1XOVZ2EPX@smile.fr>
In-Reply-To: <20260317041229.2932275-1-deeratho@cisco.com>

On Tue Mar 17, 2026 at 5:12 AM CET, Deepak Rathore via lists.openembedded.org wrote:
> From: Deepak Rathore <deeratho@cisco.com>
>
> Pick the patch [1] as mentioned in [2].
>
> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-69648
>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> index 16a63cabc5..b6d7b3d60f 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> @@ -46,4 +46,5 @@ SRC_URI = "\
>       file://0018-CVE-2025-11494.patch \
>       file://0019-CVE-2025-11839.patch \
>       file://0020-CVE-2025-11840.patch \
> +     file://CVE-2025-69648.patch \
>  "
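Review bot: the new file is added as `file://CVE-2025-69648.patch` while the neighbouring entries in this SRC_URI block carry a sequence prefix (`0018-CVE-2025-11494.patch` through `0020-CVE-2025-11840.patch`); naming it `0021-CVE-2025-69648.patch` keeps the recipe directory ordered the way the existing backports are.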
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> new file mode 100644
> index 0000000000..a247bc0fe7
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> @@ -0,0 +1,188 @@
> +From da5460f518952684a8c774d9b202a395676ff85f Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Sat, 22 Nov 2025 09:22:10 +1030
> +Subject: [PATCH] PR 33638, debug_rnglists output
> +
> +The fuzzed testcase in this PR continuously outputs an error about
> +the debug_rnglists header.  Fixed by taking notice of the error and
> +stopping output.  The patch also limits the length in all cases, not
> +just when a relocation is present, and limits the offset entry count
> +read from the header.  I removed the warning and the test for relocs
> +because the code can't work reliably with unresolved relocs in the
> +length field.
> +
> +	PR 33638
> +	* dwarf.c (display_debug_rnglists_list): Return bool.  Rename
> +	"inital_length" to plain "length".  Verify length is large
> +	enough to read header.  Limit length to rest of section.
> +	Similarly limit offset_entry_count.
> +	(display_debug_ranges): Check display_debug_rnglists_unit_header
> +	return status.  Stop output on error.
> +
> +CVE: CVE-2025-69648
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
> +
> +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
> + 1 file changed, 34 insertions(+), 33 deletions(-)
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index d9f514180de..0d88ea94619 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -8292,7 +8292,7 @@ display_debug_rnglists_list (unsigned char * start,
> +   return start;
> + }
> +
> +-static int
> ++static bool
> + display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +				    uint64_t *              unit_offset,

Hello,

This patch and the others in the whole series have a weird format. The context
lines start with tabs and not a single space as usual. While it seems
like it passes tests, I'm afraid it will break something down the line
and I'd rather not take it like this.

Can you please check?

Thanks!

> +				    unsigned char *         poffset_size)
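Review bot: the two trailing context lines of this hunk (`uint64_t *              unit_offset,` and `unsigned char *         poffset_size)`) begin with a tab where unified diff requires a single leading space, which is the format problem raised in the reply above; every tab-indented context line later in the patch (the `warn` continuation lines, the `}` closing lines) has the same defect. Regenerate the backport with `git cherry-pick -x` followed by `git format-patch` instead of hand-editing the file, and run `git apply --check` on the result before resending. The `int` to `bool` change itself is fine and matches the callers updated further down.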
> +@@ -8300,7 +8300,8 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   uint64_t        start_offset = *unit_offset;
> +   unsigned char * p = section->start + start_offset;
> +   unsigned char * finish = section->start + section->size;
> +-  uint64_t        initial_length;
> ++  unsigned char * hdr;
> ++  uint64_t        length;
> +   unsigned char   segment_selector_size;
> +   unsigned int    offset_entry_count;
> +   unsigned int    i;
> +@@ -8309,66 +8310,59 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   unsigned char   offset_size;
> +
> +   /* Get and check the length of the block.  */
> +-  SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
> ++  SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
> +
> +-  if (initial_length == 0xffffffff)
> ++  if (length == 0xffffffff)
> +     {
> +       /* This section is 64-bit DWARF 3.  */
> +-      SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
> ++      SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
> +       *poffset_size = offset_size = 8;
> +     }
> +   else
> +     *poffset_size = offset_size = 4;
> +
> +-  if (initial_length > (size_t) (finish - p))
> +-    {
> +-      /* If the length field has a relocation against it, then we should
> +-	 not complain if it is inaccurate (and probably negative).
> +-	 It is copied from .debug_line handling code.  */
> +-      if (reloc_at (section, (p - section->start) - offset_size))
> +-	initial_length = finish - p;
> +-      else
> +-	{
> +-	  warn (_("The length field (%#" PRIx64
> +-		  ") in the debug_rnglists header is wrong"
> +-		  " - the section is too small\n"),
> +-		initial_length);
> +-	  return 0;
> +-	}
> +-    }
> +-
> +-  /* Report the next unit offset to the caller.  */
> +-  *unit_offset = (p - section->start) + initial_length;
> ++  if (length < 8)
> ++    return false;
> +
> +   /* Get the other fields in the header.  */
> ++  hdr = p;
> +   SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
> +   SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
> +
> +   printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
> +-  printf (_("  Length:          %#" PRIx64 "\n"), initial_length);
> ++  printf (_("  Length:          %#" PRIx64 "\n"), length);
> +   printf (_("  DWARF version:   %u\n"), version);
> +   printf (_("  Address size:    %u\n"), address_size);
> +   printf (_("  Segment size:    %u\n"), segment_selector_size);
> +   printf (_("  Offset entries:  %u\n"), offset_entry_count);
> +
> ++  if (length > (size_t) (finish - hdr))
> ++    length = finish - hdr;
> ++
> ++  /* Report the next unit offset to the caller.  */
> ++  *unit_offset = (hdr - section->start) + length;
> ++
> +   /* Check the fields.  */
> +   if (segment_selector_size != 0)
> +     {
> +       warn (_("The %s section contains "
> +	      "unsupported segment selector size: %d.\n"),
> +	    section->name, segment_selector_size);
> +-      return 0;
> ++      return false;
> +     }
> +
> +   if (version < 5)
> +     {
> +       warn (_("Only DWARF version 5+ debug_rnglists info "
> +	      "is currently supported.\n"));
> +-      return 0;
> ++      return false;
> +     }
> +
> ++  uint64_t max_off_count = (length - 8) / offset_size;
> ++  if (offset_entry_count > max_off_count)
> ++    offset_entry_count = max_off_count;
> +   if (offset_entry_count != 0)
> +     {
> +       printf (_("\n   Offsets starting at %#tx:\n"), p - section->start);
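Review bot: the `if (length < 8) return false;` path is silent, whereas the other failure paths in this function call `warn ()` before returning false (`unsupported segment selector size`, `Only DWARF version 5+`), and the removed code warned `The length field ... is wrong - the section is too small` on exactly the oversized case that is now clamped without any diagnostic; a `warn ()` on the too-short return and on the clamp would let a truncated dump be told apart from a clean one. The arithmetic is right: `max_off_count = (length - 8) / offset_size` relies on the 8 bytes of fixed fields (version 2, address size 1, segment selector 1, offset entry count 4) that the `length < 8` guard keeps non-negative, and clamping `length` to `finish - hdr` before computing `*unit_offset` is what makes the caller's `next_rnglists_cu_offset < section->size` loop terminate on a fuzzed length. One cosmetic point: the `Length:` and `Offset entries:` lines are printed before either clamp, so on bad input the printed values will disagree with the length actually used and the number of offsets actually listed.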
> +@@ -8382,7 +8376,7 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +	}
> +     }
> +
> +-  return 1;
> ++  return true;
> + }
> +
> + static bool
> +@@ -8414,6 +8408,7 @@ display_debug_ranges (struct dwarf_section *section,
> +   uint64_t last_offset = 0;
> +   uint64_t next_rnglists_cu_offset = 0;
> +   unsigned char offset_size;
> ++  bool ok_header = true;
> +
> +   if (bytes == 0)
> +     {
> +@@ -8503,8 +8498,12 @@ display_debug_ranges (struct dwarf_section *section,
> +       /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s).  */
> +       if (is_rnglists && next_rnglists_cu_offset < offset)
> +	{
> +-	  while (next_rnglists_cu_offset < offset)
> +-	    display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> ++	  while (ok_header && next_rnglists_cu_offset < offset)
> ++	    ok_header = display_debug_rnglists_unit_header (section,
> ++							    &next_rnglists_cu_offset,
> ++							    &offset_size);
> ++	  if (!ok_header)
> ++	    break;
> +	  printf (_("    Offset   Begin    End\n"));
> +	}
> +
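Review bot: the `if (!ok_header) break;` leaves the outer loop over `range_entries` without telling the user that the remaining entries were skipped; the only diagnostic is whatever `warn ()` the header function emitted, and on its `length < 8` path it emits none, so a fuzzed file can now produce a silently truncated table instead of the previous unbounded stream of warnings. A one-line `warn ()` before the `break` would keep the output self-explaining. Gating the `while` on `ok_header` is the right fix for the repeated error: a failed call (the `length < 8` case in particular) does not advance `next_rnglists_cu_offset`, and the old unconditional loop re-read the same header forever.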
> +@@ -8558,10 +8557,12 @@ display_debug_ranges (struct dwarf_section *section,
> +     }
> +
> +   /* Display trailing empty (or unreferenced) compile units, if any.  */
> +-  if (is_rnglists)
> ++  if (is_rnglists && ok_header)
> +     while (next_rnglists_cu_offset < section->size)
> +-      display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> +-
> ++      if (!display_debug_rnglists_unit_header (section,
> ++					       &next_rnglists_cu_offset,
> ++					       &offset_size))
> ++	break;
> +   putchar ('\n');
> +
> +   free (range_entries);
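Review bot: the trailing-unit dump is now an unbraced `if` / `while` / `if ... break` ladder; the `break` binds to the `while` as intended, but binutils' GNU style would put braces around a `while` body that spans four lines, and the blank line between the loop and `putchar ('\n')` was dropped in the same hunk, which makes `putchar` read as part of the loop body. Suggest wrapping the `if (!display_debug_rnglists_unit_header (...)) break;` in `{ ... }` and restoring the blank line.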
> +--
> +2.35.6


-- 
Yoann Congal
Smile ECS
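The format problem raised above (hunk context lines that begin with a tab instead of the single space unified diff requires) is easy to catch mechanically before a series is sent. The following checker is an added example written for this review in Python; it is not OE-core or binutils code, and the `SAMPLE` patch text is constructed to reproduce the tab-prefixed context lines, not copied from the submitted series. It walks each hunk by the line counts in its `@@` header and flags any body line whose first byte is not one of the four prefixes the format allows.

```python
"""Flag hunk lines of a unified diff whose prefix byte is not one of the
four that the format allows.  Added example for this review, written in
Python; it is not OE-core or binutils code.  SAMPLE is constructed to
reproduce tab-prefixed context lines."""
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
VALID_PREFIXES = {" ", "+", "-", "\\"}   # context, added, removed, "\ No newline"


def check_hunk_prefixes(patch_text):
    """Return [(line_no, line)] for every line inside a hunk body that does
    not start with ' ', '+', '-' or '\\'.

    Hunk bodies are delimited by the counts in the @@ header, so text after
    a hunk (mail body, signature) is not inspected.  An empty line is
    accepted as an empty context line: mailers commonly strip the single
    trailing space and git apply treats such a line as context.
    """
    problems = []
    old_left = new_left = 0
    for line_no, line in enumerate(patch_text.splitlines(), 1):
        m = HUNK_RE.match(line)
        if m:
            old_left = int(m.group(1)) if m.group(1) is not None else 1
            new_left = int(m.group(2)) if m.group(2) is not None else 1
            continue
        if old_left <= 0 and new_left <= 0:
            continue                      # not inside a hunk body
        prefix = line[:1]
        if prefix == "" or prefix == " ":
            old_left -= 1
            new_left -= 1
        elif prefix == "-":
            old_left -= 1
        elif prefix == "+":
            new_left -= 1
        elif prefix == "\\":
            pass                          # "\ No newline at end of file"
        else:
            # Damaged line; a leading tab is the symptom from the review.
            # Count it as context so the rest of the hunk stays aligned.
            problems.append((line_no, line))
            old_left -= 1
            new_left -= 1
    return problems


def restore_context_prefix(patch_text):
    """Re-insert the lost space before each flagged line.  This assumes the
    flagged lines are context lines whose leading space was dropped (the
    case here); regenerating the patch with git format-patch is preferable."""
    bad = {no for no, _ in check_hunk_prefixes(patch_text)}
    lines = patch_text.splitlines()
    return "\n".join(" " + l if no in bad else l
                     for no, l in enumerate(lines, 1))


# Constructed sample: the first hunk of the quoted patch with its two
# tab-indented context lines missing their leading space.
SAMPLE = "\n".join([
    "diff --git a/binutils/dwarf.c b/binutils/dwarf.c",
    "--- a/binutils/dwarf.c",
    "+++ b/binutils/dwarf.c",
    "@@ -8292,7 +8292,7 @@ display_debug_rnglists_list (unsigned char * start,",
    "   return start;",
    " }",
    "",
    "-static int",
    "+static bool",
    " display_debug_rnglists_unit_header (struct dwarf_section *  section,",
    "\t\t\t\t    uint64_t *              unit_offset,",     # tab, not space
    "\t\t\t\t    unsigned char *         poffset_size)",   # tab, not space
    "-- ",
    "2.35.6",
])

if __name__ == "__main__":
    for no, line in check_hunk_prefixes(SAMPLE):
        print(f"line {no}: bad hunk prefix {line[:1]!r}: {line.rstrip()}")
```

Run it over the mbox of each patch before sending; `git apply --check` on the saved patch remains the authoritative test, this script only points at the offending lines. `restore_context_prefix` is a last resort for a patch that cannot be regenerated, since it assumes every flagged line is a context line.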

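The commit message quoted above describes the failure mode only in words: a fuzzed `.debug_rnglists` unit length that overruns the section made the old header reader fail without advancing the unit offset, so the caller's loop re-read the same header and re-printed the same warning without end. The walk below is an added example written for this review in Python; it is not binutils code, and the section bytes are constructed by hand rather than taken from an object file. It implements the patched checks (reject a length below the 8 fixed header bytes, clamp an oversized length to the section, clamp `offset_entry_count` to what the unit can hold, and stop the caller on a bad header) beside the pre-patch behaviour, so the hang and its fix can both be observed on the same input.

```python
"""Walk .debug_rnglists unit headers with the bounds checks the patch adds.

Added example written for this review in Python; it is not binutils code and
the section bytes below are constructed, not taken from a real object file.
"""
import struct

# Fixed fields that follow the length: version(2) address_size(1)
# segment_selector_size(1) offset_entry_count(4) = 8 bytes.
FIXED_HDR = 8


def read_unit_header(section, unit_offset, clamp=True):
    """Parse one rnglists unit header at unit_offset.

    Returns (ok, next_unit_offset, info).  With clamp=True (patched logic) an
    oversized length is cut to the section end and offset_entry_count to what
    the unit can hold, and next_unit_offset is computed before the remaining
    checks.  With clamp=False (pre-patch logic) an oversized length fails
    without advancing next_unit_offset, which is what made the caller spin.
    """
    end = len(section)
    p = unit_offset
    if end - p < 4:
        return False, unit_offset, None
    (length,) = struct.unpack_from("<I", section, p)
    p += 4
    offset_size = 4
    if length == 0xFFFFFFFF:                 # 64-bit DWARF escape
        if end - p < 8:
            return False, unit_offset, None
        (length,) = struct.unpack_from("<Q", section, p)
        p += 8
        offset_size = 8
    hdr = p                                  # length counts from here

    if not clamp:
        if length > end - hdr:
            return False, unit_offset, None  # old code: warn and return 0
    elif length < FIXED_HDR:
        return False, unit_offset, None      # cannot hold the fixed fields

    if end - hdr < FIXED_HDR:
        return False, unit_offset, None      # section ends inside the header
    version, address_size, seg_sel, count = struct.unpack_from("<HBBI", section, hdr)
    p = hdr + FIXED_HDR

    if clamp and length > end - hdr:
        length = end - hdr                   # lying length: use what is there
    next_unit = hdr + length                 # reported before further checks
    info = {"length": length, "version": version, "address_size": address_size,
            "offset_size": offset_size, "offset_entry_count": count,
            "clamped": False}

    if seg_sel != 0 or version < 5:
        return False, next_unit, info

    if clamp:
        max_off_count = (length - FIXED_HDR) // offset_size
        if count > max_off_count:
            count = max_off_count
            info["clamped"] = True
    fmt = "<I" if offset_size == 4 else "<Q"
    readable = min(count, (end - p) // offset_size)   # never read past the end
    info["offset_entry_count"] = count
    info["offsets"] = [struct.unpack_from(fmt, section, p + i * offset_size)[0]
                       for i in range(readable)]
    return True, next_unit, info


def walk_units(section, clamp=True, max_calls=100):
    """Dump every unit header; returns (headers, calls).  With clamp=True the
    patched caller stops at the first bad header.  With clamp=False the
    pre-patch caller ignores the result and, because a failed read does not
    advance the offset, keeps calling until max_calls (the real loop had no
    cap, hence the endless output in the PR)."""
    headers, calls, off = [], 0, 0
    while off < len(section) and calls < max_calls:
        calls += 1
        ok, off, info = read_unit_header(section, off, clamp=clamp)
        if info is not None:
            headers.append(info)
        if clamp and not ok:
            break
    return headers, calls


def unit32(length, version, addr_size, seg_sel, count, offsets):
    """Build a 32-bit DWARF rnglists unit header plus its offset table."""
    return (struct.pack("<IHBBI", length, version, addr_size, seg_sel, count)
            + b"".join(struct.pack("<I", o) for o in offsets))


# Constructed input: a sane DWARF 5 unit (8 fixed bytes + two 4-byte
# offsets) followed by a fuzzed one whose length and offset_entry_count
# both overrun the section.
GOOD_UNIT = unit32(16, 5, 8, 0, 2, [8, 12])
FUZZED_UNIT = unit32(0xFFFF0000, 5, 8, 0, 0x7FFFFFFF, [0x10, 0x20])
SECTION = GOOD_UNIT + FUZZED_UNIT
SHORT_UNIT = struct.pack("<I", 4) + b"\0" * 8          # length < 8
DWARF64_UNIT = b"\xff" * 4 + struct.pack("<QHBBI", 8, 5, 8, 0, 0)

if __name__ == "__main__":
    hdrs, calls = walk_units(SECTION)
    print("patched:  ", calls, "calls,", [h["offset_entry_count"] for h in hdrs])
    hdrs, calls = walk_units(SECTION, clamp=False, max_calls=50)
    print("unpatched:", calls, "calls (hit the safety cap), units dumped:", len(hdrs))
```

The second unit is the interesting one: the patched walk clamps its length from 0xFFFF0000 to the 16 bytes that remain, reduces `offset_entry_count` from 0x7FFFFFFF to the 2 entries that fit, and advances past the end of the section so the loop ends after two calls; the pre-patch walk fails the length check, leaves the offset where it was, and is only stopped by the artificial cap.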



Thread overview: 13+ messages
2026-03-17  4:12 [OE-core][whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-17  4:12 ` [OE-core][whinlatter][PATCH v2 2/4] binutils: Fix CVE-2025-69644 CVE-2025-69647 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-19 23:56 ` Yoann Congal [this message]
2026-04-01 10:05   ` [whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648 Deepak Rathore
2026-04-01 10:17     ` [OE-core] " Yoann Congal
2026-04-02  7:14       ` Deepak Rathore
2026-04-01 10:00 ` [OE-core][whinlatter][PATCH v2 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:15   ` Patchtest results for " patchtest
2026-04-01 10:19   ` Yoann Congal
2026-04-02  6:54   ` [OE-core][whinlatter][PATCH v3 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:04 ` [OE-core][whinlatter][PATCH v3 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02  6:57 ` [OE-core][whinlatter][PATCH v4 3/4] binutils: Fix CVE-2025-69649 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02  6:58 ` [OE-core][whinlatter][PATCH v4 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
