From: "Yoann Congal" <yoann.congal@smile.fr>
To: <deeratho@cisco.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][whinlatter][PATCH v2 1/4] binutils: Fix CVE-2025-69648
Date: Wed, 01 Apr 2026 12:19:25 +0200 [thread overview]
Message-ID: <DHHQQ7P9WLR7.2F2R814TO910H@smile.fr> (raw)
In-Reply-To: <20260401100022.1173083-1-deeratho@cisco.com>
On Wed Apr 1, 2026 at 12:00 PM CEST, Deepak Rathore via lists.openembedded.org wrote:
> From: Deepak Rathore <deeratho@cisco.com>
>
> pick the patch [1] as mentioned in [2]
>
> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
> [2] https://nvd.nist.gov/vuln/detail/CVE-2025-69648
>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>
> diff --git a/meta/recipes-devtools/binutils/0001-pick-the-patch-1-as-mentioned-in-2.patch b/meta/recipes-devtools/binutils/0001-pick-the-patch-1-as-mentioned-in-2.patch
> new file mode 100644
> index 0000000000..70866fd7da
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/0001-pick-the-patch-1-as-mentioned-in-2.patch
> @@ -0,0 +1,222 @@
> +From 507f05eb8f3a132a536c593e232fdc7878fb9bba Mon Sep 17 00:00:00 2001
> +From: Deepak Rathore <deeratho@cisco.com>
> +Date: Tue, 31 Mar 2026 11:25:32 +0000
> +Subject: [PATCH] pick the patch [1] as mentioned in [2].
> +
> +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
> +[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69648
> +
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + .../binutils/binutils-2.45.inc | 1 +
> + .../binutils/binutils/CVE-2025-69648.patch | 188 ++++++++++++++++++
That added patch is targeted at oe-core not binutils?
Something went wrong...
> + 2 files changed, 189 insertions(+)
> + create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> +
> +diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> +index 16a63cabc5..b6d7b3d60f 100644
> +--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> ++++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> +@@ -46,4 +46,5 @@ SRC_URI = "\
> + file://0018-CVE-2025-11494.patch \
> + file://0019-CVE-2025-11839.patch \
> + file://0020-CVE-2025-11840.patch \
> ++ file://CVE-2025-69648.patch \
> + "
> +diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> +new file mode 100644
> +index 0000000000..2346b18f01
> +--- /dev/null
> ++++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> +@@ -0,0 +1,188 @@
> ++From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
> ++From: Alan Modra <amodra@gmail.com>
> ++Date: Sat, 22 Nov 2025 09:22:10 +1030
> ++Subject: [PATCH] PR 33638, debug_rnglists output
> ++
> ++The fuzzed testcase in this PR continuously outputs an error about
> ++the debug_rnglists header. Fixed by taking notice of the error and
> ++stopping output. The patch also limits the length in all cases, not
> ++just when a relocation is present, and limits the offset entry count
> ++read from the header. I removed the warning and the test for relocs
> ++because the code can't work reliably with unresolved relocs in the
> ++length field.
> ++
> ++ PR 33638
> ++ * dwarf.c (display_debug_rnglists_list): Return bool. Rename
> ++ "inital_length" to plain "length". Verify length is large
> ++ enough to read header. Limit length to rest of section.
> ++ Similarly limit offset_entry_count.
> ++ (display_debug_ranges): Check display_debug_rnglists_unit_header
> ++ return status. Stop output on error.
> ++
> ++CVE: CVE-2025-69648
> ++Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
> ++
> ++(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
> ++Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> ++---
> ++ binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
> ++ 1 file changed, 34 insertions(+), 33 deletions(-)
> ++
> ++diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> ++index f4bcb677761..b4fb56351ec 100644
> ++--- a/binutils/dwarf.c
> +++++ b/binutils/dwarf.c
> ++@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
> ++ return start;
> ++ }
> ++
> ++-static int
> +++static bool
> ++ display_debug_rnglists_unit_header (struct dwarf_section * section,
> ++ uint64_t * unit_offset,
> ++ unsigned char * poffset_size)
> ++@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> ++ uint64_t start_offset = *unit_offset;
> ++ unsigned char * p = section->start + start_offset;
> ++ unsigned char * finish = section->start + section->size;
> ++- uint64_t initial_length;
> +++ unsigned char * hdr;
> +++ uint64_t length;
> ++ unsigned char segment_selector_size;
> ++ unsigned int offset_entry_count;
> ++ unsigned int i;
> ++@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> ++ unsigned char offset_size;
> ++
> ++ /* Get and check the length of the block. */
> ++- SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
> +++ SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
> ++
> ++- if (initial_length == 0xffffffff)
> +++ if (length == 0xffffffff)
> ++ {
> ++ /* This section is 64-bit DWARF 3. */
> ++- SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
> +++ SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
> ++ *poffset_size = offset_size = 8;
> ++ }
> ++ else
> ++ *poffset_size = offset_size = 4;
> ++
> ++- if (initial_length > (size_t) (finish - p))
> ++- {
> ++- /* If the length field has a relocation against it, then we should
> ++- not complain if it is inaccurate (and probably negative).
> ++- It is copied from .debug_line handling code. */
> ++- if (reloc_at (section, (p - section->start) - offset_size))
> ++- initial_length = finish - p;
> ++- else
> ++- {
> ++- warn (_("The length field (%#" PRIx64
> ++- ") in the debug_rnglists header is wrong"
> ++- " - the section is too small\n"),
> ++- initial_length);
> ++- return 0;
> ++- }
> ++- }
> ++-
> ++- /* Report the next unit offset to the caller. */
> ++- *unit_offset = (p - section->start) + initial_length;
> +++ if (length < 8)
> +++ return false;
> ++
> ++ /* Get the other fields in the header. */
> +++ hdr = p;
> ++ SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
> ++ SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
> ++ SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
> ++ SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
> ++
> ++ printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
> ++- printf (_(" Length: %#" PRIx64 "\n"), initial_length);
> +++ printf (_(" Length: %#" PRIx64 "\n"), length);
> ++ printf (_(" DWARF version: %u\n"), version);
> ++ printf (_(" Address size: %u\n"), address_size);
> ++ printf (_(" Segment size: %u\n"), segment_selector_size);
> ++ printf (_(" Offset entries: %u\n"), offset_entry_count);
> ++
> +++ if (length > (size_t) (finish - hdr))
> +++ length = finish - hdr;
> +++
> +++ /* Report the next unit offset to the caller. */
> +++ *unit_offset = (hdr - section->start) + length;
> +++
> ++ /* Check the fields. */
> ++ if (segment_selector_size != 0)
> ++ {
> ++ warn (_("The %s section contains "
> ++ "unsupported segment selector size: %d.\n"),
> ++ section->name, segment_selector_size);
> ++- return 0;
> +++ return false;
> ++ }
> ++
> ++ if (version < 5)
> ++ {
> ++ warn (_("Only DWARF version 5+ debug_rnglists info "
> ++ "is currently supported.\n"));
> ++- return 0;
> +++ return false;
> ++ }
> ++
> +++ uint64_t max_off_count = (length - 8) / offset_size;
> +++ if (offset_entry_count > max_off_count)
> +++ offset_entry_count = max_off_count;
> ++ if (offset_entry_count != 0)
> ++ {
> ++ printf (_("\n Offsets starting at %#tx:\n"), p - section->start);
> ++@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> ++ }
> ++ }
> ++
> ++- return 1;
> +++ return true;
> ++ }
> ++
> ++ static bool
> ++@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
> ++ uint64_t last_offset = 0;
> ++ uint64_t next_rnglists_cu_offset = 0;
> ++ unsigned char offset_size;
> +++ bool ok_header = true;
> ++
> ++ if (bytes == 0)
> ++ {
> ++@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
> ++ /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s). */
> ++ if (is_rnglists && next_rnglists_cu_offset < offset)
> ++ {
> ++- while (next_rnglists_cu_offset < offset)
> ++- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> +++ while (ok_header && next_rnglists_cu_offset < offset)
> +++ ok_header = display_debug_rnglists_unit_header (section,
> +++ &next_rnglists_cu_offset,
> +++ &offset_size);
> +++ if (!ok_header)
> +++ break;
> ++ printf (_(" Offset Begin End\n"));
> ++ }
> ++
> ++@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
> ++ }
> ++
> ++ /* Display trailing empty (or unreferenced) compile units, if any. */
> ++- if (is_rnglists)
> +++ if (is_rnglists && ok_header)
> ++ while (next_rnglists_cu_offset < section->size)
> ++- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> ++-
> +++ if (!display_debug_rnglists_unit_header (section,
> +++ &next_rnglists_cu_offset,
> +++ &offset_size))
> +++ break;
> ++ putchar ('\n');
> ++
> ++ free (range_entries);
> ++--
> ++2.35.6
> +--
> +2.51.0
> +
> diff --git a/meta/recipes-devtools/binutils/binutils-2.45.inc b/meta/recipes-devtools/binutils/binutils-2.45.inc
> index 16a63cabc5..b6d7b3d60f 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.45.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
> @@ -46,4 +46,5 @@ SRC_URI = "\
> file://0018-CVE-2025-11494.patch \
> file://0019-CVE-2025-11839.patch \
> file://0020-CVE-2025-11840.patch \
> + file://CVE-2025-69648.patch \
> "
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> new file mode 100644
> index 0000000000..ce0e764762
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> @@ -0,0 +1,189 @@
> +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Sat, 22 Nov 2025 09:22:10 +1030
> +Subject: [PATCH] PR 33638, debug_rnglists output
> +
> +The fuzzed testcase in this PR continuously outputs an error about
> +the debug_rnglists header. Fixed by taking notice of the error and
> +stopping output. The patch also limits the length in all cases, not
> +just when a relocation is present, and limits the offset entry count
> +read from the header. I removed the warning and the test for relocs
> +because the code can't work reliably with unresolved relocs in the
> +length field.
> +
> + PR 33638
> + * dwarf.c (display_debug_rnglists_list): Return bool. Rename
> + "inital_length" to plain "length". Verify length is large
> + enough to read header. Limit length to rest of section.
> + Similarly limit offset_entry_count.
> + (display_debug_ranges): Check display_debug_rnglists_unit_header
> + return status. Stop output on error.
> +
> +CVE: CVE-2025-69648
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
> +
> +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
> + 1 file changed, 34 insertions(+), 33 deletions(-)
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index f4bcb677761..b4fb56351ec 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
> + return start;
> + }
> +
> +-static int
> ++static bool
> + display_debug_rnglists_unit_header (struct dwarf_section * section,
> + uint64_t * unit_offset,
> + unsigned char * poffset_size)
> +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> + uint64_t start_offset = *unit_offset;
> + unsigned char * p = section->start + start_offset;
> + unsigned char * finish = section->start + section->size;
> +- uint64_t initial_length;
> ++ unsigned char * hdr;
> ++ uint64_t length;
> + unsigned char segment_selector_size;
> + unsigned int offset_entry_count;
> + unsigned int i;
> +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> + unsigned char offset_size;
> +
> + /* Get and check the length of the block. */
> +- SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
> ++ SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
> +
> +- if (initial_length == 0xffffffff)
> ++ if (length == 0xffffffff)
> + {
> + /* This section is 64-bit DWARF 3. */
> +- SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
> ++ SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
> + *poffset_size = offset_size = 8;
> + }
> + else
> + *poffset_size = offset_size = 4;
> +
> +- if (initial_length > (size_t) (finish - p))
> +- {
> +- /* If the length field has a relocation against it, then we should
> +- not complain if it is inaccurate (and probably negative).
> +- It is copied from .debug_line handling code. */
> +- if (reloc_at (section, (p - section->start) - offset_size))
> +- initial_length = finish - p;
> +- else
> +- {
> +- warn (_("The length field (%#" PRIx64
> +- ") in the debug_rnglists header is wrong"
> +- " - the section is too small\n"),
> +- initial_length);
> +- return 0;
> +- }
> +- }
> +-
> +- /* Report the next unit offset to the caller. */
> +- *unit_offset = (p - section->start) + initial_length;
> ++ if (length < 8)
> ++ return false;
> +
> + /* Get the other fields in the header. */
> ++ hdr = p;
> + SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
> + SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
> + SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
> + SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
> +
> + printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
> +- printf (_(" Length: %#" PRIx64 "\n"), initial_length);
> ++ printf (_(" Length: %#" PRIx64 "\n"), length);
> + printf (_(" DWARF version: %u\n"), version);
> + printf (_(" Address size: %u\n"), address_size);
> + printf (_(" Segment size: %u\n"), segment_selector_size);
> + printf (_(" Offset entries: %u\n"), offset_entry_count);
> +
> ++ if (length > (size_t) (finish - hdr))
> ++ length = finish - hdr;
> ++
> ++ /* Report the next unit offset to the caller. */
> ++ *unit_offset = (hdr - section->start) + length;
> ++
> + /* Check the fields. */
> + if (segment_selector_size != 0)
> + {
> + warn (_("The %s section contains "
> + "unsupported segment selector size: %d.\n"),
> + section->name, segment_selector_size);
> +- return 0;
> ++ return false;
> + }
> +
> + if (version < 5)
> + {
> + warn (_("Only DWARF version 5+ debug_rnglists info "
> + "is currently supported.\n"));
> +- return 0;
> ++ return false;
> + }
> +
> ++ uint64_t max_off_count = (length - 8) / offset_size;
> ++ if (offset_entry_count > max_off_count)
> ++ offset_entry_count = max_off_count;
> + if (offset_entry_count != 0)
> + {
> + printf (_("\n Offsets starting at %#tx:\n"), p - section->start);
> +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
> + }
> + }
> +
> +- return 1;
> ++ return true;
> + }
> +
> + static bool
> +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
> + uint64_t last_offset = 0;
> + uint64_t next_rnglists_cu_offset = 0;
> + unsigned char offset_size;
> ++ bool ok_header = true;
> +
> + if (bytes == 0)
> + {
> +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
> + /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s). */
> + if (is_rnglists && next_rnglists_cu_offset < offset)
> + {
> +- while (next_rnglists_cu_offset < offset)
> +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> ++ while (ok_header && next_rnglists_cu_offset < offset)
> ++ ok_header = display_debug_rnglists_unit_header (section,
> ++ &next_rnglists_cu_offset,
> ++ &offset_size);
> ++ if (!ok_header)
> ++ break;
> + printf (_(" Offset Begin End\n"));
> + }
> +
> +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
> + }
> +
> + /* Display trailing empty (or unreferenced) compile units, if any. */
> +- if (is_rnglists)
> ++ if (is_rnglists && ok_header)
> + while (next_rnglists_cu_offset < section->size)
> +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> +-
> ++ if (!display_debug_rnglists_unit_header (section,
> ++ &next_rnglists_cu_offset,
> ++ &offset_size))
> ++ break;
> + putchar ('\n');
> +
> + free (range_entries);
> +--
> +2.35.6
> +
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-04-01 10:19 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 4:12 [OE-core][whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-17 4:12 ` [OE-core][whinlatter][PATCH v2 2/4] binutils: Fix CVE-2025-69644 CVE-2025-69647 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-19 23:56 ` [OE-core][whinlatter][PATCH 1/4] binutils: Fix CVE-2025-69648 Yoann Congal
2026-04-01 10:05 ` [whinlatter][PATCH " Deepak Rathore
2026-04-01 10:17 ` [OE-core] " Yoann Congal
2026-04-02 7:14 ` Deepak Rathore
2026-04-01 10:00 ` [OE-core][whinlatter][PATCH v2 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:15 ` Patchtest results for " patchtest
2026-04-01 10:19 ` Yoann Congal [this message]
2026-04-02 6:54 ` [OE-core][whinlatter][PATCH v3 " Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-01 10:04 ` [OE-core][whinlatter][PATCH v3 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02 6:57 ` [OE-core][whinlatter][PATCH v4 3/4] binutils: Fix CVE-2025-69649 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-04-02 6:58 ` [OE-core][whinlatter][PATCH v4 4/4] binutils: Fix CVE-2025-69652 Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHHQQ7P9WLR7.2F2R814TO910H@smile.fr \
--to=yoann.congal@smile.fr \
--cc=deeratho@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox