[OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

[OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

[Adarsh Jagadish Kamini]

From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>

Backport upstream fix for CVE-2025-69648 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
---
 .../binutils/binutils-2.42.inc                |   1 +
 .../binutils/binutils/CVE-2025-69648.patch    | 190 ++++++++++++++++++
 2 files changed, 191 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index a337a3e850..6c1f9dc870 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -72,5 +72,6 @@ SRC_URI = "\
      file://0029-CVE-2025-11839.patch \
      file://0030-CVE-2025-11840.patch \
      file://CVE-2025-69647.patch \
+     file://CVE-2025-69648.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
new file mode 100644
index 0000000000..e04d7ed6c2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
@@ -0,0 +1,190 @@
+From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 22 Nov 2025 09:22:10 +1030
+Subject: [PATCH] PR 33638, debug_rnglists output
+
+The fuzzed testcase in this PR continuously outputs an error about
+the debug_rnglists header.  Fixed by taking notice of the error and
+stopping output.  The patch also limits the length in all cases, not
+just when a relocation is present, and limits the offset entry count
+read from the header.  I removed the warning and the test for relocs
+because the code can't work reliably with unresolved relocs in the
+length field.
+
+	PR 33638
+	* dwarf.c (display_debug_rnglists_list): Return bool.  Rename
+	"inital_length" to plain "length".  Verify length is large
+	enough to read header.  Limit length to rest of section.
+	Similarly limit offset_entry_count.
+	(display_debug_ranges): Check display_debug_rnglists_unit_header
+	return status.  Stop output on error.
+
+CVE: CVE-2025-69648
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
+
+(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f4bcb677761..b4fb56351ec 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
+   return start;
+ }
+ 
+-static int
++static bool
+ display_debug_rnglists_unit_header (struct dwarf_section *  section,
+ 				    uint64_t *              unit_offset,
+ 				    unsigned char *         poffset_size)
+@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
+   uint64_t        start_offset = *unit_offset;
+   unsigned char * p = section->start + start_offset;
+   unsigned char * finish = section->start + section->size;
+-  uint64_t        initial_length;
++  unsigned char * hdr;
++  uint64_t        length;
+   unsigned char   segment_selector_size;
+   unsigned int    offset_entry_count;
+   unsigned int    i;
+@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
+   unsigned char   offset_size;
+ 
+   /* Get and check the length of the block.  */
+-  SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
++  SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
+ 
+-  if (initial_length == 0xffffffff)
++  if (length == 0xffffffff)
+     {
+       /* This section is 64-bit DWARF 3.  */
+-      SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
++      SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
+       *poffset_size = offset_size = 8;
+     }
+   else
+     *poffset_size = offset_size = 4;
+ 
+-  if (initial_length > (size_t) (finish - p))
+-    {
+-      /* If the length field has a relocation against it, then we should
+-	 not complain if it is inaccurate (and probably negative).
+-	 It is copied from .debug_line handling code.  */
+-      if (reloc_at (section, (p - section->start) - offset_size))
+-	initial_length = finish - p;
+-      else
+-	{
+-	  warn (_("The length field (%#" PRIx64
+-		  ") in the debug_rnglists header is wrong"
+-		  " - the section is too small\n"),
+-		initial_length);
+-	  return 0;
+-	}
+-    }
+-
+-  /* Report the next unit offset to the caller.  */
+-  *unit_offset = (p - section->start) + initial_length;
++  if (length < 8)
++    return false;
+ 
+   /* Get the other fields in the header.  */
++  hdr = p;
+   SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
+   SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
+   SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
+   SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
+ 
+   printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
+-  printf (_("  Length:          %#" PRIx64 "\n"), initial_length);
++  printf (_("  Length:          %#" PRIx64 "\n"), length);
+   printf (_("  DWARF version:   %u\n"), version);
+   printf (_("  Address size:    %u\n"), address_size);
+   printf (_("  Segment size:    %u\n"), segment_selector_size);
+   printf (_("  Offset entries:  %u\n"), offset_entry_count);
+ 
++  if (length > (size_t) (finish - hdr))
++    length = finish - hdr;
++
++  /* Report the next unit offset to the caller.  */
++  *unit_offset = (hdr - section->start) + length;
++
+   /* Check the fields.  */
+   if (segment_selector_size != 0)
+     {
+       warn (_("The %s section contains "
+ 	      "unsupported segment selector size: %d.\n"),
+ 	    section->name, segment_selector_size);
+-      return 0;
++      return false;
+     }
+ 
+   if (version < 5)
+     {
+       warn (_("Only DWARF version 5+ debug_rnglists info "
+ 	      "is currently supported.\n"));
+-      return 0;
++      return false;
+     }
+ 
++  uint64_t max_off_count = (length - 8) / offset_size;
++  if (offset_entry_count > max_off_count)
++    offset_entry_count = max_off_count;
+   if (offset_entry_count != 0)
+     {
+       printf (_("\n   Offsets starting at %#tx:\n"), p - section->start);
+@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
+ 	}
+     }
+ 
+-  return 1;
++  return true;
+ }
+ 
+ static bool
+@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
+   uint64_t last_offset = 0;
+   uint64_t next_rnglists_cu_offset = 0;
+   unsigned char offset_size;
++  bool ok_header = true;
+ 
+   if (bytes == 0)
+     {
+@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
+       /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s).  */
+       if (is_rnglists && next_rnglists_cu_offset < offset)
+ 	{
+-	  while (next_rnglists_cu_offset < offset)
+-	    display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
++	  while (ok_header && next_rnglists_cu_offset < offset)
++	    ok_header = display_debug_rnglists_unit_header (section,
++							    &next_rnglists_cu_offset,
++							    &offset_size);
++	  if (!ok_header)
++	    break;
+ 	  printf (_("    Offset   Begin    End\n"));
+ 	}
+ 
+@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
+     }
+ 
+   /* Display trailing empty (or unreferenced) compile units, if any.  */
+-  if (is_rnglists)
++  if (is_rnglists && ok_header)
+     while (next_rnglists_cu_offset < section->size)
+-      display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
+-
++      if (!display_debug_rnglists_unit_header (section,
++					       &next_rnglists_cu_offset,
++					       &offset_size))
++	break;
+   putchar ('\n');
+ 
+   free (range_entries);
+-- 
+2.35.6
+
-- 
2.34.1

Re: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

[Fabien Thomas]

On Wed Apr 22, 2026 at 3:03 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Backport upstream fix for CVE-2025-69648 [1].
>
> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>  .../binutils/binutils-2.42.inc                |   1 +
>  .../binutils/binutils/CVE-2025-69648.patch    | 190 ++++++++++++++++++
>  2 files changed, 191 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
> index a337a3e850..6c1f9dc870 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> @@ -72,5 +72,6 @@ SRC_URI = "\
>       file://0029-CVE-2025-11839.patch \
>       file://0030-CVE-2025-11840.patch \
>       file://CVE-2025-69647.patch \
> +     file://CVE-2025-69648.patch \
>  "
>  S  = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> new file mode 100644
> index 0000000000..e04d7ed6c2
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> @@ -0,0 +1,190 @@
> +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Sat, 22 Nov 2025 09:22:10 +1030
> +Subject: [PATCH] PR 33638, debug_rnglists output
> +
> +The fuzzed testcase in this PR continuously outputs an error about
> +the debug_rnglists header.  Fixed by taking notice of the error and
> +stopping output.  The patch also limits the length in all cases, not
> +just when a relocation is present, and limits the offset entry count
> +read from the header.  I removed the warning and the test for relocs
> +because the code can't work reliably with unresolved relocs in the
> +length field.
> +
> +	PR 33638
> +	* dwarf.c (display_debug_rnglists_list): Return bool.  Rename
> +	"inital_length" to plain "length".  Verify length is large
> +	enough to read header.  Limit length to rest of section.
> +	Similarly limit offset_entry_count.
> +	(display_debug_ranges): Check display_debug_rnglists_unit_header
> +	return status.  Stop output on error.
> +
> +CVE: CVE-2025-69648
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
> +
> +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> +---
> + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
> + 1 file changed, 34 insertions(+), 33 deletions(-)
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index f4bcb677761..b4fb56351ec 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
> +   return start;
> + }
> + 
> +-static int
> ++static bool
> + display_debug_rnglists_unit_header (struct dwarf_section *  section,
> + 				    uint64_t *              unit_offset,
> + 				    unsigned char *         poffset_size)
> +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   uint64_t        start_offset = *unit_offset;
> +   unsigned char * p = section->start + start_offset;
> +   unsigned char * finish = section->start + section->size;
> +-  uint64_t        initial_length;
> ++  unsigned char * hdr;
> ++  uint64_t        length;
> +   unsigned char   segment_selector_size;
> +   unsigned int    offset_entry_count;
> +   unsigned int    i;
> +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   unsigned char   offset_size;
> + 
> +   /* Get and check the length of the block.  */
> +-  SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
> ++  SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
> + 
> +-  if (initial_length == 0xffffffff)
> ++  if (length == 0xffffffff)
> +     {
> +       /* This section is 64-bit DWARF 3.  */
> +-      SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
> ++      SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
> +       *poffset_size = offset_size = 8;
> +     }
> +   else
> +     *poffset_size = offset_size = 4;
> + 
> +-  if (initial_length > (size_t) (finish - p))
> +-    {
> +-      /* If the length field has a relocation against it, then we should
> +-	 not complain if it is inaccurate (and probably negative).
> +-	 It is copied from .debug_line handling code.  */
> +-      if (reloc_at (section, (p - section->start) - offset_size))
> +-	initial_length = finish - p;
> +-      else
> +-	{
> +-	  warn (_("The length field (%#" PRIx64
> +-		  ") in the debug_rnglists header is wrong"
> +-		  " - the section is too small\n"),
> +-		initial_length);
> +-	  return 0;
> +-	}
> +-    }
> +-
> +-  /* Report the next unit offset to the caller.  */
> +-  *unit_offset = (p - section->start) + initial_length;
> ++  if (length < 8)
> ++    return false;
> + 
> +   /* Get the other fields in the header.  */
> ++  hdr = p;
> +   SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
> +   SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
> + 
> +   printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
> +-  printf (_("  Length:          %#" PRIx64 "\n"), initial_length);
> ++  printf (_("  Length:          %#" PRIx64 "\n"), length);
> +   printf (_("  DWARF version:   %u\n"), version);
> +   printf (_("  Address size:    %u\n"), address_size);
> +   printf (_("  Segment size:    %u\n"), segment_selector_size);
> +   printf (_("  Offset entries:  %u\n"), offset_entry_count);
> + 
> ++  if (length > (size_t) (finish - hdr))
> ++    length = finish - hdr;
> ++
> ++  /* Report the next unit offset to the caller.  */
> ++  *unit_offset = (hdr - section->start) + length;
> ++
> +   /* Check the fields.  */
> +   if (segment_selector_size != 0)
> +     {
> +       warn (_("The %s section contains "
> + 	      "unsupported segment selector size: %d.\n"),
> + 	    section->name, segment_selector_size);
> +-      return 0;
> ++      return false;
> +     }
> + 
> +   if (version < 5)
> +     {
> +       warn (_("Only DWARF version 5+ debug_rnglists info "
> + 	      "is currently supported.\n"));
> +-      return 0;
> ++      return false;
> +     }
> + 
> ++  uint64_t max_off_count = (length - 8) / offset_size;
> ++  if (offset_entry_count > max_off_count)
> ++    offset_entry_count = max_off_count;
> +   if (offset_entry_count != 0)
> +     {
> +       printf (_("\n   Offsets starting at %#tx:\n"), p - section->start);
> +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> + 	}
> +     }
> + 
> +-  return 1;
> ++  return true;
> + }
> + 
> + static bool
> +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
> +   uint64_t last_offset = 0;
> +   uint64_t next_rnglists_cu_offset = 0;
> +   unsigned char offset_size;
> ++  bool ok_header = true;
> + 
> +   if (bytes == 0)
> +     {
> +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
> +       /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s).  */
> +       if (is_rnglists && next_rnglists_cu_offset < offset)
> + 	{
> +-	  while (next_rnglists_cu_offset < offset)
> +-	    display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> ++	  while (ok_header && next_rnglists_cu_offset < offset)
> ++	    ok_header = display_debug_rnglists_unit_header (section,
> ++							    &next_rnglists_cu_offset,
> ++							    &offset_size);
> ++	  if (!ok_header)
> ++	    break;
> + 	  printf (_("    Offset   Begin    End\n"));
> + 	}
> + 
> +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
> +     }
> + 
> +   /* Display trailing empty (or unreferenced) compile units, if any.  */
> +-  if (is_rnglists)
> ++  if (is_rnglists && ok_header)
> +     while (next_rnglists_cu_offset < section->size)
> +-      display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> +-
> ++      if (!display_debug_rnglists_unit_header (section,
> ++					       &next_rnglists_cu_offset,
> ++					       &offset_size))
> ++	break;
> +   putchar ('\n');
> + 
> +   free (range_entries);
> +-- 
> +2.35.6
> +

Hello Adarsh,

I'm filling in for Yoann while he's on leave.

Thank you for these pathes. A few notes, however: for future binutils projects, 
please include links to the CVE (ideally NVD or NIST), as well as the link 
to the Bugzilla entry mentioned in the patch that indicates that the patch 
is resolved and in which version (especially when there are “duplicates”).

All of these elements make it easier for us to validate the patch.

And for this second patch, I see a Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Are there two of you from different companies who made this backport, 
or is this a mistake?

Thank for your reply.
--
Fabien Thomas
Smile ECS

Re: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

[Adarsh Jagadish Kamini]

[-- Attachment #1: Type: text/plain, Size: 10428 bytes --]

Hi,
The original patch was submitted to whinlatter by Deepak. So, I kept it to pass the credits.

Thanks!
________________________________
From: Fabien Thomas <fabien.thomas@smile.fr>
Sent: Monday, April 27, 2026 17:33
To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

On Wed Apr 22, 2026 at 3:03 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Backport upstream fix for CVE-2025-69648 [1].
>
> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>  .../binutils/binutils-2.42.inc                |   1 +
>  .../binutils/binutils/CVE-2025-69648.patch    | 190 ++++++++++++++++++
>  2 files changed, 191 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
> index a337a3e850..6c1f9dc870 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
> @@ -72,5 +72,6 @@ SRC_URI = "\
>       file://0029-CVE-2025-11839.patch \
>       file://0030-CVE-2025-11840.patch \
>       file://CVE-2025-69647.patch \
> +     file://CVE-2025-69648.patch \
>  "
>  S  = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> new file mode 100644
> index 0000000000..e04d7ed6c2
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
> @@ -0,0 +1,190 @@
> +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Sat, 22 Nov 2025 09:22:10 +1030
> +Subject: [PATCH] PR 33638, debug_rnglists output
> +
> +The fuzzed testcase in this PR continuously outputs an error about
> +the debug_rnglists header.  Fixed by taking notice of the error and
> +stopping output.  The patch also limits the length in all cases, not
> +just when a relocation is present, and limits the offset entry count
> +read from the header.  I removed the warning and the test for relocs
> +because the code can't work reliably with unresolved relocs in the
> +length field.
> +
> +     PR 33638
> +     * dwarf.c (display_debug_rnglists_list): Return bool.  Rename
> +     "inital_length" to plain "length".  Verify length is large
> +     enough to read header.  Limit length to rest of section.
> +     Similarly limit offset_entry_count.
> +     (display_debug_ranges): Check display_debug_rnglists_unit_header
> +     return status.  Stop output on error.
> +
> +CVE: CVE-2025-69648
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
> +
> +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> +---
> + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
> + 1 file changed, 34 insertions(+), 33 deletions(-)
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index f4bcb677761..b4fb56351ec 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
> +   return start;
> + }
> +
> +-static int
> ++static bool
> + display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +                                  uint64_t *              unit_offset,
> +                                  unsigned char *         poffset_size)
> +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   uint64_t        start_offset = *unit_offset;
> +   unsigned char * p = section->start + start_offset;
> +   unsigned char * finish = section->start + section->size;
> +-  uint64_t        initial_length;
> ++  unsigned char * hdr;
> ++  uint64_t        length;
> +   unsigned char   segment_selector_size;
> +   unsigned int    offset_entry_count;
> +   unsigned int    i;
> +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +   unsigned char   offset_size;
> +
> +   /* Get and check the length of the block.  */
> +-  SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
> ++  SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
> +
> +-  if (initial_length == 0xffffffff)
> ++  if (length == 0xffffffff)
> +     {
> +       /* This section is 64-bit DWARF 3.  */
> +-      SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
> ++      SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
> +       *poffset_size = offset_size = 8;
> +     }
> +   else
> +     *poffset_size = offset_size = 4;
> +
> +-  if (initial_length > (size_t) (finish - p))
> +-    {
> +-      /* If the length field has a relocation against it, then we should
> +-     not complain if it is inaccurate (and probably negative).
> +-     It is copied from .debug_line handling code.  */
> +-      if (reloc_at (section, (p - section->start) - offset_size))
> +-    initial_length = finish - p;
> +-      else
> +-    {
> +-      warn (_("The length field (%#" PRIx64
> +-              ") in the debug_rnglists header is wrong"
> +-              " - the section is too small\n"),
> +-            initial_length);
> +-      return 0;
> +-    }
> +-    }
> +-
> +-  /* Report the next unit offset to the caller.  */
> +-  *unit_offset = (p - section->start) + initial_length;
> ++  if (length < 8)
> ++    return false;
> +
> +   /* Get the other fields in the header.  */
> ++  hdr = p;
> +   SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
> +   SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
> +   SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
> +
> +   printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
> +-  printf (_("  Length:          %#" PRIx64 "\n"), initial_length);
> ++  printf (_("  Length:          %#" PRIx64 "\n"), length);
> +   printf (_("  DWARF version:   %u\n"), version);
> +   printf (_("  Address size:    %u\n"), address_size);
> +   printf (_("  Segment size:    %u\n"), segment_selector_size);
> +   printf (_("  Offset entries:  %u\n"), offset_entry_count);
> +
> ++  if (length > (size_t) (finish - hdr))
> ++    length = finish - hdr;
> ++
> ++  /* Report the next unit offset to the caller.  */
> ++  *unit_offset = (hdr - section->start) + length;
> ++
> +   /* Check the fields.  */
> +   if (segment_selector_size != 0)
> +     {
> +       warn (_("The %s section contains "
> +            "unsupported segment selector size: %d.\n"),
> +          section->name, segment_selector_size);
> +-      return 0;
> ++      return false;
> +     }
> +
> +   if (version < 5)
> +     {
> +       warn (_("Only DWARF version 5+ debug_rnglists info "
> +            "is currently supported.\n"));
> +-      return 0;
> ++      return false;
> +     }
> +
> ++  uint64_t max_off_count = (length - 8) / offset_size;
> ++  if (offset_entry_count > max_off_count)
> ++    offset_entry_count = max_off_count;
> +   if (offset_entry_count != 0)
> +     {
> +       printf (_("\n   Offsets starting at %#tx:\n"), p - section->start);
> +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
> +      }
> +     }
> +
> +-  return 1;
> ++  return true;
> + }
> +
> + static bool
> +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
> +   uint64_t last_offset = 0;
> +   uint64_t next_rnglists_cu_offset = 0;
> +   unsigned char offset_size;
> ++  bool ok_header = true;
> +
> +   if (bytes == 0)
> +     {
> +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
> +       /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s).  */
> +       if (is_rnglists && next_rnglists_cu_offset < offset)
> +      {
> +-      while (next_rnglists_cu_offset < offset)
> +-        display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> ++      while (ok_header && next_rnglists_cu_offset < offset)
> ++        ok_header = display_debug_rnglists_unit_header (section,
> ++                                                        &next_rnglists_cu_offset,
> ++                                                        &offset_size);
> ++      if (!ok_header)
> ++        break;
> +        printf (_("    Offset   Begin    End\n"));
> +      }
> +
> +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
> +     }
> +
> +   /* Display trailing empty (or unreferenced) compile units, if any.  */
> +-  if (is_rnglists)
> ++  if (is_rnglists && ok_header)
> +     while (next_rnglists_cu_offset < section->size)
> +-      display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
> +-
> ++      if (!display_debug_rnglists_unit_header (section,
> ++                                           &next_rnglists_cu_offset,
> ++                                           &offset_size))
> ++    break;
> +   putchar ('\n');
> +
> +   free (range_entries);
> +--
> +2.35.6
> +

Hello Adarsh,

I'm filling in for Yoann while he's on leave.

Thank you for these pathes. A few notes, however: for future binutils projects,
please include links to the CVE (ideally NVD or NIST), as well as the link
to the Bugzilla entry mentioned in the patch that indicates that the patch
is resolved and in which version (especially when there are “duplicates”).

All of these elements make it easier for us to validate the patch.

And for this second patch, I see a Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Are there two of you from different companies who made this backport,
or is this a mistake?

Thank for your reply.
--
Fabien Thomas
Smile ECS


[-- Attachment #2: Type: text/html, Size: 18441 bytes --]

Re: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648

[Fabien Thomas]

On Tue Apr 28, 2026 at 10:42 AM CEST, Adarsh Jagadish Kamini wrote:
> Hi,
> The original patch was submitted to whinlatter by Deepak. So, I kept it to pass the credits.

Oh, right, good point.
Noted, thanks.

>
> Thanks!
> ________________________________
> From: Fabien Thomas <fabien.thomas@smile.fr>
> Sent: Monday, April 27, 2026 17:33
> To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core][scarthgap][PATCH 2/4] binutils: fix CVE-2025-69648
>
> On Wed Apr 22, 2026 at 3:03 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
>> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>>
>> Backport upstream fix for CVE-2025-69648 [1].
>>
>> [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
>>
>> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>> ---
>>  .../binutils/binutils-2.42.inc                |   1 +
>>  .../binutils/binutils/CVE-2025-69648.patch    | 190 ++++++++++++++++++
>>  2 files changed, 191 insertions(+)
>>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
>> index a337a3e850..6c1f9dc870 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.42.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
>> @@ -72,5 +72,6 @@ SRC_URI = "\
>>       file://0029-CVE-2025-11839.patch \
>>       file://0030-CVE-2025-11840.patch \
>>       file://CVE-2025-69647.patch \
>> +     file://CVE-2025-69648.patch \
>>  "
>>  S  = "${WORKDIR}/git"
>> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
>> new file mode 100644
>> index 0000000000..e04d7ed6c2
>> --- /dev/null
>> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
>> @@ -0,0 +1,190 @@
>> +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
>> +From: Alan Modra <amodra@gmail.com>
>> +Date: Sat, 22 Nov 2025 09:22:10 +1030
>> +Subject: [PATCH] PR 33638, debug_rnglists output
>> +
>> +The fuzzed testcase in this PR continuously outputs an error about
>> +the debug_rnglists header.  Fixed by taking notice of the error and
>> +stopping output.  The patch also limits the length in all cases, not
>> +just when a relocation is present, and limits the offset entry count
>> +read from the header.  I removed the warning and the test for relocs
>> +because the code can't work reliably with unresolved relocs in the
>> +length field.
>> +
>> +     PR 33638
>> +     * dwarf.c (display_debug_rnglists_list): Return bool.  Rename
>> +     "inital_length" to plain "length".  Verify length is large
>> +     enough to read header.  Limit length to rest of section.
>> +     Similarly limit offset_entry_count.
>> +     (display_debug_ranges): Check display_debug_rnglists_unit_header
>> +     return status.  Stop output on error.
>> +
>> +CVE: CVE-2025-69648
>> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
>> +
>> +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
>> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>> +---
>> + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
>> + 1 file changed, 34 insertions(+), 33 deletions(-)
>> +
>> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
>> +index f4bcb677761..b4fb56351ec 100644
>> +--- a/binutils/dwarf.c
>> ++++ b/binutils/dwarf.c
>> +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
>> +   return start;
>> + }
>> +
>> +-static int
>> ++static bool
>> + display_debug_rnglists_unit_header (struct dwarf_section *  section,
>> +                                  uint64_t *              unit_offset,
>> +                                  unsigned char *         poffset_size)
>> +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
>> +   uint64_t        start_offset = *unit_offset;
>> +   unsigned char * p = section->start + start_offset;
>> +   unsigned char * finish = section->start + section->size;
>> +-  uint64_t        initial_length;
>> ++  unsigned char * hdr;
>> ++  uint64_t        length;
>> +   unsigned char   segment_selector_size;
>> +   unsigned int    offset_entry_count;
>> +   unsigned int    i;
>> +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
>> +   unsigned char   offset_size;
>> +
>> +   /* Get and check the length of the block.  */
>> +-  SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
>> ++  SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
>> +
>> +-  if (initial_length == 0xffffffff)
>> ++  if (length == 0xffffffff)
>> +     {
>> +       /* This section is 64-bit DWARF 3.  */
>> +-      SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
>> ++      SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
>> +       *poffset_size = offset_size = 8;
>> +     }
>> +   else
>> +     *poffset_size = offset_size = 4;
>> +
>> +-  if (initial_length > (size_t) (finish - p))
>> +-    {
>> +-      /* If the length field has a relocation against it, then we should
>> +-     not complain if it is inaccurate (and probably negative).
>> +-     It is copied from .debug_line handling code.  */
>> +-      if (reloc_at (section, (p - section->start) - offset_size))
>> +-    initial_length = finish - p;
>> +-      else
>> +-    {
>> +-      warn (_("The length field (%#" PRIx64
>> +-              ") in the debug_rnglists header is wrong"
>> +-              " - the section is too small\n"),
>> +-            initial_length);
>> +-      return 0;
>> +-    }
>> +-    }
>> +-
>> +-  /* Report the next unit offset to the caller.  */
>> +-  *unit_offset = (p - section->start) + initial_length;
>> ++  if (length < 8)
>> ++    return false;
>> +
>> +   /* Get the other fields in the header.  */
>> ++  hdr = p;
>> +   SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
>> +   SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
>> +   SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
>> +   SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
>> +
>> +   printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
>> +-  printf (_("  Length:          %#" PRIx64 "\n"), initial_length);
>> ++  printf (_("  Length:          %#" PRIx64 "\n"), length);
>> +   printf (_("  DWARF version:   %u\n"), version);
>> +   printf (_("  Address size:    %u\n"), address_size);
>> +   printf (_("  Segment size:    %u\n"), segment_selector_size);
>> +   printf (_("  Offset entries:  %u\n"), offset_entry_count);
>> +
>> ++  if (length > (size_t) (finish - hdr))
>> ++    length = finish - hdr;
>> ++
>> ++  /* Report the next unit offset to the caller.  */
>> ++  *unit_offset = (hdr - section->start) + length;
>> ++
>> +   /* Check the fields.  */
>> +   if (segment_selector_size != 0)
>> +     {
>> +       warn (_("The %s section contains "
>> +            "unsupported segment selector size: %d.\n"),
>> +          section->name, segment_selector_size);
>> +-      return 0;
>> ++      return false;
>> +     }
>> +
>> +   if (version < 5)
>> +     {
>> +       warn (_("Only DWARF version 5+ debug_rnglists info "
>> +            "is currently supported.\n"));
>> +-      return 0;
>> ++      return false;
>> +     }
>> +
>> ++  uint64_t max_off_count = (length - 8) / offset_size;
>> ++  if (offset_entry_count > max_off_count)
>> ++    offset_entry_count = max_off_count;
>> +   if (offset_entry_count != 0)
>> +     {
>> +       printf (_("\n   Offsets starting at %#tx:\n"), p - section->start);
>> +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section *  section,
>> +      }
>> +     }
>> +
>> +-  return 1;
>> ++  return true;
>> + }
>> +
>> + static bool
>> +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
>> +   uint64_t last_offset = 0;
>> +   uint64_t next_rnglists_cu_offset = 0;
>> +   unsigned char offset_size;
>> ++  bool ok_header = true;
>> +
>> +   if (bytes == 0)
>> +     {
>> +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
>> +       /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s).  */
>> +       if (is_rnglists && next_rnglists_cu_offset < offset)
>> +      {
>> +-      while (next_rnglists_cu_offset < offset)
>> +-        display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
>> ++      while (ok_header && next_rnglists_cu_offset < offset)
>> ++        ok_header = display_debug_rnglists_unit_header (section,
>> ++                                                        &next_rnglists_cu_offset,
>> ++                                                        &offset_size);
>> ++      if (!ok_header)
>> ++        break;
>> +        printf (_("    Offset   Begin    End\n"));
>> +      }
>> +
>> +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
>> +     }
>> +
>> +   /* Display trailing empty (or unreferenced) compile units, if any.  */
>> +-  if (is_rnglists)
>> ++  if (is_rnglists && ok_header)
>> +     while (next_rnglists_cu_offset < section->size)
>> +-      display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
>> +-
>> ++      if (!display_debug_rnglists_unit_header (section,
>> ++                                           &next_rnglists_cu_offset,
>> ++                                           &offset_size))
>> ++    break;
>> +   putchar ('\n');
>> +
>> +   free (range_entries);
>> +--
>> +2.35.6
>> +
>
> Hello Adarsh,
>
> I'm filling in for Yoann while he's on leave.
>
> Thank you for these pathes. A few notes, however: for future binutils projects,
> please include links to the CVE (ideally NVD or NIST), as well as the link
> to the Bugzilla entry mentioned in the patch that indicates that the patch
> is resolved and in which version (especially when there are “duplicates”).
>
> All of these elements make it easier for us to validate the patch.
>
> And for this second patch, I see a Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> Are there two of you from different companies who made this backport,
> or is this a mistake?
>
> Thank for your reply.
> --
> Fabien Thomas
> Smile ECS




-- 
Fabien Thomas
Smile ECS