diff --git a/binutils-CVE-2025-11083.patch b/binutils-CVE-2025-11083.patch new file mode 100644 index 0000000..18c3d98 --- /dev/null +++ b/binutils-CVE-2025-11083.patch @@ -0,0 +1,79 @@ +From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Thu, 18 Sep 2025 16:59:25 -0700 +Subject: [PATCH] elf: Don't match corrupt section header in linker input + +Don't swap in nor match corrupt section header in linker input to avoid +linker crash later. + + PR ld/33457 + * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return + false for corrupt section header in linker input. + (elf_object_p): Reject if elf_swap_shdr_in returns false. + +Signed-off-by: H.J. Lu +--- + bfd/elfcode.h | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- binutils-2.35.2.orig/bfd/elfcode.h 2025-11-11 11:51:18.923256541 +0000 ++++ binutils-2.35.2/bfd/elfcode.h 2025-11-11 11:56:54.539093437 +0000 +@@ -298,7 +298,7 @@ elf_swap_ehdr_out (bfd *abfd, + /* Translate an ELF section header table entry in external format into an + ELF section header table entry in internal format. */ + +-static void ++static bfd_boolean + elf_swap_shdr_in (bfd *abfd, + const Elf_External_Shdr *src, + Elf_Internal_Shdr *dst) +@@ -322,10 +322,13 @@ elf_swap_shdr_in (bfd *abfd, + ufile_ptr filesize = bfd_get_file_size (abfd); + + if (filesize != 0 && dst->sh_size > filesize) +- _bfd_error_handler +- (_("warning: %pB has a corrupt section with a size (%" +- BFD_VMA_FMT "x) larger than the file size"), +- abfd, dst->sh_size); ++ { ++ _bfd_error_handler ++ (_("warning: %pB has a corrupt section with a size (%" ++ BFD_VMA_FMT "x) larger than the file size"), ++ abfd, dst->sh_size); ++ return FALSE; ++ } + } + dst->sh_link = H_GET_32 (abfd, src->sh_link); + dst->sh_info = H_GET_32 (abfd, src->sh_info); +@@ -333,6 +336,7 @@ elf_swap_shdr_in (bfd *abfd, + dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize); + dst->bfd_section = NULL; + dst->contents = NULL; ++ return TRUE; + } + + /* Translate an ELF section header table entry in internal format into an +@@ -625,9 +629,9 @@ elf_object_p (bfd *abfd) + + /* Read the first section header at index 0, and convert to internal + form. */ +- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) ++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) ++ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr)) + goto got_no_match; +- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr); + + /* If the section count is zero, the actual count is in the first + section header. */ +@@ -710,9 +714,9 @@ elf_object_p (bfd *abfd) + to internal form. */ + for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++) + { +- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) ++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) ++ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex)) + goto got_no_match; +- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex); + + /* Sanity check sh_link and sh_info. */ + if (i_shdrp[shindex].sh_link >= num_sec) diff --git a/binutils.spec b/binutils.spec index b27c690..e8ee60e 100644 --- a/binutils.spec +++ b/binutils.spec @@ -2,7 +2,7 @@ Summary: A GNU collection of binary utilities Name: binutils%{?_with_debug:-debug} Version: 2.35.2 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv3+ URL: https://sourceware.org/binutils @@ -533,6 +533,11 @@ Patch105: binutils-AArch64-missing-assembler-tests-12.patch # Lifetime: Fixed in 2.46 Patch106: binutils-execstack-error-tests.patch +# Purpose: Stops a potential illegal memory access when linking a corrupt +# input file. PR 33457 +# Lifetime: Fixed in 2.46 +Patch107: binutils-CVE-2025-11083.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty) @@ -1392,6 +1397,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Tue Nov 11 2025 Nick Clifton - 2.35.2-69 +- Fix a potential illegal memory access when linking a corrupt input file. (RHEL-126883) + * Wed Sep 10 2025 Nick Clifton - 2.35.2-68 - Add missing space to ppc476-shared2 linker test. (RHEL-113842)