From a53ca8c0aaaf5c3c15e93414b932b2d648128a15 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Thu, 18 Dec 2025 11:31:13 +0000
Subject: [PATCH] import UBI binutils-2.41-58.el10_1.2

---
 binutils-CVE-2025-11082.patch | 42 +++++++++++++++++++++
 binutils-CVE-2025-11083.patch | 71 +++++++++++++++++++++++++++++++++++
 binutils.spec                 | 18 ++++++++-
 3 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 binutils-CVE-2025-11082.patch
 create mode 100644 binutils-CVE-2025-11083.patch

diff --git a/binutils-CVE-2025-11082.patch b/binutils-CVE-2025-11082.patch
new file mode 100644
index 0000000..b773a43
--- /dev/null
+++ b/binutils-CVE-2025-11082.patch
@@ -0,0 +1,42 @@
+From ea1a0737c7692737a644af0486b71e4a392cbca8 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 22 Sep 2025 15:20:34 +0800
+Subject: [PATCH] elf: Don't read beyond .eh_frame section size
+
+	PR ld/33464
+	* elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond
+	.eh_frame section size.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+---
+ bfd/elf-eh-frame.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff -rup binutils-2.43.1.orig/bfd/elf-eh-frame.c binutils-2.43.1/bfd/elf-eh-frame.c
+--- binutils-2.43.1.orig/bfd/elf-eh-frame.c	2025-10-03 12:00:40.473590498 +0100
++++ binutils-2.43.1/bfd/elf-eh-frame.c	2025-10-03 12:00:59.521264872 +0100
+@@ -734,6 +734,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, stru
+       if (hdr_id == 0)
+ 	{
+ 	  unsigned int initial_insn_length;
++	  char *null_byte;
+ 
+ 	  /* CIE  */
+ 	  this_inf->cie = 1;
+@@ -750,10 +751,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, stru
+ 	  REQUIRE (cie->version == 1
+ 		   || cie->version == 3
+ 		   || cie->version == 4);
+-	  REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation));
++	  null_byte = memchr ((char *) buf, 0, end - buf);
++	  REQUIRE (null_byte != NULL);
++	  REQUIRE ((size_t) (null_byte - (char *) buf)
++		   < sizeof (cie->augmentation));
+ 
+ 	  strcpy (cie->augmentation, (char *) buf);
+-	  buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1;
++	  buf = (bfd_byte *) null_byte + 1;
+ 	  this_inf->u.cie.aug_str_len = buf - start - 1;
+ 	  ENSURE_NO_RELOCS (buf);
+ 	  if (buf[0] == 'e' && buf[1] == 'h')
+
diff --git a/binutils-CVE-2025-11083.patch b/binutils-CVE-2025-11083.patch
new file mode 100644
index 0000000..e235846
--- /dev/null
+++ b/binutils-CVE-2025-11083.patch
@@ -0,0 +1,71 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+
+	PR ld/33457
+	* elfcode.h (elf_swap_shdr_in): Changed to return bool.  Return
+	false for corrupt section header in linker input.
+	(elf_object_p): Reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+---
+ bfd/elfcode.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- binutils-2.41.orig/bfd/elfcode.h	2025-11-10 13:05:26.741890763 +0000
++++ binutils-2.41/bfd/elfcode.h	2025-11-10 13:07:45.446523690 +0000
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+    ELF section header table entry in internal format.  */
+ 
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ 		  const Elf_External_Shdr *src,
+ 		  Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+ 	{
+ 	  _bfd_error_handler (_("warning: %pB has a section "
+ 				"extending past end of file"), abfd);
++	  /* PR ld/33457: Don't match corrupt section header.  */
++	  if (abfd->is_linker_input)
++	    return false;
+ 	  abfd->read_only = 1;
+ 	}
+     }
+@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
+   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+   dst->bfd_section = NULL;
+   dst->contents = NULL;
++  return true;
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
+ 
+       /* Read the first section header at index 0, and convert to internal
+ 	 form.  */
+-      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	  || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ 	goto got_no_match;
+-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+       /* If the section count is zero, the actual count is in the first
+ 	 section header.  */
+@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
+ 	 to internal form.  */
+       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ 	{
+-	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	      || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ 	    goto got_no_match;
+-	  elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+ 	  /* Sanity check sh_link and sh_info.  */
+ 	  if (i_shdrp[shindex].sh_link >= num_sec)
diff --git a/binutils.spec b/binutils.spec
index 0209dbd..2ab4aa4 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -2,7 +2,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?_with_debug:-debug}
 Version: 2.41
-Release: 58%{?dist}
+Release: 58%{?dist}.2
 License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND BSD-3-Clause AND GFDL-1.3-or-later AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later
 URL: https://sourceware.org/binutils
 
@@ -387,6 +387,16 @@ Patch61: binutils-riscv-efi.patch
 # Lifetime: Fixed in 2.45
 Patch62: binutils-CVE-2025-5244.patch
 
+# Purpose:  Stops a potential illegal memory access when linking a corrupt
+#            input file.  PR 33464
+# Lifetime: Fixed in 2.46
+Patch63: binutils-CVE-2025-11082.patch
+
+# Purpose:  Stops a potential illegal memory access when linking a corrupt
+#            input file.  PR 33457
+# Lifetime: Fixed in 2.46
+Patch64: binutils-CVE-2025-11083.patch
+
 #----------------------------------------------------------------------------
 
 # Purpose:  Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10
@@ -1426,6 +1436,12 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Mon Nov 10 2025 Nick Clifton  <nickc@redhat.com> - 2.41-58.2
+- Fix a potential illegal memory access when linking a corrupt input file.  (RHEL-126875)
+
+* Wed Nov 05 2025 Nick Clifton  <nickc@redhat.com> - 2.41-58.1
+- Fix a potential illegal memory access when linking a corrupt input file.  (RHEL-125206)
+
 * Wed Aug 06 2025 Nick Clifton  <nickc@redhat.com> - 2.41-58
 - Remove workaround for CVE-2025-5702.  (RHEL-100159)