binutils: fix CVE-2025-11081

CVE: CVE-2025-11081 Trying to dump .sframe in a PE file results in a segfault accessing elf_section_data. * objdump (dump_sframe_section, dump_dwarf_section): Don't access elf_section_type without first checking the file is ELF. PR 33406 SEGV in dump_dwarf_section [https://sourceware.org/bugzilla/show_bug.cgi?id=33406] Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b] (From OE-Core rev: d1eb65d2e9365f6bd2acf450496d3bfeda6aedc1) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-27 12:32:13 +02:00 · 2025-10-10 04:59:11 -07:00
parent bd0535ddf8
commit 932a695838
2 changed files with 52 additions and 0 deletions
--- a/meta/recipes-devtools/binutils/binutils-2.45.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.45.inc
@@ -36,4 +36,5 @@ SRC_URI = "\
     file://0012-Only-generate-an-RPATH-entry-if-LD_RUN_PATH-is-not-e.patch \
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
+     file://0015-CVE-2025-11081.patch \
 "
--- a/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
+++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2025-11081.patch
@@ -0,0 +1,51 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
+	elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -4485,7 +4485,8 @@ dump_dwarf_section (bfd *abfd, asection *section,
+   else
+     match = name;
+ 
+-  if (elf_section_type (section) == SHT_GNU_SFRAME)
+  if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
+      && elf_section_type (section) == SHT_GNU_SFRAME)
+     match = ".sframe";
+ 
+   for (i = 0; i < max; i++)
+@@ -4993,9 +4994,10 @@ dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
+ 	 SHT_GNU_SFRAME.  For SFrame sections from Binutils 2.44 or earlier,
+ 	 check explcitly for SFrame sections of type SHT_PROGBITS and name
+ 	 ".sframe" to allow them.  */
+-      else if (elf_section_type (sec) != SHT_GNU_SFRAME
+-	       && !(elf_section_type (sec) == SHT_PROGBITS
+-		    && strcmp (sect_name, ".sframe") == 0))
+      else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
+	       || (elf_section_type (sec) != SHT_GNU_SFRAME
+		   && !(elf_section_type (sec) == SHT_PROGBITS
+			&& strcmp (sect_name, ".sframe") == 0)))
+ 	{
+ 	  printf (_("Section %s does not contain SFrame data\n\n"),
+ 		  sanitize_string (sect_name));
+-- 
+2.43.7
+