From c2ae07edbc0f799d6565cb0079091f77453b5bd6 Mon Sep 17 00:00:00 2001
From: eastb233
Date: Sat, 30 Aug 2025 16:55:02 +0800
Subject: [PATCH] Fix CVE-2022-44840, CVE-2025-5244, CVE-2025-5245, CVE-2025-7546
---
 backport-CVE-2022-44840.patch | 148 ++++++++++++++++++++++++++++++++++
 backport-CVE-2025-5244.patch | 30 +++++++
 backport-CVE-2025-5245.patch | 44 ++++++++++
 backport-CVE-2025-7546.patch | 42 ++++++++++
 binutils.spec | 9 ++-
 5 files changed, 272 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-44840.patch
 create mode 100644 backport-CVE-2025-5244.patch
 create mode 100644 backport-CVE-2025-5245.patch
 create mode 100644 backport-CVE-2025-7546.patch
diff --git a/backport-CVE-2022-44840.patch b/backport-CVE-2022-44840.patch
new file mode 100644
index 0000000..b365216
--- /dev/null
+++ b/backport-CVE-2022-44840.patch
@@ -0,0 +1,148 @@
+From 28750e3b967da2207d51cbce9fc8be262817ee59 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Sun, 30 Oct 2022 19:08:51 +1030
+Subject: [PATCH] Pool section entries for DWP version 1
+
+Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3
+
+Fuzzers have found a weakness in the code stashing pool section
+entries. With random nonsensical values in the index entries (rather
+than each index pointing to its own set distinct from other sets),
+it's possible to overflow the space allocated, losing the NULL
+terminator. Without a terminator, find_section_in_set can run off the
+end of the shndx_pool buffer. Fix this by scanning the pool directly.
+
+binutils/
+ * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
+ (end_cu_tu_entry): Likewise.
+ (process_cu_tu_index): Fill shndx_pool by directly scanning
+ pool, rather than indirectly from index entries.
+---
+ binutils/dwarf.c | 90 ++++++++++++++++++++++--------------
+ 1 file changed, 41 insertions(+), 49 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index c6340a28906..7730293326a 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
+ static void
+ add_shndx_to_cu_tu_entry (unsigned int shndx)
+ {
+- if (shndx_pool_used >= shndx_pool_size)
+- {
+- error (_("Internal error: out of space in the shndx pool.\n"));
+- return;
+- }
+ shndx_pool [shndx_pool_used++] = shndx;
+ }
+
+ static void
+ end_cu_tu_entry (void)
+ {
+- if (shndx_pool_used >= shndx_pool_size)
+- {
+- error (_("Internal error: out of space in the shndx pool.\n"));
+- return;
+- }
+ shndx_pool [shndx_pool_used++] = 0;
+ }
+
+@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+
+ if (version == 1)
+ {
++ unsigned char *shndx_list;
++ unsigned int shndx;
++
+ if (!do_display)
+- prealloc_cu_tu_list ((limit - ppool) / 4);
+- for (i = 0; i < nslots; i++)
+ {
+- unsigned char *shndx_list;
+- unsigned int shndx;
+-
+- SAFE_BYTE_GET (signature, phash, 8, limit);
+- if (signature != 0)
++ prealloc_cu_tu_list ((limit - ppool) / 4);
++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+ {
+- SAFE_BYTE_GET (j, pindex, 4, limit);
+- shndx_list = ppool + j * 4;
+- /* PR 17531: file: 705e010d. */
+- if (shndx_list < ppool)
+- {
+- warn (_("Section index pool located before start of section\n"));
+- return 0;
+- }
++ shndx = byte_get (shndx_list, 4);
++ add_shndx_to_cu_tu_entry (shndx);
++ }
++ end_cu_tu_entry ();
++ }
++ else
++ for (i = 0; i < nslots; i++)
++ {
++ SAFE_BYTE_GET (signature, phash, 8, limit);
++ if (signature != 0)
++ {
++ SAFE_BYTE_GET (j, pindex, 4, limit);
++ shndx_list = ppool + j * 4;
++ /* PR 17531: file: 705e010d. */
++ if (shndx_list < ppool)
++ {
++ warn (_("Section index pool located before start of section\n"));
++ return 0;
++ }
+
+- if (do_display)
+ printf (_(" [%3d] Signature: 0x%s Sections: "),
+ i, dwarf_vmatoa ("x", signature));
+- for (;;)
+- {
+- if (shndx_list >= limit)
+- {
+- warn (_("Section %s too small for shndx pool\n"),
+- section->name);
+- return 0;
+- }
+- SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+- if (shndx == 0)
+- break;
+- if (do_display)
++ for (;;)
++ {
++ if (shndx_list >= limit)
++ {
++ warn (_("Section %s too small for shndx pool\n"),
++ section->name);
++ return 0;
++ }
++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
++ if (shndx == 0)
++ break;
+ printf (" %d", shndx);
+- else
+- add_shndx_to_cu_tu_entry (shndx);
+- shndx_list += 4;
+- }
+- if (do_display)
++ shndx_list += 4;
++ }
+ printf ("\n");
+- else
+- end_cu_tu_entry ();
+- }
+- phash += 8;
+- pindex += 4;
+- }
++ }
++ phash += 8;
++ pindex += 4;
++ }
+ }
+ else if (version == 2)
+ {
+--
+2.43.0
+
diff --git a/backport-CVE-2025-5244.patch b/backport-CVE-2025-5244.patch
new file mode 100644
index 0000000..045e111
--- /dev/null
+++ b/backport-CVE-2025-5244.patch
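Review bot: With the `shndx_pool_used >= shndx_pool_size` checks deleted from add_shndx_to_cu_tu_entry and end_cu_tu_entry, the version-1 path is safe only if `prealloc_cu_tu_list ((limit - ppool) / 4)` covers every store: the scan writes one entry per 4-byte slot from `ppool + 4` through `limit - 4` plus the terminator from end_cu_tu_entry, which is exactly (limit - ppool) / 4 entries when limit - ppool >= 4, but when limit - ppool is 0..3 the pool is sized 0 and the terminator is still stored. Unless the section-size check that precedes this hunk in the 2.37 tree already rejects ppool within 4 bytes of limit (not visible here), guard the `!do_display` branch before the prealloc call with `if (limit - ppool < 4) { warn (_("Section %s too small for shndx pool\n"), section->name); return 0; }`. A short comment on the scan loop, e.g. `/* Must stay in step with prealloc_cu_tu_list above: one entry per slot plus the terminator.  */`, would document the invariant the deleted range checks used to enforce at run time. process_cu_tu_index starts and ends outside the hunk.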
@@ -0,0 +1,30 @@
+From d1458933830456e54223d9fc61f0d9b3a19256f5 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Thu, 10 Apr 2025 19:41:49 +0930
+Subject: [PATCH] PR32858 ld segfault on fuzzed object
+
+We missed one place where it is necessary to check for empty groups.
+
+ PR 32858
+ * elflink.c (elf_gc_sweep): Protect against empty group.
+---
+ bfd/elflink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index a76e8e38da7..549b7b7dd92 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14408,7 +14408,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info)
+ if (o->flags & SEC_GROUP)
+ {
+ asection *first = elf_next_in_group (o);
+- o->gc_mark = first->gc_mark;
++ if (first != NULL)
++ o->gc_mark = first->gc_mark;
+ }
+
+ if (o->gc_mark)
+--
+2.43.0
+
diff --git a/backport-CVE-2025-5245.patch b/backport-CVE-2025-5245.patch
new file mode 100644
index 0000000..4eca04b
--- /dev/null
+++ b/backport-CVE-2025-5245.patch
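Review bot: The added `if (first != NULL)` leaves `o->gc_mark` untouched for a group with no members, so whether such a group survives the sweep now depends on whatever value gc_mark already held (presumably the zero it starts with), and nothing in the hunk says this is a deliberate "drop it" rather than a second place that should report the object as corrupted, as the CVE-2025-7546 backport in this same series does for group sections. A comment on the new line would make the decision explicit, e.g. `/* PR 32858: an empty group has no first member; leave gc_mark as is so the group is treated like any other unmarked section.  */`. elf_gc_sweep starts and ends outside the hunk.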
@@ -0,0 +1,44 @@
+From 6c3458a8b7ee7d39f070c7b2350851cb2110c65a Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Tue, 1 Apr 2025 22:36:54 +1030
+Subject: [PATCH] PR32829, SEGV on objdump function debug_type_samep
+
+u.kenum is always non-NULL, see debug_make_enum_type.
+
+PR 32829
+* debug.c (debug_type_samep): Correct incomplete enum test.
+(debug_write_type): Remove dead code.
+---
+ binutils/debug.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4ed..49b5ec69 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -2545,9 +2545,6 @@ debug_write_type (struct debug_handle *info,
+ case DEBUG_KIND_UNION_CLASS:
+ return debug_write_class_type (info, fns, fhandle, type, tag);
+ case DEBUG_KIND_ENUM:
+- if (type->u.kenum == NULL)
+- return (*fns->enum_type) (fhandle, tag, (const char **) NULL,
+- (bfd_signed_vma *) NULL);
+ return (*fns->enum_type) (fhandle, tag, type->u.kenum->names,
+ type->u.kenum->values);
+ case DEBUG_KIND_POINTER:
+@@ -3089,9 +3086,9 @@ debug_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+ break;
+
+ case DEBUG_KIND_ENUM:
+- if (t1->u.kenum == NULL)
+- ret = t2->u.kenum == NULL;
+- else if (t2->u.kenum == NULL)
++ if (t1->u.kenum->names == NULL)
++ ret = t2->u.kenum->names == NULL;
++ else if (t2->u.kenum->names == NULL)
+ ret = false;
+ else
+ {
+--
+2.43.0
+
diff --git a/backport-CVE-2025-7546.patch b/backport-CVE-2025-7546.patch
new file mode 100644
index 0000000..9f51efc
--- /dev/null
+++ b/backport-CVE-2025-7546.patch
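Review bot: The rewritten test in debug_type_samep dereferences `t1->u.kenum` and `t2->u.kenum` unconditionally, and debug_write_type now does the same, so the whole fix rests on the invariant stated only in the commit message that debug_make_enum_type never leaves u.kenum NULL; nothing in the 2.37 sources this is applied to is shown here to enforce it. I would record the invariant at the point it is relied on, e.g. `/* u.kenum is never NULL (see debug_make_enum_type); names == NULL marks an incomplete enum.  */` above the new `if`, so a later change to the constructor does not silently reintroduce the segfault. Both functions start and end outside their hunks.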
@@ -0,0 +1,42 @@
+From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Sat, 21 Jun 2025 06:52:00 +0800
+Subject: [PATCH 1/1] elf: Report corrupted group section
+
+Report corrupted group section instead of trying to recover.
+
+ PR binutils/33050
+ * elf.c (bfd_elf_set_group_contents): Report corrupted group
+ section.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elf.c | 23 ++++++++++------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 14ce15c7254..ee894eb05f2 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -3971,8 +3971,18 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
+ break;
+ }
+
++ /* We should always get here with loc == sec->contents + 4. Return
++ an error for bogus SHT_GROUP sections. */
+ loc -= 4;
+- BFD_ASSERT (loc == sec->contents);
++ if (loc != sec->contents)
++ {
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
++ abfd, sec);
++ bfd_set_error (bfd_error_bad_value);
++ *failedptr = true;
++ return;
++ }
+
+ H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+ }
+--
+2.43.7
diff --git a/binutils.spec b/binutils.spec
index d06a8d6..6dedf85 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -1,7 +1,7 @@
 Summary: Binary utilities
 Name: binutils
 Version: 2.37
-Release: 35
+Release: 36
 License: GPLv3+
 URL: https://sourceware.org/binutils
@@ -93,6 +93,10 @@ Patch3065: backport-libctf-fix-ref-leak-of-names-of-newly-inserted-non-r.patch
 Patch3066: backport-CVE-2024-57630.patch
 Patch3067: backport-CVE-2025-0840.patch
 Patch3068: backport-CVE-2025-7545.patch
+Patch3069: backport-CVE-2022-44840.patch
+Patch3070: backport-CVE-2025-5244.patch
+Patch3071: backport-CVE-2025-5245.patch
+Patch3072: backport-CVE-2025-7546.patch
 %ifarch loongarch64
 # LoongArch
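Review bot: The new `loc != sec->contents` check runs only after the member-writing loop above it has finished, so it reports a mismatch but cannot undo stores already made if `loc` were ever able to step below `sec->contents`; whether the loop's `break` (visible just before the hunk) rules that out is not shown here, so please confirm. The new comment would be more useful if it said which direction the check guards against, e.g. `/* The loop above stops at sec->contents, so loc can only be above it here: fewer members than the section size implies.  */` once that is confirmed. Note also that a BFD_ASSERT (which normally just logs and carries on) becomes a hard failure via `*failedptr = true`, so inputs that previously linked with a message are now rejected; that behaviour change deserves a mention in the package changelog. bfd_elf_set_group_contents starts outside the hunk.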
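Review bot: The four new `Patch3069`–`Patch3072` entries are only declared in this hunk; if this spec applies patches through explicit `%patchN -p1` lines in %prep rather than `%autosetup -p1`/`%autopatch`, matching lines are needed or the backports are silently never applied and the build still succeeds. That part of the spec is outside the hunk, so please confirm which mechanism it uses.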
@@ -476,6 +480,9 @@ fi
 %{_infodir}/bfd*info*
 %changelog
+* Sat Aug 30 2025 eastb233 - 2.37-36
+- Fix CVE-2022-44840, CVE-2025-5244, CVE-2025-5245, CVE-2025-7546
+
 * Wed Aug 20 2025 Yu Peng - 2.37-35
 - Fix CVE-2025-7545:objcopy: Don't extend the output section size
--
Gitee