diff --git a/backport-0001-CVE-2025-11083.patch b/backport-0001-CVE-2025-11083.patch new file mode 100644 index 0000000000000000000000000000000000000000..1268803c92cba70fd353f9d5de922aa705b62783 --- /dev/null +++ b/backport-0001-CVE-2025-11083.patch 
@@ -0,0 +1,143 @@ +From 7c5fa58ea907c46817b915ec8b9b35a180e0e74c Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 19 Feb 2020 13:14:05 +1030 +Subject: [PATCH] bfd_get_file_size calls + +bfd_get_file_size can return 0, meaning the file size is unknown. + + * coffgen.c (_bfd_coff_get_external_symbols): Don't call + bfd_get_file_size twice. + (_bfd_coff_read_string_table): Allow for bfd_get_file_size + zero, ie. unknown, return. + * elf-attrs.c (_bfd_elf_parse_attributes): Likewise. + * elfcode.h (elf_swap_shdr_in): Likewise. + (elf_object_p): Don't call bfd_get_file_size twice and correct + file size check. + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7c5fa58ea907c46817b915ec8b9b35a180e0e74c +Conflict:Remove bfd/ChangeLog +--- + bfd/ChangeLog | 11 +++++++++++ + bfd/coffgen.c | 12 ++++++++---- + bfd/elf-attrs.c | 5 ++++- + bfd/elfcode.h | 23 +++++++++++++++-------- + 4 files changed, 38 insertions(+), 13 deletions(-) + +diff --git a/bfd/coffgen.c b/bfd/coffgen.c +index cf115d48c85..5287130490e 100644 +--- a/bfd/coffgen.c ++++ b/bfd/coffgen.c +@@ -1642,19 +1642,20 @@ _bfd_coff_get_external_symbols (bfd *abfd) + bfd_size_type symesz; + bfd_size_type size; + void * syms; ++ ufile_ptr filesize; + + if (obj_coff_external_syms (abfd) != NULL) + return TRUE; + + symesz = bfd_coff_symesz (abfd); +- + size = obj_raw_syment_count (abfd) * symesz; + if (size == 0) + return TRUE; ++ + /* Check for integer overflow and for unreasonable symbol counts. 
*/ ++ filesize = bfd_get_file_size (abfd); + if (size < obj_raw_syment_count (abfd) +- || (bfd_get_file_size (abfd) > 0 +- && size > bfd_get_file_size (abfd))) ++ || (filesize != 0 && size > filesize)) + + { + _bfd_error_handler (_("%pB: corrupt symbol count: %#" PRIx64 ""), +@@ -1698,6 +1699,7 @@ _bfd_coff_read_string_table (bfd *abfd) + bfd_size_type strsize; + char *strings; + file_ptr pos; ++ ufile_ptr filesize; + + if (obj_coff_strings (abfd) != NULL) + return obj_coff_strings (abfd); +@@ -1731,7 +1733,9 @@ _bfd_coff_read_string_table (bfd *abfd) + #endif + } + +- if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd)) ++ filesize = bfd_get_file_size (abfd); ++ if (strsize < STRING_SIZE_SIZE ++ || (filesize != 0 && strsize > filesize)) + { + _bfd_error_handler + /* xgettext: c-format */ +diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c +index 169b6973810..070104c2734 100644 +--- a/bfd/elf-attrs.c ++++ b/bfd/elf-attrs.c +@@ -436,11 +436,14 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) + bfd_byte *p_end; + bfd_vma len; + const char *std_sec; ++ ufile_ptr filesize; + + /* PR 17512: file: 2844a11d. */ + if (hdr->sh_size == 0) + return; +- if (hdr->sh_size > bfd_get_file_size (abfd)) ++ ++ filesize = bfd_get_file_size (abfd); ++ if (filesize != 0 && hdr->sh_size > filesize) + { + /* xgettext:c-format */ + _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), +diff --git a/bfd/elfcode.h b/bfd/elfcode.h +index e1e89cf78f2..a6b0c613ba2 100644 +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -317,11 +317,16 @@ elf_swap_shdr_in (bfd *abfd, + /* PR 23657. Check for invalid section size, in sections with contents. + Note - we do not set an error value here because the contents + of this particular section might not be needed by the consumer. 
*/ +- if (dst->sh_type != SHT_NOBITS +- && dst->sh_size > bfd_get_file_size (abfd)) +- _bfd_error_handler +- (_("warning: %pB has a corrupt section with a size (%" BFD_VMA_FMT "x) larger than the file size"), +- abfd, dst->sh_size); ++ if (dst->sh_type != SHT_NOBITS) ++ { ++ ufile_ptr filesize = bfd_get_file_size (abfd); ++ ++ if (filesize != 0 && dst->sh_size > filesize) ++ _bfd_error_handler ++ (_("warning: %pB has a corrupt section with a size (%" ++ BFD_VMA_FMT "x) larger than the file size"), ++ abfd, dst->sh_size); ++ } + dst->sh_link = H_GET_32 (abfd, src->sh_link); + dst->sh_info = H_GET_32 (abfd, src->sh_info); + dst->sh_addralign = H_GET_WORD (abfd, src->sh_addralign); +@@ -775,6 +780,7 @@ elf_object_p (bfd *abfd) + { + Elf_Internal_Phdr *i_phdr; + unsigned int i; ++ ufile_ptr filesize; + + #ifndef BFD64 + if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr)) +@@ -782,9 +788,10 @@ elf_object_p (bfd *abfd) + #endif + /* Check for a corrupt input file with an impossibly large number + of program headers. */ +- if (bfd_get_file_size (abfd) > 0 +- && i_ehdrp->e_phnum > bfd_get_file_size (abfd)) +- goto got_no_match; ++ filesize = bfd_get_file_size (abfd); ++ if (filesize != 0 ++ && i_ehdrp->e_phnum > filesize / sizeof (Elf_External_Phdr)) ++ goto got_wrong_format_error; + elf_tdata (abfd)->phdr + = (Elf_Internal_Phdr *) bfd_alloc2 (abfd, i_ehdrp->e_phnum, + sizeof (*i_phdr)); +-- +2.43.0 + diff --git a/backport-0002-CVE-2025-11083.patch b/backport-0002-CVE-2025-11083.patch new file mode 100644 index 0000000000000000000000000000000000000000..bdf0743b6501ac191a585b5fa4ab0e7196e7d1d7 --- /dev/null +++ b/backport-0002-CVE-2025-11083.patch 
@@ -0,0 +1,113 @@ +From 75e100a30d5dfdd3ac2b0391c17173645fc77633 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 12 Aug 2020 20:18:43 +0930 +Subject: [PATCH] PR26348, Malloc error in write_zeros + +This adds a few more sanity checks on ELF objects, and a BFD flag to +disable objcopy and strip when fuzzed input files belong in the "too +hard" basket. + +bfd/ + PR 26348 + * bfd.c (struct bfd): Add read_only. + * elfcode.h (elf_swap_shdr_in): Test both sh_offset and sh_size. + Set read_only on warning. + (elf_object_p): Sanity check program header alignment. Set + read_only on warning. + * bfd-in2.h: Regenerate. +binutils/ + PR 26348 + * objcopy.c (copy_object): Report file name with endian error. + Error and return on abfd->read_only. + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75e100a30d5dfdd3ac2b0391c17173645fc77633 +Conflict:Remove bfd/ChangeLog binutils/ChangeLog binutils/objcopy.c +--- + bfd/ChangeLog | 10 ++++++++++ + bfd/bfd-in2.h | 4 ++++ + bfd/bfd.c | 4 ++++ + bfd/elfcode.h | 22 +++++++++++++++++----- + binutils/ChangeLog | 6 ++++++ + binutils/objcopy.c | 10 +++++++++- + 6 files changed, 50 insertions(+), 6 deletions(-) + +diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h +index 35ef4d755bb..94d3195836a 100644 +--- a/bfd/bfd-in2.h ++++ b/bfd/bfd-in2.h +@@ -6678,6 +6678,10 @@ struct bfd + /* Set if this is a slim LTO object not loaded with a compiler plugin. */ + unsigned int lto_slim_object : 1; + ++ /* Do not attempt to modify this file. Set when detecting errors ++ that BFD is not prepared to handle for objcopy/strip. */ ++ unsigned int read_only : 1; ++ + /* Set to dummy BFD created when claimed by a compiler plug-in + library. */ + bfd *plugin_dummy_bfd; +diff --git a/bfd/bfd.c b/bfd/bfd.c +index 538bdfa5d7d..ec38a0673c7 100644 +--- a/bfd/bfd.c ++++ b/bfd/bfd.c +@@ -245,6 +245,10 @@ CODE_FRAGMENT + . {* Set if this is a slim LTO object not loaded with a compiler plugin. *} + . unsigned int lto_slim_object : 1; + . ++. 
{* Do not attempt to modify this file. Set when detecting errors ++. that BFD is not prepared to handle for objcopy/strip. *} ++. unsigned int read_only : 1; ++. + . {* Set to dummy BFD created when claimed by a compiler plug-in + . library. *} + . bfd *plugin_dummy_bfd; +diff --git a/bfd/elfcode.h b/bfd/elfcode.h +index 2e2c5343f2c..84b08b57ebc 100644 +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -321,11 +321,14 @@ elf_swap_shdr_in (bfd *abfd, + { + ufile_ptr filesize = bfd_get_file_size (abfd); + +- if (filesize != 0 && dst->sh_size > filesize) +- _bfd_error_handler +- (_("warning: %pB has a corrupt section with a size (%" +- BFD_VMA_FMT "x) larger than the file size"), +- abfd, dst->sh_size); ++ if (filesize != 0 ++ && ((ufile_ptr) dst->sh_offset > filesize ++ || dst->sh_size > filesize - dst->sh_offset)) ++ { ++ abfd->read_only = 1; ++ _bfd_error_handler (_("warning: %pB has a section " ++ "extending past end of file"), abfd); ++ } + } + dst->sh_link = H_GET_32 (abfd, src->sh_link); + dst->sh_info = H_GET_32 (abfd, src->sh_info); +@@ -764,6 +767,7 @@ elf_object_p (bfd *abfd) + So we are kind, and reset the string index value to 0 + so that at least some processing can be done. */ + i_ehdrp->e_shstrndx = SHN_UNDEF; ++ abfd->read_only = 1; + _bfd_error_handler + (_("warning: %pB has a corrupt string table index - ignoring"), + abfd); +@@ -804,6 +808,14 @@ elf_object_p (bfd *abfd) + if (bfd_bread (&x_phdr, sizeof x_phdr, abfd) != sizeof x_phdr) + goto got_no_match; + elf_swap_phdr_in (abfd, &x_phdr, i_phdr); ++ /* Too much code in BFD relies on alignment being a power of ++ two, as required by the ELF spec. */ ++ if (i_phdr->p_align != (i_phdr->p_align & -i_phdr->p_align)) ++ { ++ abfd->read_only = 1; ++ _bfd_error_handler (_("warning: %pB has a program header " ++ "with invalid alignment"), abfd); ++ } + } + } + +-- +2.43.0 + 
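Review bot: With `binutils/objcopy.c` dropped from this backport, nothing in the series consumes `abfd->read_only` except the warning dedupe added by backport-0003, so the new field comment "Do not attempt to modify this file ... for objcopy/strip" describes a consumer that is not in this package; extending the Conflict line with something like `read_only is only read to suppress repeated warnings in this tree` would save the next rebaser from searching for the objcopy check. Adding a bit-field to `struct bfd` also changes its layout, which only matters if this libbfd is shared with out-of-tree consumers, which I cannot tell from here. The bounds test `(ufile_ptr) dst->sh_offset > filesize || dst->sh_size > filesize - dst->sh_offset` is the overflow-safe form, and `p_align & -p_align` on the unsigned bfd_vma correctly accepts p_align == 0 as well as powers of two. elf_swap_shdr_in and elf_object_p both extend beyond the hunks.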
diff --git a/backport-0003-CVE-2025-11083.patch b/backport-0003-CVE-2025-11083.patch new file mode 100644 index 0000000000000000000000000000000000000000..0ba215c2f8e7c6c274f9124543bffc8de36e6cba --- /dev/null +++ b/backport-0003-CVE-2025-11083.patch 
@@ -0,0 +1,95 @@ +From c45c3dba8cc80a41c4e0839df43c435c7aa0996d Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 29 Oct 2021 15:09:52 +1030 +Subject: [PATCH] ELF core file size checks + +Catch fuzzed segments where p_offset + p_filesz wraps, and limit error +output. + + * elfcore.h (elf_core_file_p): Rewrite segment checks using + bfd_get_file_size. Set read_only on file size errors. + * elfcode.h (elf_swap_shdr_in): Don't repeat error message. +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c45c3dba8cc80a41c4e0839df43c435c7aa0996d +Conflict:NA +--- + bfd/elfcode.h | 5 +++-- + bfd/elfcore.h | 39 ++++++++++++++++----------------------- + 2 files changed, 19 insertions(+), 25 deletions(-) + +diff --git a/bfd/elfcode.h b/bfd/elfcode.h +index 7eb27c2e16d..ee88fce487d 100644 +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -325,9 +325,10 @@ elf_swap_shdr_in (bfd *abfd, + && ((ufile_ptr) dst->sh_offset > filesize + || dst->sh_size > filesize - dst->sh_offset)) + { ++ if (!abfd->read_only) ++ _bfd_error_handler (_("warning: %pB has a section " ++ "extending past end of file"), abfd); + abfd->read_only = 1; +- _bfd_error_handler (_("warning: %pB has a section " +- "extending past end of file"), abfd); + } + } + dst->sh_link = H_GET_32 (abfd, src->sh_link); +diff --git a/bfd/elfcore.h b/bfd/elfcore.h +index c0cdceba42a..832818f6cd1 100644 +--- a/bfd/elfcore.h ++++ b/bfd/elfcore.h +@@ -92,6 +92,7 @@ elf_core_file_p (bfd *abfd) + unsigned int phindex; + const struct elf_backend_data *ebd; + bfd_size_type amt; ++ ufile_ptr filesize; + + /* Read in the ELF header in external format. */ + if (bfd_bread (&x_ehdr, sizeof (x_ehdr), abfd) != sizeof (x_ehdr)) +@@ -286,29 +287,21 @@ elf_core_file_p (bfd *abfd) + goto fail; + + /* Check for core truncation. 
*/ +- { +- bfd_size_type high = 0; +- struct stat statbuf; +- for (phindex = 0; phindex < i_ehdrp->e_phnum; ++phindex) +- { +- Elf_Internal_Phdr *p = i_phdrp + phindex; +- if (p->p_filesz) +- { +- bfd_size_type current = p->p_offset + p->p_filesz; +- if (high < current) +- high = current; +- } +- } +- if (bfd_stat (abfd, &statbuf) == 0) +- { +- if ((bfd_size_type) statbuf.st_size < high) +- { +- _bfd_error_handler +- /* xgettext:c-format */ +- (_("warning: %pB is truncated: expected core file " +- "size >= %" PRIu64 ", found: %" PRIu64), +- abfd, (uint64_t) high, (uint64_t) statbuf.st_size); +- } ++ filesize = bfd_get_file_size (abfd); ++ if (filesize != 0) ++ { ++ for (phindex = 0; phindex < i_ehdrp->e_phnum; ++phindex) ++ { ++ Elf_Internal_Phdr *p = i_phdrp + phindex; ++ if (p->p_filesz ++ && (p->p_offset >= filesize ++ || p->p_filesz > filesize - p->p_offset)) ++ { ++ _bfd_error_handler (_("warning: %pB has a segment " ++ "extending past end of file"), abfd); ++ abfd->read_only = 1; ++ break; ++ } + } + } + +-- +2.43.0 + diff --git a/backport-0004-CVE-2025-11083.patch b/backport-0004-CVE-2025-11083.patch new file mode 100644 index 0000000000000000000000000000000000000000..03f6d00d1615a3fac7ad55385eef7a2acebd4ad0 --- /dev/null +++ b/backport-0004-CVE-2025-11083.patch 
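Review bot: The elfcore.h warning is not gated on `!abfd->read_only` the way the elfcode.h hunk in the same patch now gates its message, so a core whose headers already tripped the earlier warning reports twice; `if (!abfd->read_only)` in front of the handler, as done a few lines up in elf_swap_shdr_in, would match the "limit error output" intent in the subject. The replacement check `p->p_offset >= filesize || p->p_filesz > filesize - p->p_offset` is the correct wrap-safe form and removes the bfd_stat path, but the message no longer carries any size or segment number, which the old "expected core file size >= ..." text did; if triage of truncated cores matters, `abfd, (uint64_t) phindex` with a matching format would restore some of that at no cost. elf_core_file_p starts and ends outside the hunk.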
@@ -0,0 +1,79 @@ +From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Thu, 18 Sep 2025 16:59:25 -0700 +Subject: [PATCH] elf: Don't match corrupt section header in linker input + +Don't swap in nor match corrupt section header in linker input to avoid +linker crash later. + + PR ld/33457 + * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return + false for corrupt section header in linker input. + (elf_object_p): Reject if elf_swap_shdr_in returns false. + +Signed-off-by: H.J. Lu + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490 +Conflict:Adapt patch context +--- + bfd/elfcode.h | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/bfd/elfcode.h b/bfd/elfcode.h +index 9c65852e103..5224a1abee6 100644 +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd, + /* Translate an ELF section header table entry in external format into an + ELF section header table entry in internal format. */ + +-static void ++static bfd_boolean + elf_swap_shdr_in (bfd *abfd, + const Elf_External_Shdr *src, + Elf_Internal_Shdr *dst) +@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd, + if (!abfd->read_only) + _bfd_error_handler (_("warning: %pB has a section " + "extending past end of file"), abfd); ++ /* PR ld/33457: Don't match corrupt section header. */ ++ if (abfd->is_linker_input) ++ return FALSE; + abfd->read_only = 1; + } + } +@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd, + dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize); + dst->bfd_section = NULL; + dst->contents = NULL; ++ return TRUE; + } + + /* Translate an ELF section header table entry in internal format into an +@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd) + + /* Read the first section header at index 0, and convert to internal + form. 
*/ +- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) ++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) ++ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr)) + goto got_no_match; +- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr); + + /* If the section count is zero, the actual count is in the first + section header. */ +@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd) + to internal form. */ + for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++) + { +- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) ++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) ++ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex)) + goto got_no_match; +- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex); + + /* Sanity check sh_link and sh_info. */ + if (i_shdrp[shindex].sh_link >= num_sec) +-- +2.43.0 + diff --git a/gdb.spec b/gdb.spec index e078367fb5aa4dfdd4d7968f816c20b64213d95e..63a74fc145ae6212090ec11d8b88ffd7c0e29a2c 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 9.2 -Release: 12 +Release: 13 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -155,6 +155,10 @@ Patch105: gdb-Set-entry-point-when-text-segment-is.patch Patch106: backport-CVE-2022-48064.patch Patch107: backport-CVE-2025-11082.patch Patch108: backport-CVE-2025-11494.patch +Patch109: backport-0001-CVE-2025-11083.patch +Patch110: backport-0002-CVE-2025-11083.patch +Patch111: backport-0003-CVE-2025-11083.patch +Patch112: backport-0004-CVE-2025-11083.patch BuildRequires: rpm-libs autoconf BuildRequires: readline-devel >= 6.2-4 @@ -401,6 +405,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Mon Oct 27 2025 wangxiao - 9.2-13 +- fix CVE-2025-11083 + * Fri Oct 10 2025 Deyuan Fan - 9.2-12 - fix CVE-2025-11494
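Review bot: The new `return FALSE` in elf_swap_shdr_in is only reachable when `abfd->is_linker_input` is set, and nothing visible in this series sets it for a gdb consumer, so in this package the hunk appears to keep elfcode.h in step with upstream rather than change behaviour; a sentence to that effect in the Conflict note would help the next rebase. On that FALSE path elf_object_p jumps to got_no_match without setting a bfd_error value, whereas the bfd_bread failure it is now OR-ed with presumably records its own error; if got_no_match in this tree does not set one, callers of bfd_check_format may see a stale code, and `bfd_set_error (bfd_error_wrong_format);` before the `return FALSE` would pin it. The `static bfd_boolean` / `TRUE` / `FALSE` adaptation is consistent with the rest of this bfd. Both elf_swap_shdr_in and elf_object_p extend beyond the hunks.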
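Review bot: Patch109 through Patch112 are declared in the header, but no `%patch109`–`%patch112` application lines appear in the diff; if this spec applies patches with explicit `%patchN -p1` statements in %prep rather than `%autosetup`, the four backports would be declared but never applied and the build would ship without the fix, so this is worth confirming against the %prep section, which is outside these hunks. The changelog line `- fix CVE-2025-11083` would be easier to audit if it also named the upstream commits carried by the four files (7c5fa58, 75e100a, c45c3db, 9ca4996), as the CVE-to-patch mapping otherwise requires opening each file.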