From b0a18777ee7674be27b162d32298926fd4ca1de2 Mon Sep 17 00:00:00 2001 From: wangxiao65 Date: Fri, 31 Oct 2025 09:03:34 +0000 Subject: [PATCH] fix CVE-2025-11412 (cherry picked from commit 4527dbea27b3da190a20169a8bacc9b1d3705a91) --- backport-CVE-2025-11412.patch | 37 +++++++++++++++++++++++++++++++++++ gdb.spec | 6 +++++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-11412.patch diff --git a/backport-CVE-2025-11412.patch b/backport-CVE-2025-11412.patch new file mode 100644 index 0000000..3978786 --- /dev/null +++ b/backport-CVE-2025-11412.patch @@ -0,0 +1,37 @@ +From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 25 Sep 2025 08:22:24 +0930 +Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry + +Limit addends on vtentry relocs, otherwise ld might attempt to +allocate a stupidly large array. This also fixes the expression +overflow leading to pr33452. A vtable of 33M entries on a 64-bit +host is surely large enough, especially considering that VTINHERIT +and VTENTRY relocations are to support -fvtable-gc that disappeared +from gcc over 20 years ago. + + PR ld/33452 + * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend. + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc +Conflict:NA +--- + bfd/elflink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 54f0d6e957e..0a0456177c2 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14865,7 +14865,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec, + const struct elf_backend_data *bed = get_elf_backend_data (abfd); + unsigned int log_file_align = bed->s->log_file_align; + +- if (!h) ++ if (!h || addend > 1u << 28) + { + /* xgettext:c-format */ + _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"), +-- +2.33.0 + diff --git a/gdb.spec b/gdb.spec index db5b1a0..7051e56 100644 
--- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 14.1 -Release: 9 +Release: 10 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: https://ftp.gnu.org/gnu/gdb/gdb-%{version}.tar.xz @@ -63,6 +63,7 @@ Patch49: gdb-rhbz2259850-list-period-crash-fix.patch Patch50: backport-CVE-2025-11082.patch Patch51: backport-CVE-2025-11494.patch Patch52: backport-CVE-2025-11083.patch +Patch53: backport-CVE-2025-11412.patch Patch9000: 0001-set-entry-point-when-text-segment-is-missing.patch @@ -340,6 +341,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/ctf-spec.info* %changelog +* Fri Oct 31 2025 wangxiao - 14.1-10 +- fix CVE-2025-11412 + * Mon Oct 20 2025 yujingbo - 14.1-9 - fix CVE-2025-11083 -- Gitee
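Review bot: the bound in `+ if (!h || addend > 1u << 28)` in the backport-CVE-2025-11412.patch hunk is an unexplained magic number in the code itself; its rationale lives only in the description ("a vtable of 33M entries on a 64-bit host"). The surrounding context fetches `log_file_align`, so the addend is a byte offset scaled by the file alignment, and 2^28 bytes at an 8-byte alignment is 2^25, about 33M entries, which matches the description; on targets with a smaller file alignment the same byte cap admits proportionally more entries. Since the patch is taken verbatim from upstream (Reference line, "Conflict:NA"), it should stay as-is for traceability, but the hunk header `@@ -14865,7 +14865,7 @@` and the index line `54f0d6e957e..0a0456177c2` come from binutils master, not from the bfd bundled with gdb 14.1, so the hunk will apply at an offset at best; please confirm from the build log that it applied cleanly rather than relying on "Conflict:NA" alone.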
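Review bot: the `@@ -63,6 +63,7 @@` hunk declares `+Patch53: backport-CVE-2025-11412.patch` in the sequential CVE block after Patch52 and before Patch9000, which is consistent with the existing numbering, but this diff adds no corresponding apply step. If the spec's %prep applies patches with explicit %patch directives rather than %autosetup, a matching `%patch53 -p1` line is also needed; either way the inner patch uses `a/bfd/elflink.c` and `b/bfd/elflink.c` paths, so it must be applied with `-p1` from the gdb source root where the bundled `bfd/` tree lives.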
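Review bot: the changelog entry in the `@@ -340,6 +341,9 @@` hunk (`+* Fri Oct 31 2025 wangxiao - 14.1-10`, `+- fix CVE-2025-11412`) agrees with the Release bump from 9 to 10 in the first hunk and with the date in the commit header, and follows the format of the preceding 14.1-9 entry. For traceability consider adding the upstream reference carried in the patch header (binutils PR ld/33452, commit 047435dd988a3975d40c6626a8f739a0b2e154bc) next to the CVE id, since the CVE number alone does not identify which bfd change was backported.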