diff --git a/backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch b/backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb3df2a41ca1ac84b54e5cc2b8448f429c781b60
--- /dev/null
+++ b/backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch
@@ -0,0 +1,34 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array. This also fixes the expression
+overflow leading to pr33452. A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+ PR ld/33452
+ * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14865,7 +14865,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+ const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+ unsigned int log_file_align = bed->s->log_file_align;
+
+- if (!h)
++ if (!h || addend > 1u << 28)
+ {
+ /* xgettext:c-format */
+ _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
+--
+2.43.0
+
diff --git a/binutils.spec b/binutils.spec
index 5a96ba97ee01d29717f28017f1962e492ecf2a7f..682da95696ebff71d3a4f2a37b93ad2efad95925 100644
--- a/binutils.spec
+++ b/binutils.spec
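Review bot: The type of `addend` is not visible in this hunk (the parameter list is cut in the `@@` header), and the new guard `addend > 1u << 28` bounds the value only if that parameter is unsigned; were it a signed vma in the 2.41 tree, a negative addend would pass the `>` comparison and still reach the index arithmetic that the upstream message says overflowed. Worth confirming against the declaration in the packaged 2.41 sources when the backport is applied, since the inner hunk offsets (`-14865,7`) appear to come from upstream master rather than from the 2.41 release. The bound is a bare constant at the use site, but as a verbatim upstream backport it is better left untouched, with the rationale (a 2^28-byte cap on the vtable offset, roughly 33M entries on a 64-bit host) recorded in the spec's `# Purpose:` comment rather than edited into the patch. bfd_elf_gc_record_vtentry's body continues outside the hunk.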
@@ -2,7 +2,7 @@
 Summary: A GNU collection of binary utilities
 Name: binutils%{?_with_debug:-debug}
 Version: 2.41
-Release: 27
+Release: 28
 License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND BSD-3-Clause AND GFDL-1.3-or-later AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later
 URL: https://sourceware.org/binutils
@@ -434,6 +434,10 @@
 Patch5029: backport-CVE-2025-5244.patch
 # Lifetime: Fixed in 2.45
 Patch5030: backport-CVE-2025-5245.patch
+# Purpose: PR binutils/33452
+# Lifetime: Fixed in 2.46
+Patch5031: backport-CVE-2025-11412-PR-33452-SEGV-in-bfd_elf_gc_record_vtentry.patch
+
 #----------------------------------------------------------------------------
 Provides: bundled(libiberty)
@@ -1448,6 +1452,9 @@ exit 0
 #----------------------------------------------------------------------------
 %changelog
+* Wed Dec 10 2025 Linux_zhang - 2.41-28
+- Fix CVE-2025-11412
+
 * Thu Dec 04 2025 eastb233 - 2.41-27
 - Bump to release 27
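Review bot: The `# Purpose:` comment added for Patch5031 cites `PR binutils/33452`, while the backported commit files the bug as `PR ld/33452` and the patch filename and changelog entry carry `CVE-2025-11412`, so the three records for the same fix do not agree; suggest `# Purpose: CVE-2025-11412, PR ld/33452 (SEGV in bfd_elf_gc_record_vtentry)` so a later audit can match the spec entry to both the CVE and the upstream bug. The `# Lifetime: Fixed in 2.46` line names an upstream release that nothing in the backport itself establishes (the commit is dated Sep 2025 with no release tag), so it should be checked against upstream's release notes before it is used to decide when the patch can be dropped.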