From ad7bd5ee365b43a3a54c840c10569fa2beb79bea Mon Sep 17 00:00:00 2001 From: mgb01105731 Date: Wed, 27 Aug 2025 16:42:29 +0800 Subject: [PATCH] Add patch to fix CVE-2025-0840 --- 0047-fix-CVE-2025-0840.patch | 54 ++++++++++++++++++++++++++++++++++++ binutils.spec | 8 +++++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 0047-fix-CVE-2025-0840.patch diff --git a/0047-fix-CVE-2025-0840.patch b/0047-fix-CVE-2025-0840.patch new file mode 100644 index 0000000..6cd6b0d --- /dev/null +++ b/0047-fix-CVE-2025-0840.patch @@ -0,0 +1,54 @@ +From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 15 Jan 2025 19:13:43 +1030 +Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes + +There's always someone pushing the boundaries. + + PR 32560 + * objdump.c (MAX_INSN_WIDTH): Define. + (insn_width): Make it an unsigned long. + (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer. + (main ): Restrict size of insn_width. +--- + binutils/objdump.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index ecbe39e942e..80044dea580 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -117,7 +117,8 @@ static bool disassemble_all; /* -D */ + static int disassemble_zeroes; /* --disassemble-zeroes */ + static bool formats_info; /* -i */ + int wide_output; /* -w */ +-static int insn_width; /* --insn-width */ ++#define MAX_INSN_WIDTH 49 ++static unsigned long insn_width; /* --insn-width */ + static bfd_vma start_address = (bfd_vma) -1; /* --start-address */ + static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */ + static int dump_debugging; /* --debugging */ +@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf, + } + else + { +- char buf[50]; ++ char buf[MAX_INSN_WIDTH + 1]; + unsigned int bpc = 0; + unsigned int pb = 0; + +@@ -6070,8 +6071,9 @@ main (int argc, char **argv) + break; + case OPTION_INSN_WIDTH: + insn_width = strtoul (optarg, NULL, 0); +- if (insn_width <= 0) +- fatal (_("error: instruction width must be positive")); ++ if (insn_width - 1 >= MAX_INSN_WIDTH) ++ fatal (_("error: instruction width must be in the range 1 to " ++ XSTRING (MAX_INSN_WIDTH))); + break; + case OPTION_INLINES: + unwind_inlines = true; +-- +2.43.5 + diff --git a/binutils.spec b/binutils.spec index 43a5c7f..d00c0f3 100644 --- a/binutils.spec +++ b/binutils.spec @@ -1,4 +1,4 @@ -%define anolis_release 11 +%define anolis_release 12 # Determine if this is a native build or a cross build. # # For a cross build add --define "binutils_target " to the command @@ -375,6 +375,9 @@ Patch0045: 0045-fix-CVE-2025-5245.patch # Lifetime: Fixed in 2.44 Patch0046: 0046-Support-x86-Zhaoxin-GMI-PadLock.patch +# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893 +Patch0047: 0047-fix-CVE-2025-0840.patch + # Purpose: Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10 # Lifetime: TEMPORARY Patch0099: 0099-binutils-suppress-ld-align-tests.patch @@ -1154,6 +1157,9 @@ exit 0 %doc README ChangeLog MAINTAINERS README-maintainer-mode %changelog +* Wed Aug 27 2025 mgb01105731 - 2.41-12 +- Add patch to fix CVE-2025-0840 + * Fri Aug 06 2025 timhu_806d - 2.41-11 - x86: add support for Zhaoxin GMI and PadLock instructions. -- Gitee