From e88d8905886d89503d063bfa8eb42c54e51fb567 Mon Sep 17 00:00:00 2001
From: yujingbo <yujingbo@kylinos.cn>
Date: Mon, 20 Oct 2025 14:07:22 +0800
Subject: [PATCH] fix CVE-2025-11083

---
 backport-CVE-2025-11083.patch | 79 +++++++++++++++++++++++++++++++++++
 gdb.spec                      |  6 ++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-11083.patch

diff --git a/backport-CVE-2025-11083.patch b/backport-CVE-2025-11083.patch
new file mode 100644
index 00000000..c9ec0285
--- /dev/null
+++ b/backport-CVE-2025-11083.patch
@@ -0,0 +1,79 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+
+	PR ld/33457
+	* elfcode.h (elf_swap_shdr_in): Changed to return bool.  Return
+	false for corrupt section header in linker input.
+	(elf_object_p): Reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+---
+ bfd/elfcode.h | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 7eb27c2..c2d05c5 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -298,7 +298,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+    ELF section header table entry in internal format.  */
+ 
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ 		  const Elf_External_Shdr *src,
+ 		  Elf_Internal_Shdr *dst)
+@@ -325,9 +325,12 @@ elf_swap_shdr_in (bfd *abfd,
+ 	  && ((ufile_ptr) dst->sh_offset > filesize
+ 	      || dst->sh_size > filesize - dst->sh_offset))
+ 	{
+-	  abfd->read_only = 1;
+ 	  _bfd_error_handler (_("warning: %pB has a section "
+ 				"extending past end of file"), abfd);
++	  /* PR ld/33457: Don't match corrupt section header.  */
++	  if (abfd->is_linker_input)
++	    return false;
++	  abfd->read_only = 1;
+ 	}
+     }
+   dst->sh_link = H_GET_32 (abfd, src->sh_link);
+@@ -336,6 +339,7 @@ elf_swap_shdr_in (bfd *abfd,
+   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+   dst->bfd_section = NULL;
+   dst->contents = NULL;
++  return true;
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -628,9 +632,9 @@ elf_object_p (bfd *abfd)
+ 
+       /* Read the first section header at index 0, and convert to internal
+ 	 form.  */
+-      if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	  || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ 	goto got_no_match;
+-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+       /* If the section count is zero, the actual count is in the first
+ 	 section header.  */
+@@ -716,9 +720,9 @@ elf_object_p (bfd *abfd)
+ 	 to internal form.  */
+       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ 	{
+-	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++	  if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++	      || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ 	    goto got_no_match;
+-	  elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+ 	  /* Sanity check sh_link and sh_info.  */
+ 	  if (i_shdrp[shindex].sh_link >= num_sec)
+-- 
+2.33.0
diff --git a/gdb.spec b/gdb.spec
index 716d694c..f5d1186a 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -1,6 +1,6 @@
 Name: gdb
 Version: 11.1
-Release: 12
+Release: 13
 
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3
 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz
@@ -109,6 +109,7 @@ Patch90: backport-CVE-2023-39130.patch
 Patch91: backport-CVE-2022-48064.patch
 Patch92: backport-CVE-2025-11082.patch
 Patch93: backport-CVE-2025-11494.patch
+Patch94: backport-CVE-2025-11083.patch
 
 %global gdb_src gdb-%{version}
 %global gdb_build build-%{_target_platform}
@@ -385,6 +386,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/gdb.info*
 
 %changelog
+* Mon Oct 20 2025 yujingbo <yujingbo@kylinos.cn> - 11.1-13
+- fix CVE-2025-11083
+
 * Fri Oct 10 2025 Deyuan Fan <fandeyuan@kylinos.cn> - 11.1-12
 - fix CVE-2025-11494
 
-- 
Gitee