From 4f309389af263a377c40da3ca1b9698bda64e0e2 Mon Sep 17 00:00:00 2001
From: wangxiao65
Date: Mon, 27 Oct 2025 15:39:00 +0800
Subject: [PATCH] fix CVE-2025-11083
(cherry picked from commit c601f59ba29e915d6e594d7c156093ecc21e2bec)
---
 backport-0001-CVE-2025-11083.patch | 95 ++++++++++++++++++++++++++++++
 backport-0002-CVE-2025-11083.patch | 79 +++++++++++++++++++++++++
 gdb.spec | 7 ++-
 3 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2025-11083.patch
 create mode 100644 backport-0002-CVE-2025-11083.patch
diff --git a/backport-0001-CVE-2025-11083.patch b/backport-0001-CVE-2025-11083.patch
new file mode 100644
index 0000000..0ba215c
--- /dev/null
+++ b/backport-0001-CVE-2025-11083.patch
@@ -0,0 +1,95 @@
+From c45c3dba8cc80a41c4e0839df43c435c7aa0996d Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Fri, 29 Oct 2021 15:09:52 +1030
+Subject: [PATCH] ELF core file size checks
+
+Catch fuzzed segments where p_offset + p_filesz wraps, and limit error
+output.
+
+ * elfcore.h (elf_core_file_p): Rewrite segment checks using
+ bfd_get_file_size. Set read_only on file size errors.
+ * elfcode.h (elf_swap_shdr_in): Don't repeat error message.
+Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c45c3dba8cc80a41c4e0839df43c435c7aa0996d
+Conflict:NA
+---
+ bfd/elfcode.h | 5 +++--
+ bfd/elfcore.h | 39 ++++++++++++++++-----------------------
+ 2 files changed, 19 insertions(+), 25 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 7eb27c2e16d..ee88fce487d 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -325,9 +325,10 @@ elf_swap_shdr_in (bfd *abfd,
+ && ((ufile_ptr) dst->sh_offset > filesize
+ || dst->sh_size > filesize - dst->sh_offset))
+ {
++ if (!abfd->read_only)
++ _bfd_error_handler (_("warning: %pB has a section "
++ "extending past end of file"), abfd);
+ abfd->read_only = 1;
+- _bfd_error_handler (_("warning: %pB has a section "
+- "extending past end of file"), abfd);
+ }
+ }
+ dst->sh_link = H_GET_32 (abfd, src->sh_link);
+diff --git a/bfd/elfcore.h b/bfd/elfcore.h
+index c0cdceba42a..832818f6cd1 100644
+--- a/bfd/elfcore.h
++++ b/bfd/elfcore.h
+@@ -92,6 +92,7 @@ elf_core_file_p (bfd *abfd)
+ unsigned int phindex;
+ const struct elf_backend_data *ebd;
+ bfd_size_type amt;
++ ufile_ptr filesize;
+ 
+ /* Read in the ELF header in external format. */
+ if (bfd_bread (&x_ehdr, sizeof (x_ehdr), abfd) != sizeof (x_ehdr))
+@@ -286,29 +287,21 @@ elf_core_file_p (bfd *abfd)
+ goto fail;
+ 
+ /* Check for core truncation. 
*/
+- {
+- bfd_size_type high = 0;
+- struct stat statbuf;
+- for (phindex = 0; phindex < i_ehdrp->e_phnum; ++phindex)
+- {
+- Elf_Internal_Phdr *p = i_phdrp + phindex;
+- if (p->p_filesz)
+- {
+- bfd_size_type current = p->p_offset + p->p_filesz;
+- if (high < current)
+- high = current;
+- }
+- }
+- if (bfd_stat (abfd, &statbuf) == 0)
+- {
+- if ((bfd_size_type) statbuf.st_size < high)
+- {
+- _bfd_error_handler
+- /* xgettext:c-format */
+- (_("warning: %pB is truncated: expected core file "
+- "size >= %" PRIu64 ", found: %" PRIu64),
+- abfd, (uint64_t) high, (uint64_t) statbuf.st_size);
+- }
++ filesize = bfd_get_file_size (abfd);
++ if (filesize != 0)
++ {
++ for (phindex = 0; phindex < i_ehdrp->e_phnum; ++phindex)
++ {
++ Elf_Internal_Phdr *p = i_phdrp + phindex;
++ if (p->p_filesz
++ && (p->p_offset >= filesize
++ || p->p_filesz > filesize - p->p_offset))
++ {
++ _bfd_error_handler (_("warning: %pB has a segment "
++ "extending past end of file"), abfd);
++ abfd->read_only = 1;
++ break;
++ }
+ }
+ }
+ 
+-- 
+2.43.0
+
diff --git a/backport-0002-CVE-2025-11083.patch b/backport-0002-CVE-2025-11083.patch
new file mode 100644
index 0000000..e58156c
--- /dev/null
+++ b/backport-0002-CVE-2025-11083.patch
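Review bot: Nothing in this patch header or in the outer changelog says why a 2021 commit (c45c3dba, "ELF core file size checks") is carried under the CVE-2025-11083 name; as far as I can tell it is here so that the `if (!abfd->read_only)` line its elfcode.h hunk introduces exists as context for backport-0002's `@@ -341,6 +341,9 @@` hunk in gdb 11.1's bfd. A one-line note after `Conflict:NA`, e.g. `Prerequisite: supplies the read_only context required by backport-0002-CVE-2025-11083.patch`, would spare the next maintainer re-deriving that. On the code itself, the rewritten elfcore.h check now marks the BFD `read_only` (the replaced `bfd_stat` version only warned with the expected/found sizes) and `break`s after the first segment extending past `filesize`, so exactly one warning is printed per file; that matches the "limit error output" intent stated in the header. elf_core_file_p begins and ends outside the hunk.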
@@ -0,0 +1,79 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+
+ PR ld/33457
+ * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return
+ false for corrupt section header in linker input.
+ (elf_object_p): Reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: H.J. Lu
+
+Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490
+Conflict:Adapt patch context
+---
+ bfd/elfcode.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 9c65852e103..5224a1abee6 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+ ELF section header table entry in internal format. */
+ 
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ const Elf_External_Shdr *src,
+ Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+ if (!abfd->read_only)
+ _bfd_error_handler (_("warning: %pB has a section "
+ "extending past end of file"), abfd);
++ /* PR ld/33457: Don't match corrupt section header. */
++ if (abfd->is_linker_input)
++ return false;
+ abfd->read_only = 1;
+ }
+ }
+@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
+ dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+ dst->bfd_section = NULL;
+ dst->contents = NULL;
++ return true;
+ }
+ 
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
+ 
+ /* Read the first section header at index 0, and convert to internal
+ form. 
*/
+- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+ 
+ /* If the section count is zero, the actual count is in the first
+ section header. */
+@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
+ to internal form. */
+ for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ {
+- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ 
+ /* Sanity check sh_link and sh_info. */
+ if (i_shdrp[shindex].sh_link >= num_sec)
+-- 
+2.43.0
+
diff --git a/gdb.spec b/gdb.spec
index 3ac5bd1..90473e8 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -1,6 +1,6 @@
 Name: gdb
 Version: 11.1
-Release: 13
+Release: 14
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3
 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz
@@ -112,6 +112,8 @@ Patch93: backport-CVE-2025-11494.patch
 Patch94: backport-0001-CVE-2021-32256.patch
 Patch95: backport-0002-CVE-2021-32256.patch
 Patch96: backport-0003-CVE-2021-32256.patch
+Patch97: backport-0001-CVE-2025-11083.patch
+Patch98: backport-0002-CVE-2025-11083.patch
 %global gdb_src gdb-%{version}
 %global gdb_build build-%{_target_platform}
@@ -388,6 +390,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/gdb.info*
 %changelog
+* Mon Oct 27 2025 wangxiao - 11.1-14
+- fix CVE-2025-11083
+
* Thu Oct 23 2025 wangxiao - 11.1-13
 - fix CVE-2021-32256
-- Gitee
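Review bot: The early return added to elf_swap_shdr_in in the `@@ -341,6 +341,9 @@` hunk, `if (abfd->is_linker_input) return false;`, fires only for linker input; for every other reader the corrupt section header is still swapped in and the BFD merely marked `read_only`, exactly as before this patch. gdb opens object and core files as a debugger, so unless something in gdb 11.1 sets `is_linker_input` (not visible from here) the two new `|| !elf_swap_shdr_in (...)` rejections in elf_object_p are never taken in this package and the backport's effect on gdb is limited to the changed return type. It is worth confirming that the PR ld/33457 crash path is reachable from gdb at all before relying on this patch as the CVE-2025-11083 mitigation, and recording the answer in the changelog entry. elf_swap_shdr_in and elf_object_p both extend beyond the hunks shown.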
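Review bot: The `@@ -112,6 +112,8 @@` hunk declares `Patch97` and `Patch98` but the diff contains no corresponding `%patch97 -p1` / `%patch98 -p1` lines in `%prep`; if this spec applies its patch list with `%autosetup` that is fine, but if `%prep` (outside the hunks shown) enumerates explicit `%patchN` calls, the two backports would be declared, never applied, and the package would still build and ship as "fixed". Please confirm which form `%prep` uses. The release bump to `14` and the changelog entry `fix CVE-2025-11083` are consistent with each other.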