From 85d83a2439f47420e3763729384efd4dcf3cbc71 Mon Sep 17 00:00:00 2001
From: yujingbo
Date: Mon, 20 Oct 2025 14:15:53 +0800
Subject: [PATCH] fix CVE-2025-11083

(cherry picked from commit 323ec27967567fd96aa5f1d2e8454e7d3d61ee6f)
---
 backport-CVE-2025-11083.patch | 76 +++++++++++++++++++++++++++++++++++
 gdb.spec | 6 ++-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-11083.patch

diff --git a/backport-CVE-2025-11083.patch b/backport-CVE-2025-11083.patch
new file mode 100644
index 0000000..ba2c41b
--- /dev/null
+++ b/backport-CVE-2025-11083.patch
@@ -0,0 +1,76 @@
+From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Thu, 18 Sep 2025 16:59:25 -0700
+Subject: [PATCH] elf: Don't match corrupt section header in linker input
+
+Don't swap in nor match corrupt section header in linker input to avoid
+linker crash later.
+
+ PR ld/33457
+ * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return
+ false for corrupt section header in linker input.
+ (elf_object_p): Reject if elf_swap_shdr_in returns false.
+
+Signed-off-by: H.J. Lu
+---
+ bfd/elfcode.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index 9c65852e103..5224a1abee6 100644
+--- a/bfd/elfcode.h
++++ b/bfd/elfcode.h
+@@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
+ /* Translate an ELF section header table entry in external format into an
+ ELF section header table entry in internal format. */
+
+-static void
++static bool
+ elf_swap_shdr_in (bfd *abfd,
+ const Elf_External_Shdr *src,
+ Elf_Internal_Shdr *dst)
+@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd,
+ {
+ _bfd_error_handler (_("warning: %pB has a section "
+ "extending past end of file"), abfd);
++ /* PR ld/33457: Don't match corrupt section header. */
++ if (abfd->is_linker_input)
++ return false;
+ abfd->read_only = 1;
+ }
+ }
+@@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd,
+ dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
+ dst->bfd_section = NULL;
+ dst->contents = NULL;
++ return true;
+ }
+
+ /* Translate an ELF section header table entry in internal format into an
+@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd)
+
+ /* Read the first section header at index 0, and convert to internal
+ form. */
+- if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
+
+ /* If the section count is zero, the actual count is in the first
+ section header. */
+@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd)
+ to internal form. */
+ for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
+ {
+- if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++ if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
++ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
+ goto got_no_match;
+- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+
+ /* Sanity check sh_link and sh_info. */
+ if (i_shdrp[shindex].sh_link >= num_sec)
+--
+2.43.7
+
diff --git a/gdb.spec b/gdb.spec
index 5e52680..db5b1a0 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -1,6 +1,6 @@
 Name: gdb
 Version: 14.1
-Release: 8
+Release: 9
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3
 Source: https://ftp.gnu.org/gnu/gdb/gdb-%{version}.tar.xz
@@ -62,6 +62,7 @@ Patch48: Fix-CVE-2025-7546.patch
 Patch49: gdb-rhbz2259850-list-period-crash-fix.patch
 Patch50: backport-CVE-2025-11082.patch
 Patch51: backport-CVE-2025-11494.patch
+Patch52: backport-CVE-2025-11083.patch
 Patch9000: 0001-set-entry-point-when-text-segment-is-missing.patch
@@ -339,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/ctf-spec.info*
 %changelog
+* Mon Oct 20 2025 yujingbo - 14.1-9
+- fix CVE-2025-11083
+
 * Fri Oct 10 2025 Deyuan Fan - 14.1-8
 - fix CVE-2025-11494
--
Gitee
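Review bot: The new `return false` in elf_swap_shdr_in is reached only when `abfd->is_linker_input` is set, so for a bfd opened by gdb the corrupt-header path still falls through to `abfd->read_only = 1` and both callers in elf_object_p keep matching the object exactly as before; unless gdb sets that flag somewhere outside this patch (nothing here shows it does), the backport leaves gdb's handling of a section extending past end of file unchanged. It would be worth confirming on the reported input that the patched gdb build behaves differently, or otherwise recording in the spec changelog that this is a bfd-consistency backport rather than a behavioural fix for gdb itself. Note also that the hunk offsets (`@@ -642` and `@@ -730` in elf_object_p) come from binutils master in September 2025, while gdb 14.1 ships an older bfd, so the patch presumably applies with offset or fuzz and the resulting elfcode.h should be checked rather than assumed. The bodies of elf_swap_shdr_in and elf_object_p begin and end outside the quoted hunks.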