diff --git a/SPECS/gdb/CVE-2025-1176.patch b/SPECS/gdb/CVE-2025-1176.patch
new file mode 100644
index 00000000000..47a5e59035b
--- /dev/null
+++ b/SPECS/gdb/CVE-2025-1176.patch
@@ -0,0 +1,159 @@
+From 762fa3949f284e522629846fd9824cd9368dbb75 Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Wed, 5 Feb 2025 11:15:11 +0000
+Subject: [PATCH] Prevent illegal memory access when indexing into the
+ sym_hashes array of the elf bfd cookie structure.
+
+PR 32636
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=f9978defb6fab0bd8583942d97c112b0932ac814
+---
+ bfd/elflink.c | 90 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 45 insertions(+), 45 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index fc3edef..afafbbb 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -62,22 +62,37 @@ struct elf_find_verdep_info
+ static bool _bfd_elf_fix_symbol_flags
+ (struct elf_link_hash_entry *, struct elf_info_failed *);
+
+-asection *
+-_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+- unsigned long r_symndx,
+- bool discard)
++static struct elf_link_hash_entry *
++get_ext_sym_hash (struct elf_reloc_cookie *cookie, unsigned long r_symndx)
+ {
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
++ struct elf_link_hash_entry *h = NULL;
+
++ if ((r_symndx >= cookie->locsymcount
++ || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ /* Guard against corrupt input. See PR 32636 for an example. */
++ && r_symndx >= cookie->extsymoff)
++ {
+ h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+
+ while (h->root.type == bfd_link_hash_indirect
+ || h->root.type == bfd_link_hash_warning)
+ h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ }
++
++ return h;
++}
+
++asection *
++_bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
++ unsigned long r_symndx,
++ bool discard)
++{
++ struct elf_link_hash_entry *h;
++
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && discarded_section (h->root.u.def.section))
+@@ -85,21 +100,20 @@ _bfd_elf_section_for_symbol (struct elf_reloc_cookie *cookie,
+ else
+ return NULL;
+ }
+- else
+- {
+- /* It's not a relocation against a global symbol,
+- but it could be a relocation against a local
+- symbol for a discarded section. */
+- asection *isec;
+- Elf_Internal_Sym *isym;
+
+- /* Need to: get the symbol; get the section. */
+- isym = &cookie->locsyms[r_symndx];
+- isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
+- if (isec != NULL
+- && discard ? discarded_section (isec) : 1)
+- return isec;
+- }
++ /* It's not a relocation against a global symbol,
++ but it could be a relocation against a local
++ symbol for a discarded section. */
++ asection *isec;
++ Elf_Internal_Sym *isym;
++
++ /* Need to: get the symbol; get the section. */
++ isym = &cookie->locsyms[r_symndx];
++ isec = bfd_section_from_elf_index (cookie->abfd, isym->st_shndx);
++ if (isec != NULL
++ && discard ? discarded_section (isec) : 1)
++ return isec;
++
+ return NULL;
+ }
+
+@@ -13707,22 +13721,12 @@ _bfd_elf_gc_mark_rsec (struct bfd_link_info *info, asection *sec,
+ if (r_symndx == STN_UNDEF)
+ return NULL;
+
+- if (r_symndx >= cookie->locsymcount
+- || ELF_ST_BIND (cookie->locsyms[r_symndx].st_info) != STB_LOCAL)
++ h = get_ext_sym_hash (cookie, r_symndx);
++
++ if (h != NULL)
+ {
+ bool was_marked;
+
+- h = cookie->sym_hashes[r_symndx - cookie->extsymoff];
+- if (h == NULL)
+- {
+- info->callbacks->einfo (_("%F%P: corrupt input: %pB\n"),
+- sec->owner);
+- return NULL;
+- }
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
+-
+ was_marked = h->mark;
+ h->mark = 1;
+ /* Keep all aliases of the symbol too. If an object symbol
+@@ -14768,17 +14772,12 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ if (r_symndx == STN_UNDEF)
+ return true;
+
+- if (r_symndx >= rcookie->locsymcount
+- || ELF_ST_BIND (rcookie->locsyms[r_symndx].st_info) != STB_LOCAL)
+- {
+- struct elf_link_hash_entry *h;
+-
+- h = rcookie->sym_hashes[r_symndx - rcookie->extsymoff];
+-
+- while (h->root.type == bfd_link_hash_indirect
+- || h->root.type == bfd_link_hash_warning)
+- h = (struct elf_link_hash_entry *) h->root.u.i.link;
++ struct elf_link_hash_entry *h;
+
++ h = get_ext_sym_hash (rcookie, r_symndx);
++
++ if (h != NULL)
++ {
+ if ((h->root.type == bfd_link_hash_defined
+ || h->root.type == bfd_link_hash_defweak)
+ && (h->root.u.def.section->owner != rcookie->abfd
+@@ -14802,6 +14801,7 @@ bfd_elf_reloc_symbol_deleted_p (bfd_vma offset, void *cookie)
+ || discarded_section (isec)))
+ return true;
+ }
++
+ return false;
+ }
+ return false;
+--
+2.45.4
+
diff --git a/SPECS/gdb/CVE-2025-1178.patch b/SPECS/gdb/CVE-2025-1178.patch
new file mode 100644
index 00000000000..bc62f2250f5
--- /dev/null
+++ b/SPECS/gdb/CVE-2025-1178.patch
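Review bot: The new `get_ext_sym_hash` helper dereferences `h->root.type` right after loading `cookie->sym_hashes[r_symndx - cookie->extsymoff]`, while the `if (h == NULL)` corrupt-input check that the same patch deletes from `_bfd_elf_gc_mark_rsec` is not carried over, so a NULL slot would now be dereferenced in the helper's `while` loop. The added guard also bounds the index only from below (`r_symndx >= cookie->extsymoff`); no upper limit against the number of `sym_hashes` entries is visible in these hunks, so it should be confirmed that an oversized `r_symndx` from a corrupt file cannot reach the array read. I would keep the NULL test in the helper, e.g. `while (h != NULL && (h->root.type == bfd_link_hash_indirect || h->root.type == bfd_link_hash_warning))`, and put a comment next to the index stating what bounds it from above. A NULL return also sends callers down the local-symbol path, where `_bfd_elf_section_for_symbol` reads `cookie->locsyms[r_symndx]` without re-checking `r_symndx < cookie->locsymcount`; that is only safe if `extsymoff` can never exceed `locsymcount`, which is not shown here. `_bfd_elf_gc_mark_rsec` and `bfd_elf_reloc_symbol_deleted_p` both start and end outside their hunks.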
@@ -0,0 +1,37 @@
+From f0e64304059decf627cee992330188eaf87761aa Mon Sep 17 00:00:00 2001
+From: Nick Clifton
+Date: Wed, 5 Feb 2025 13:26:51 +0000
+Subject: [PATCH] Prevent an abort in the bfd linker when attempting to
+ generate dynamic relocs for a corrupt input file.
+
+PR 32638
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75086e9de1707281172cc77f178e7949a4414ed0;a=patch;
+---
+ bfd/elf64-x86-64.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 8cf733d..4fd5d01 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -4646,6 +4646,15 @@ elf_x86_64_finish_dynamic_symbol (bfd *output_bfd,
+
+ if (generate_dynamic_reloc)
+ {
++ /* If the relgot section has not been created, then
++ generate an error instead of a reloc. cf PR 32638. */
++ if (relgot == NULL || relgot->size == 0)
++ {
++ info->callbacks->einfo (_("%F%pB: Unable to generate dynamic relocs because a suitable section does not exist\n"),
++ output_bfd);
++ return false;
++ }
++
+ if (relative_reloc_name != NULL
+ && htab->params->report_relative_reloc)
+ _bfd_x86_elf_link_report_relative_reloc
+--
+2.45.4
+
diff --git a/SPECS/gdb/gdb.spec b/SPECS/gdb/gdb.spec
index a7fa3dd8ddb..6787481c5b0 100644
--- a/SPECS/gdb/gdb.spec
+++ b/SPECS/gdb/gdb.spec
@@ -1,7 +1,7 @@
 Summary: C debugger
 Name: gdb
 Version: 13.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,8 @@ Patch3: CVE-2025-7546.patch
 Patch4: CVE-2025-11082.patch
 Patch5: CVE-2026-4647.patch
 Patch6: CVE-2026-6846.patch
+Patch7: CVE-2025-1178.patch
+Patch8: CVE-2025-1176.patch
 BuildRequires: expat-devel
 BuildRequires: gcc-c++
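Review bot: The guard added at the top of the `if (generate_dynamic_reloc)` block rejects only a missing or zero-sized `relgot`; it does not establish that the section still has room for the entry about to be written. The code that appends the reloc lies outside this hunk, so whether it bounds its own write is not visible here, but a corrupt input that yields a non-empty yet undersized section would pass `relgot->size == 0` and should be checked against that append path. Once verified, the comment could state the limit of the check, e.g. `/* Only catches a missing or empty relgot; capacity is enforced by <append routine>.  */`. `elf_x86_64_finish_dynamic_symbol` begins and ends outside the hunk.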
@@ -109,6 +111,9 @@ make check TESTS='gdb.base/default.exp'
 %{_mandir}/*/*
 %changelog
+* Tue May 19 2026 Azure Linux Security Servicing Account - 13.2-9
+- Patch for CVE-2025-1178, CVE-2025-1176
+
 * Mon May 04 2026 Azure Linux Security Servicing Account - 13.2-8
 - Patch for CVE-2026-6846