3 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc
index 2219ada4ac..3313e011bf 100644
--- a/meta/recipes-devtools/binutils/binutils-2.44.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -43,4 +43,6 @@ SRC_URI = "\
     file://0018-CVE-2025-5245.patch \
     file://0019-CVE-2025-5244.patch \
     file://0019-CVE-2025-3198.patch \
+     file://0020-CVE-2025-7546.patch \
+     file://0020-CVE-2025-7545.patch \
 "
diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch
new file mode 100644
index 0000000000..062d6721b6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch
@@ -0,0 +1,39 @@
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 21 Jun 2025 06:36:56 +0800
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
+CVE: CVE-2025-7545
+Since the output section contents are copied from the input, don't
+extend the output section size beyond the input section size.
+        PR binutils/33049
+        * objcopy.c (copy_section): Don't extend the output section
+        size beyond the input section size.
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index e2e6bd7e..3cbb3977 100644
+--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
+@@ -4634,6 +4634,7 @@ copy_section (bfd *ibfd, sec_ptr isection, bfd *obfd)
+          char *to = (char *) memhunk;
+          char *end = (char *) memhunk + size;
+          int i;
+         bfd_size_type memhunk_size = size;
+ 
+          /* If the section address is not exactly divisible by the interleave,
+             then we must bias the from address.  If the copy_byte is less than
+@@ -4653,6 +4654,11 @@ copy_section (bfd *ibfd, sec_ptr isection, bfd *obfd)
+              }
+ 
+          size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
+
+          /* Don't extend the output section size.  */
+          if (size > memhunk_size)
+            size = memhunk_size;
+         
+          osection->lma /= interleave;
+          if (copy_byte < extra)
+            osection->lma++;
diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch
new file mode 100644
index 0000000000..23c38091a2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch
@@ -0,0 +1,58 @@
+From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Sat, 21 Jun 2025 06:52:00 +0800
+Subject: [PATCH] elf: Report corrupted group section
+Report corrupted group section instead of trying to recover.
+        PR binutils/33050
+        * elf.c (bfd_elf_set_group_contents): Report corrupted group
+        section.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b]
+CVE: CVE-2025-7546
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+---
+ bfd/elf.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 14ce15c7254..ee894eb05f2 100644
+--- a/bfd/elf.c
+++ b/bfd/elf.c
+@@ -3971,20 +3971,17 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
+        break;
+     }
+ 
+-  /* We should always get here with loc == sec->contents + 4, but it is
+-     possible to craft bogus SHT_GROUP sections that will cause segfaults
+-     in objcopy without checking loc here and in the loop above.  */
+-  if (loc == sec->contents)
+-    BFD_ASSERT (0);
+-  else
+  /* We should always get here with loc == sec->contents + 4.  Return
+     an error for bogus SHT_GROUP sections.  */
+  loc -= 4;
+  if (loc != sec->contents)
+     {
+-      loc -= 4;
+-      if (loc != sec->contents)
+-       {
+-         BFD_ASSERT (0);
+-         memset (sec->contents + 4, 0, loc - sec->contents);
+-         loc = sec->contents;
+-       }
+      /* xgettext:c-format */
+      _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
+                         abfd, sec);
+      bfd_set_error (bfd_error_bad_value);
+      *failedptr = true;
+      return;
+     }
+ 
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+-- 
+2.43.5

diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc index 2219ada4ac..3313e011bf 100644 --- a/meta/recipes-devtools/binutils/binutils-2.44.inc +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc
@@ -43,4 +43,6 @@ SRC_URI = "\
43	file://0018-CVE-2025-5245.patch \	43	file://0018-CVE-2025-5245.patch \
44	file://0019-CVE-2025-5244.patch \	44	file://0019-CVE-2025-5244.patch \
45	file://0019-CVE-2025-3198.patch \	45	file://0019-CVE-2025-3198.patch \
		46	file://0020-CVE-2025-7546.patch \
		47	file://0020-CVE-2025-7545.patch \
46	"	48	"


diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch new file mode 100644 index 0000000000..062d6721b6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7545.patch
@@ -0,0 +1,39 @@
		1	From: "H.J. Lu" <hjl.tools@gmail.com>
		2	Date: Sat, 21 Jun 2025 06:36:56 +0800
		3
		4	Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944]
		5	CVE: CVE-2025-7545
		6
		7	Since the output section contents are copied from the input, don't
		8	extend the output section size beyond the input section size.
		9
		10	PR binutils/33049
		11	* objcopy.c (copy_section): Don't extend the output section
		12	size beyond the input section size.
		13
		14	Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
		15
		16	diff --git a/binutils/objcopy.c b/binutils/objcopy.c
		17	index e2e6bd7e..3cbb3977 100644
		18	--- a/binutils/objcopy.c
		19	+++ b/binutils/objcopy.c
		20	@@ -4634,6 +4634,7 @@ copy_section (bfd ibfd, sec_ptr isection, bfd obfd)
		21	char to = (char ) memhunk;
		22	char end = (char ) memhunk + size;
		23	int i;
		24	+ bfd_size_type memhunk_size = size;
		25
		26	/* If the section address is not exactly divisible by the interleave,
		27	then we must bias the from address. If the copy_byte is less than
		28	@@ -4653,6 +4654,11 @@ copy_section (bfd ibfd, sec_ptr isection, bfd obfd)
		29	}
		30
		31	size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
		32	+
		33	+ /* Don't extend the output section size. */
		34	+ if (size > memhunk_size)
		35	+ size = memhunk_size;
		36	+
		37	osection->lma /= interleave;
		38	if (copy_byte < extra)
		39	osection->lma++;


diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch new file mode 100644 index 0000000000..23c38091a2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2025-7546.patch
@@ -0,0 +1,58 @@
		1	From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
		2	From: "H.J. Lu" <hjl.tools@gmail.com>
		3	Date: Sat, 21 Jun 2025 06:52:00 +0800
		4	Subject: [PATCH] elf: Report corrupted group section
		5
		6	Report corrupted group section instead of trying to recover.
		7
		8	PR binutils/33050
		9	* elf.c (bfd_elf_set_group_contents): Report corrupted group
		10	section.
		11
		12	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b]
		13	CVE: CVE-2025-7546
		14
		15	Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
		16	Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
		17	---
		18	bfd/elf.c \| 23 ++++++++++-------------
		19	1 file changed, 10 insertions(+), 13 deletions(-)
		20
		21	diff --git a/bfd/elf.c b/bfd/elf.c
		22	index 14ce15c7254..ee894eb05f2 100644
		23	--- a/bfd/elf.c
		24	+++ b/bfd/elf.c
		25	@@ -3971,20 +3971,17 @@ bfd_elf_set_group_contents (bfd abfd, asection sec, void *failedptrarg)
		26	break;
		27	}
		28
		29	- /* We should always get here with loc == sec->contents + 4, but it is
		30	- possible to craft bogus SHT_GROUP sections that will cause segfaults
		31	- in objcopy without checking loc here and in the loop above. */
		32	- if (loc == sec->contents)
		33	- BFD_ASSERT (0);
		34	- else
		35	+ /* We should always get here with loc == sec->contents + 4. Return
		36	+ an error for bogus SHT_GROUP sections. */
		37	+ loc -= 4;
		38	+ if (loc != sec->contents)
		39	{
		40	- loc -= 4;
		41	- if (loc != sec->contents)
		42	- {
		43	- BFD_ASSERT (0);
		44	- memset (sec->contents + 4, 0, loc - sec->contents);
		45	- loc = sec->contents;
		46	- }
		47	+ /* xgettext:c-format */
		48	+ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
		49	+ abfd, sec);
		50	+ bfd_set_error (bfd_error_bad_value);
		51	+ *failedptr = true;
		52	+ return;
		53	}
		54
		55	H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
		56	--
		57	2.43.5
		58