From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Tue, 9 Sep 2025 18:32:09 +0930 Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section Trying to dump .sframe in a PE file results in a segfault accessing elf_section_data. * objdump (dump_sframe_section, dump_dwarf_section): Don't access elf_section_type without first checking the file is ELF. --- binutils/objdump.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b] CVE: CVE-2025-11081 Signed-off-by: Alan Modra Signed-off-by: Yash Shinde diff --git a/binutils/objdump.c b/binutils/objdump.c index 290f7e51f66..ee8823da05a 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -4418,6 +4418,10 @@ else match = name; + if (bfd_get_flavour (abfd) == bfd_target_elf_flavour + && elf_section_type (section) == SHT_GNU_SFRAME) + match = ".sframe"; + for (i = 0; i < max; i++) if ((strcmp (debug_displays [i].section.uncompressed_name, match) == 0 || strcmp (debug_displays [i].section.compressed_name, match) == 0 
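Review bot: The test added in dump_dwarf_section is only safe while `bfd_get_flavour (abfd) == bfd_target_elf_flavour` stays the left operand of `&&`, and nothing in the code records that. Per the commit message, elf_section_type goes through elf_section_data, which is not valid for a PE input, so a later reordering or a copy of the right-hand test alone would bring the SEGV back. I would add a comment above the `if`, such as `/* elf_section_type reads ELF-private section data; test the flavour first (PR 33406). */`. The function starts and ends outside this hunk, so the earlier assignments to `match` are only partly visible.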
@@ -4923,6 +4927,36 @@ } +static void +dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile) + +{ + /* Error checking for user provided SFrame section name, if any. */ + if (sect_name) + { + asection *sec = bfd_get_section_by_name (abfd, sect_name); + if (sec == NULL) + { + printf (_("No %s section present\n\n"), sanitize_string (sect_name)); + return; + } + /* Starting with Binutils 2.45, SFrame sections have section type + SHT_GNU_SFRAME. For SFrame sections from Binutils 2.44 or earlier, + check explcitly for SFrame sections of type SHT_PROGBITS and name + ".sframe" to allow them. */ + else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour + || (elf_section_type (sec) != SHT_GNU_SFRAME + && !(elf_section_type (sec) == SHT_PROGBITS + && strcmp (sect_name, ".sframe") == 0))) + { + printf (_("Section %s does not contain SFrame data\n\n"), + sanitize_string (sect_name)); + return; + } + } + dump_dwarf (abfd, is_mainfile); +} + static void dump_target_specific (bfd *abfd) { const struct objdump_private_desc * const *desc; diff --git a/include/elf/common.h b/include/elf/common.h --- a/include/elf/common.h +++ b/include/elf/common.h @@ -528,6 +528,8 @@ #define SHT_LOOS 0x60000000 /* First of OS specific semantics */ #define SHT_HIOS 0x6fffffff /* Last of OS specific semantics */ +#define SHT_GNU_SFRAME 0x6ffffff4 /* SFrame stack trace information. */ + #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700 /* incremental build data */ #define SHT_GNU_ATTRIBUTES 0x6ffffff5 /* Object attributes */ #define SHT_GNU_HASH 0x6ffffff6 /* GNU style symbol hash table */
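Review bot: In dump_sframe_section the flavour check sits inside `if (sect_name)`, so a call with a NULL sect_name goes straight to `dump_dwarf (abfd, is_mainfile)` with no ELF test of its own. That path is presumably covered by the guard in dump_dwarf_section from the first hunk, but dump_dwarf is not visible here, so the dependency deserves a comment before the call, for example `/* No section name given: non-ELF inputs are filtered by the flavour check in dump_dwarf_section. */`. The diffstat lists only binutils/objdump.c, so no regression test for dumping SFrame data from a non-ELF object appears to accompany the fix; one would keep both guards from regressing. The comment in the `else if` branch also misspells "explicitly" as `explcitly`.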