binutils: CVE-2017-12449, CVE-2017_12455, CVE-2017-12457, CVE-2017-12458, CVE-2017-12459

Source: git://sourceware.org/git/binutils-gdb.git MR: 73867, 73788, 73762, 73749, 73734 Type: Security Fix Disposition: Backport from binutils-2_29-branch ChangeID: 29a1fd75a879d40560b3891305b7d9577e26ffe5 Description: Fix address violation issues encountered when parsing corrupt binaries. PR 21840 * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab size is -1. * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion with error return. * section.c (bfd_make_section_with_flags): Fail if the name or bfd are NULL. * vms-alpha.c (bfd_make_section_with_flags): Correct computation of end pointer. (evax_bfd_print_emh): Check for invalid string lengths. Fix address violations when reading corrupt VMS records. PR binutils/21618 * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record length. (evax_bfd_print_eeom): Likewise. (evax_bfd_print_egsd): Check for an overlarge record length. (evax_bfd_print_etir): Likewise. Affects: <= 2.29 (From OE-Core rev: 62c4dc16dd8fe99cba970c5e7d8dfc063855d4b9) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-08-30 17:54:52 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: 1ffd39135ac29b976cb86d30a0e640e782a6cbe9 (patch)
tree: 02c8fdf27a606327dbb6efd29ea9e6a53785a857
parent: 7963e14e406ce4bb596d1928e5623a7a0911837e (diff)
download: poky-1ffd39135ac29b976cb86d30a0e640e782a6cbe9.tar.gz
3 files changed, 339 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 772df0af30..8cb7abc08a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
     file://CVE-2017-9041_2.patch \
     file://CVE-2017-7226.patch \
     file://CVE-2017-12448.patch \
+     file://CVE-2017-12449_12455_12457_1.patch \
+     file://CVE-2017-12449_12455_12457.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
new file mode 100644
index 0000000000..d7512b3829
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
+commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Thu Jul 27 12:04:50 2017 +0100
+    Fix address violation issues encountered when parsing corrupt binaries.
+    
+        PR 21840
+        * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+        size is -1.
+        * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+        with error return.
+        * section.c (bfd_make_section_with_flags): Fail if the name or bfd
+        are NULL.
+        * vms-alpha.c (bfd_make_section_with_flags): Correct computation
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+Upstream-Status: Backport
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c       2017-08-30 17:21:59.684671218 +0530
+++ git/bfd/mach-o.c    2017-08-30 17:22:19.136813620 +0530
+@@ -3739,6 +3739,9 @@
+     }
+   else
+     {
+      /* See PR 21840 for a reproducer.  */
+      if ((sym->strsize + 1) == 0)
+       return FALSE;
+       sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+       if (sym->strtab == NULL)
+         return FALSE;
+Index: git/bfd/nlmcode.h
+===================================================================
+--- git.orig/bfd/nlmcode.h      2017-08-30 17:21:59.688671247 +0530
+++ git/bfd/nlmcode.h   2017-08-30 17:22:19.140813649 +0530
+@@ -351,7 +351,9 @@
+              bfd_byte *contents;
+              bfd_byte *p, *pend;
+ 
+-             BFD_ASSERT (hdrLength == 0 && hdr == NULL);
+             /* See PR 21840 for a reproducer.  */
+             if (hdrLength != 0 || hdr != NULL)
+               return FALSE;
+ 
+              pos = bfd_tell (abfd);
+              if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c      2017-08-30 17:21:59.708671392 +0530
+++ git/bfd/section.c   2017-08-30 17:22:19.140813649 +0530
+@@ -1240,7 +1240,7 @@
+   struct section_hash_entry *sh;
+   asection *newsect;
+ 
+-  if (abfd->output_has_begun)
+  if (abfd == NULL || name == NULL || abfd->output_has_begun)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return NULL;
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-08-30 17:22:19.080813209 +0530
+++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
+@@ -5562,8 +5562,9 @@
+ {
+   struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+   unsigned int subtype;
+  int extra;
+ 
+-  subtype = (unsigned)bfd_getl16 (emh->subtyp);
+  subtype = (unsigned) bfd_getl16 (emh->subtyp);
+ 
+   fprintf (file, _("  EMH %u (len=%u): "), subtype, rec_len);
+ 
+@@ -5573,58 +5574,82 @@
+       fprintf (file, _("   Error: The length is less than the length of an EMH record\n"));
+       return;
+     }
+-  
+  extra = rec_len - sizeof (struct vms_emh_common);
+
+   switch (subtype)
+     {
+     case EMH__C_MHD:
+       {
+-        struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+-        const char *name;
+        struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
+        const char * name;
+       const char * nextname;
+       const char * maxname;
+ 
+       /* PR 21840: Check for invalid lengths.  */
+       if (rec_len < sizeof (* mhd))
+         {
+           fprintf (file, _("   Error: The record length is less than the size of an EMH_MHD record\n"));
+           return;
+         }
+         fprintf (file, _("Module header\n"));
+         fprintf (file, _("   structure level: %u\n"), mhd->strlvl);
+         fprintf (file, _("   max record size: %u\n"),
+-                 (unsigned)bfd_getl32 (mhd->recsiz));
+                 (unsigned) bfd_getl32 (mhd->recsiz));
+         name = (char *)(mhd + 1);
+       maxname = (char *) rec + rec_len;
+       if (name > maxname - 2)
+         {
+           fprintf (file, _("   Error: The module name is missing\n"));
+           return;
+         }
+       nextname = name + name[0] + 1;
+       if (nextname >= maxname)
+         {
+           fprintf (file, _("   Error: The module name is too long\n"));
+           return;
+         }
+         fprintf (file, _("   module name    : %.*s\n"), name[0], name + 1);
+-        name += name[0] + 1;
+        name = nextname;
+       if (name > maxname - 2)
+         {
+           fprintf (file, _("   Error: The module version is missing\n"));
+           return;
+         }
+       nextname = name + name[0] + 1;
+       if (nextname >= maxname)
+         {
+           fprintf (file, _("   Error: The module version is too long\n"));
+           return;
+         }
+         fprintf (file, _("   module version : %.*s\n"), name[0], name + 1);
+-        name += name[0] + 1;
+-        fprintf (file, _("   compile date   : %.17s\n"), name);
+        name = nextname;
+       if ((maxname - name) < 17 && maxname[-1] != 0)
+         fprintf (file, _("   Error: The compile date is truncated\n"));
+       else
+         fprintf (file, _("   compile date   : %.17s\n"), name);
+       }
+       break;
+
+     case EMH__C_LNM:
+-      {
+-        fprintf (file, _("Language Processor Name\n"));
+-        fprintf (file, _("   language name: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Language Processor Name\n"));
+      fprintf (file, _("   language name: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_SRC:
+-      {
+-        fprintf (file, _("Source Files Header\n"));
+-        fprintf (file, _("   file: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Source Files Header\n"));
+      fprintf (file, _("   file: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_TTL:
+-      {
+-        fprintf (file, _("Title Text Header\n"));
+-        fprintf (file, _("   title: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Title Text Header\n"));
+      fprintf (file, _("   title: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_CPR:
+-      {
+-        fprintf (file, _("Copyright Header\n"));
+-        fprintf (file, _("   copyright: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Copyright Header\n"));
+      fprintf (file, _("   copyright: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     default:
+       fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+       break;
+Index: git/bfd/vms-misc.c
+===================================================================
+--- git.orig/bfd/vms-misc.c     2017-08-30 17:21:59.716671451 +0530
+++ git/bfd/vms-misc.c  2017-08-30 17:22:19.140813649 +0530
+@@ -135,8 +135,8 @@
+ #endif
+ 
+ 
+-/* Copy sized string (string with fixed size) to new allocated area
+-   size is string size (size of record)  */
+/* Copy sized string (string with fixed size) to new allocated area.
+   Size is string size (size of record).  */
+ 
+ char *
+ _bfd_vms_save_sized_string (unsigned char *str, int size)
+@@ -151,8 +151,8 @@
+   return newstr;
+ }
+ 
+-/* Copy counted string (string with size at first byte) to new allocated area
+-   ptr points to size byte on entry  */
+/* Copy counted string (string with size at first byte) to new allocated area.
+   PTR points to size byte on entry.  */
+ 
+ char *
+ _bfd_vms_save_counted_string (unsigned char *ptr)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-08-30 17:22:19.080813209 +0530
+++ git/bfd/ChangeLog   2017-08-30 17:23:51.069502425 +0530
+@@ -1,3 +1,16 @@
+2017-07-27  Nick Clifton  <nickc@redhat.com>
+
+       PR 21840
+       * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+       size is -1.
+       * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+       with error return.
+       * section.c (bfd_make_section_with_flags): Fail if the name or bfd
+       are NULL.
+       * vms-alpha.c (bfd_make_section_with_flags): Correct computation
+       of end pointer.
+       (evax_bfd_print_emh): Check for invalid string lengths.
+
+ 2017-07-19  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21787
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
new file mode 100644
index 0000000000..6dae0f6c24
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
+commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Jun 19 14:52:36 2017 +0100
+    Fix address violations when reading corrupt VMS records.
+    
+        PR binutils/21618
+        * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+        length.
+        (evax_bfd_print_eeom): Likewise.
+        (evax_bfd_print_egsd): Check for an overlarge record length.
+        (evax_bfd_print_etir): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-08-30 17:08:27.408159234 +0530
+++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
+@@ -5567,6 +5567,13 @@
+ 
+   fprintf (file, _("  EMH %u (len=%u): "), subtype, rec_len);
+ 
+  /* PR 21618: Check for invalid lengths.  */
+  if (rec_len < sizeof (* emh))
+    {
+      fprintf (file, _("   Error: The length is less than the length of an EMH record\n"));
+      return;
+    }
+  
+   switch (subtype)
+     {
+     case EMH__C_MHD:
+@@ -5630,6 +5637,14 @@
+   struct vms_eeom *eeom = (struct vms_eeom *)rec;
+ 
+   fprintf (file, _("  EEOM (len=%u):\n"), rec_len);
+
+  /* PR 21618: Check for invalid lengths.  */
+  if (rec_len < sizeof (* eeom))
+    {
+      fprintf (file, _("   Error: The length is less than the length of an EEOM record\n"));
+      return;
+    }
+  
+   fprintf (file, _("   number of cond linkage pairs: %u\n"),
+            (unsigned)bfd_getl32 (eeom->total_lps));
+   fprintf (file, _("   completion code: %u\n"),
+@@ -5718,6 +5733,12 @@
+                n, type, len);
+       n++;
+ 
+      if (off + len > rec_len || off + len < off)
+       {
+         fprintf (file, _("   Error: length larger than remaining space in record\n"));
+         return;
+       }
+
+       switch (type)
+         {
+         case EGSD__C_PSC:
+@@ -5958,6 +5979,12 @@
+       size = bfd_getl16 (etir->size);
+       buf = rec + off + sizeof (struct vms_etir);
+ 
+      if (off + size > rec_len || off + size < off)
+       {
+         fprintf (file, _("   Error: length larger than remaining space in record\n"));
+         return;
+       }
+
+       fprintf (file, _("   (type: %3u, size: 4+%3u): "), type, size - 4);
+       switch (type)
+         {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-08-30 17:08:43.612213596 +0530
+++ git/bfd/ChangeLog   2017-08-30 17:13:27.217438742 +0530
+@@ -5,6 +5,15 @@
+        correct magic bytes at the start, set the error to wrong format
+        and clear the format selector before returning NULL.
+ 
+ 2017-06-19  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21618
+       * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+       length.
+       (evax_bfd_print_eeom): Likewise.
+       (evax_bfd_print_egsd): Check for an overlarge record length.
+       (evax_bfd_print_etir): Likewise.
+
+ 2017-04-25  Maciej W. Rozycki  <macro@imgtec.com>
+ 
+        * readelf.c (process_mips_specific): Remove error reporting from
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-08-30 17:54:52 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	1ffd39135ac29b976cb86d30a0e640e782a6cbe9 (patch)
tree	02c8fdf27a606327dbb6efd29ea9e6a53785a857
parent	7963e14e406ce4bb596d1928e5623a7a0911837e (diff)
download	poky-1ffd39135ac29b976cb86d30a0e640e782a6cbe9.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 772df0af30..8cb7abc08a 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
54	file://CVE-2017-9041_2.patch \	54	file://CVE-2017-9041_2.patch \
55	file://CVE-2017-7226.patch \	55	file://CVE-2017-7226.patch \
56	file://CVE-2017-12448.patch \	56	file://CVE-2017-12448.patch \
		57	file://CVE-2017-12449_12455_12457_1.patch \
		58	file://CVE-2017-12449_12455_12457.patch \
57	"	59	"
58	S = "${WORKDIR}/git"	60	S = "${WORKDIR}/git"
59		61


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch new file mode 100644 index 0000000000..d7512b3829 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
		1	commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Thu Jul 27 12:04:50 2017 +0100
		4
		5	Fix address violation issues encountered when parsing corrupt binaries.
		6
		7	PR 21840
		8	* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
		9	size is -1.
		10	* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
		11	with error return.
		12	* section.c (bfd_make_section_with_flags): Fail if the name or bfd
		13	are NULL.
		14	* vms-alpha.c (bfd_make_section_with_flags): Correct computation
		15	of end pointer.
		16	(evax_bfd_print_emh): Check for invalid string lengths.
		17
		18	Upstream-Status: Backport
		19
		20	CVE: CVE-2017-12449_12455_12457
		21	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		22
		23	Index: git/bfd/mach-o.c
		24	===================================================================
		25	--- git.orig/bfd/mach-o.c 2017-08-30 17:21:59.684671218 +0530
		26	+++ git/bfd/mach-o.c 2017-08-30 17:22:19.136813620 +0530
		27	@@ -3739,6 +3739,9 @@
		28	}
		29	else
		30	{
		31	+ /* See PR 21840 for a reproducer. */
		32	+ if ((sym->strsize + 1) == 0)
		33	+ return FALSE;
		34	sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
		35	if (sym->strtab == NULL)
		36	return FALSE;
		37	Index: git/bfd/nlmcode.h
		38	===================================================================
		39	--- git.orig/bfd/nlmcode.h 2017-08-30 17:21:59.688671247 +0530
		40	+++ git/bfd/nlmcode.h 2017-08-30 17:22:19.140813649 +0530
		41	@@ -351,7 +351,9 @@
		42	bfd_byte *contents;
		43	bfd_byte p, pend;
		44
		45	- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
		46	+ /* See PR 21840 for a reproducer. */
		47	+ if (hdrLength != 0 \|\| hdr != NULL)
		48	+ return FALSE;
		49
		50	pos = bfd_tell (abfd);
		51	if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
		52	Index: git/bfd/section.c
		53	===================================================================
		54	--- git.orig/bfd/section.c 2017-08-30 17:21:59.708671392 +0530
		55	+++ git/bfd/section.c 2017-08-30 17:22:19.140813649 +0530
		56	@@ -1240,7 +1240,7 @@
		57	struct section_hash_entry *sh;
		58	asection *newsect;
		59
		60	- if (abfd->output_has_begun)
		61	+ if (abfd == NULL \|\| name == NULL \|\| abfd->output_has_begun)
		62	{
		63	bfd_set_error (bfd_error_invalid_operation);
		64	return NULL;
		65	Index: git/bfd/vms-alpha.c
		66	===================================================================
		67	--- git.orig/bfd/vms-alpha.c 2017-08-30 17:22:19.080813209 +0530
		68	+++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
		69	@@ -5562,8 +5562,9 @@
		70	{
		71	struct vms_emh_common emh = (struct vms_emh_common )rec;
		72	unsigned int subtype;
		73	+ int extra;
		74
		75	- subtype = (unsigned)bfd_getl16 (emh->subtyp);
		76	+ subtype = (unsigned) bfd_getl16 (emh->subtyp);
		77
		78	fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
		79
		80	@@ -5573,58 +5574,82 @@
		81	fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
		82	return;
		83	}
		84	-
		85	+ extra = rec_len - sizeof (struct vms_emh_common);
		86	+
		87	switch (subtype)
		88	{
		89	case EMH__C_MHD:
		90	{
		91	- struct vms_emh_mhd mhd = (struct vms_emh_mhd )rec;
		92	- const char *name;
		93	+ struct vms_emh_mhd mhd = (struct vms_emh_mhd ) rec;
		94	+ const char * name;
		95	+ const char * nextname;
		96	+ const char * maxname;
		97
		98	+ /* PR 21840: Check for invalid lengths. */
		99	+ if (rec_len < sizeof (* mhd))
		100	+ {
		101	+ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
		102	+ return;
		103	+ }
		104	fprintf (file, _("Module header\n"));
		105	fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
		106	fprintf (file, _(" max record size: %u\n"),
		107	- (unsigned)bfd_getl32 (mhd->recsiz));
		108	+ (unsigned) bfd_getl32 (mhd->recsiz));
		109	name = (char *)(mhd + 1);
		110	+ maxname = (char *) rec + rec_len;
		111	+ if (name > maxname - 2)
		112	+ {
		113	+ fprintf (file, _(" Error: The module name is missing\n"));
		114	+ return;
		115	+ }
		116	+ nextname = name + name[0] + 1;
		117	+ if (nextname >= maxname)
		118	+ {
		119	+ fprintf (file, _(" Error: The module name is too long\n"));
		120	+ return;
		121	+ }
		122	fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
		123	- name += name[0] + 1;
		124	+ name = nextname;
		125	+ if (name > maxname - 2)
		126	+ {
		127	+ fprintf (file, _(" Error: The module version is missing\n"));
		128	+ return;
		129	+ }
		130	+ nextname = name + name[0] + 1;
		131	+ if (nextname >= maxname)
		132	+ {
		133	+ fprintf (file, _(" Error: The module version is too long\n"));
		134	+ return;
		135	+ }
		136	fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
		137	- name += name[0] + 1;
		138	- fprintf (file, _(" compile date : %.17s\n"), name);
		139	+ name = nextname;
		140	+ if ((maxname - name) < 17 && maxname[-1] != 0)
		141	+ fprintf (file, _(" Error: The compile date is truncated\n"));
		142	+ else
		143	+ fprintf (file, _(" compile date : %.17s\n"), name);
		144	}
		145	break;
		146	+
		147	case EMH__C_LNM:
		148	- {
		149	- fprintf (file, _("Language Processor Name\n"));
		150	- fprintf (file, _(" language name: %.*s\n"),
		151	- (int)(rec_len - sizeof (struct vms_emh_common)),
		152	- (char *)rec + sizeof (struct vms_emh_common));
		153	- }
		154	+ fprintf (file, _("Language Processor Name\n"));
		155	+ fprintf (file, _(" language name: %.s\n"), extra, (char )(emh + 1));
		156	break;
		157	+
		158	case EMH__C_SRC:
		159	- {
		160	- fprintf (file, _("Source Files Header\n"));
		161	- fprintf (file, _(" file: %.*s\n"),
		162	- (int)(rec_len - sizeof (struct vms_emh_common)),
		163	- (char *)rec + sizeof (struct vms_emh_common));
		164	- }
		165	+ fprintf (file, _("Source Files Header\n"));
		166	+ fprintf (file, _(" file: %.s\n"), extra, (char )(emh + 1));
		167	break;
		168	+
		169	case EMH__C_TTL:
		170	- {
		171	- fprintf (file, _("Title Text Header\n"));
		172	- fprintf (file, _(" title: %.*s\n"),
		173	- (int)(rec_len - sizeof (struct vms_emh_common)),
		174	- (char *)rec + sizeof (struct vms_emh_common));
		175	- }
		176	+ fprintf (file, _("Title Text Header\n"));
		177	+ fprintf (file, _(" title: %.s\n"), extra, (char )(emh + 1));
		178	break;
		179	+
		180	case EMH__C_CPR:
		181	- {
		182	- fprintf (file, _("Copyright Header\n"));
		183	- fprintf (file, _(" copyright: %.*s\n"),
		184	- (int)(rec_len - sizeof (struct vms_emh_common)),
		185	- (char *)rec + sizeof (struct vms_emh_common));
		186	- }
		187	+ fprintf (file, _("Copyright Header\n"));
		188	+ fprintf (file, _(" copyright: %.s\n"), extra, (char )(emh + 1));
		189	break;
		190	+
		191	default:
		192	fprintf (file, _("unhandled emh subtype %u\n"), subtype);
		193	break;
		194	Index: git/bfd/vms-misc.c
		195	===================================================================
		196	--- git.orig/bfd/vms-misc.c 2017-08-30 17:21:59.716671451 +0530
		197	+++ git/bfd/vms-misc.c 2017-08-30 17:22:19.140813649 +0530
		198	@@ -135,8 +135,8 @@
		199	#endif
		200
		201
		202	-/* Copy sized string (string with fixed size) to new allocated area
		203	- size is string size (size of record) */
		204	+/* Copy sized string (string with fixed size) to new allocated area.
		205	+ Size is string size (size of record). */
		206
		207	char *
		208	_bfd_vms_save_sized_string (unsigned char *str, int size)
		209	@@ -151,8 +151,8 @@
		210	return newstr;
		211	}
		212
		213	-/* Copy counted string (string with size at first byte) to new allocated area
		214	- ptr points to size byte on entry */
		215	+/* Copy counted string (string with size at first byte) to new allocated area.
		216	+ PTR points to size byte on entry. */
		217
		218	char *
		219	_bfd_vms_save_counted_string (unsigned char *ptr)
		220	Index: git/bfd/ChangeLog
		221	===================================================================
		222	--- git.orig/bfd/ChangeLog 2017-08-30 17:22:19.080813209 +0530
		223	+++ git/bfd/ChangeLog 2017-08-30 17:23:51.069502425 +0530
		224	@@ -1,3 +1,16 @@
		225	+2017-07-27 Nick Clifton <nickc@redhat.com>
		226	+
		227	+ PR 21840
		228	+ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
		229	+ size is -1.
		230	+ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
		231	+ with error return.
		232	+ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
		233	+ are NULL.
		234	+ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
		235	+ of end pointer.
		236	+ (evax_bfd_print_emh): Check for invalid string lengths.
		237	+
		238	2017-07-19 Nick Clifton <nickc@redhat.com>
		239
		240	PR 21787


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch new file mode 100644 index 0000000000..6dae0f6c24 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
		1	commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Mon Jun 19 14:52:36 2017 +0100
		4
		5	Fix address violations when reading corrupt VMS records.
		6
		7	PR binutils/21618
		8	* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
		9	length.
		10	(evax_bfd_print_eeom): Likewise.
		11	(evax_bfd_print_egsd): Check for an overlarge record length.
		12	(evax_bfd_print_etir): Likewise.
		13
		14	Upstream-Status: Backport
		15
		16	CVE: CVE-2017-12449_12455_12457
		17	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		18
		19	Index: git/bfd/vms-alpha.c
		20	===================================================================
		21	--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
		22	+++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
		23	@@ -5567,6 +5567,13 @@
		24
		25	fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
		26
		27	+ /* PR 21618: Check for invalid lengths. */
		28	+ if (rec_len < sizeof (* emh))
		29	+ {
		30	+ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
		31	+ return;
		32	+ }
		33	+
		34	switch (subtype)
		35	{
		36	case EMH__C_MHD:
		37	@@ -5630,6 +5637,14 @@
		38	struct vms_eeom eeom = (struct vms_eeom )rec;
		39
		40	fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
		41	+
		42	+ /* PR 21618: Check for invalid lengths. */
		43	+ if (rec_len < sizeof (* eeom))
		44	+ {
		45	+ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
		46	+ return;
		47	+ }
		48	+
		49	fprintf (file, _(" number of cond linkage pairs: %u\n"),
		50	(unsigned)bfd_getl32 (eeom->total_lps));
		51	fprintf (file, _(" completion code: %u\n"),
		52	@@ -5718,6 +5733,12 @@
		53	n, type, len);
		54	n++;
		55
		56	+ if (off + len > rec_len \|\| off + len < off)
		57	+ {
		58	+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
		59	+ return;
		60	+ }
		61	+
		62	switch (type)
		63	{
		64	case EGSD__C_PSC:
		65	@@ -5958,6 +5979,12 @@
		66	size = bfd_getl16 (etir->size);
		67	buf = rec + off + sizeof (struct vms_etir);
		68
		69	+ if (off + size > rec_len \|\| off + size < off)
		70	+ {
		71	+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
		72	+ return;
		73	+ }
		74	+
		75	fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
		76	switch (type)
		77	{
		78	Index: git/bfd/ChangeLog
		79	===================================================================
		80	--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
		81	+++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
		82	@@ -5,6 +5,15 @@
		83	correct magic bytes at the start, set the error to wrong format
		84	and clear the format selector before returning NULL.
		85
		86	+ 2017-06-19 Nick Clifton <nickc@redhat.com>
		87	+
		88	+ PR binutils/21618
		89	+ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
		90	+ length.
		91	+ (evax_bfd_print_eeom): Likewise.
		92	+ (evax_bfd_print_egsd): Check for an overlarge record length.
		93	+ (evax_bfd_print_etir): Likewise.
		94	+
		95	2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
		96
		97	* readelf.c (process_mips_specific): Remove error reporting from