binutils: Fix 4 CVEs

Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and CVE-2018-1000876 for binutils 2.31.1. (From OE-Core rev: 981eeec0f26f25db444782f40a86c558a2358215) Signed-off-by: Dan Tran <dantran@microsoft.com> [fixed up .inc for thud-next context] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Dan Tran <dantran@microsoft.com> 2019-09-09 17:31:25 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: 45cebeda6e501b9c31ab40030267ea1d6840f34b (patch)
tree: 6ae14795341bebe2889342ee1d7d23ba95977705
parent: 36fa7fce0212e5b8eb9913996156cb5db5c104f3 (diff)
download: poky-45cebeda6e501b9c31ab40030267ea1d6840f34b.tar.gz
5 files changed, 342 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index e1a6673b7f..c9a3610e72 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -48,6 +48,10 @@ SRC_URI = "\
     file://CVE-2018-18607.patch \
     file://CVE-2019-14444.patch \
     file://CVE-2019-12972.patch \
+     file://CVE-2018-20623.patch \
+     file://CVE-2018-20651.patch \
+     file://CVE-2018-20671.patch \
+     file://CVE-2018-1000876.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 0000000000..ff853511f9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+        PR 23994
+        * aoutx.h: Include limits.h.
+        (get_reloc_upper_bound): Detect long overflow and return a file
+        too big error if it occurs.
+        * elf.c: Include limits.h.
+        (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+        a file too big error if it occurs.
+        (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+        (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c   | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+ 
+ #include "sysdep.h"
+#include <limits.h>
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
+  bfd_size_type count;
+
+   if (bfd_get_format (abfd) != bfd_object)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+     }
+ 
+   if (asect->flags & SEC_CONSTRUCTOR)
+-    return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+-  if (asect == obj_datasec (abfd))
+-    return sizeof (arelent *)
+-      * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+-        + 1);
+-
+-  if (asect == obj_textsec (abfd))
+-    return sizeof (arelent *)
+-      * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+-        + 1);
+-
+-  if (asect == obj_bsssec (abfd))
+-    return sizeof (arelent *);
+-
+-  if (asect == obj_bsssec (abfd))
+-    return 0;
+    count = asect->reloc_count;
+  else if (asect == obj_datasec (abfd))
+    count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
+  else if (asect == obj_textsec (abfd))
+    count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
+  else if (asect == obj_bsssec (abfd))
+    count = 0;
+  else
+    {
+      bfd_set_error (bfd_error_invalid_operation);
+      return -1;
+    }
+ 
+-  bfd_set_error (bfd_error_invalid_operation);
+-  return -1;
+  if (count >= LONG_MAX / sizeof (arelent *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+  return (count + 1) * sizeof (arelent *);
+ }
+ 
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
+++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32.  */
+ #define _SYSCALL32
+ #include "sysdep.h"
+#include <limits.h>
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+-  long symcount;
+  bfd_size_type symcount;
+   long symtab_size;
+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+ 
+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+   symtab_size = (symcount + 1) * (sizeof (asymbol *));
+   if (symcount > 0)
+     symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+-  long symcount;
+  bfd_size_type symcount;
+   long symtab_size;
+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+ 
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+     }
+ 
+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+   symtab_size = (symcount + 1) * (sizeof (asymbol *));
+   if (symcount > 0)
+     symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+-  long ret;
+  bfd_size_type count;
+   asection *s;
+ 
+   if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+       return -1;
+     }
+ 
+-  ret = sizeof (arelent *);
+  count = 1;
+   for (s = abfd->sections; s != NULL; s = s->next)
+     if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+        && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+            || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+-      ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+-             * sizeof (arelent *));
+-
+-  return ret;
+      {
+       count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
+       if (count > LONG_MAX / sizeof (arelent *))
+         {
+           bfd_set_error (bfd_error_file_too_big);
+           return -1;
+         }
+      }
+  return count * sizeof (arelent *);
+ }
+ 
+ /* Canonicalize the dynamic relocation entries.  Note that we return the
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
new file mode 100644
index 0000000000..b44d448fce
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+ error messages about malformed archives.
+        PR 14049
+        * readelf.c (process_archive): Use arch.file_name in error
+        messages until the qualified name is available.
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/readelf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+       /* Read the next archive header.  */
+       if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+         {
+-          error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
+          error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+           return FALSE;
+         }
+       got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+         {
+           if (got == 0)
+            break;
+-          error (_("%s: failed to read archive header\n"), filedata->file_name);
+         /* PR 24049 - we cannot use filedata->file_name as this will
+            have already been freed.  */
+         error (_("%s: failed to read archive header\n"), arch.file_name);
+           
+           ret = FALSE;
+           break;
+         }
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+       name = get_archive_member_name (&arch, &nested_arch);
+       if (name == NULL)
+        {
+-         error (_("%s: bad archive file name\n"), filedata->file_name);
+         error (_("%s: bad archive file name\n"), arch.file_name);
+          ret = FALSE;
+          break;
+        }
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+       qualified_name = make_qualified_name (&arch, &nested_arch, name);
+       if (qualified_name == NULL)
+        {
+-         error (_("%s: bad archive file name\n"), filedata->file_name);
+         error (_("%s: bad archive file name\n"), arch.file_name);
+          ret = FALSE;
+          break;
+        }
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+          if (nested_arch.file == NULL)
+            {
+              error (_("%s: contains corrupt thin archive: %s\n"),
+-                    filedata->file_name, name);
+                    qualified_name, name);
+              ret = FALSE;
+              break;
+            }
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
new file mode 100644
index 0000000000..24fb031223
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+ elf_link_add_object_symbols
+        PR 24041
+        * elflink.c (elf_link_add_object_symbols): Don't segfault on
+        crafted ET_DYN with no program headers.
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
+++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+         all sections contained fully therein.  This makes relro
+         shared library sections appear as they will at run-time.  */
+       phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+-      while (--phdr >= elf_tdata (abfd)->phdr)
+      while (phdr-- > elf_tdata (abfd)->phdr)
+        if (phdr->p_type == PT_GNU_RELRO)
+          {
+            for (s = abfd->sections; s != NULL; s = s->next)
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
new file mode 100644
index 0000000000..9bd9207bb5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+ corrupt binaries using a 32-bit binutil.
+        PR 24005
+        * objdump.c (load_specific_debug_section): Check for integer
+        overflow before attempting to allocate contents.
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/objdump.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+   section->reloc_info = NULL;
+   section->num_relocs = 0;
+   section->address = bfd_get_section_vma (abfd, sec);
+  section->user_data = sec;
+   section->size = bfd_get_section_size (sec);
+   amt = section->size + 1;
+  if (amt == 0 || amt > bfd_get_file_size (abfd))
+    {
+      section->start = NULL;
+      free_debug_section (debug);
+      printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
+             section->name, (unsigned long long) section->size);
+      return FALSE;
+    }
+   section->start = contents = malloc (amt);
+-  section->user_data = sec;
+-  if (amt == 0
+-      || section->start == NULL
+  if (section->start == NULL
+       || !bfd_get_full_section_contents (abfd, sec, &contents))
+     {
+       free_debug_section (debug);
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
author	Dan Tran <dantran@microsoft.com>	2019-09-09 17:31:25 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	45cebeda6e501b9c31ab40030267ea1d6840f34b (patch)
tree	6ae14795341bebe2889342ee1d7d23ba95977705
parent	36fa7fce0212e5b8eb9913996156cb5db5c104f3 (diff)
download	poky-45cebeda6e501b9c31ab40030267ea1d6840f34b.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index e1a6673b7f..c9a3610e72 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -48,6 +48,10 @@ SRC_URI = "\
48	file://CVE-2018-18607.patch \	48	file://CVE-2018-18607.patch \
49	file://CVE-2019-14444.patch \	49	file://CVE-2019-14444.patch \
50	file://CVE-2019-12972.patch \	50	file://CVE-2019-12972.patch \
		51	file://CVE-2018-20623.patch \
		52	file://CVE-2018-20651.patch \
		53	file://CVE-2018-20671.patch \
		54	file://CVE-2018-1000876.patch \
51	"	55	"
52	S = "${WORKDIR}/git"	56	S = "${WORKDIR}/git"
53		57


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch new file mode 100644 index 0000000000..ff853511f9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
		1	From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sun, 16 Dec 2018 23:02:50 +1030
		4	Subject: [PATCH] PR23994, libbfd integer overflow
		5
		6	PR 23994
		7	* aoutx.h: Include limits.h.
		8	(get_reloc_upper_bound): Detect long overflow and return a file
		9	too big error if it occurs.
		10	* elf.c: Include limits.h.
		11	(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
		12	a file too big error if it occurs.
		13	(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
		14	(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
		15
		16	CVE: CVE-2018-1000876
		17	Upstream-Status: Backport
		18	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
		19
		20	Signed-off-by: Dan Tran <dantran@microsoft.com>
		21	---
		22	bfd/aoutx.h \| 40 +++++++++++++++++++++-------------------
		23	bfd/elf.c \| 32 ++++++++++++++++++++++++--------
		24	2 files changed, 45 insertions(+), 27 deletions(-)
		25
		26	diff --git a/bfd/aoutx.h b/bfd/aoutx.h
		27	index 023843b0be..78eaa9c503 100644
		28	--- a/bfd/aoutx.h
		29	+++ b/bfd/aoutx.h
		30	@@ -117,6 +117,7 @@ DESCRIPTION
		31	#define KEEPIT udata.i
		32
		33	#include "sysdep.h"
		34	+#include <limits.h>
		35	#include "bfd.h"
		36	#include "safe-ctype.h"
		37	#include "bfdlink.h"
		38	@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
		39	long
		40	NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
		41	{
		42	+ bfd_size_type count;
		43	+
		44	if (bfd_get_format (abfd) != bfd_object)
		45	{
		46	bfd_set_error (bfd_error_invalid_operation);
		47	@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
		48	}
		49
		50	if (asect->flags & SEC_CONSTRUCTOR)
		51	- return sizeof (arelent ) (asect->reloc_count + 1);
		52	-
		53	- if (asect == obj_datasec (abfd))
		54	- return sizeof (arelent *)
		55	- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
		56	- + 1);
		57	-
		58	- if (asect == obj_textsec (abfd))
		59	- return sizeof (arelent *)
		60	- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
		61	- + 1);
		62	-
		63	- if (asect == obj_bsssec (abfd))
		64	- return sizeof (arelent *);
		65	-
		66	- if (asect == obj_bsssec (abfd))
		67	- return 0;
		68	+ count = asect->reloc_count;
		69	+ else if (asect == obj_datasec (abfd))
		70	+ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
		71	+ else if (asect == obj_textsec (abfd))
		72	+ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
		73	+ else if (asect == obj_bsssec (abfd))
		74	+ count = 0;
		75	+ else
		76	+ {
		77	+ bfd_set_error (bfd_error_invalid_operation);
		78	+ return -1;
		79	+ }
		80
		81	- bfd_set_error (bfd_error_invalid_operation);
		82	- return -1;
		83	+ if (count >= LONG_MAX / sizeof (arelent *))
		84	+ {
		85	+ bfd_set_error (bfd_error_file_too_big);
		86	+ return -1;
		87	+ }
		88	+ return (count + 1) * sizeof (arelent *);
		89	}
		90
		91	long
		92	diff --git a/bfd/elf.c b/bfd/elf.c
		93	index 828241d48a..10037176a3 100644
		94	--- a/bfd/elf.c
		95	+++ b/bfd/elf.c
		96	@@ -35,6 +35,7 @@ SECTION
		97	/* For sparc64-cross-sparc32. */
		98	#define _SYSCALL32
		99	#include "sysdep.h"
		100	+#include <limits.h>
		101	#include "bfd.h"
		102	#include "bfdlink.h"
		103	#include "libbfd.h"
		104	@@ -8114,11 +8115,16 @@ error_return:
		105	long
		106	_bfd_elf_get_symtab_upper_bound (bfd *abfd)
		107	{
		108	- long symcount;
		109	+ bfd_size_type symcount;
		110	long symtab_size;
		111	Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
		112
		113	symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
		114	+ if (symcount >= LONG_MAX / sizeof (asymbol *))
		115	+ {
		116	+ bfd_set_error (bfd_error_file_too_big);
		117	+ return -1;
		118	+ }
		119	symtab_size = (symcount + 1) * (sizeof (asymbol *));
		120	if (symcount > 0)
		121	symtab_size -= sizeof (asymbol *);
		122	@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
		123	long
		124	_bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
		125	{
		126	- long symcount;
		127	+ bfd_size_type symcount;
		128	long symtab_size;
		129	Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
		130
		131	@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
		132	}
		133
		134	symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
		135	+ if (symcount >= LONG_MAX / sizeof (asymbol *))
		136	+ {
		137	+ bfd_set_error (bfd_error_file_too_big);
		138	+ return -1;
		139	+ }
		140	symtab_size = (symcount + 1) * (sizeof (asymbol *));
		141	if (symcount > 0)
		142	symtab_size -= sizeof (asymbol *);
		143	@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
		144	long
		145	_bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
		146	{
		147	- long ret;
		148	+ bfd_size_type count;
		149	asection *s;
		150
		151	if (elf_dynsymtab (abfd) == 0)
		152	@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
		153	return -1;
		154	}
		155
		156	- ret = sizeof (arelent *);
		157	+ count = 1;
		158	for (s = abfd->sections; s != NULL; s = s->next)
		159	if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
		160	&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL
		161	\|\| elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
		162	- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
		163	- * sizeof (arelent *));
		164	-
		165	- return ret;
		166	+ {
		167	+ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
		168	+ if (count > LONG_MAX / sizeof (arelent *))
		169	+ {
		170	+ bfd_set_error (bfd_error_file_too_big);
		171	+ return -1;
		172	+ }
		173	+ }
		174	+ return count * sizeof (arelent *);
		175	}
		176
		177	/* Canonicalize the dynamic relocation entries. Note that we return the
		178	--
		179	2.22.0.vfs.1.1.57.gbaf16c8
		180


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch new file mode 100644 index 0000000000..b44d448fce --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
@@ -0,0 +1,74 @@
		1	From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 9 Jan 2019 12:25:16 +0000
		4	Subject: [PATCH] Fix a heap use after free memory access fault when displaying
		5	error messages about malformed archives.
		6
		7	PR 14049
		8	* readelf.c (process_archive): Use arch.file_name in error
		9	messages until the qualified name is available.
		10
		11	CVE: CVE-2018-20623
		12	Upstream-Status: Backport
		13	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
		14
		15	Signed-off-by: Dan Tran <dantran@microsoft.com>
		16	---
		17	binutils/readelf.c \| 13 ++++++++-----
		18	1 file changed, 8 insertions(+), 5 deletions(-)
		19
		20	diff --git a/binutils/readelf.c b/binutils/readelf.c
		21	index f4df697a7d..280023d8de 100644
		22	--- a/binutils/readelf.c
		23	+++ b/binutils/readelf.c
		24	@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
		25	/* Read the next archive header. */
		26	if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
		27	{
		28	- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
		29	+ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
		30	return FALSE;
		31	}
		32	got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
		33	@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
		34	{
		35	if (got == 0)
		36	break;
		37	- error (_("%s: failed to read archive header\n"), filedata->file_name);
		38	+ /* PR 24049 - we cannot use filedata->file_name as this will
		39	+ have already been freed. */
		40	+ error (_("%s: failed to read archive header\n"), arch.file_name);
		41	+
		42	ret = FALSE;
		43	break;
		44	}
		45	@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
		46	name = get_archive_member_name (&arch, &nested_arch);
		47	if (name == NULL)
		48	{
		49	- error (_("%s: bad archive file name\n"), filedata->file_name);
		50	+ error (_("%s: bad archive file name\n"), arch.file_name);
		51	ret = FALSE;
		52	break;
		53	}
		54	@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
		55	qualified_name = make_qualified_name (&arch, &nested_arch, name);
		56	if (qualified_name == NULL)
		57	{
		58	- error (_("%s: bad archive file name\n"), filedata->file_name);
		59	+ error (_("%s: bad archive file name\n"), arch.file_name);
		60	ret = FALSE;
		61	break;
		62	}
		63	@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
		64	if (nested_arch.file == NULL)
		65	{
		66	error (_("%s: contains corrupt thin archive: %s\n"),
		67	- filedata->file_name, name);
		68	+ qualified_name, name);
		69	ret = FALSE;
		70	break;
		71	}
		72	--
		73	2.22.0.vfs.1.1.57.gbaf16c8
		74


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch new file mode 100644 index 0000000000..24fb031223 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
@@ -0,0 +1,35 @@
		1	From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Mon, 31 Dec 2018 15:40:08 +1030
		4	Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
		5	elf_link_add_object_symbols
		6
		7	PR 24041
		8	* elflink.c (elf_link_add_object_symbols): Don't segfault on
		9	crafted ET_DYN with no program headers.
		10
		11	CVE: CVE-2018-20651
		12	Upstream-Status: Backport
		13	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
		14
		15	Signed-off-by: Dan Tran <dantran@microsoft.com>
		16	---
		17	bfd/elflink.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/bfd/elflink.c b/bfd/elflink.c
		21	index 46091b6341..557c550082 100644
		22	--- a/bfd/elflink.c
		23	+++ b/bfd/elflink.c
		24	@@ -4178,7 +4178,7 @@ error_free_dyn:
		25	all sections contained fully therein. This makes relro
		26	shared library sections appear as they will at run-time. */
		27	phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
		28	- while (--phdr >= elf_tdata (abfd)->phdr)
		29	+ while (phdr-- > elf_tdata (abfd)->phdr)
		30	if (phdr->p_type == PT_GNU_RELRO)
		31	{
		32	for (s = abfd->sections; s != NULL; s = s->next)
		33	--
		34	2.22.0.vfs.1.1.57.gbaf16c8
		35


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch new file mode 100644 index 0000000000..9bd9207bb5 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
@@ -0,0 +1,49 @@
		1	From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Fri, 4 Jan 2019 13:44:34 +0000
		4	Subject: [PATCH] Fix a possible integer overflow problem when examining
		5	corrupt binaries using a 32-bit binutil.
		6
		7	PR 24005
		8	* objdump.c (load_specific_debug_section): Check for integer
		9	overflow before attempting to allocate contents.
		10
		11	CVE: CVE-2018-20671
		12	Upstream-Status: Backport
		13	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
		14
		15	Signed-off-by: Dan Tran <dantran@microsoft.com>
		16	---
		17	binutils/objdump.c \| 13 ++++++++++---
		18	1 file changed, 10 insertions(+), 3 deletions(-)
		19
		20	diff --git a/binutils/objdump.c b/binutils/objdump.c
		21	index f468fcdb59..89ca688938 100644
		22	--- a/binutils/objdump.c
		23	+++ b/binutils/objdump.c
		24	@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
		25	section->reloc_info = NULL;
		26	section->num_relocs = 0;
		27	section->address = bfd_get_section_vma (abfd, sec);
		28	+ section->user_data = sec;
		29	section->size = bfd_get_section_size (sec);
		30	amt = section->size + 1;
		31	+ if (amt == 0 \|\| amt > bfd_get_file_size (abfd))
		32	+ {
		33	+ section->start = NULL;
		34	+ free_debug_section (debug);
		35	+ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
		36	+ section->name, (unsigned long long) section->size);
		37	+ return FALSE;
		38	+ }
		39	section->start = contents = malloc (amt);
		40	- section->user_data = sec;
		41	- if (amt == 0
		42	- \|\| section->start == NULL
		43	+ if (section->start == NULL
		44	\|\| !bfd_get_full_section_contents (abfd, sec, &contents))
		45	{
		46	free_debug_section (debug);
		47	--
		48	2.22.0.vfs.1.1.57.gbaf16c8
		49