binutls: Security fix for CVE-2017-9955

Affects: <= 2.28

[v2]
Fixed signed-off-by for CVE-2017-9955_9

(From OE-Core rev: ccb2651cc736a6efd7e69a5afecd6aa975ee914c)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 80 insertions, 0 deletions

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
new file mode 100644
index 0000000000..2cae63b4fc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
@@ -0,0 +1,80 @@
+From 60a02042bacf8d25814430080adda61ed086bca6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Jun 2017 11:03:37 +0100
+Subject: [PATCH] Fix failures in MMIX linker tests introduced by fix for PR
+ 21665.
+
+        PR binutils/21665
+        * objdump.c (disassemble_section): Move check for an overlarge
+        section to just before the allocation of memory.  Do not check
+        section size against file size, but instead use an arbitrary 2Gb
+        limit.  Issue a warning message if the section is too big.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  8 ++++++++
+ binutils/objdump.c | 25 ++++++++++++++++++++++++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
++  if (datasize == 0)
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2112,6 +2112,29 @@ disassemble_section (bfd *abfd, asection
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
++  /* PR 21665: Check for overlarge datasizes.
++     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
++     this fails when using compressed sections or compressed file formats
++     (eg MMO, tekhex).
++
++     The call to xmalloc below will fail if too much memory is requested,
++     which will catch the problem in the normal use case.  But if a memory
++     checker is in use, eg valgrind or sanitize, then an exception will
++     be still generated, so we try to catch the problem first.
++
++     Unfortunately there is no simple way to determine how much memory can
++     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
++     limit of 2Gb.  Hopefully this should be enough for most users.  If
++     someone does start trying to disassemble sections larger then 2Gb in
++     size they will doubtless complain and we can increase the limit.  */
++#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
++  if (datasize > MAX_XMALLOC)
++    {
++      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
++                section->name, (unsigned long) datasize);
++      return;
++    }
++
+   data = (bfd_byte *) xmalloc (datasize);
+ 
+   bfd_get_section_contents (abfd, section, data, 0, datasize);
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-30  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21665
++       * objdump.c (disassemble_section): Move check for an overlarge
++       section to just before the allocation of memory.  Do not check
++       section size against file size, but instead use an arbitrary 2Gb
++       limit.  Issue a warning message if the section is too big.
++
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21665