Binutils: Security fix for CVE-2017-17121

Affects: <= 2.29.1 (From OE-Core rev: 942e7f65fd656f2cc526a3c99edcea60f341132c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-07 21:00:50 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 4e970e640940fe59afda9ce9b3a28cf72d0d6b6c (patch)
tree: bfcf8b6e5e5094a5c08f24d7dd590bdd377eab97 /meta/recipes-devtools/binutils
parent: ad4d04429ac4f8b19f04b4c439ee6e815e699136 (diff)
download: poky-4e970e640940fe59afda9ce9b3a28cf72d0d6b6c.tar.gz
2 files changed, 367 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 2a713caf5d..27d77cc409 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
     file://CVE-2017-16831.patch \
     file://CVE-2017-16832.patch \
     file://CVE-2017-17080.patch \
+     file://CVE-2017-17121.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch
new file mode 100644
index 0000000000..4b675f7b72
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch
@@ -0,0 +1,366 @@
+From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Nov 2017 13:20:31 +0000
+Subject: [PATCH] Fix a memory access violation when attempting to parse a
+ corrupt COFF binary with a relocation that points beyond the end of the
+ section to be relocated.
+        PR 22506
+        * reloc.c (reloc_offset_in_range): Rename to
+        bfd_reloc_offset_in_range and export.
+        (bfd_perform_relocation): Rename function invocation.
+        (bfd_install_relocation): Likewise.
+        (bfd_final_link_relocate): Likewise.
+        * bfd-in2.h: Regenerate.
+        * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
+        * coff-i386.c (coff_i386_reloc): Likewise.
+        * coff-i860.c (coff_i860_reloc): Likewise.
+        * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
+        * coff-m88k.c (m88k_special_reloc): Likewise.
+        * coff-mips.c (mips_reflo_reloc): Likewise.
+        * coff-x86_64.c (coff_amd64_reloc): Likewise.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17121
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog     | 17 +++++++++++++++
+ bfd/bfd-in2.h     |  6 +++++
+ bfd/coff-arm.c    | 65 ++++++++++++++++++++++++++++++-------------------------
+ bfd/coff-i386.c   |  5 +++++
+ bfd/coff-i860.c   |  5 +++++
+ bfd/coff-m68k.c   |  5 +++++
+ bfd/coff-m88k.c   |  9 +++++++-
+ bfd/coff-mips.c   |  6 +++++
+ bfd/coff-x86_64.c | 16 +++++---------
+ bfd/reloc.c       | 40 +++++++++++++++++++++++++++++-----
+ 10 files changed, 126 insertions(+), 48 deletions(-)
+Index: git/bfd/bfd-in2.h
+===================================================================
+--- git.orig/bfd/bfd-in2.h
+++ git/bfd/bfd-in2.h
+@@ -2661,6 +2661,12 @@ bfd_reloc_status_type bfd_check_overflow
+     unsigned int addrsize,
+     bfd_vma relocation);
+ 
+bfd_boolean bfd_reloc_offset_in_range
+   (reloc_howto_type *howto,
+    bfd *abfd,
+    asection *section,
+    bfd_size_type offset);
+
+ bfd_reloc_status_type bfd_perform_relocation
+    (bfd *abfd,
+     arelent *reloc_entry,
+Index: git/bfd/coff-arm.c
+===================================================================
+--- git.orig/bfd/coff-arm.c
+++ git/bfd/coff-arm.c
+@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd,
+   x = ((x & ~howto->dst_mask)                                  \
+        | (((x & howto->src_mask) + diff) & howto->dst_mask))
+ 
+-    if (diff != 0)
+-      {
+-       reloc_howto_type *howto = reloc_entry->howto;
+-       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+  if (diff != 0)
+    {
+      reloc_howto_type *howto = reloc_entry->howto;
+      unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+
+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                      reloc_entry->address
+                                      * bfd_octets_per_byte (abfd)))
+       return bfd_reloc_outofrange;
+
+      switch (howto->size)
+       {
+       case 0:
+         {
+           char x = bfd_get_8 (abfd, addr);
+           DOIT (x);
+           bfd_put_8 (abfd, x, addr);
+         }
+         break;
+ 
+-       switch (howto->size)
+       case 1:
+          {
+-         case 0:
+-           {
+-             char x = bfd_get_8 (abfd, addr);
+-             DOIT (x);
+-             bfd_put_8 (abfd, x, addr);
+-           }
+-           break;
+-
+-         case 1:
+-           {
+-             short x = bfd_get_16 (abfd, addr);
+-             DOIT (x);
+-             bfd_put_16 (abfd, (bfd_vma) x, addr);
+-           }
+-           break;
+-
+-         case 2:
+-           {
+-             long x = bfd_get_32 (abfd, addr);
+-             DOIT (x);
+-             bfd_put_32 (abfd, (bfd_vma) x, addr);
+-           }
+-           break;
+           short x = bfd_get_16 (abfd, addr);
+           DOIT (x);
+           bfd_put_16 (abfd, (bfd_vma) x, addr);
+         }
+         break;
+ 
+-         default:
+-           abort ();
+       case 2:
+         {
+           long x = bfd_get_32 (abfd, addr);
+           DOIT (x);
+           bfd_put_32 (abfd, (bfd_vma) x, addr);
+          }
+-      }
+         break;
+
+       default:
+         abort ();
+       }
+    }
+ 
+   /* Now let bfd_perform_relocation finish everything up.  */
+   return bfd_reloc_continue;
+Index: git/bfd/coff-i386.c
+===================================================================
+--- git.orig/bfd/coff-i386.c
+++ git/bfd/coff-i386.c
+@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd,
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                      reloc_entry->address
+                                      * bfd_octets_per_byte (abfd)))
+       return bfd_reloc_outofrange;
+
+       switch (howto->size)
+        {
+        case 0:
+Index: git/bfd/coff-i860.c
+===================================================================
+--- git.orig/bfd/coff-i860.c
+++ git/bfd/coff-i860.c
+@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd,
+        reloc_howto_type *howto = reloc_entry->howto;
+        unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
+       if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                        reloc_entry->address
+                                        * bfd_octets_per_byte (abfd)))
+         return bfd_reloc_outofrange;
+
+        switch (howto->size)
+          {
+          case 0:
+Index: git/bfd/coff-m68k.c
+===================================================================
+--- git.orig/bfd/coff-m68k.c
+++ git/bfd/coff-m68k.c
+@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                      reloc_entry->address
+                                      * bfd_octets_per_byte (abfd)))
+       return bfd_reloc_outofrange;
+
+       switch (howto->size)
+        {
+        case 0:
+Index: git/bfd/coff-m88k.c
+===================================================================
+--- git.orig/bfd/coff-m88k.c
+++ git/bfd/coff-m88k.c
+@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd,
+        {
+          bfd_vma output_base = 0;
+          bfd_vma addr = reloc_entry->address;
+-         bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
+         bfd_vma x;
+          asection *reloc_target_output_section;
+          long relocation = 0;
+ 
+         if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                          reloc_entry->address
+                                          * bfd_octets_per_byte (abfd)))
+           return bfd_reloc_outofrange;
+
+         x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
+
+          /* Work out which section the relocation is targeted at and the
+             initial relocation command value.  */
+ 
+Index: git/bfd/coff-mips.c
+===================================================================
+--- git.orig/bfd/coff-mips.c
+++ git/bfd/coff-mips.c
+@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UN
+          unsigned long vallo;
+          struct mips_hi *next;
+ 
+         if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd,
+                                          input_section,
+                                          reloc_entry->address
+                                          * bfd_octets_per_byte (abfd)))
+           return bfd_reloc_outofrange;
+
+          /* Do the REFHI relocation.  Note that we actually don't
+             need to know anything about the REFLO itself, except
+             where to find the low 16 bits of the addend needed by the
+Index: git/bfd/coff-x86_64.c
+===================================================================
+--- git.orig/bfd/coff-x86_64.c
+++ git/bfd/coff-x86_64.c
+@@ -143,16 +143,10 @@ coff_amd64_reloc (bfd *abfd,
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
+-      /* FIXME: We do not have an end address for data, so we cannot
+-        accurately range check any addresses computed against it.
+-        cf: PR binutils/17512: file: 1085-1761-0.004.
+-        For now we do the best that we can.  */
+-      if (addr < (unsigned char *) data
+-         || addr > ((unsigned char *) data) + input_section->size)
+-       {
+-         bfd_set_error (bfd_error_bad_value);
+-         return bfd_reloc_notsupported;
+-       }
+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
+                                      reloc_entry->address
+                                      * bfd_octets_per_byte (abfd)))
+       return bfd_reloc_outofrange;
+ 
+       switch (howto->size)
+        {
+Index: git/bfd/reloc.c
+===================================================================
+--- git.orig/bfd/reloc.c
+++ git/bfd/reloc.c
+@@ -538,12 +538,31 @@ bfd_check_overflow (enum complain_overfl
+   return flag;
+ }
+ 
+/*
+FUNCTION
+       bfd_reloc_offset_in_range
+
+SYNOPSIS
+       bfd_boolean bfd_reloc_offset_in_range
+          (reloc_howto_type *howto,
+           bfd *abfd,
+           asection *section,
+           bfd_size_type offset);
+
+DESCRIPTION
+        Returns TRUE if the reloc described by @var{HOWTO} can be
+       applied at @var{OFFSET} octets in @var{SECTION}.
+
+*/
+
+ /* HOWTO describes a relocation, at offset OCTET.  Return whether the
+    relocation field is within SECTION of ABFD.  */
+ 
+-static bfd_boolean
+-reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,
+-                      asection *section, bfd_size_type octet)
+bfd_boolean
+bfd_reloc_offset_in_range (reloc_howto_type *howto,
+                          bfd *abfd,
+                          asection *section,
+                          bfd_size_type octet)
+ {
+   bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
+   bfd_size_type reloc_size = bfd_get_reloc_size (howto);
+@@ -617,6 +636,11 @@ bfd_perform_relocation (bfd *abfd,
+   if (howto && howto->special_function)
+     {
+       bfd_reloc_status_type cont;
+
+      /* Note - we do not call bfd_reloc_offset_in_range here as the
+        reloc_entry->address field might actually be valid for the
+        backend concerned.  It is up to the special_function itself
+        to call bfd_reloc_offset_in_range if needed.  */
+       cont = howto->special_function (abfd, reloc_entry, symbol, data,
+                                      input_section, output_bfd,
+                                      error_message);
+@@ -637,7 +661,7 @@ bfd_perform_relocation (bfd *abfd,
+ 
+   /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
+  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1003,6 +1027,10 @@ bfd_install_relocation (bfd *abfd,
+     {
+       bfd_reloc_status_type cont;
+ 
+      /* Note - we do not call bfd_reloc_offset_in_range here as the
+        reloc_entry->address field might actually be valid for the
+        backend concerned.  It is up to the special_function itself
+        to call bfd_reloc_offset_in_range if needed.  */
+       /* XXX - The special_function calls haven't been fixed up to deal
+         with creating new relocations and section contents.  */
+       cont = howto->special_function (abfd, reloc_entry, symbol,
+@@ -1025,7 +1053,7 @@ bfd_install_relocation (bfd *abfd,
+ 
+   /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
+  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1363,7 +1391,7 @@ _bfd_final_link_relocate (reloc_howto_ty
+   bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
+ 
+   /* Sanity check the address.  */
+-  if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
+  if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* This function assumes that we are dealing with a basic relocation
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,20 @@
+2017-11-28  Nick Clifton  <nickc@redhat.com>
+
+       PR 22506
+       * reloc.c (reloc_offset_in_range): Rename to
+      bfd_reloc_offset_in_range and export.
+       (bfd_perform_relocation): Rename function invocation.
+       (bfd_install_relocation): Likewise.
+       (bfd_final_link_relocate): Likewise.
+       * bfd-in2.h: Regenerate.
+       * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
+       * coff-i386.c (coff_i386_reloc): Likewise.
+       * coff-i860.c (coff_i860_reloc): Likewise.
+       * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
+       * coff-m88k.c (m88k_special_reloc): Likewise.
+       * coff-mips.c (mips_reflo_reloc): Likewise.
+       * coff-x86_64.c (coff_amd64_reloc): Likewise.
+
+ 2017-11-16  Nick Clifton  <nickc@redhat.com>
+  
+        PR 22421
author	Armin Kuster <akuster@mvista.com>	2018-08-07 21:00:50 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	4e970e640940fe59afda9ce9b3a28cf72d0d6b6c (patch)
tree	bfcf8b6e5e5094a5c08f24d7dd590bdd377eab97 /meta/recipes-devtools/binutils
parent	ad4d04429ac4f8b19f04b4c439ee6e815e699136 (diff)
download	poky-4e970e640940fe59afda9ce9b3a28cf72d0d6b6c.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 2a713caf5d..27d77cc409 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
61	file://CVE-2017-16831.patch \	61	file://CVE-2017-16831.patch \
62	file://CVE-2017-16832.patch \	62	file://CVE-2017-16832.patch \
63	file://CVE-2017-17080.patch \	63	file://CVE-2017-17080.patch \
		64	file://CVE-2017-17121.patch \
64	"	65	"
65	S = "${WORKDIR}/git"	66	S = "${WORKDIR}/git"
66		67


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch new file mode 100644 index 0000000000..4b675f7b72 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch
@@ -0,0 +1,366 @@
		1	From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 28 Nov 2017 13:20:31 +0000
		4	Subject: [PATCH] Fix a memory access violation when attempting to parse a
		5	corrupt COFF binary with a relocation that points beyond the end of the
		6	section to be relocated.
		7
		8	PR 22506
		9	* reloc.c (reloc_offset_in_range): Rename to
		10	bfd_reloc_offset_in_range and export.
		11	(bfd_perform_relocation): Rename function invocation.
		12	(bfd_install_relocation): Likewise.
		13	(bfd_final_link_relocate): Likewise.
		14	* bfd-in2.h: Regenerate.
		15	* coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
		16	* coff-i386.c (coff_i386_reloc): Likewise.
		17	* coff-i860.c (coff_i860_reloc): Likewise.
		18	* coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
		19	* coff-m88k.c (m88k_special_reloc): Likewise.
		20	* coff-mips.c (mips_reflo_reloc): Likewise.
		21	* coff-x86_64.c (coff_amd64_reloc): Likewise.
		22
		23	Upstream-Status: Backport
		24	Affects: <= 2.29.1
		25	CVE: CVE-2017-17121
		26	Signed-off-by: Armin Kuster <akuster@mvista.com>
		27
		28	---
		29	bfd/ChangeLog \| 17 +++++++++++++++
		30	bfd/bfd-in2.h \| 6 +++++
		31	bfd/coff-arm.c \| 65 ++++++++++++++++++++++++++++++-------------------------
		32	bfd/coff-i386.c \| 5 +++++
		33	bfd/coff-i860.c \| 5 +++++
		34	bfd/coff-m68k.c \| 5 +++++
		35	bfd/coff-m88k.c \| 9 +++++++-
		36	bfd/coff-mips.c \| 6 +++++
		37	bfd/coff-x86_64.c \| 16 +++++---------
		38	bfd/reloc.c \| 40 +++++++++++++++++++++++++++++-----
		39	10 files changed, 126 insertions(+), 48 deletions(-)
		40
		41	Index: git/bfd/bfd-in2.h
		42	===================================================================
		43	--- git.orig/bfd/bfd-in2.h
		44	+++ git/bfd/bfd-in2.h
		45	@@ -2661,6 +2661,12 @@ bfd_reloc_status_type bfd_check_overflow
		46	unsigned int addrsize,
		47	bfd_vma relocation);
		48
		49	+bfd_boolean bfd_reloc_offset_in_range
		50	+ (reloc_howto_type *howto,
		51	+ bfd *abfd,
		52	+ asection *section,
		53	+ bfd_size_type offset);
		54	+
		55	bfd_reloc_status_type bfd_perform_relocation
		56	(bfd *abfd,
		57	arelent *reloc_entry,
		58	Index: git/bfd/coff-arm.c
		59	===================================================================
		60	--- git.orig/bfd/coff-arm.c
		61	+++ git/bfd/coff-arm.c
		62	@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd,
		63	x = ((x & ~howto->dst_mask) \
		64	\| (((x & howto->src_mask) + diff) & howto->dst_mask))
		65
		66	- if (diff != 0)
		67	- {
		68	- reloc_howto_type *howto = reloc_entry->howto;
		69	- unsigned char addr = (unsigned char ) data + reloc_entry->address;
		70	+ if (diff != 0)
		71	+ {
		72	+ reloc_howto_type *howto = reloc_entry->howto;
		73	+ unsigned char addr = (unsigned char ) data + reloc_entry->address;
		74	+
		75	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		76	+ reloc_entry->address
		77	+ * bfd_octets_per_byte (abfd)))
		78	+ return bfd_reloc_outofrange;
		79	+
		80	+ switch (howto->size)
		81	+ {
		82	+ case 0:
		83	+ {
		84	+ char x = bfd_get_8 (abfd, addr);
		85	+ DOIT (x);
		86	+ bfd_put_8 (abfd, x, addr);
		87	+ }
		88	+ break;
		89
		90	- switch (howto->size)
		91	+ case 1:
		92	{
		93	- case 0:
		94	- {
		95	- char x = bfd_get_8 (abfd, addr);
		96	- DOIT (x);
		97	- bfd_put_8 (abfd, x, addr);
		98	- }
		99	- break;
		100	-
		101	- case 1:
		102	- {
		103	- short x = bfd_get_16 (abfd, addr);
		104	- DOIT (x);
		105	- bfd_put_16 (abfd, (bfd_vma) x, addr);
		106	- }
		107	- break;
		108	-
		109	- case 2:
		110	- {
		111	- long x = bfd_get_32 (abfd, addr);
		112	- DOIT (x);
		113	- bfd_put_32 (abfd, (bfd_vma) x, addr);
		114	- }
		115	- break;
		116	+ short x = bfd_get_16 (abfd, addr);
		117	+ DOIT (x);
		118	+ bfd_put_16 (abfd, (bfd_vma) x, addr);
		119	+ }
		120	+ break;
		121
		122	- default:
		123	- abort ();
		124	+ case 2:
		125	+ {
		126	+ long x = bfd_get_32 (abfd, addr);
		127	+ DOIT (x);
		128	+ bfd_put_32 (abfd, (bfd_vma) x, addr);
		129	}
		130	- }
		131	+ break;
		132	+
		133	+ default:
		134	+ abort ();
		135	+ }
		136	+ }
		137
		138	/* Now let bfd_perform_relocation finish everything up. */
		139	return bfd_reloc_continue;
		140	Index: git/bfd/coff-i386.c
		141	===================================================================
		142	--- git.orig/bfd/coff-i386.c
		143	+++ git/bfd/coff-i386.c
		144	@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd,
		145	reloc_howto_type *howto = reloc_entry->howto;
		146	unsigned char addr = (unsigned char ) data + reloc_entry->address;
		147
		148	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		149	+ reloc_entry->address
		150	+ * bfd_octets_per_byte (abfd)))
		151	+ return bfd_reloc_outofrange;
		152	+
		153	switch (howto->size)
		154	{
		155	case 0:
		156	Index: git/bfd/coff-i860.c
		157	===================================================================
		158	--- git.orig/bfd/coff-i860.c
		159	+++ git/bfd/coff-i860.c
		160	@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd,
		161	reloc_howto_type *howto = reloc_entry->howto;
		162	unsigned char addr = (unsigned char ) data + reloc_entry->address;
		163
		164	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		165	+ reloc_entry->address
		166	+ * bfd_octets_per_byte (abfd)))
		167	+ return bfd_reloc_outofrange;
		168	+
		169	switch (howto->size)
		170	{
		171	case 0:
		172	Index: git/bfd/coff-m68k.c
		173	===================================================================
		174	--- git.orig/bfd/coff-m68k.c
		175	+++ git/bfd/coff-m68k.c
		176	@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *
		177	reloc_howto_type *howto = reloc_entry->howto;
		178	unsigned char addr = (unsigned char ) data + reloc_entry->address;
		179
		180	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		181	+ reloc_entry->address
		182	+ * bfd_octets_per_byte (abfd)))
		183	+ return bfd_reloc_outofrange;
		184	+
		185	switch (howto->size)
		186	{
		187	case 0:
		188	Index: git/bfd/coff-m88k.c
		189	===================================================================
		190	--- git.orig/bfd/coff-m88k.c
		191	+++ git/bfd/coff-m88k.c
		192	@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd,
		193	{
		194	bfd_vma output_base = 0;
		195	bfd_vma addr = reloc_entry->address;
		196	- bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
		197	+ bfd_vma x;
		198	asection *reloc_target_output_section;
		199	long relocation = 0;
		200
		201	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		202	+ reloc_entry->address
		203	+ * bfd_octets_per_byte (abfd)))
		204	+ return bfd_reloc_outofrange;
		205	+
		206	+ x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
		207	+
		208	/* Work out which section the relocation is targeted at and the
		209	initial relocation command value. */
		210
		211	Index: git/bfd/coff-mips.c
		212	===================================================================
		213	--- git.orig/bfd/coff-mips.c
		214	+++ git/bfd/coff-mips.c
		215	@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UN
		216	unsigned long vallo;
		217	struct mips_hi *next;
		218
		219	+ if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd,
		220	+ input_section,
		221	+ reloc_entry->address
		222	+ * bfd_octets_per_byte (abfd)))
		223	+ return bfd_reloc_outofrange;
		224	+
		225	/* Do the REFHI relocation. Note that we actually don't
		226	need to know anything about the REFLO itself, except
		227	where to find the low 16 bits of the addend needed by the
		228	Index: git/bfd/coff-x86_64.c
		229	===================================================================
		230	--- git.orig/bfd/coff-x86_64.c
		231	+++ git/bfd/coff-x86_64.c
		232	@@ -143,16 +143,10 @@ coff_amd64_reloc (bfd *abfd,
		233	reloc_howto_type *howto = reloc_entry->howto;
		234	unsigned char addr = (unsigned char ) data + reloc_entry->address;
		235
		236	- /* FIXME: We do not have an end address for data, so we cannot
		237	- accurately range check any addresses computed against it.
		238	- cf: PR binutils/17512: file: 1085-1761-0.004.
		239	- For now we do the best that we can. */
		240	- if (addr < (unsigned char *) data
		241	- \|\| addr > ((unsigned char *) data) + input_section->size)
		242	- {
		243	- bfd_set_error (bfd_error_bad_value);
		244	- return bfd_reloc_notsupported;
		245	- }
		246	+ if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
		247	+ reloc_entry->address
		248	+ * bfd_octets_per_byte (abfd)))
		249	+ return bfd_reloc_outofrange;
		250
		251	switch (howto->size)
		252	{
		253	Index: git/bfd/reloc.c
		254	===================================================================
		255	--- git.orig/bfd/reloc.c
		256	+++ git/bfd/reloc.c
		257	@@ -538,12 +538,31 @@ bfd_check_overflow (enum complain_overfl
		258	return flag;
		259	}
		260
		261	+/*
		262	+FUNCTION
		263	+ bfd_reloc_offset_in_range
		264	+
		265	+SYNOPSIS
		266	+ bfd_boolean bfd_reloc_offset_in_range
		267	+ (reloc_howto_type *howto,
		268	+ bfd *abfd,
		269	+ asection *section,
		270	+ bfd_size_type offset);
		271	+
		272	+DESCRIPTION
		273	+ Returns TRUE if the reloc described by @var{HOWTO} can be
		274	+ applied at @var{OFFSET} octets in @var{SECTION}.
		275	+
		276	+*/
		277	+
		278	/* HOWTO describes a relocation, at offset OCTET. Return whether the
		279	relocation field is within SECTION of ABFD. */
		280
		281	-static bfd_boolean
		282	-reloc_offset_in_range (reloc_howto_type howto, bfd abfd,
		283	- asection *section, bfd_size_type octet)
		284	+bfd_boolean
		285	+bfd_reloc_offset_in_range (reloc_howto_type *howto,
		286	+ bfd *abfd,
		287	+ asection *section,
		288	+ bfd_size_type octet)
		289	{
		290	bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
		291	bfd_size_type reloc_size = bfd_get_reloc_size (howto);
		292	@@ -617,6 +636,11 @@ bfd_perform_relocation (bfd *abfd,
		293	if (howto && howto->special_function)
		294	{
		295	bfd_reloc_status_type cont;
		296	+
		297	+ /* Note - we do not call bfd_reloc_offset_in_range here as the
		298	+ reloc_entry->address field might actually be valid for the
		299	+ backend concerned. It is up to the special_function itself
		300	+ to call bfd_reloc_offset_in_range if needed. */
		301	cont = howto->special_function (abfd, reloc_entry, symbol, data,
		302	input_section, output_bfd,
		303	error_message);
		304	@@ -637,7 +661,7 @@ bfd_perform_relocation (bfd *abfd,
		305
		306	/* Is the address of the relocation really within the section? */
		307	octets = reloc_entry->address * bfd_octets_per_byte (abfd);
		308	- if (!reloc_offset_in_range (howto, abfd, input_section, octets))
		309	+ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
		310	return bfd_reloc_outofrange;
		311
		312	/* Work out which section the relocation is targeted at and the
		313	@@ -1003,6 +1027,10 @@ bfd_install_relocation (bfd *abfd,
		314	{
		315	bfd_reloc_status_type cont;
		316
		317	+ /* Note - we do not call bfd_reloc_offset_in_range here as the
		318	+ reloc_entry->address field might actually be valid for the
		319	+ backend concerned. It is up to the special_function itself
		320	+ to call bfd_reloc_offset_in_range if needed. */
		321	/* XXX - The special_function calls haven't been fixed up to deal
		322	with creating new relocations and section contents. */
		323	cont = howto->special_function (abfd, reloc_entry, symbol,
		324	@@ -1025,7 +1053,7 @@ bfd_install_relocation (bfd *abfd,
		325
		326	/* Is the address of the relocation really within the section? */
		327	octets = reloc_entry->address * bfd_octets_per_byte (abfd);
		328	- if (!reloc_offset_in_range (howto, abfd, input_section, octets))
		329	+ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
		330	return bfd_reloc_outofrange;
		331
		332	/* Work out which section the relocation is targeted at and the
		333	@@ -1363,7 +1391,7 @@ _bfd_final_link_relocate (reloc_howto_ty
		334	bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
		335
		336	/* Sanity check the address. */
		337	- if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
		338	+ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets))
		339	return bfd_reloc_outofrange;
		340
		341	/* This function assumes that we are dealing with a basic relocation
		342	Index: git/bfd/ChangeLog
		343	===================================================================
		344	--- git.orig/bfd/ChangeLog
		345	+++ git/bfd/ChangeLog
		346	@@ -1,3 +1,20 @@
		347	+2017-11-28 Nick Clifton <nickc@redhat.com>
		348	+
		349	+ PR 22506
		350	+ * reloc.c (reloc_offset_in_range): Rename to
		351	+ bfd_reloc_offset_in_range and export.
		352	+ (bfd_perform_relocation): Rename function invocation.
		353	+ (bfd_install_relocation): Likewise.
		354	+ (bfd_final_link_relocate): Likewise.
		355	+ * bfd-in2.h: Regenerate.
		356	+ * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
		357	+ * coff-i386.c (coff_i386_reloc): Likewise.
		358	+ * coff-i860.c (coff_i860_reloc): Likewise.
		359	+ * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
		360	+ * coff-m88k.c (m88k_special_reloc): Likewise.
		361	+ * coff-mips.c (mips_reflo_reloc): Likewise.
		362	+ * coff-x86_64.c (coff_amd64_reloc): Likewise.
		363	+
		364	2017-11-16 Nick Clifton <nickc@redhat.com>
		365
		366	PR 22421