Binutils: Security fix for CVE-2018-10535

Affects: <= 2.30

(From OE-Core rev: 5fc41ff3341074497a1359969baf880d8035826b)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 64 insertions, 0 deletions

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ab6174559d..4d9983b984 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -68,6 +68,7 @@ SRC_URI = "\
      file://CVE-2018-10372.patch \
      file://CVE-2018-10373.patch \
      file://CVE-2018-10534.patch \
+     file://CVE-2018-10535.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
new file mode 100644
index 0000000000..29b834337e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
@@ -0,0 +1,63 @@
+From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 24 Apr 2018 16:57:04 +0100
+Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF
+ binary with corrupt section symbols.
+
+        PR 23113
+        * elf.c (ignore_section_sym): Check for the output_section pointer
+        being NULL before dereferencing it.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-10535
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 4 ++++
+ bfd/elf.c     | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -3994,15 +3994,22 @@ ignore_section_sym (bfd *abfd, asymbol *
+ {
+   elf_symbol_type *type_ptr;
+ 
++  if (sym == NULL)
++    return FALSE;
++
+   if ((sym->flags & BSF_SECTION_SYM) == 0)
+     return FALSE;
+ 
++  if (sym->section == NULL)
++    return TRUE;
++
+   type_ptr = elf_symbol_from (abfd, sym);
+   return ((type_ptr != NULL
+           && type_ptr->internal_elf_sym.st_shndx != 0
+           && bfd_is_abs_section (sym->section))
+          || !(sym->section->owner == abfd
+-              || (sym->section->output_section->owner == abfd
++              || (sym->section->output_section != NULL
++                  && sym->section->output_section->owner == abfd
+                   && sym->section->output_offset == 0)
+               || bfd_is_abs_section (sym->section)));
+ }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,10 @@
+ 2018-04-24  Nick Clifton  <nickc@redhat.com>
++ 
++       PR 23113
++       * elf.c (ignore_section_sym): Check for the output_section pointer
++       being NULL before dereferencing it.
++
++2018-04-24  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 23110
+        * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for