binutils: CVE-2017-9955

Source: binutils-gdb.git
MR: 73893
Type: Security Fix
Disposition: Backport from 'binutils-gdb.git/master' branch
ChangeID: 94c3ef8c1fa2e84e84ad76fb45307848d98817c8
Description:

PR 21665 : Fixed multiple heap based buffer overflow

Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: a36978f0dd372ec836f63942f965652ca3716e3f)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

10 files changed, 1061 insertions, 0 deletions

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index fdc1252c23..b38a9583cf 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -91,6 +91,15 @@ SRC_URI = "\
      file://CVE-2017-9756.patch \
      file://CVE-2017-9745.patch \
      file://CVE-2017-9954.patch \
+     file://CVE-2017-9955_1.patch \
+     file://CVE-2017-9955_2.patch \
+     file://CVE-2017-9955_3.patch \
+     file://CVE-2017-9955_4.patch \
+     file://CVE-2017-9955_5.patch \
+     file://CVE-2017-9955_6.patch \
+     file://CVE-2017-9955_7.patch \
+     file://CVE-2017-9955_8.patch \
+     file://CVE-2017-9955_9.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000000..6cd86c2a30
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,93 @@
+commit cfd14a500e0485374596234de4db10e88ebc7618
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Jun 26 15:25:08 2017 +0100
+
+    Fix address violations when atempting to parse fuzzed binaries.
+    
+        PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Check for and reject
+        a section whoes size is greater than the size of the entire file.
+        * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+        contain a notes section.
+    
+    binutils* objdump.c (disassemble_section): Skip any section that is bigger
+        than the entire file.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c     2017-09-21 17:32:51.645611404 +0530
++++ git/bfd/compress.c  2017-09-21 17:32:52.965622987 +0530
+@@ -239,6 +239,12 @@
+       *ptr = NULL;
+       return TRUE;
+     }
++  else if (bfd_get_file_size (abfd) > 0
++          && sz > (bfd_size_type) bfd_get_file_size (abfd))
++    {
++      *ptr = NULL;
++      return FALSE;
++    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c   2017-09-21 17:32:35.053465773 +0530
++++ git/bfd/elf32-v850.c        2017-09-21 17:32:52.965622987 +0530
+@@ -2448,7 +2448,9 @@
+        BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+ 
+       if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+-       BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
++       /* If the output is being stripped then it is possible for
++          the notes section to disappear.  In this case do nothing.  */
++       return;
+ 
+       /* Copy/overwrite notes from the input to the output.  */
+       memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
++++ git/binutils/objdump.c      2017-09-21 17:32:52.965622987 +0530
+@@ -1973,7 +1973,7 @@
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0)
++  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2839,7 +2839,7 @@
+ static void
+ dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+ {
+-  bfd_byte *data = 0;
++  bfd_byte *data = NULL;
+   bfd_size_type datasize;
+   bfd_vma addr_offset;
+   bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 17:32:52.909622495 +0530
++++ git/bfd/ChangeLog   2017-09-21 17:35:57.863164167 +0530
+@@ -11,6 +11,14 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
++2017-06-26  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21665
++       * compress.c (bfd_get_full_section_contents): Check for and reject
++       a section whoes size is greater than the size of the entire file.
++       * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
++       contain a notes section.
++
+  2017-07-24  Nick Clifton  <nickc@redhat.com>
+  
+        PR 21813
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
new file mode 100644
index 0000000000..6e1824bbab
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,112 @@
+commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Mon Jun 26 09:24:49 2017 -0700
+
+    Check file size before getting section contents
+    
+    Don't check the section size in bfd_get_full_section_contents since
+    the size of a decompressed section may be larger than the file size.
+    Instead, check file size in _bfd_generic_get_section_contents.
+    
+        PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Don't check the
+        file size here.
+        * libbfd.c (_bfd_generic_get_section_contents): Check for and
+        reject a section whoes size + offset is greater than the size
+        of the entire file.
+        (_bfd_generic_get_section_contents_in_window): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 17:41:59.457841691 +0530
++++ git/bfd/libbfd.c    2017-09-21 17:42:18.269987768 +0530
+@@ -780,6 +780,7 @@
+                                   bfd_size_type count)
+ {
+   bfd_size_type sz;
++  file_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -801,8 +802,15 @@
+     sz = section->rawsize;
+   else
+     sz = section->size;
++  filesz = bfd_get_file_size (abfd);
++  if (filesz < 0)
++    {
++      /* This should never happen.  */
++      abort ();
++    }
+   if (offset + count < count
+-      || offset + count > sz)
++      || offset + count > sz
++      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -825,6 +833,7 @@
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
++  file_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -857,7 +866,13 @@
+     sz = section->rawsize;
+   else
+     sz = section->size;
++  filesz = bfd_get_file_size (abfd);
++    {
++      /* This should never happen.  */
++      abort ();
++    }
+   if (offset + count > sz
++      || (section->filepos + offset + sz) > (bfd_size_type) filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+                                TRUE))
+     return FALSE;
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c     2017-09-21 17:42:18.213987332 +0530
++++ git/bfd/compress.c  2017-09-21 17:45:17.107399434 +0530
+@@ -239,12 +239,6 @@
+       *ptr = NULL;
+       return TRUE;
+     }
+-  else if (bfd_get_file_size (abfd) > 0
+-          && sz > (bfd_size_type) bfd_get_file_size (abfd))
+-    {
+-      *ptr = NULL;
+-      return FALSE;
+-    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 17:42:18.213987332 +0530
++++ git/bfd/ChangeLog   2017-09-21 17:47:03.668256850 +0530
+@@ -11,6 +11,16 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
++2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21665
++       * compress.c (bfd_get_full_section_contents): Don't check the
++       file size here.
++       * libbfd.c (_bfd_generic_get_section_contents): Check for and
++       reject a section whoes size + offset is greater than the size
++       of the entire file.
++       (_bfd_generic_get_section_contents_in_window): Likewise.
++
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch
new file mode 100644
index 0000000000..c8741b13ca
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch
@@ -0,0 +1,44 @@
+commit 1f473e3d0ad285195934e6a077c7ed32afe66437
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Mon Jun 26 15:47:16 2017 -0700
+
+    Add a missing line to _bfd_generic_get_section_contents_in_window
+    
+        PR binutils/21665
+        * libbfd.c (_bfd_generic_get_section_contents_in_window): Add
+        a missing line.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 17:57:11.424955516 +0530
++++ git/bfd/libbfd.c    2017-09-21 17:58:57.000000000 +0530
+@@ -867,6 +867,7 @@
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
++  if (filesz < 0)
+     {
+       /* This should never happen.  */
+       abort ();
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 17:57:11.424955516 +0530
++++ git/bfd/ChangeLog   2017-09-21 18:01:32.258884464 +0530
+@@ -14,6 +14,12 @@
+ 2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents_in_window): Add
++       a missing line.
++
++2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Don't check the
+        file size here.
+        * libbfd.c (_bfd_generic_get_section_contents): Check for and
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch
new file mode 100644
index 0000000000..d6b6a14254
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch
@@ -0,0 +1,50 @@
+commit ab27f80c5dceaa23c4ba7f62c0d5d22a5d5dd7a1
+Author: Pedro Alves <palves@redhat.com>
+Date:   Tue Jun 27 00:21:25 2017 +0100
+
+    Fix GDB regressions caused by previous bfd_get_section_contents changes
+    
+    Ref: https://sourceware.org/ml/binutils/2017-06/msg00343.html
+    
+    bfd/ChangeLog:
+    2017-06-26  Pedro Alves  <palves@redhat.com>
+    
+        PR binutils/21665
+        * libbfd.c (_bfd_generic_get_section_contents): Add "count", not
+        "sz".
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 18:01:58.079078554 +0530
++++ git/bfd/libbfd.c    2017-09-21 18:01:58.063078433 +0530
+@@ -810,7 +810,7 @@
+     }
+   if (offset + count < count
+       || offset + count > sz
+-      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
++      || (section->filepos + offset + count) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 18:01:32.258884464 +0530
++++ git/bfd/ChangeLog   2017-09-21 18:03:42.955872017 +0530
+@@ -11,6 +11,12 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
++2017-06-26  Pedro Alves  <palves@redhat.com>
++
++       PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents): Add "count", not
++       "sz".
++
+ 2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch
new file mode 100644
index 0000000000..3634421923
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch
@@ -0,0 +1,89 @@
+commit 7211ae501eb0de1044983f2dfb00091a58fbd66c
+Author: Alan Modra <amodra@gmail.com>
+Date:   Tue Jun 27 09:45:04 2017 +0930
+
+    More fixes for bfd_get_section_contents change
+    
+        PR binutils/21665
+        * libbfd.c (_bfd_generic_get_section_contents): Delete abort.
+        Use unsigned file pointer type, and remove cast.
+        * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
+        Add "count", not "sz".
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 18:04:47.316362760 +0530
++++ git/bfd/libbfd.c    2017-09-21 18:04:47.300362638 +0530
+@@ -780,7 +780,7 @@
+                                   bfd_size_type count)
+ {
+   bfd_size_type sz;
+-  file_ptr filesz;
++  ufile_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -803,14 +803,9 @@
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+-  if (filesz < 0)
+-    {
+-      /* This should never happen.  */
+-      abort ();
+-    }
+   if (offset + count < count
+       || offset + count > sz
+-      || (section->filepos + offset + count) > (bfd_size_type) filesz)
++      || section->filepos + offset + count > filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -833,7 +828,7 @@
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
+-  file_ptr filesz;
++  ufile_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -867,13 +862,8 @@
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+-  if (filesz < 0)
+-    {
+-      /* This should never happen.  */
+-      abort ();
+-    }
+   if (offset + count > sz
+-      || (section->filepos + offset + sz) > (bfd_size_type) filesz
++      || section->filepos + offset + count > filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+                                TRUE))
+     return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 18:03:42.955872017 +0530
++++ git/bfd/ChangeLog   2017-09-21 18:06:39.973228125 +0530
+@@ -11,6 +11,14 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
++2017-06-27  Alan Modra  <amodra@gmail.com>
++
++       PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents): Delete abort.
++       Use unsigned file pointer type, and remove cast.
++       * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
++       Add "count", not "sz".
++
+ 2017-06-26  Pedro Alves  <palves@redhat.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch
new file mode 100644
index 0000000000..55feb79c17
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch
@@ -0,0 +1,55 @@
+commit ea9aafc41a764e4e2dbb88a7b031e886b481b99a
+Author: Alan Modra <amodra@gmail.com>
+Date:   Tue Jun 27 14:43:49 2017 +0930
+
+    Warning fix
+    
+        PR binutils/21665
+        * libbfd.c (_bfd_generic_get_section_contents): Warning fix.
+        (_bfd_generic_get_section_contents_in_window): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 18:07:34.777651818 +0530
++++ git/bfd/libbfd.c    2017-09-21 18:07:34.761651695 +0530
+@@ -805,7 +805,7 @@
+   filesz = bfd_get_file_size (abfd);
+   if (offset + count < count
+       || offset + count > sz
+-      || section->filepos + offset + count > filesz)
++      || (ufile_ptr) section->filepos + offset + count > filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -863,7 +863,7 @@
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+   if (offset + count > sz
+-      || section->filepos + offset + count > filesz
++      || (ufile_ptr) section->filepos + offset + count > filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+                                TRUE))
+     return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 18:06:39.973228125 +0530
++++ git/bfd/ChangeLog   2017-09-21 18:09:41.798640031 +0530
+@@ -19,6 +19,12 @@
+        * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
+        Add "count", not "sz".
+ 
++2017-06-27  Alan Modra  <amodra@gmail.com>
++
++       PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents): Warning fix.
++       (_bfd_generic_get_section_contents_in_window): Likewise.
++
+ 2017-06-26  Pedro Alves  <palves@redhat.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
new file mode 100644
index 0000000000..0950561e10
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
@@ -0,0 +1,79 @@
+commit 60a02042bacf8d25814430080adda61ed086bca6
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Fri Jun 30 11:03:37 2017 +0100
+
+    Fix failures in MMIX linker tests introduced by fix for PR 21665.
+    
+        PR binutils/21665
+        * objdump.c (disassemble_section): Move check for an overlarge
+        section to just before the allocation of memory.  Do not check
+        section size against file size, but instead use an arbitrary 2Gb
+        limit.  Issue a warning message if the section is too big.
+
+Upstream-Status: CVE-2017-9955
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 18:10:55.499217078 +0530
++++ git/binutils/objdump.c      2017-09-21 18:10:55.483216953 +0530
+@@ -1973,7 +1973,7 @@
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
++  if (datasize == 0)
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2037,6 +2037,29 @@
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
++  /* PR 21665: Check for overlarge datasizes.
++     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
++     this fails when using compressed sections or compressed file formats
++     (eg MMO, tekhex).
++
++     The call to xmalloc below will fail if too much memory is requested,
++     which will catch the problem in the normal use case.  But if a memory
++     checker is in use, eg valgrind or sanitize, then an exception will
++     be still generated, so we try to catch the problem first.
++
++     Unfortunately there is no simple way to determine how much memory can
++     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
++     limit of 2Gb.  Hopefully this should be enough for most users.  If
++     someone does start trying to disassemble sections larger then 2Gb in
++     size they will doubtless complain and we can increase the limit.  */
++#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
++  if (datasize > MAX_XMALLOC)
++    {
++      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
++                section->name, (unsigned long) datasize);
++      return;
++    }
++
+   data = (bfd_byte *) xmalloc (datasize);
+ 
+   bfd_get_section_contents (abfd, section, data, 0, datasize);
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-09-21 17:57:10.448948416 +0530
++++ git/binutils/ChangeLog      2017-09-21 18:13:09.052268892 +0530
+@@ -4,6 +4,14 @@
+        * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+        string whilst concatenating symbol names.
+ 
++2017-06-30  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21665
++       * objdump.c (disassemble_section): Move check for an overlarge
++       section to just before the allocation of memory.  Do not check
++       section size against file size, but instead use an arbitrary 2Gb
++       limit.  Issue a warning message if the section is too big.
++
+ 2017-05-02  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21440
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
new file mode 100644
index 0000000000..8035ab38cb
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,170 @@
+commit bae7501e87ab614115d9d3213b4dd18d96e604db
+Author: Alan Modra <amodra@gmail.com>
+Date:   Sat Jul 1 21:58:10 2017 +0930
+
+    Use bfd_malloc_and_get_section
+    
+    It's nicer than xmalloc followed by bfd_get_section_contents, since
+    xmalloc exits on failure and needs a check that its size_t arg doesn't
+    lose high bits when converted from bfd_size_type.
+    
+        PR binutils/21665
+        * objdump.c (strtab): Make var a bfd_byte*.
+        (disassemble_section): Don't limit malloc size.  Instead, use
+        bfd_malloc_and_get_section.
+        (read_section_stabs): Use bfd_malloc_and_get_section.  Return
+        bfd_byte*.
+        (find_stabs_section): Remove now unnecessary cast.
+        * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+        contents on error return.
+        * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/binutils/nlmconv.c
+===================================================================
+--- git.orig/binutils/nlmconv.c 2017-09-21 18:14:15.792797232 +0530
++++ git/binutils/nlmconv.c      2017-09-21 18:14:15.776797105 +0530
+@@ -1224,7 +1224,7 @@
+   const char *inname;
+   asection *outsec;
+   bfd_size_type size;
+-  void *contents;
++  bfd_byte *contents;
+   long reloc_size;
+   bfd_byte buf[4];
+   bfd_size_type add;
+@@ -1240,9 +1240,7 @@
+     contents = NULL;
+   else
+     {
+-      contents = xmalloc (size);
+-      if (! bfd_get_section_contents (inbfd, insec, contents,
+-                                     (file_ptr) 0, size))
++      if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
+        bfd_fatal (bfd_get_filename (inbfd));
+     }
+ 
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 18:14:15.792797232 +0530
++++ git/binutils/objdump.c      2017-09-21 18:23:30.420895459 +0530
+@@ -180,7 +180,7 @@
+ static bfd_byte *stabs;
+ static bfd_size_type stab_size;
+ 
+-static char *strtab;
++static bfd_byte *strtab;
+ static bfd_size_type stabstr_size;
+ 
+ static bfd_boolean is_relocatable = FALSE;
+@@ -2037,33 +2037,13 @@
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
+-  /* PR 21665: Check for overlarge datasizes.
+-     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+-     this fails when using compressed sections or compressed file formats
+-     (eg MMO, tekhex).
+-
+-     The call to xmalloc below will fail if too much memory is requested,
+-     which will catch the problem in the normal use case.  But if a memory
+-     checker is in use, eg valgrind or sanitize, then an exception will
+-     be still generated, so we try to catch the problem first.
+-
+-     Unfortunately there is no simple way to determine how much memory can
+-     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
+-     limit of 2Gb.  Hopefully this should be enough for most users.  If
+-     someone does start trying to disassemble sections larger then 2Gb in
+-     size they will doubtless complain and we can increase the limit.  */
+-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+-  if (datasize > MAX_XMALLOC)
++  if (!bfd_malloc_and_get_section (abfd, section, &data))
+     {
+-      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+-                section->name, (unsigned long) datasize);
++      non_fatal (_("Reading section %s failed because: %s"),
++                section->name, bfd_errmsg (bfd_get_error ()));
+       return;
+     }
+ 
+-  data = (bfd_byte *) xmalloc (datasize);
+-
+-  bfd_get_section_contents (abfd, section, data, 0, datasize);
+-
+   paux->sec = section;
+   pinfo->buffer = data;
+   pinfo->buffer_vma = section->vma;
+@@ -2579,12 +2559,11 @@
+ /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
+    it.  Return NULL on failure.   */
+ 
+-static char *
++static bfd_byte *
+ read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
+ {
+   asection *stabsect;
+-  bfd_size_type size;
+-  char *contents;
++  bfd_byte *contents;
+ 
+   stabsect = bfd_get_section_by_name (abfd, sect_name);
+   if (stabsect == NULL)
+@@ -2593,10 +2572,7 @@
+       return FALSE;
+     }
+ 
+-  size = bfd_section_size (abfd, stabsect);
+-  contents  = (char *) xmalloc (size);
+-
+-  if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
++  if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
+     {
+       non_fatal (_("reading %s section of %s failed: %s"),
+                 sect_name, bfd_get_filename (abfd),
+@@ -2606,7 +2582,7 @@
+       return NULL;
+     }
+ 
+-  *size_ptr = size;
++  *size_ptr = bfd_section_size (abfd, stabsect);
+ 
+   return contents;
+ }
+@@ -2733,8 +2709,7 @@
+ 
+       if (strtab)
+        {
+-         stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
+-                                                  &stab_size);
++         stabs = read_section_stabs (abfd, section->name, &stab_size);
+          if (stabs)
+            print_section_stabs (abfd, section->name, &sought->string_offset);
+        }
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
++++ git/binutils/ChangeLog      2017-09-21 18:25:00.195937741 +0530
+@@ -4,6 +4,19 @@
+        * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+        string whilst concatenating symbol names.
+ 
++2017-07-01  Alan Modra  <amodra@gmail.com>
++
++       PR binutils/21665
++       * objdump.c (strtab): Make var a bfd_byte*.
++       (disassemble_section): Don't limit malloc size.  Instead, use
++       bfd_malloc_and_get_section.
++       (read_section_stabs): Use bfd_malloc_and_get_section.  Return
++       bfd_byte*.
++       (find_stabs_section): Remove now unnecessary cast.
++       * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
++       contents on error return.
++       * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
++
+ 2017-06-30  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch
new file mode 100644
index 0000000000..2f50337dab
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch
@@ -0,0 +1,360 @@
+commit 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Tue May 30 06:34:05 2017 -0700
+
+    Add bfd_get_file_size to get archive element size
+    
+    We can't use stat() to get archive element size.  Add bfd_get_file_size
+    to get size for both normal files and archive elements.
+    
+    bfd/
+    
+        PR binutils/21519
+        * bfdio.c (bfd_get_file_size): New function.
+        * bfd-in2.h: Regenerated.
+    
+    binutils/
+    
+        PR binutils/21519
+        * objdump.c (dump_relocs_in_section): Replace get_file_size
+        with bfd_get_file_size to get archive element size.
+        * testsuite/binutils-all/objdump.exp (test_objdump_f): New
+        proc.
+        (test_objdump_h): Likewise.
+        (test_objdump_t): Likewise.
+        (test_objdump_r): Likewise.
+        (test_objdump_s): Likewise.
+        Add objdump tests on archive.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/bfd-in2.h
+===================================================================
+--- git.orig/bfd/bfd-in2.h      2017-09-21 20:09:13.475032861 +0530
++++ git/bfd/bfd-in2.h   2017-09-21 20:09:16.375051269 +0530
+@@ -1208,6 +1208,8 @@
+ 
+ file_ptr bfd_get_size (bfd *abfd);
+ 
++file_ptr bfd_get_file_size (bfd *abfd);
++
+ void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len,
+     int prot, int flags, file_ptr offset,
+     void **map_addr, bfd_size_type *map_len);
+Index: git/bfd/bfdio.c
+===================================================================
+--- git.orig/bfd/bfdio.c        2017-09-21 20:08:55.774919453 +0530
++++ git/bfd/bfdio.c     2017-09-21 20:09:16.375051269 +0530
+@@ -434,6 +434,29 @@
+   return buf.st_size;
+ }
+ 
++/*
++FUNCTION
++       bfd_get_file_size
++
++SYNOPSIS
++       file_ptr bfd_get_file_size (bfd *abfd);
++
++DESCRIPTION
++       Return the file size (as read from file system) for the file
++       associated with BFD @var{abfd}.  It supports both normal files
++       and archive elements.
++
++*/
++
++file_ptr
++bfd_get_file_size (bfd *abfd)
++{
++  if (abfd->my_archive != NULL
++      && !bfd_is_thin_archive (abfd->my_archive))
++    return arelt_size (abfd);
++
++  return bfd_get_size (abfd);
++}
+ 
+ /*
+ FUNCTION
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 20:09:16.319050914 +0530
++++ git/binutils/objdump.c      2017-09-21 20:09:16.375051269 +0530
+@@ -3240,7 +3240,7 @@
+     }
+ 
+   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+-      && relsize > get_file_size (bfd_get_filename (abfd)))
++      && relsize > bfd_get_file_size (abfd))
+     {
+       printf (" (too many: 0x%x)\n", section->reloc_count);
+       bfd_set_error (bfd_error_file_truncated);
+Index: git/binutils/testsuite/binutils-all/objdump.exp
+===================================================================
+--- git.orig/binutils/testsuite/binutils-all/objdump.exp        2017-09-21 20:08:55.982920797 +0530
++++ git/binutils/testsuite/binutils-all/objdump.exp     2017-09-21 20:09:16.375051269 +0530
+@@ -64,96 +64,168 @@
+ if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest.o]} then {
+     return
+ }
++if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest2.o]} then {
++    return
++}
+ if [is_remote host] {
+     set testfile [remote_download host tmpdir/bintest.o]
++    set testfile2 [remote_download host tmpdir/bintest2.o]
+ } else {
+     set testfile tmpdir/bintest.o
++    set testfile2 tmpdir/bintest2.o
++}
++
++if { ![istarget "alpha-*-*"] || [is_elf_format] } then {
++    remote_file host file delete tmpdir/bintest.a
++    set got [binutils_run $AR "rc tmpdir/bintest.a $testfile2"]
++    if ![string match "" $got] then {
++       fail "bintest.a"
++       remote_file host delete tmpdir/bintest.a
++    } else {
++       if [is_remote host] {
++           set testarchive [remote_download host tmpdir/bintest.a]
++       } else {
++           set testarchive tmpdir/bintest.a
++       }
++    }
++    remote_file host delete tmpdir/bintest2.o
+ }
+ 
+ # Test objdump -f
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
++proc test_objdump_f { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
++    global cpus_regex
+ 
+-set want "$testfile:\[         \]*file format.*architecture:\[         \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
+ 
+-if ![regexp $want $got] then {
+-    fail "objdump -f"
+-} else {
+-    pass "objdump -f"
++    set want "$dumpfile:\[     \]*file format.*architecture:\[         \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
++
++    if ![regexp $want $got] then {
++       fail "objdump -f ($testfile, $dumpfile)"
++    } else {
++       pass "objdump -f ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_f $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_f $testarchive bintest2.o
+ }
+ 
+ # Test objdump -h
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
++proc test_objdump_h { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[         \]*file format.*Sections.*\[0-9\]+\[    \]+\[^  \]*(text|TEXT|P|\\\$CODE\\\$)\[^        \]*\[   \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[         \]+\[^  \]*(\\.data|DATA|D_1)\[^        \]*\[   \]*(\[0-9a-fA-F\]+)"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
+ 
+-if ![regexp $want $got all text_name text_size data_name data_size] then {
+-    fail "objdump -h"
+-} else {
+-    verbose "text name is $text_name size is $text_size"
+-    verbose "data name is $data_name size is $data_size"
+-    set ets 8
+-    set eds 4
+-    # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
+-    if [istarget *c4x*-*-*] then {
+-        set ets 2
+-        set eds 1
+-    }
+-    # c54x section sizes are in bytes, not octets; adjust accordingly
+-    if [istarget *c54x*-*-*] then {
+-       set ets 4
+-       set eds 2
+-    }
+-    if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
+-       send_log "sizes too small\n"
+-       fail "objdump -h"
++    set want "$dumpfile:\[     \]*file format.*Sections.*\[0-9\]+\[    \]+\[^  \]*(text|TEXT|P|\\\$CODE\\\$)\[^        \]*\[   \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[         \]+\[^  \]*(\\.data|DATA|D_1)\[^        \]*\[   \]*(\[0-9a-fA-F\]+)"
++
++    if ![regexp $want $got all text_name text_size data_name data_size] then {
++       fail "objdump -h ($testfile, $dumpfile)"
+     } else {
+-       pass "objdump -h"
++       verbose "text name is $text_name size is $text_size"
++       verbose "data name is $data_name size is $data_size"
++       set ets 8
++       set eds 4
++       # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
++       if [istarget *c4x*-*-*] then {
++            set ets 2
++            set eds 1
++       }
++       # c54x section sizes are in bytes, not octets; adjust accordingly
++       if [istarget *c54x*-*-*] then {
++           set ets 4
++           set eds 2
++        }
++       if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
++           send_log "sizes too small\n"
++           fail "objdump -h ($testfile, $dumpfile)"
++       } else {
++           pass "objdump -h ($testfile, $dumpfile)"
++       }
+     }
+ }
+ 
++test_objdump_h $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_h $testarchive bintest2.o
++}
++
+ # Test objdump -t
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
++proc test_objdump_t { testfile} {
++    global OBJDUMP
++    global OBJDUMPFLAGS
++
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
++
++    if [info exists vars] then { unset vars }
++    while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
++       set vars($symbol) 1
++       set got $rest
++    }
+ 
+-if [info exists vars] then { unset vars }
+-while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
+-    set vars($symbol) 1
+-    set got $rest
++    if {![info exists vars(text_symbol)] \
++        || ![info exists vars(data_symbol)] \
++        || ![info exists vars(common_symbol)] \
++        || ![info exists vars(external_symbol)]} then {
++       fail "objdump -t ($testfile)"
++    } else {
++       pass "objdump -t ($testfile)"
++    }
+ }
+ 
+-if {![info exists vars(text_symbol)] \
+-     || ![info exists vars(data_symbol)] \
+-     || ![info exists vars(common_symbol)] \
+-     || ![info exists vars(external_symbol)]} then {
+-    fail "objdump -t"
+-} else {
+-    pass "objdump -t"
++test_objdump_t $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_t $testarchive
+ }
+ 
+ # Test objdump -r
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
++proc test_objdump_r { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[         \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
+ 
+-if [regexp $want $got] then {
+-    pass "objdump -r"
+-} else {
+-    fail "objdump -r"
++    set want "$dumpfile:\[     \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
++
++    if [regexp $want $got] then {
++       pass "objdump -r ($testfile, $dumpfile)"
++    } else {
++       fail "objdump -r ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_r $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_r $testarchive bintest2.o
+ }
+ 
+ # Test objdump -s
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
++proc test_objdump_s { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[         \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[         \]*\[0-9a-fA-F\]*\[     \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[   \]*\[0-9a-fA-F\]*\[     \]*(00000002|02000000|00000200)"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
+ 
+-if [regexp $want $got] then {
+-    pass "objdump -s"
+-} else {
+-    fail "objdump -s"
++    set want "$dumpfile:\[     \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[         \]*\[0-9a-fA-F\]*\[     \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[   \]*\[0-9a-fA-F\]*\[     \]*(00000002|02000000|00000200)"
++
++    if [regexp $want $got] then {
++       pass "objdump -s ($testfile, $dumpfile)"
++    } else {
++       fail "objdump -s ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_s $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_s $testarchive bintest2.o
+ }
+ 
+ # Test objdump -s on a file that contains a compressed .debug section
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 20:09:16.207050204 +0530
++++ git/bfd/ChangeLog   2017-09-21 20:13:41.504562787 +0530
+@@ -158,6 +158,12 @@
+        (bfd_perform_relocation, bfd_install_relocation): Use it.
+        (_bfd_final_link_relocate): Likewise.
+ 
++2017-05-30  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21519
++       * bfdio.c (bfd_get_file_size): New function.
++       * bfd-in2.h: Regenerated.
++
+ 2017-04-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21434
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-09-21 20:09:16.319050914 +0530
++++ git/binutils/ChangeLog      2017-09-21 20:12:42.624252645 +0530
+@@ -25,6 +25,19 @@
+        section size against file size, but instead use an arbitrary 2Gb
+        limit.  Issue a warning message if the section is too big.
+ 
++2017-05-30  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21519
++       * objdump.c (dump_relocs_in_section): Replace get_file_size
++       with bfd_get_file_size to get archive element size.
++       * testsuite/binutils-all/objdump.exp (test_objdump_f): New
++       proc.
++       (test_objdump_h): Likewise.
++       (test_objdump_t): Likewise.
++       (test_objdump_r): Likewise.
++       (test_objdump_s): Likewise.
++       Add objdump tests on archive.
++
+ 2017-05-02  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21440