3 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 76add0fe4b..27a643d765 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
     file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \
     file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \
     file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
+     file://CVE-2018-17358.patch \
+     file://CVE-2018-17360.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
new file mode 100644
index 0000000000..813509160f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
+From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 15:29:17 +0930
+Subject: [PATCH] Bug 23686, two segment faults in nm
+Fixes the bugs exposed by the testcases in the PR, plus two more bugs
+I noticed when looking at _bfd_stab_section_find_nearest_line.
+        PR 23686
+        * dwarf2.c (read_section): Error when attempting to malloc
+        "(bfd_size_type) -1".
+        * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+        function_name.  Bounds check reloc address.  Formatting.  Ensure
+        .stabstr zero terminated.
+CVE: CVE-2018-17358 and CVE-2018-17359
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog |  9 +++++++++
+ bfd/dwarf2.c  |  9 ++++++++-
+ bfd/syms.c    | 22 ++++++++++++++++------
+ 3 files changed, 33 insertions(+), 7 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 04c0c2a..fef5479 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,3 +1,12 @@
+2018-09-20  Alan Modra  <amodra@gmail.com>
+
+       PR 23686
+       * dwarf2.c (read_section): Error when attempting to malloc
+       "(bfd_size_type) -1".
+       * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+       function_name.  Bounds check reloc address.  Formatting.  Ensure
+       .stabstr zero terminated.
+
+ 2018-08-12  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR ld/23428
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 3b28855..77a7368 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -527,6 +527,7 @@ read_section (bfd *       abfd,
+   asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+@@ -549,7 +550,13 @@ read_section (bfd *              abfd,
+       *section_size = msec->rawsize ? msec->rawsize : msec->size;
+       /* Paranoia - alloc one extra so that we can make sure a string
+         section is NUL terminated.  */
+-      contents = (bfd_byte *) bfd_malloc (*section_size + 1);
+      amt = *section_size + 1;
+      if (amt == 0)
+       {
+         bfd_set_error (bfd_error_no_memory);
+         return FALSE;
+       }
+      contents = (bfd_byte *) bfd_malloc (amt);
+       if (contents == NULL)
+        return FALSE;
+       if (syms
+diff --git a/bfd/syms.c b/bfd/syms.c
+index 187071f..e09640a 100644
+--- a/bfd/syms.c
+++ b/bfd/syms.c
+@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                                         0, strsize))
+        return FALSE;
+ 
+      /* Stab strings ought to be nul terminated.  Ensure the last one
+        is, to prevent running off the end of the buffer.  */
+      info->strs[strsize - 1] = 0;
+
+       /* If this is a relocatable object file, we have to relocate
+         the entries in .stab.  This should always be simple 32 bit
+         relocations against symbols defined in this object file, so
+@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                  || r->howto->bitsize != 32
+                  || r->howto->pc_relative
+                  || r->howto->bitpos != 0
+-                 || r->howto->dst_mask != 0xffffffff)
+                 || r->howto->dst_mask != 0xffffffff
+                 || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
+                {
+                  _bfd_error_handler
+                    (_("unsupported .stab relocation"));
+@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                {
+                  nul_fun = stab;
+                  nul_str = str;
+-                 if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+                 if (file_name >= (char *) info->strs + strsize
+                     || file_name < (char *) str)
+                    file_name = NULL;
+                  if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
+                      && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
+@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                      directory_name = file_name;
+                      file_name = ((char *) str
+                                   + bfd_get_32 (abfd, stab + STRDXOFF));
+-                     if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+                     if (file_name >= (char *) info->strs + strsize
+                         || file_name < (char *) str)
+                        file_name = NULL;
+                    }
+                }
+@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+              file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+              /* PR 17512: file: 0c680a1f.  */
+              /* PR 17512: file: 5da8aec4.  */
+-             if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+             if (file_name >= (char *) info->strs + strsize
+                 || file_name < (char *) str)
+                file_name = NULL;
+              break;
+ 
+@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+              function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+              if (function_name == (char *) str)
+                continue;
+-             if (function_name >= (char *) info->strs + strsize)
+             if (function_name >= (char *) info->strs + strsize
+                 || function_name < (char *) str)
+                function_name = NULL;
+ 
+              nul_fun = NULL;
+@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+          if (val <= offset)
+            {
+              file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+-             if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+             if (file_name >= (char *) info->strs + strsize
+                 || file_name < (char *) str)
+                file_name = NULL;
+              *pline = 0;
+            }
+-- 
+2.9.3
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
new file mode 100644
index 0000000000..cef10a7546
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
@@ -0,0 +1,65 @@
+From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 18:23:17 +0930
+Subject: [PATCH] PR23685, buffer overflow
+        PR 23685
+        * peXXigen.c (pe_print_edata): Correct export address table
+        overflow checks.  Check dataoff against section size too.
+CVE: CVE-2018-17360
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/peXXigen.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index fef5479..81b9e56 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2018-09-20  Alan Modra  <amodra@gmail.com>
+ 
+       PR 23685
+       * peXXigen.c (pe_print_edata): Correct export address table
+       overflow checks.  Check dataoff against section size too.
+
+2018-09-20  Alan Modra  <amodra@gmail.com>
+
+        PR 23686
+        * dwarf2.c (read_section): Error when attempting to malloc
+        "(bfd_size_type) -1".
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 598f2ca..1645ef4 100644
+--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
+@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
+ 
+       dataoff = addr - section->vma;
+       datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
+-      if (datasize > section->size - dataoff)
+      if (dataoff > section->size
+         || datasize > section->size - dataoff)
+        {
+          fprintf (file,
+                   _("\nThere is an export table in %s, but it does not fit into that section\n"),
+@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
+          edt.base);
+ 
+   /* PR 17512: Handle corrupt PE binaries.  */
+-  if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
+  /* PR 17512 file: 140-165018-0.004.  */
+  if (edt.eat_addr - adj >= datasize
+       /* PR 17512: file: 092b1829 */
+-      || (edt.num_functions * 4) < edt.num_functions
+-      /* PR 17512 file: 140-165018-0.004.  */
+-      || data + edt.eat_addr - adj < data)
+      || (edt.num_functions + 1) * 4 < edt.num_functions
+      || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
+     fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
+             (long) edt.eat_addr,
+             (long) edt.num_functions);
+-- 
+2.9.3

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 76add0fe4b..27a643d765 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -41,6 +41,8 @@ SRC_URI = "\
41	file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \	41	file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \
42	file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \	42	file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \
43	file://0021-PLT-information-was-still-being-generated-when-symbo.patch \	43	file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
		44	file://CVE-2018-17358.patch \
		45	file://CVE-2018-17360.patch \
44	"	46	"
45	S = "${WORKDIR}/git"	47	S = "${WORKDIR}/git"
46		48


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch new file mode 100644 index 0000000000..813509160f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
		1	From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 20 Sep 2018 15:29:17 +0930
		4	Subject: [PATCH] Bug 23686, two segment faults in nm
		5
		6	Fixes the bugs exposed by the testcases in the PR, plus two more bugs
		7	I noticed when looking at _bfd_stab_section_find_nearest_line.
		8
		9	PR 23686
		10	* dwarf2.c (read_section): Error when attempting to malloc
		11	"(bfd_size_type) -1".
		12	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
		13	function_name. Bounds check reloc address. Formatting. Ensure
		14	.stabstr zero terminated.
		15	CVE: CVE-2018-17358 and CVE-2018-17359
		16	Upstream-Status: Backport
		17	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		18	---
		19	bfd/ChangeLog \| 9 +++++++++
		20	bfd/dwarf2.c \| 9 ++++++++-
		21	bfd/syms.c \| 22 ++++++++++++++++------
		22	3 files changed, 33 insertions(+), 7 deletions(-)
		23
		24	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
		25	index 04c0c2a..fef5479 100644
		26	--- a/bfd/ChangeLog
		27	+++ b/bfd/ChangeLog
		28	@@ -1,3 +1,12 @@
		29	+2018-09-20 Alan Modra <amodra@gmail.com>
		30	+
		31	+ PR 23686
		32	+ * dwarf2.c (read_section): Error when attempting to malloc
		33	+ "(bfd_size_type) -1".
		34	+ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
		35	+ function_name. Bounds check reloc address. Formatting. Ensure
		36	+ .stabstr zero terminated.
		37	+
		38	2018-08-12 H.J. Lu <hongjiu.lu@intel.com>
		39
		40	PR ld/23428
		41	diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
		42	index 3b28855..77a7368 100644
		43	--- a/bfd/dwarf2.c
		44	+++ b/bfd/dwarf2.c
		45	@@ -527,6 +527,7 @@ read_section (bfd * abfd,
		46	asection *msec;
		47	const char *section_name = sec->uncompressed_name;
		48	bfd_byte contents = section_buffer;
		49	+ bfd_size_type amt;
		50
		51	/* The section may have already been read. */
		52	if (contents == NULL)
		53	@@ -549,7 +550,13 @@ read_section (bfd * abfd,
		54	*section_size = msec->rawsize ? msec->rawsize : msec->size;
		55	/* Paranoia - alloc one extra so that we can make sure a string
		56	section is NUL terminated. */
		57	- contents = (bfd_byte ) bfd_malloc (section_size + 1);
		58	+ amt = *section_size + 1;
		59	+ if (amt == 0)
		60	+ {
		61	+ bfd_set_error (bfd_error_no_memory);
		62	+ return FALSE;
		63	+ }
		64	+ contents = (bfd_byte *) bfd_malloc (amt);
		65	if (contents == NULL)
		66	return FALSE;
		67	if (syms
		68	diff --git a/bfd/syms.c b/bfd/syms.c
		69	index 187071f..e09640a 100644
		70	--- a/bfd/syms.c
		71	+++ b/bfd/syms.c
		72	@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		73	0, strsize))
		74	return FALSE;
		75
		76	+ /* Stab strings ought to be nul terminated. Ensure the last one
		77	+ is, to prevent running off the end of the buffer. */
		78	+ info->strs[strsize - 1] = 0;
		79	+
		80	/* If this is a relocatable object file, we have to relocate
		81	the entries in .stab. This should always be simple 32 bit
		82	relocations against symbols defined in this object file, so
		83	@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		84	\|\| r->howto->bitsize != 32
		85	\|\| r->howto->pc_relative
		86	\|\| r->howto->bitpos != 0
		87	- \|\| r->howto->dst_mask != 0xffffffff)
		88	+ \|\| r->howto->dst_mask != 0xffffffff
		89	+ \|\| r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
		90	{
		91	_bfd_error_handler
		92	(_("unsupported .stab relocation"));
		93	@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		94	{
		95	nul_fun = stab;
		96	nul_str = str;
		97	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
		98	+ if (file_name >= (char *) info->strs + strsize
		99	+ \|\| file_name < (char *) str)
		100	file_name = NULL;
		101	if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
		102	&& *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
		103	@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		104	directory_name = file_name;
		105	file_name = ((char *) str
		106	+ bfd_get_32 (abfd, stab + STRDXOFF));
		107	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
		108	+ if (file_name >= (char *) info->strs + strsize
		109	+ \|\| file_name < (char *) str)
		110	file_name = NULL;
		111	}
		112	}
		113	@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		114	file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
		115	/* PR 17512: file: 0c680a1f. */
		116	/* PR 17512: file: 5da8aec4. */
		117	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
		118	+ if (file_name >= (char *) info->strs + strsize
		119	+ \|\| file_name < (char *) str)
		120	file_name = NULL;
		121	break;
		122
		123	@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		124	function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
		125	if (function_name == (char *) str)
		126	continue;
		127	- if (function_name >= (char *) info->strs + strsize)
		128	+ if (function_name >= (char *) info->strs + strsize
		129	+ \|\| function_name < (char *) str)
		130	function_name = NULL;
		131
		132	nul_fun = NULL;
		133	@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
		134	if (val <= offset)
		135	{
		136	file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
		137	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
		138	+ if (file_name >= (char *) info->strs + strsize
		139	+ \|\| file_name < (char *) str)
		140	file_name = NULL;
		141	*pline = 0;
		142	}
		143	--
		144	2.9.3


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch new file mode 100644 index 0000000000..cef10a7546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
@@ -0,0 +1,65 @@
		1	From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 20 Sep 2018 18:23:17 +0930
		4	Subject: [PATCH] PR23685, buffer overflow
		5
		6	PR 23685
		7	* peXXigen.c (pe_print_edata): Correct export address table
		8	overflow checks. Check dataoff against section size too.
		9
		10	CVE: CVE-2018-17360
		11	Upstream-Status: Backport
		12	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		13	---
		14	bfd/ChangeLog \| 6 ++++++
		15	bfd/peXXigen.c \| 11 ++++++-----
		16	2 files changed, 12 insertions(+), 5 deletions(-)
		17
		18	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
		19	index fef5479..81b9e56 100644
		20	--- a/bfd/ChangeLog
		21	+++ b/bfd/ChangeLog
		22	@@ -1,5 +1,11 @@
		23	2018-09-20 Alan Modra <amodra@gmail.com>
		24
		25	+ PR 23685
		26	+ * peXXigen.c (pe_print_edata): Correct export address table
		27	+ overflow checks. Check dataoff against section size too.
		28	+
		29	+2018-09-20 Alan Modra <amodra@gmail.com>
		30	+
		31	PR 23686
		32	* dwarf2.c (read_section): Error when attempting to malloc
		33	"(bfd_size_type) -1".
		34	diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
		35	index 598f2ca..1645ef4 100644
		36	--- a/bfd/peXXigen.c
		37	+++ b/bfd/peXXigen.c
		38	@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
		39
		40	dataoff = addr - section->vma;
		41	datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
		42	- if (datasize > section->size - dataoff)
		43	+ if (dataoff > section->size
		44	+ \|\| datasize > section->size - dataoff)
		45	{
		46	fprintf (file,
		47	_("\nThere is an export table in %s, but it does not fit into that section\n"),
		48	@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
		49	edt.base);
		50
		51	/* PR 17512: Handle corrupt PE binaries. */
		52	- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
		53	+ /* PR 17512 file: 140-165018-0.004. */
		54	+ if (edt.eat_addr - adj >= datasize
		55	/* PR 17512: file: 092b1829 */
		56	- \|\| (edt.num_functions * 4) < edt.num_functions
		57	- /* PR 17512 file: 140-165018-0.004. */
		58	- \|\| data + edt.eat_addr - adj < data)
		59	+ \|\| (edt.num_functions + 1) * 4 < edt.num_functions
		60	+ \|\| edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
		61	fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
		62	(long) edt.eat_addr,
		63	(long) edt.num_functions);
		64	--
		65	2.9.3