2 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
index 3a39d5f7b8..32eb44e08b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
     file://CVE-2018-6759.patch \
     file://CVE-2018-7642.patch \
     file://CVE-2018-7208.patch \
+     file://CVE-2018-7569.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000000..96c0fd2422
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,119 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+        PR 22895
+        PR 22893
+        * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+        pointer.  Drop unused abfd parameter.  Check the size of the block
+        before initialising the data field.  Return the end pointer if the
+        size is invalid.
+        (read_attribute_value): Adjust invocations of read_n_bytes.
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-             bfd_byte *buf,
+-             bfd_byte *end,
+-             unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
+read_n_bytes (bfd_byte *           buf,
+             bfd_byte *           end,
+             struct dwarf_block * block)
+{
+  unsigned int  size = block->size;
+  bfd_byte *    block_end = buf + size;
+
+  if (block_end > end || block_end < buf)
+    {
+      block->data = NULL;
+      block->size = 0;
+      return end;
+    }
+  else
+    {
+      block->data = buf;
+      return block_end;
+    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+                                         FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -6,6 +6,14 @@
+ 
+ 2018-02-28  Alan Modra  <amodra@gmail.com>
+ 
+       PR 22895
+       PR 22893
+       * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+       pointer.  Drop unused abfd parameter.  Check the size of the block
+       before initialising the data field.  Return the end pointer if the
+       size is invalid.
+       (read_attribute_value): Adjust invocations of read_n_bytes.
+
+        PR 22887
+        * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+

diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc index 3a39d5f7b8..32eb44e08b 100644 --- a/meta/recipes-devtools/binutils/binutils-2.30.inc +++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
41	file://CVE-2018-6759.patch \	41	file://CVE-2018-6759.patch \
42	file://CVE-2018-7642.patch \	42	file://CVE-2018-7642.patch \
43	file://CVE-2018-7208.patch \	43	file://CVE-2018-7208.patch \
		44	file://CVE-2018-7569.patch \
44	"	45	"
45	S = "${WORKDIR}/git"	46	S = "${WORKDIR}/git"
46		47


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch new file mode 100644 index 0000000000..96c0fd2422 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,119 @@
		1	From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 28 Feb 2018 11:50:49 +0000
		4	Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
		5	FORM blocks.
		6
		7	PR 22895
		8	PR 22893
		9	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
		10	pointer. Drop unused abfd parameter. Check the size of the block
		11	before initialising the data field. Return the end pointer if the
		12	size is invalid.
		13	(read_attribute_value): Adjust invocations of read_n_bytes.
		14
		15	Upstream-Status: Backport
		16	Affects: Binutils <= 2.30
		17	CVE: CVE-2018-7569
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19	---
		20	bfd/ChangeLog \| 8 ++++++++
		21	bfd/dwarf2.c \| 36 +++++++++++++++++++++---------------
		22	2 files changed, 29 insertions(+), 15 deletions(-)
		23
		24	Index: git/bfd/dwarf2.c
		25	===================================================================
		26	--- git.orig/bfd/dwarf2.c
		27	+++ git/bfd/dwarf2.c
		28	@@ -622,14 +622,24 @@ read_8_bytes (bfd abfd, bfd_byte buf,
		29	}
		30
		31	static bfd_byte *
		32	-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
		33	- bfd_byte *buf,
		34	- bfd_byte *end,
		35	- unsigned int size ATTRIBUTE_UNUSED)
		36	-{
		37	- if (buf + size > end)
		38	- return NULL;
		39	- return buf;
		40	+read_n_bytes (bfd_byte * buf,
		41	+ bfd_byte * end,
		42	+ struct dwarf_block * block)
		43	+{
		44	+ unsigned int size = block->size;
		45	+ bfd_byte * block_end = buf + size;
		46	+
		47	+ if (block_end > end \|\| block_end < buf)
		48	+ {
		49	+ block->data = NULL;
		50	+ block->size = 0;
		51	+ return end;
		52	+ }
		53	+ else
		54	+ {
		55	+ block->data = buf;
		56	+ return block_end;
		57	+ }
		58	}
		59
		60	/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
		61	@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
		62	return NULL;
		63	blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
		64	info_ptr += 2;
		65	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		66	- info_ptr += blk->size;
		67	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		68	attr->u.blk = blk;
		69	break;
		70	case DW_FORM_block4:
		71	@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
		72	return NULL;
		73	blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
		74	info_ptr += 4;
		75	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		76	- info_ptr += blk->size;
		77	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		78	attr->u.blk = blk;
		79	break;
		80	case DW_FORM_data2:
		81	@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
		82	blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
		83	FALSE, info_ptr_end);
		84	info_ptr += bytes_read;
		85	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		86	- info_ptr += blk->size;
		87	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		88	attr->u.blk = blk;
		89	break;
		90	case DW_FORM_block1:
		91	@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
		92	return NULL;
		93	blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
		94	info_ptr += 1;
		95	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		96	- info_ptr += blk->size;
		97	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		98	attr->u.blk = blk;
		99	break;
		100	case DW_FORM_data1:
		101	Index: git/bfd/ChangeLog
		102	===================================================================
		103	--- git.orig/bfd/ChangeLog
		104	+++ git/bfd/ChangeLog
		105	@@ -6,6 +6,14 @@
		106
		107	2018-02-28 Alan Modra <amodra@gmail.com>
		108
		109	+ PR 22895
		110	+ PR 22893
		111	+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
		112	+ pointer. Drop unused abfd parameter. Check the size of the block
		113	+ before initialising the data field. Return the end pointer if the
		114	+ size is invalid.
		115	+ (read_attribute_value): Adjust invocations of read_n_bytes.
		116	+
		117	PR 22887
		118	* aoutx.h (swap_std_reloc_in): Correct r_index bound check.
		119