2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 73af74c0a8..e6cfe33859 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
     file://CVE-2017-15939.patch \
     file://CVE-2017-15996.patch \
     file://CVE-2017-16826.patch \
+     file://CVE-2017-16827.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
new file mode 100644
index 0000000000..dbc577c8e0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
@@ -0,0 +1,95 @@
+From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 16:43:47 +1030
+Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
+        PR 22306
+        * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
+        and error for any other size that doesn't cover the header word.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16827
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/aoutx.h   | 45 ++++++++++++++++++++++++++++++---------------
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h
+++ git/bfd/aoutx.h
+@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
+          || bfd_bread ((void *) string_chars, amt, abfd) != amt)
+        return FALSE;
+       stringsize = GET_WORD (abfd, string_chars);
+      if (stringsize == 0)
+       stringsize = 1;
+      else if (stringsize < BYTES_IN_WORD
+              || (size_t) stringsize != stringsize)
+       {
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+ 
+ #ifdef USE_MMAP
+-      if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+-                                &obj_aout_string_window (abfd), TRUE))
+-       return FALSE;
+-      strings = (char *) obj_aout_string_window (abfd).data;
+-#else
+-      strings = (char *) bfd_malloc (stringsize + 1);
+-      if (strings == NULL)
+-       return FALSE;
+-
+-      /* Skip space for the string count in the buffer for convenience
+-        when using indexes.  */
+-      amt = stringsize - BYTES_IN_WORD;
+-      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
+      if (stringsize >= BYTES_IN_WORD)
+        {
+-         free (strings);
+-         return FALSE;
+         if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+                                    &obj_aout_string_window (abfd), TRUE))
+           return FALSE;
+         strings = (char *) obj_aout_string_window (abfd).data;
+        }
+      else
+ #endif
+       {
+         strings = (char *) bfd_malloc (stringsize);
+         if (strings == NULL)
+           return FALSE;
+ 
+         if (stringsize >= BYTES_IN_WORD)
+           {
+             /* Keep the string count in the buffer for convenience
+                when indexing with e_strx.  */
+             amt = stringsize - BYTES_IN_WORD;
+             if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
+               {
+                 free (strings);
+                 return FALSE;
+               }
+           }
+       }
+       /* Ensure that a zero index yields an empty string.  */
+       strings[0] = '\0';
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2017-10-17  Alan Modra  <amodra@gmail.com>
+
+       PR 22306
+       * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
+       and error for any other size that doesn't cover the header word.
+
+ 2017-11-01  Nick Clifton  <nickc@redhat.com>
+  
+        PR 22376

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 73af74c0a8..e6cfe33859 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
53	file://CVE-2017-15939.patch \	53	file://CVE-2017-15939.patch \
54	file://CVE-2017-15996.patch \	54	file://CVE-2017-15996.patch \
55	file://CVE-2017-16826.patch \	55	file://CVE-2017-16826.patch \
		56	file://CVE-2017-16827.patch \
56	"	57	"
57	S = "${WORKDIR}/git"	58	S = "${WORKDIR}/git"
58		59


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch new file mode 100644 index 0000000000..dbc577c8e0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
@@ -0,0 +1,95 @@
		1	From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 17 Oct 2017 16:43:47 +1030
		4	Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
		5
		6	PR 22306
		7	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
		8	and error for any other size that doesn't cover the header word.
		9
		10	Upstream-Status: Backport
		11	Affects: <= 2.29.1
		12	CVE: CVE-2017-16827
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	bfd/ChangeLog \| 6 ++++++
		17	bfd/aoutx.h \| 45 ++++++++++++++++++++++++++++++---------------
		18	2 files changed, 36 insertions(+), 15 deletions(-)
		19
		20	Index: git/bfd/aoutx.h
		21	===================================================================
		22	--- git.orig/bfd/aoutx.h
		23	+++ git/bfd/aoutx.h
		24	@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
		25	\|\| bfd_bread ((void *) string_chars, amt, abfd) != amt)
		26	return FALSE;
		27	stringsize = GET_WORD (abfd, string_chars);
		28	+ if (stringsize == 0)
		29	+ stringsize = 1;
		30	+ else if (stringsize < BYTES_IN_WORD
		31	+ \|\| (size_t) stringsize != stringsize)
		32	+ {
		33	+ bfd_set_error (bfd_error_bad_value);
		34	+ return FALSE;
		35	+ }
		36
		37	#ifdef USE_MMAP
		38	- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
		39	- &obj_aout_string_window (abfd), TRUE))
		40	- return FALSE;
		41	- strings = (char *) obj_aout_string_window (abfd).data;
		42	-#else
		43	- strings = (char *) bfd_malloc (stringsize + 1);
		44	- if (strings == NULL)
		45	- return FALSE;
		46	-
		47	- /* Skip space for the string count in the buffer for convenience
		48	- when using indexes. */
		49	- amt = stringsize - BYTES_IN_WORD;
		50	- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
		51	+ if (stringsize >= BYTES_IN_WORD)
		52	{
		53	- free (strings);
		54	- return FALSE;
		55	+ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
		56	+ &obj_aout_string_window (abfd), TRUE))
		57	+ return FALSE;
		58	+ strings = (char *) obj_aout_string_window (abfd).data;
		59	}
		60	+ else
		61	#endif
		62	+ {
		63	+ strings = (char *) bfd_malloc (stringsize);
		64	+ if (strings == NULL)
		65	+ return FALSE;
		66
		67	+ if (stringsize >= BYTES_IN_WORD)
		68	+ {
		69	+ /* Keep the string count in the buffer for convenience
		70	+ when indexing with e_strx. */
		71	+ amt = stringsize - BYTES_IN_WORD;
		72	+ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
		73	+ {
		74	+ free (strings);
		75	+ return FALSE;
		76	+ }
		77	+ }
		78	+ }
		79	/* Ensure that a zero index yields an empty string. */
		80	strings[0] = '\0';
		81
		82	Index: git/bfd/ChangeLog
		83	===================================================================
		84	--- git.orig/bfd/ChangeLog
		85	+++ git/bfd/ChangeLog
		86	@@ -1,3 +1,9 @@
		87	+2017-10-17 Alan Modra <amodra@gmail.com>
		88	+
		89	+ PR 22306
		90	+ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
		91	+ and error for any other size that doesn't cover the header word.
		92	+
		93	2017-11-01 Nick Clifton <nickc@redhat.com>
		94
		95	PR 22376