1 files changed, 240 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
new file mode 100644
index 0000000000..d7512b3829
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
+commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Thu Jul 27 12:04:50 2017 +0100
+    Fix address violation issues encountered when parsing corrupt binaries.
+    
+        PR 21840
+        * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+        size is -1.
+        * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+        with error return.
+        * section.c (bfd_make_section_with_flags): Fail if the name or bfd
+        are NULL.
+        * vms-alpha.c (bfd_make_section_with_flags): Correct computation
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+Upstream-Status: Backport
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c       2017-08-30 17:21:59.684671218 +0530
+++ git/bfd/mach-o.c    2017-08-30 17:22:19.136813620 +0530
+@@ -3739,6 +3739,9 @@
+     }
+   else
+     {
+      /* See PR 21840 for a reproducer.  */
+      if ((sym->strsize + 1) == 0)
+       return FALSE;
+       sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+       if (sym->strtab == NULL)
+         return FALSE;
+Index: git/bfd/nlmcode.h
+===================================================================
+--- git.orig/bfd/nlmcode.h      2017-08-30 17:21:59.688671247 +0530
+++ git/bfd/nlmcode.h   2017-08-30 17:22:19.140813649 +0530
+@@ -351,7 +351,9 @@
+              bfd_byte *contents;
+              bfd_byte *p, *pend;
+ 
+-             BFD_ASSERT (hdrLength == 0 && hdr == NULL);
+             /* See PR 21840 for a reproducer.  */
+             if (hdrLength != 0 || hdr != NULL)
+               return FALSE;
+ 
+              pos = bfd_tell (abfd);
+              if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c      2017-08-30 17:21:59.708671392 +0530
+++ git/bfd/section.c   2017-08-30 17:22:19.140813649 +0530
+@@ -1240,7 +1240,7 @@
+   struct section_hash_entry *sh;
+   asection *newsect;
+ 
+-  if (abfd->output_has_begun)
+  if (abfd == NULL || name == NULL || abfd->output_has_begun)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return NULL;
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-08-30 17:22:19.080813209 +0530
+++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
+@@ -5562,8 +5562,9 @@
+ {
+   struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+   unsigned int subtype;
+  int extra;
+ 
+-  subtype = (unsigned)bfd_getl16 (emh->subtyp);
+  subtype = (unsigned) bfd_getl16 (emh->subtyp);
+ 
+   fprintf (file, _("  EMH %u (len=%u): "), subtype, rec_len);
+ 
+@@ -5573,58 +5574,82 @@
+       fprintf (file, _("   Error: The length is less than the length of an EMH record\n"));
+       return;
+     }
+-  
+  extra = rec_len - sizeof (struct vms_emh_common);
+
+   switch (subtype)
+     {
+     case EMH__C_MHD:
+       {
+-        struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+-        const char *name;
+        struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
+        const char * name;
+       const char * nextname;
+       const char * maxname;
+ 
+       /* PR 21840: Check for invalid lengths.  */
+       if (rec_len < sizeof (* mhd))
+         {
+           fprintf (file, _("   Error: The record length is less than the size of an EMH_MHD record\n"));
+           return;
+         }
+         fprintf (file, _("Module header\n"));
+         fprintf (file, _("   structure level: %u\n"), mhd->strlvl);
+         fprintf (file, _("   max record size: %u\n"),
+-                 (unsigned)bfd_getl32 (mhd->recsiz));
+                 (unsigned) bfd_getl32 (mhd->recsiz));
+         name = (char *)(mhd + 1);
+       maxname = (char *) rec + rec_len;
+       if (name > maxname - 2)
+         {
+           fprintf (file, _("   Error: The module name is missing\n"));
+           return;
+         }
+       nextname = name + name[0] + 1;
+       if (nextname >= maxname)
+         {
+           fprintf (file, _("   Error: The module name is too long\n"));
+           return;
+         }
+         fprintf (file, _("   module name    : %.*s\n"), name[0], name + 1);
+-        name += name[0] + 1;
+        name = nextname;
+       if (name > maxname - 2)
+         {
+           fprintf (file, _("   Error: The module version is missing\n"));
+           return;
+         }
+       nextname = name + name[0] + 1;
+       if (nextname >= maxname)
+         {
+           fprintf (file, _("   Error: The module version is too long\n"));
+           return;
+         }
+         fprintf (file, _("   module version : %.*s\n"), name[0], name + 1);
+-        name += name[0] + 1;
+-        fprintf (file, _("   compile date   : %.17s\n"), name);
+        name = nextname;
+       if ((maxname - name) < 17 && maxname[-1] != 0)
+         fprintf (file, _("   Error: The compile date is truncated\n"));
+       else
+         fprintf (file, _("   compile date   : %.17s\n"), name);
+       }
+       break;
+
+     case EMH__C_LNM:
+-      {
+-        fprintf (file, _("Language Processor Name\n"));
+-        fprintf (file, _("   language name: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Language Processor Name\n"));
+      fprintf (file, _("   language name: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_SRC:
+-      {
+-        fprintf (file, _("Source Files Header\n"));
+-        fprintf (file, _("   file: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Source Files Header\n"));
+      fprintf (file, _("   file: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_TTL:
+-      {
+-        fprintf (file, _("Title Text Header\n"));
+-        fprintf (file, _("   title: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Title Text Header\n"));
+      fprintf (file, _("   title: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     case EMH__C_CPR:
+-      {
+-        fprintf (file, _("Copyright Header\n"));
+-        fprintf (file, _("   copyright: %.*s\n"),
+-                 (int)(rec_len - sizeof (struct vms_emh_common)),
+-                 (char *)rec + sizeof (struct vms_emh_common));
+-      }
+      fprintf (file, _("Copyright Header\n"));
+      fprintf (file, _("   copyright: %.*s\n"), extra, (char *)(emh + 1));
+       break;
+
+     default:
+       fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+       break;
+Index: git/bfd/vms-misc.c
+===================================================================
+--- git.orig/bfd/vms-misc.c     2017-08-30 17:21:59.716671451 +0530
+++ git/bfd/vms-misc.c  2017-08-30 17:22:19.140813649 +0530
+@@ -135,8 +135,8 @@
+ #endif
+ 
+ 
+-/* Copy sized string (string with fixed size) to new allocated area
+-   size is string size (size of record)  */
+/* Copy sized string (string with fixed size) to new allocated area.
+   Size is string size (size of record).  */
+ 
+ char *
+ _bfd_vms_save_sized_string (unsigned char *str, int size)
+@@ -151,8 +151,8 @@
+   return newstr;
+ }
+ 
+-/* Copy counted string (string with size at first byte) to new allocated area
+-   ptr points to size byte on entry  */
+/* Copy counted string (string with size at first byte) to new allocated area.
+   PTR points to size byte on entry.  */
+ 
+ char *
+ _bfd_vms_save_counted_string (unsigned char *ptr)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-08-30 17:22:19.080813209 +0530
+++ git/bfd/ChangeLog   2017-08-30 17:23:51.069502425 +0530
+@@ -1,3 +1,16 @@
+2017-07-27  Nick Clifton  <nickc@redhat.com>
+
+       PR 21840
+       * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+       size is -1.
+       * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+       with error return.
+       * section.c (bfd_make_section_with_flags): Fail if the name or bfd
+       are NULL.
+       * vms-alpha.c (bfd_make_section_with_flags): Correct computation
+       of end pointer.
+       (evax_bfd_print_emh): Check for invalid string lengths.
+
+ 2017-07-19  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21787

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch new file mode 100644 index 0000000000..d7512b3829 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
	1	commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
	2	Author: Nick Clifton <nickc@redhat.com>
	3	Date: Thu Jul 27 12:04:50 2017 +0100
	4
	5	Fix address violation issues encountered when parsing corrupt binaries.
	6
	7	PR 21840
	8	* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
	9	size is -1.
	10	* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
	11	with error return.
	12	* section.c (bfd_make_section_with_flags): Fail if the name or bfd
	13	are NULL.
	14	* vms-alpha.c (bfd_make_section_with_flags): Correct computation
	15	of end pointer.
	16	(evax_bfd_print_emh): Check for invalid string lengths.
	17
	18	Upstream-Status: Backport
	19
	20	CVE: CVE-2017-12449_12455_12457
	21	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
	22
	23	Index: git/bfd/mach-o.c
	24	===================================================================
	25	--- git.orig/bfd/mach-o.c 2017-08-30 17:21:59.684671218 +0530
	26	+++ git/bfd/mach-o.c 2017-08-30 17:22:19.136813620 +0530
	27	@@ -3739,6 +3739,9 @@
	28	}
	29	else
	30	{
	31	+ /* See PR 21840 for a reproducer. */
	32	+ if ((sym->strsize + 1) == 0)
	33	+ return FALSE;
	34	sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
	35	if (sym->strtab == NULL)
	36	return FALSE;
	37	Index: git/bfd/nlmcode.h
	38	===================================================================
	39	--- git.orig/bfd/nlmcode.h 2017-08-30 17:21:59.688671247 +0530
	40	+++ git/bfd/nlmcode.h 2017-08-30 17:22:19.140813649 +0530
	41	@@ -351,7 +351,9 @@
	42	bfd_byte *contents;
	43	bfd_byte p, pend;
	44
	45	- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
	46	+ /* See PR 21840 for a reproducer. */
	47	+ if (hdrLength != 0 \|\| hdr != NULL)
	48	+ return FALSE;
	49
	50	pos = bfd_tell (abfd);
	51	if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
	52	Index: git/bfd/section.c
	53	===================================================================
	54	--- git.orig/bfd/section.c 2017-08-30 17:21:59.708671392 +0530
	55	+++ git/bfd/section.c 2017-08-30 17:22:19.140813649 +0530
	56	@@ -1240,7 +1240,7 @@
	57	struct section_hash_entry *sh;
	58	asection *newsect;
	59
	60	- if (abfd->output_has_begun)
	61	+ if (abfd == NULL \|\| name == NULL \|\| abfd->output_has_begun)
	62	{
	63	bfd_set_error (bfd_error_invalid_operation);
	64	return NULL;
	65	Index: git/bfd/vms-alpha.c
	66	===================================================================
	67	--- git.orig/bfd/vms-alpha.c 2017-08-30 17:22:19.080813209 +0530
	68	+++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
	69	@@ -5562,8 +5562,9 @@
	70	{
	71	struct vms_emh_common emh = (struct vms_emh_common )rec;
	72	unsigned int subtype;
	73	+ int extra;
	74
	75	- subtype = (unsigned)bfd_getl16 (emh->subtyp);
	76	+ subtype = (unsigned) bfd_getl16 (emh->subtyp);
	77
	78	fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
	79
	80	@@ -5573,58 +5574,82 @@
	81	fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
	82	return;
	83	}
	84	-
	85	+ extra = rec_len - sizeof (struct vms_emh_common);
	86	+
	87	switch (subtype)
	88	{
	89	case EMH__C_MHD:
	90	{
	91	- struct vms_emh_mhd mhd = (struct vms_emh_mhd )rec;
	92	- const char *name;
	93	+ struct vms_emh_mhd mhd = (struct vms_emh_mhd ) rec;
	94	+ const char * name;
	95	+ const char * nextname;
	96	+ const char * maxname;
	97
	98	+ /* PR 21840: Check for invalid lengths. */
	99	+ if (rec_len < sizeof (* mhd))
	100	+ {
	101	+ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
	102	+ return;
	103	+ }
	104	fprintf (file, _("Module header\n"));
	105	fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
	106	fprintf (file, _(" max record size: %u\n"),
	107	- (unsigned)bfd_getl32 (mhd->recsiz));
	108	+ (unsigned) bfd_getl32 (mhd->recsiz));
	109	name = (char *)(mhd + 1);
	110	+ maxname = (char *) rec + rec_len;
	111	+ if (name > maxname - 2)
	112	+ {
	113	+ fprintf (file, _(" Error: The module name is missing\n"));
	114	+ return;
	115	+ }
	116	+ nextname = name + name[0] + 1;
	117	+ if (nextname >= maxname)
	118	+ {
	119	+ fprintf (file, _(" Error: The module name is too long\n"));
	120	+ return;
	121	+ }
	122	fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
	123	- name += name[0] + 1;
	124	+ name = nextname;
	125	+ if (name > maxname - 2)
	126	+ {
	127	+ fprintf (file, _(" Error: The module version is missing\n"));
	128	+ return;
	129	+ }
	130	+ nextname = name + name[0] + 1;
	131	+ if (nextname >= maxname)
	132	+ {
	133	+ fprintf (file, _(" Error: The module version is too long\n"));
	134	+ return;
	135	+ }
	136	fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
	137	- name += name[0] + 1;
	138	- fprintf (file, _(" compile date : %.17s\n"), name);
	139	+ name = nextname;
	140	+ if ((maxname - name) < 17 && maxname[-1] != 0)
	141	+ fprintf (file, _(" Error: The compile date is truncated\n"));
	142	+ else
	143	+ fprintf (file, _(" compile date : %.17s\n"), name);
	144	}
	145	break;
	146	+
	147	case EMH__C_LNM:
	148	- {
	149	- fprintf (file, _("Language Processor Name\n"));
	150	- fprintf (file, _(" language name: %.*s\n"),
	151	- (int)(rec_len - sizeof (struct vms_emh_common)),
	152	- (char *)rec + sizeof (struct vms_emh_common));
	153	- }
	154	+ fprintf (file, _("Language Processor Name\n"));
	155	+ fprintf (file, _(" language name: %.s\n"), extra, (char )(emh + 1));
	156	break;
	157	+
	158	case EMH__C_SRC:
	159	- {
	160	- fprintf (file, _("Source Files Header\n"));
	161	- fprintf (file, _(" file: %.*s\n"),
	162	- (int)(rec_len - sizeof (struct vms_emh_common)),
	163	- (char *)rec + sizeof (struct vms_emh_common));
	164	- }
	165	+ fprintf (file, _("Source Files Header\n"));
	166	+ fprintf (file, _(" file: %.s\n"), extra, (char )(emh + 1));
	167	break;
	168	+
	169	case EMH__C_TTL:
	170	- {
	171	- fprintf (file, _("Title Text Header\n"));
	172	- fprintf (file, _(" title: %.*s\n"),
	173	- (int)(rec_len - sizeof (struct vms_emh_common)),
	174	- (char *)rec + sizeof (struct vms_emh_common));
	175	- }
	176	+ fprintf (file, _("Title Text Header\n"));
	177	+ fprintf (file, _(" title: %.s\n"), extra, (char )(emh + 1));
	178	break;
	179	+
	180	case EMH__C_CPR:
	181	- {
	182	- fprintf (file, _("Copyright Header\n"));
	183	- fprintf (file, _(" copyright: %.*s\n"),
	184	- (int)(rec_len - sizeof (struct vms_emh_common)),
	185	- (char *)rec + sizeof (struct vms_emh_common));
	186	- }
	187	+ fprintf (file, _("Copyright Header\n"));
	188	+ fprintf (file, _(" copyright: %.s\n"), extra, (char )(emh + 1));
	189	break;
	190	+
	191	default:
	192	fprintf (file, _("unhandled emh subtype %u\n"), subtype);
	193	break;
	194	Index: git/bfd/vms-misc.c
	195	===================================================================
	196	--- git.orig/bfd/vms-misc.c 2017-08-30 17:21:59.716671451 +0530
	197	+++ git/bfd/vms-misc.c 2017-08-30 17:22:19.140813649 +0530
	198	@@ -135,8 +135,8 @@
	199	#endif
	200
	201
	202	-/* Copy sized string (string with fixed size) to new allocated area
	203	- size is string size (size of record) */
	204	+/* Copy sized string (string with fixed size) to new allocated area.
	205	+ Size is string size (size of record). */
	206
	207	char *
	208	_bfd_vms_save_sized_string (unsigned char *str, int size)
	209	@@ -151,8 +151,8 @@
	210	return newstr;
	211	}
	212
	213	-/* Copy counted string (string with size at first byte) to new allocated area
	214	- ptr points to size byte on entry */
	215	+/* Copy counted string (string with size at first byte) to new allocated area.
	216	+ PTR points to size byte on entry. */
	217
	218	char *
	219	_bfd_vms_save_counted_string (unsigned char *ptr)
	220	Index: git/bfd/ChangeLog
	221	===================================================================
	222	--- git.orig/bfd/ChangeLog 2017-08-30 17:22:19.080813209 +0530
	223	+++ git/bfd/ChangeLog 2017-08-30 17:23:51.069502425 +0530
	224	@@ -1,3 +1,16 @@
	225	+2017-07-27 Nick Clifton <nickc@redhat.com>
	226	+
	227	+ PR 21840
	228	+ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
	229	+ size is -1.
	230	+ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
	231	+ with error return.
	232	+ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
	233	+ are NULL.
	234	+ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
	235	+ of end pointer.
	236	+ (evax_bfd_print_emh): Check for invalid string lengths.
	237	+
	238	2017-07-19 Nick Clifton <nickc@redhat.com>
	239
	240	PR 21787