1 files changed, 79 insertions, 0 deletions

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000000..310908f86d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
+From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 5 Oct 2017 17:32:18 +1030
+Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
+
+Pointer comparisons have traps for the unwary.  After adding a large
+unknown value to "start", the test "start < end" depends on where
+"start" is originally in memory.
+
+        PR 22239
+        * dwarf.c (read_cie): Don't compare "start" and "end" pointers
+        after adding a possibly wild length to "start", compare the length
+        to the difference of the pointers instead.  Remove now redundant
+        "negative" length test.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  8 ++++++++
+ binutils/dwarf.c   | 15 ++++-----------
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
+     {
+       READ_ULEB (augmentation_data_len);
+       augmentation_data = start;
+-      start += augmentation_data_len;
+       /* PR 17512: file: 11042-2589-0.004.  */
+-      if (start > end)
++      if (augmentation_data_len > (size_t) (end - start))
+        {
+          warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+-               augmentation_data_len, (long)((end - start) + augmentation_data_len));
++               augmentation_data_len, (unsigned long) (end - start));
+          return end;
+        }
++      start += augmentation_data_len;
+     }
+ 
+   if (augmentation_data_len)
+@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
+       q = augmentation_data;
+       qend = q + augmentation_data_len;
+ 
+-      /* PR 17531: file: 015adfaa.  */
+-      if (qend < q)
+-       {
+-         warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
+-         augmentation_data_len = 0;
+-       }
+-
+-      while (p < end && q < augmentation_data + augmentation_data_len)
++      while (p < end && q < qend)
+        {
+          if (*p == 'L')
+            q++;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
++2017-10-05  Alan Modra  <amodra@gmail.com>
++
++       PR 22239
++       * dwarf.c (read_cie): Don't compare "start" and "end" pointers
++       after adding a possibly wild length to "start", compare the length
++       to the difference of the pointers instead.  Remove now redundant
++       "negative" length test.
++
+ 2017-09-27  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22219