1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
new file mode 100644
index 0000000000..f9410e2728
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
+From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 21:57:29 +1030
+Subject: [PATCH] PR22307, Heap out of bounds read in
+ _bfd_elf_parse_gnu_properties
+When adding an unbounded increment to a pointer, you can't just check
+against the end of the buffer but also must check that overflow
+doesn't result in "negative" pointer movement.  Pointer comparisons
+are signed.  Better, check the increment against the space left using
+an unsigned comparison.
+        PR 22307
+        * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+        against size left rather than comparing pointers.  Reorganise loop.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog        |  6 ++++++
+ bfd/elf-properties.c | 18 +++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+Index: git/bfd/elf-properties.c
+===================================================================
+--- git.orig/bfd/elf-properties.c
+++ git/bfd/elf-properties.c
+@@ -93,15 +93,20 @@ bad_size:
+       return FALSE;
+     }
+ 
+-  while (1)
+  while (ptr != ptr_end)
+     {
+-      unsigned int type = bfd_h_get_32 (abfd, ptr);
+-      unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
+      unsigned int type;
+      unsigned int datasz;
+       elf_property *prop;
+ 
+      if ((size_t) (ptr_end - ptr) < 8)
+       goto bad_size;
+
+      type = bfd_h_get_32 (abfd, ptr);
+      datasz = bfd_h_get_32 (abfd, ptr + 4);
+       ptr += 8;
+ 
+-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
+        {
+          _bfd_error_handler
+            (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
+@@ -182,11 +187,6 @@ bad_size:
+ 
+ next:
+       ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
+-      if (ptr == ptr_end)
+-       break;
+-
+-      if (ptr > (ptr_end - 8))
+-       goto bad_size;
+     }
+ 
+   return TRUE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,4 +1,10 @@
+ 2017-10-17  Alan Modra  <amodra@gmail.com>
+ 
+       PR 22307
+       * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+       against size left rather than comparing pointers.  Reorganise loop.
+
+2017-10-17  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22306
+        * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch new file mode 100644 index 0000000000..f9410e2728 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
	1	From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Tue, 17 Oct 2017 21:57:29 +1030
	4	Subject: [PATCH] PR22307, Heap out of bounds read in
	5	_bfd_elf_parse_gnu_properties
	6
	7	When adding an unbounded increment to a pointer, you can't just check
	8	against the end of the buffer but also must check that overflow
	9	doesn't result in "negative" pointer movement. Pointer comparisons
	10	are signed. Better, check the increment against the space left using
	11	an unsigned comparison.
	12
	13	PR 22307
	14	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
	15	against size left rather than comparing pointers. Reorganise loop.
	16
	17	Upstream-Status: Backport
	18	Affects: <= 2.29.1
	19	CVE: CVE-2017-16829
	20	Signed-off-by: Armin Kuster <akuster@mvista.com>
	21
	22	---
	23	bfd/ChangeLog \| 6 ++++++
	24	bfd/elf-properties.c \| 18 +++++++++---------
	25	2 files changed, 15 insertions(+), 9 deletions(-)
	26
	27	Index: git/bfd/elf-properties.c
	28	===================================================================
	29	--- git.orig/bfd/elf-properties.c
	30	+++ git/bfd/elf-properties.c
	31	@@ -93,15 +93,20 @@ bad_size:
	32	return FALSE;
	33	}
	34
	35	- while (1)
	36	+ while (ptr != ptr_end)
	37	{
	38	- unsigned int type = bfd_h_get_32 (abfd, ptr);
	39	- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
	40	+ unsigned int type;
	41	+ unsigned int datasz;
	42	elf_property *prop;
	43
	44	+ if ((size_t) (ptr_end - ptr) < 8)
	45	+ goto bad_size;
	46	+
	47	+ type = bfd_h_get_32 (abfd, ptr);
	48	+ datasz = bfd_h_get_32 (abfd, ptr + 4);
	49	ptr += 8;
	50
	51	- if ((ptr + datasz) > ptr_end)
	52	+ if (datasz > (size_t) (ptr_end - ptr))
	53	{
	54	_bfd_error_handler
	55	(_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
	56	@@ -182,11 +187,6 @@ bad_size:
	57
	58	next:
	59	ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
	60	- if (ptr == ptr_end)
	61	- break;
	62	-
	63	- if (ptr > (ptr_end - 8))
	64	- goto bad_size;
	65	}
	66
	67	return TRUE;
	68	Index: git/bfd/ChangeLog
	69	===================================================================
	70	--- git.orig/bfd/ChangeLog
	71	+++ git/bfd/ChangeLog
	72	@@ -1,4 +1,10 @@
	73	2017-10-17 Alan Modra <amodra@gmail.com>
	74	+
	75	+ PR 22307
	76	+ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
	77	+ against size left rather than comparing pointers. Reorganise loop.
	78	+
	79	+2017-10-17 Alan Modra <amodra@gmail.com>
	80
	81	PR 22306
	82	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,