1 files changed, 168 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000000..774670fb0e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,168 @@
+From cfd14a500e0485374596234de4db10e88ebc7618 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 26 Jun 2017 15:25:08 +0100
+Subject: [PATCH] Fix address violations when atempting to parse fuzzed
+ binaries.
+        PR binutils/21665
+bfd     * opncls.c (get_build_id): Check that the section is beig enough
+        to contain the whole note.
+        * compress.c (bfd_get_full_section_contents): Check for and reject
+        a section whoes size is greater than the size of the entire file.
+        * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+        contain a notes section.
+binutils* objdump.c (disassemble_section): Skip any section that is bigger
+        than the entire file.
+Upstream-Status: Backport 
+CVE: CVE-2017-9955 #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog      | 10 ++++++++++
+ bfd/compress.c     |  6 ++++++
+ bfd/elf32-v850.c   |  4 +++-
+ bfd/opncls.c       | 18 ++++++++++++++++--
+ binutils/ChangeLog |  6 ++++++
+ binutils/objdump.c |  4 ++--
+ 6 files changed, 43 insertions(+), 5 deletions(-)
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
+++ git/bfd/compress.c
+@@ -239,6 +239,12 @@ bfd_get_full_section_contents (bfd *abfd
+       *ptr = NULL;
+       return TRUE;
+     }
+  else if (bfd_get_file_size (abfd) > 0
+          && sz > (bfd_size_type) bfd_get_file_size (abfd))
+    {
+      *ptr = NULL;
+      return FALSE;
+    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c
+++ git/bfd/elf32-v850.c
+@@ -2450,7 +2450,9 @@ v850_elf_copy_notes (bfd *ibfd, bfd *obf
+        BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+ 
+       if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+-       BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
+       /* If the output is being stripped then it is possible for
+          the notes section to disappear.  In this case do nothing.  */
+       return;
+ 
+       /* Copy/overwrite notes from the input to the output.  */
+       memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
+++ git/bfd/opncls.c
+@@ -1776,6 +1776,7 @@ get_build_id (bfd *abfd)
+   Elf_External_Note *enote;
+   bfd_byte *contents;
+   asection *sect;
+  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+ 
+@@ -1790,8 +1791,9 @@ get_build_id (bfd *abfd)
+       return NULL;
+     }
+ 
+  size = bfd_get_section_size (sect);
+   /* FIXME: Should we support smaller build-id notes ?  */
+-  if (bfd_get_section_size (sect) < 0x24)
+  if (size < 0x24)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return NULL;
+@@ -1804,6 +1806,17 @@ get_build_id (bfd *abfd)
+       return NULL;
+     }
+ 
+  /* FIXME: Paranoia - allow for compressed build-id sections.
+     Maybe we should complain if this size is different from
+     the one obtained above...  */
+  size = bfd_get_section_size (sect);
+  if (size < sizeof (Elf_External_Note))
+    {
+      bfd_set_error (bfd_error_invalid_operation);
+      free (contents);
+      return NULL;
+    }
+
+   enote = (Elf_External_Note *) contents;
+   inote.type = H_GET_32 (abfd, enote->type);
+   inote.namesz = H_GET_32 (abfd, enote->namesz);
+@@ -1815,7 +1828,8 @@ get_build_id (bfd *abfd)
+   if (inote.descsz == 0
+       || inote.type != NT_GNU_BUILD_ID
+       || inote.namesz != 4 /* sizeof "GNU"  */
+-      || strcmp (inote.namedata, "GNU") != 0)
+      || strncmp (inote.namedata, "GNU", 4) != 0
+      || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
+     {
+       free (contents);
+       bfd_set_error (bfd_error_invalid_operation);
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
+++ git/binutils/objdump.c
+@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0)
+  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2912,7 +2912,7 @@ dump_target_specific (bfd *abfd)
+ static void
+ dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+ {
+-  bfd_byte *data = 0;
+  bfd_byte *data = NULL;
+   bfd_size_type datasize;
+   bfd_vma addr_offset;
+   bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,4 +1,14 @@
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21665
+       * opncls.c (get_build_id): Check that the section is beig enough
+       to contain the whole note.
+       * compress.c (bfd_get_full_section_contents): Check for and reject
+       a section whoes size is greater than the size of the entire file.
+       * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+       contain a notes section.
+
+2017-06-26  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21670
+        * tekhex.c (getvalue): Check for the source pointer exceeding the
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
+2017-06-26  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21665
+       * objdump.c (disassemble_section): Skip any section that is bigger
+       than the entire file.
+
+ 2017-04-03  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21345

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch new file mode 100644 index 0000000000..774670fb0e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,168 @@
	1	From cfd14a500e0485374596234de4db10e88ebc7618 Mon Sep 17 00:00:00 2001
	2	From: Nick Clifton <nickc@redhat.com>
	3	Date: Mon, 26 Jun 2017 15:25:08 +0100
	4	Subject: [PATCH] Fix address violations when atempting to parse fuzzed
	5	binaries.
	6
	7	PR binutils/21665
	8	bfd * opncls.c (get_build_id): Check that the section is beig enough
	9	to contain the whole note.
	10	* compress.c (bfd_get_full_section_contents): Check for and reject
	11	a section whoes size is greater than the size of the entire file.
	12	* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
	13	contain a notes section.
	14
	15	binutils* objdump.c (disassemble_section): Skip any section that is bigger
	16	than the entire file.
	17
	18	Upstream-Status: Backport
	19	CVE: CVE-2017-9955 #1
	20	Signed-off-by: Armin Kuster <akuster@mvista.com>
	21
	22	---
	23	bfd/ChangeLog \| 10 ++++++++++
	24	bfd/compress.c \| 6 ++++++
	25	bfd/elf32-v850.c \| 4 +++-
	26	bfd/opncls.c \| 18 ++++++++++++++++--
	27	binutils/ChangeLog \| 6 ++++++
	28	binutils/objdump.c \| 4 ++--
	29	6 files changed, 43 insertions(+), 5 deletions(-)
	30
	31	Index: git/bfd/compress.c
	32	===================================================================
	33	--- git.orig/bfd/compress.c
	34	+++ git/bfd/compress.c
	35	@@ -239,6 +239,12 @@ bfd_get_full_section_contents (bfd *abfd
	36	*ptr = NULL;
	37	return TRUE;
	38	}
	39	+ else if (bfd_get_file_size (abfd) > 0
	40	+ && sz > (bfd_size_type) bfd_get_file_size (abfd))
	41	+ {
	42	+ *ptr = NULL;
	43	+ return FALSE;
	44	+ }
	45
	46	switch (sec->compress_status)
	47	{
	48	Index: git/bfd/elf32-v850.c
	49	===================================================================
	50	--- git.orig/bfd/elf32-v850.c
	51	+++ git/bfd/elf32-v850.c
	52	@@ -2450,7 +2450,9 @@ v850_elf_copy_notes (bfd ibfd, bfd obf
	53	BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
	54
	55	if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
	56	- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
	57	+ /* If the output is being stripped then it is possible for
	58	+ the notes section to disappear. In this case do nothing. */
	59	+ return;
	60
	61	/* Copy/overwrite notes from the input to the output. */
	62	memcpy (ocont, icont, bfd_section_size (obfd, onotes));
	63	Index: git/bfd/opncls.c
	64	===================================================================
	65	--- git.orig/bfd/opncls.c
	66	+++ git/bfd/opncls.c
	67	@@ -1776,6 +1776,7 @@ get_build_id (bfd *abfd)
	68	Elf_External_Note *enote;
	69	bfd_byte *contents;
	70	asection *sect;
	71	+ bfd_size_type size;
	72
	73	BFD_ASSERT (abfd);
	74
	75	@@ -1790,8 +1791,9 @@ get_build_id (bfd *abfd)
	76	return NULL;
	77	}
	78
	79	+ size = bfd_get_section_size (sect);
	80	/* FIXME: Should we support smaller build-id notes ? */
	81	- if (bfd_get_section_size (sect) < 0x24)
	82	+ if (size < 0x24)
	83	{
	84	bfd_set_error (bfd_error_invalid_operation);
	85	return NULL;
	86	@@ -1804,6 +1806,17 @@ get_build_id (bfd *abfd)
	87	return NULL;
	88	}
	89
	90	+ /* FIXME: Paranoia - allow for compressed build-id sections.
	91	+ Maybe we should complain if this size is different from
	92	+ the one obtained above... */
	93	+ size = bfd_get_section_size (sect);
	94	+ if (size < sizeof (Elf_External_Note))
	95	+ {
	96	+ bfd_set_error (bfd_error_invalid_operation);
	97	+ free (contents);
	98	+ return NULL;
	99	+ }
	100	+
	101	enote = (Elf_External_Note *) contents;
	102	inote.type = H_GET_32 (abfd, enote->type);
	103	inote.namesz = H_GET_32 (abfd, enote->namesz);
	104	@@ -1815,7 +1828,8 @@ get_build_id (bfd *abfd)
	105	if (inote.descsz == 0
	106	\|\| inote.type != NT_GNU_BUILD_ID
	107	\|\| inote.namesz != 4 /* sizeof "GNU" */
	108	- \|\| strcmp (inote.namedata, "GNU") != 0)
	109	+ \|\| strncmp (inote.namedata, "GNU", 4) != 0
	110	+ \|\| size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
	111	{
	112	free (contents);
	113	bfd_set_error (bfd_error_invalid_operation);
	114	Index: git/binutils/objdump.c
	115	===================================================================
	116	--- git.orig/binutils/objdump.c
	117	+++ git/binutils/objdump.c
	118	@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
	119	return;
	120
	121	datasize = bfd_get_section_size (section);
	122	- if (datasize == 0)
	123	+ if (datasize == 0 \|\| datasize >= (bfd_size_type) bfd_get_file_size (abfd))
	124	return;
	125
	126	if (start_address == (bfd_vma) -1
	127	@@ -2912,7 +2912,7 @@ dump_target_specific (bfd *abfd)
	128	static void
	129	dump_section (bfd abfd, asection section, void *dummy ATTRIBUTE_UNUSED)
	130	{
	131	- bfd_byte *data = 0;
	132	+ bfd_byte *data = NULL;
	133	bfd_size_type datasize;
	134	bfd_vma addr_offset;
	135	bfd_vma start_offset;
	136	Index: git/bfd/ChangeLog
	137	===================================================================
	138	--- git.orig/bfd/ChangeLog
	139	+++ git/bfd/ChangeLog
	140	@@ -1,4 +1,14 @@
	141	2017-06-26 Nick Clifton <nickc@redhat.com>
	142	+
	143	+ PR binutils/21665
	144	+ * opncls.c (get_build_id): Check that the section is beig enough
	145	+ to contain the whole note.
	146	+ * compress.c (bfd_get_full_section_contents): Check for and reject
	147	+ a section whoes size is greater than the size of the entire file.
	148	+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
	149	+ contain a notes section.
	150	+
	151	+2017-06-26 Nick Clifton <nickc@redhat.com>
	152
	153	PR binutils/21670
	154	* tekhex.c (getvalue): Check for the source pointer exceeding the
	155	Index: git/binutils/ChangeLog
	156	===================================================================
	157	--- git.orig/binutils/ChangeLog
	158	+++ git/binutils/ChangeLog
	159	@@ -1,3 +1,9 @@
	160	+2017-06-26 Nick Clifton <nickc@redhat.com>
	161	+
	162	+ PR binutils/21665
	163	+ * objdump.c (disassemble_section): Skip any section that is bigger
	164	+ than the entire file.
	165	+
	166	2017-04-03 Nick Clifton <nickc@redhat.com>
	167
	168	PR binutils/21345