1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000000..6cd86c2a30
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,93 @@
+commit cfd14a500e0485374596234de4db10e88ebc7618
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Jun 26 15:25:08 2017 +0100
+    Fix address violations when atempting to parse fuzzed binaries.
+    
+        PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Check for and reject
+        a section whoes size is greater than the size of the entire file.
+        * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+        contain a notes section.
+    
+    binutils* objdump.c (disassemble_section): Skip any section that is bigger
+        than the entire file.
+Upstream-Status: Backport
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c     2017-09-21 17:32:51.645611404 +0530
+++ git/bfd/compress.c  2017-09-21 17:32:52.965622987 +0530
+@@ -239,6 +239,12 @@
+       *ptr = NULL;
+       return TRUE;
+     }
+  else if (bfd_get_file_size (abfd) > 0
+          && sz > (bfd_size_type) bfd_get_file_size (abfd))
+    {
+      *ptr = NULL;
+      return FALSE;
+    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c   2017-09-21 17:32:35.053465773 +0530
+++ git/bfd/elf32-v850.c        2017-09-21 17:32:52.965622987 +0530
+@@ -2448,7 +2448,9 @@
+        BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+ 
+       if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+-       BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
+       /* If the output is being stripped then it is possible for
+          the notes section to disappear.  In this case do nothing.  */
+       return;
+ 
+       /* Copy/overwrite notes from the input to the output.  */
+       memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
+++ git/binutils/objdump.c      2017-09-21 17:32:52.965622987 +0530
+@@ -1973,7 +1973,7 @@
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0)
+  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2839,7 +2839,7 @@
+ static void
+ dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+ {
+-  bfd_byte *data = 0;
+  bfd_byte *data = NULL;
+   bfd_size_type datasize;
+   bfd_vma addr_offset;
+   bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 17:32:52.909622495 +0530
+++ git/bfd/ChangeLog   2017-09-21 17:35:57.863164167 +0530
+@@ -11,6 +11,14 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
+2017-06-26  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21665
+       * compress.c (bfd_get_full_section_contents): Check for and reject
+       a section whoes size is greater than the size of the entire file.
+       * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+       contain a notes section.
+
+  2017-07-24  Nick Clifton  <nickc@redhat.com>
+  
+        PR 21813

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch new file mode 100644 index 0000000000..6cd86c2a30 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,93 @@
	1	commit cfd14a500e0485374596234de4db10e88ebc7618
	2	Author: Nick Clifton <nickc@redhat.com>
	3	Date: Mon Jun 26 15:25:08 2017 +0100
	4
	5	Fix address violations when atempting to parse fuzzed binaries.
	6
	7	PR binutils/21665
	8	* compress.c (bfd_get_full_section_contents): Check for and reject
	9	a section whoes size is greater than the size of the entire file.
	10	* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
	11	contain a notes section.
	12
	13	binutils* objdump.c (disassemble_section): Skip any section that is bigger
	14	than the entire file.
	15
	16	Upstream-Status: Backport
	17
	18	CVE: CVE-2017-9955
	19	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
	20
	21	Index: git/bfd/compress.c
	22	===================================================================
	23	--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530
	24	+++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530
	25	@@ -239,6 +239,12 @@
	26	*ptr = NULL;
	27	return TRUE;
	28	}
	29	+ else if (bfd_get_file_size (abfd) > 0
	30	+ && sz > (bfd_size_type) bfd_get_file_size (abfd))
	31	+ {
	32	+ *ptr = NULL;
	33	+ return FALSE;
	34	+ }
	35
	36	switch (sec->compress_status)
	37	{
	38	Index: git/bfd/elf32-v850.c
	39	===================================================================
	40	--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530
	41	+++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530
	42	@@ -2448,7 +2448,9 @@
	43	BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
	44
	45	if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
	46	- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
	47	+ /* If the output is being stripped then it is possible for
	48	+ the notes section to disappear. In this case do nothing. */
	49	+ return;
	50
	51	/* Copy/overwrite notes from the input to the output. */
	52	memcpy (ocont, icont, bfd_section_size (obfd, onotes));
	53	Index: git/binutils/objdump.c
	54	===================================================================
	55	--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
	56	+++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530
	57	@@ -1973,7 +1973,7 @@
	58	return;
	59
	60	datasize = bfd_get_section_size (section);
	61	- if (datasize == 0)
	62	+ if (datasize == 0 \|\| datasize >= (bfd_size_type) bfd_get_file_size (abfd))
	63	return;
	64
	65	if (start_address == (bfd_vma) -1
	66	@@ -2839,7 +2839,7 @@
	67	static void
	68	dump_section (bfd abfd, asection section, void *dummy ATTRIBUTE_UNUSED)
	69	{
	70	- bfd_byte *data = 0;
	71	+ bfd_byte *data = NULL;
	72	bfd_size_type datasize;
	73	bfd_vma addr_offset;
	74	bfd_vma start_offset;
	75	Index: git/bfd/ChangeLog
	76	===================================================================
	77	--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530
	78	+++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530
	79	@@ -11,6 +11,14 @@
	80	of end pointer.
	81	(evax_bfd_print_emh): Check for invalid string lengths.
	82
	83	+2017-06-26 Nick Clifton <nickc@redhat.com>
	84	+
	85	+ PR binutils/21665
	86	+ * compress.c (bfd_get_full_section_contents): Check for and reject
	87	+ a section whoes size is greater than the size of the entire file.
	88	+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
	89	+ contain a notes section.
	90	+
	91	2017-07-24 Nick Clifton <nickc@redhat.com>
	92
	93	PR 21813