1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
new file mode 100644
index 0000000000..6e1824bbab
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,112 @@
+commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Mon Jun 26 09:24:49 2017 -0700
+    Check file size before getting section contents
+    
+    Don't check the section size in bfd_get_full_section_contents since
+    the size of a decompressed section may be larger than the file size.
+    Instead, check file size in _bfd_generic_get_section_contents.
+    
+        PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Don't check the
+        file size here.
+        * libbfd.c (_bfd_generic_get_section_contents): Check for and
+        reject a section whoes size + offset is greater than the size
+        of the entire file.
+        (_bfd_generic_get_section_contents_in_window): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c       2017-09-21 17:41:59.457841691 +0530
+++ git/bfd/libbfd.c    2017-09-21 17:42:18.269987768 +0530
+@@ -780,6 +780,7 @@
+                                   bfd_size_type count)
+ {
+   bfd_size_type sz;
+  file_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -801,8 +802,15 @@
+     sz = section->rawsize;
+   else
+     sz = section->size;
+  filesz = bfd_get_file_size (abfd);
+  if (filesz < 0)
+    {
+      /* This should never happen.  */
+      abort ();
+    }
+   if (offset + count < count
+-      || offset + count > sz)
+      || offset + count > sz
+      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -825,6 +833,7 @@
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
+  file_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -857,7 +866,13 @@
+     sz = section->rawsize;
+   else
+     sz = section->size;
+  filesz = bfd_get_file_size (abfd);
+    {
+      /* This should never happen.  */
+      abort ();
+    }
+   if (offset + count > sz
+      || (section->filepos + offset + sz) > (bfd_size_type) filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+                                TRUE))
+     return FALSE;
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c     2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/compress.c  2017-09-21 17:45:17.107399434 +0530
+@@ -239,12 +239,6 @@
+       *ptr = NULL;
+       return TRUE;
+     }
+-  else if (bfd_get_file_size (abfd) > 0
+-          && sz > (bfd_size_type) bfd_get_file_size (abfd))
+-    {
+-      *ptr = NULL;
+-      return FALSE;
+-    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/ChangeLog   2017-09-21 17:47:03.668256850 +0530
+@@ -11,6 +11,16 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
+2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+
+       PR binutils/21665
+       * compress.c (bfd_get_full_section_contents): Don't check the
+       file size here.
+       * libbfd.c (_bfd_generic_get_section_contents): Check for and
+       reject a section whoes size + offset is greater than the size
+       of the entire file.
+       (_bfd_generic_get_section_contents_in_window): Likewise.
+
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch new file mode 100644 index 0000000000..6e1824bbab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,112 @@
	1	commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
	2	Author: H.J. Lu <hjl.tools@gmail.com>
	3	Date: Mon Jun 26 09:24:49 2017 -0700
	4
	5	Check file size before getting section contents
	6
	7	Don't check the section size in bfd_get_full_section_contents since
	8	the size of a decompressed section may be larger than the file size.
	9	Instead, check file size in _bfd_generic_get_section_contents.
	10
	11	PR binutils/21665
	12	* compress.c (bfd_get_full_section_contents): Don't check the
	13	file size here.
	14	* libbfd.c (_bfd_generic_get_section_contents): Check for and
	15	reject a section whoes size + offset is greater than the size
	16	of the entire file.
	17	(_bfd_generic_get_section_contents_in_window): Likewise.
	18
	19	Upstream-Status: Backport
	20
	21	CVE: CVE-2017-9955
	22	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
	23
	24	Index: git/bfd/libbfd.c
	25	===================================================================
	26	--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530
	27	+++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530
	28	@@ -780,6 +780,7 @@
	29	bfd_size_type count)
	30	{
	31	bfd_size_type sz;
	32	+ file_ptr filesz;
	33	if (count == 0)
	34	return TRUE;
	35
	36	@@ -801,8 +802,15 @@
	37	sz = section->rawsize;
	38	else
	39	sz = section->size;
	40	+ filesz = bfd_get_file_size (abfd);
	41	+ if (filesz < 0)
	42	+ {
	43	+ /* This should never happen. */
	44	+ abort ();
	45	+ }
	46	if (offset + count < count
	47	- \|\| offset + count > sz)
	48	+ \|\| offset + count > sz
	49	+ \|\| (section->filepos + offset + sz) > (bfd_size_type) filesz)
	50	{
	51	bfd_set_error (bfd_error_invalid_operation);
	52	return FALSE;
	53	@@ -825,6 +833,7 @@
	54	{
	55	#ifdef USE_MMAP
	56	bfd_size_type sz;
	57	+ file_ptr filesz;
	58
	59	if (count == 0)
	60	return TRUE;
	61	@@ -857,7 +866,13 @@
	62	sz = section->rawsize;
	63	else
	64	sz = section->size;
	65	+ filesz = bfd_get_file_size (abfd);
	66	+ {
	67	+ /* This should never happen. */
	68	+ abort ();
	69	+ }
	70	if (offset + count > sz
	71	+ \|\| (section->filepos + offset + sz) > (bfd_size_type) filesz
	72	\|\| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
	73	TRUE))
	74	return FALSE;
	75	Index: git/bfd/compress.c
	76	===================================================================
	77	--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530
	78	+++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530
	79	@@ -239,12 +239,6 @@
	80	*ptr = NULL;
	81	return TRUE;
	82	}
	83	- else if (bfd_get_file_size (abfd) > 0
	84	- && sz > (bfd_size_type) bfd_get_file_size (abfd))
	85	- {
	86	- *ptr = NULL;
	87	- return FALSE;
	88	- }
	89
	90	switch (sec->compress_status)
	91	{
	92	Index: git/bfd/ChangeLog
	93	===================================================================
	94	--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530
	95	+++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530
	96	@@ -11,6 +11,16 @@
	97	of end pointer.
	98	(evax_bfd_print_emh): Check for invalid string lengths.
	99
	100	+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
	101	+
	102	+ PR binutils/21665
	103	+ * compress.c (bfd_get_full_section_contents): Don't check the
	104	+ file size here.
	105	+ * libbfd.c (_bfd_generic_get_section_contents): Check for and
	106	+ reject a section whoes size + offset is greater than the size
	107	+ of the entire file.
	108	+ (_bfd_generic_get_section_contents_in_window): Likewise.
	109	+
	110	2017-06-26 Nick Clifton <nickc@redhat.com>
	111
	112	PR binutils/21665