1 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
new file mode 100644
index 0000000000..f95295f183
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,122 @@
+From 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 26 Jun 2017 09:24:49 -0700
+Subject: [PATCH] Check file size before getting section contents
+Don't check the section size in bfd_get_full_section_contents since
+the size of a decompressed section may be larger than the file size.
+Instead, check file size in _bfd_generic_get_section_contents.
+        PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Don't check the
+        file size here.
+        * libbfd.c (_bfd_generic_get_section_contents): Check for and
+        reject a section whoes size + offset is greater than the size
+        of the entire file.
+        (_bfd_generic_get_section_contents_in_window): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog  | 10 +++++++++-
+ bfd/compress.c |  8 +-------
+ bfd/libbfd.c   | 17 ++++++++++++++++-
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
+++ git/bfd/compress.c
+@@ -239,12 +239,6 @@ bfd_get_full_section_contents (bfd *abfd
+       *ptr = NULL;
+       return TRUE;
+     }
+-  else if (bfd_get_file_size (abfd) > 0
+-          && sz > (bfd_size_type) bfd_get_file_size (abfd))
+-    {
+-      *ptr = NULL;
+-      return FALSE;
+-    }
+ 
+   switch (sec->compress_status)
+     {
+@@ -260,7 +254,7 @@ bfd_get_full_section_contents (bfd *abfd
+                  /* xgettext:c-format */
+                  (_("error: %B(%A) is too large (%#lx bytes)"),
+                  abfd, sec, (long) sz);
+-           return FALSE;
+             return FALSE;
+            }
+        }
+ 
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
+++ git/bfd/libbfd.c
+@@ -780,6 +780,7 @@ _bfd_generic_get_section_contents (bfd *
+                                   bfd_size_type count)
+ {
+   bfd_size_type sz;
+  file_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -802,8 +803,15 @@ _bfd_generic_get_section_contents (bfd *
+     sz = section->rawsize;
+   else
+     sz = section->size;
+  filesz = bfd_get_file_size (abfd);
+  if (filesz < 0)
+    {
+      /* This should never happen.  */
+      abort ();
+    }
+   if (offset + count < count
+-      || offset + count > sz)
+      || offset + count > sz
+      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -826,6 +834,7 @@ _bfd_generic_get_section_contents_in_win
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
+  file_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -858,7 +867,13 @@ _bfd_generic_get_section_contents_in_win
+     sz = section->rawsize;
+   else
+     sz = section->size;
+  filesz = bfd_get_file_size (abfd);
+    {
+      /* This should never happen.  */
+      abort ();
+    }
+   if (offset + count > sz
+      || (section->filepos + offset + sz) > (bfd_size_type) filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+                                TRUE))
+     return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,13 @@
+2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+
+       PR binutils/21665
+       * compress.c (bfd_get_full_section_contents): Don't check the
+       file size here.
+       * libbfd.c (_bfd_generic_get_section_contents): Check for and
+       reject a section whoes size + offset is greater than the size
+       of the entire file.
+       (_bfd_generic_get_section_contents_in_window): Likewise.
+
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch new file mode 100644 index 0000000000..f95295f183 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,122 @@
	1	From 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f Mon Sep 17 00:00:00 2001
	2	From: "H.J. Lu" <hjl.tools@gmail.com>
	3	Date: Mon, 26 Jun 2017 09:24:49 -0700
	4	Subject: [PATCH] Check file size before getting section contents
	5
	6	Don't check the section size in bfd_get_full_section_contents since
	7	the size of a decompressed section may be larger than the file size.
	8	Instead, check file size in _bfd_generic_get_section_contents.
	9
	10	PR binutils/21665
	11	* compress.c (bfd_get_full_section_contents): Don't check the
	12	file size here.
	13	* libbfd.c (_bfd_generic_get_section_contents): Check for and
	14	reject a section whoes size + offset is greater than the size
	15	of the entire file.
	16	(_bfd_generic_get_section_contents_in_window): Likewise.
	17
	18	Upstream-Status: Backport
	19	CVE: CVE-2017-9955 #2
	20	Signed-off-by: Armin Kuster <akuster@mvista.com>
	21
	22	---
	23	bfd/ChangeLog \| 10 +++++++++-
	24	bfd/compress.c \| 8 +-------
	25	bfd/libbfd.c \| 17 ++++++++++++++++-
	26	3 files changed, 26 insertions(+), 9 deletions(-)
	27
	28	Index: git/bfd/compress.c
	29	===================================================================
	30	--- git.orig/bfd/compress.c
	31	+++ git/bfd/compress.c
	32	@@ -239,12 +239,6 @@ bfd_get_full_section_contents (bfd *abfd
	33	*ptr = NULL;
	34	return TRUE;
	35	}
	36	- else if (bfd_get_file_size (abfd) > 0
	37	- && sz > (bfd_size_type) bfd_get_file_size (abfd))
	38	- {
	39	- *ptr = NULL;
	40	- return FALSE;
	41	- }
	42
	43	switch (sec->compress_status)
	44	{
	45	@@ -260,7 +254,7 @@ bfd_get_full_section_contents (bfd *abfd
	46	/* xgettext:c-format */
	47	(_("error: %B(%A) is too large (%#lx bytes)"),
	48	abfd, sec, (long) sz);
	49	- return FALSE;
	50	+ return FALSE;
	51	}
	52	}
	53
	54	Index: git/bfd/libbfd.c
	55	===================================================================
	56	--- git.orig/bfd/libbfd.c
	57	+++ git/bfd/libbfd.c
	58	@@ -780,6 +780,7 @@ _bfd_generic_get_section_contents (bfd *
	59	bfd_size_type count)
	60	{
	61	bfd_size_type sz;
	62	+ file_ptr filesz;
	63	if (count == 0)
	64	return TRUE;
	65
	66	@@ -802,8 +803,15 @@ _bfd_generic_get_section_contents (bfd *
	67	sz = section->rawsize;
	68	else
	69	sz = section->size;
	70	+ filesz = bfd_get_file_size (abfd);
	71	+ if (filesz < 0)
	72	+ {
	73	+ /* This should never happen. */
	74	+ abort ();
	75	+ }
	76	if (offset + count < count
	77	- \|\| offset + count > sz)
	78	+ \|\| offset + count > sz
	79	+ \|\| (section->filepos + offset + sz) > (bfd_size_type) filesz)
	80	{
	81	bfd_set_error (bfd_error_invalid_operation);
	82	return FALSE;
	83	@@ -826,6 +834,7 @@ _bfd_generic_get_section_contents_in_win
	84	{
	85	#ifdef USE_MMAP
	86	bfd_size_type sz;
	87	+ file_ptr filesz;
	88
	89	if (count == 0)
	90	return TRUE;
	91	@@ -858,7 +867,13 @@ _bfd_generic_get_section_contents_in_win
	92	sz = section->rawsize;
	93	else
	94	sz = section->size;
	95	+ filesz = bfd_get_file_size (abfd);
	96	+ {
	97	+ /* This should never happen. */
	98	+ abort ();
	99	+ }
	100	if (offset + count > sz
	101	+ \|\| (section->filepos + offset + sz) > (bfd_size_type) filesz
	102	\|\| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
	103	TRUE))
	104	return FALSE;
	105	Index: git/bfd/ChangeLog
	106	===================================================================
	107	--- git.orig/bfd/ChangeLog
	108	+++ git/bfd/ChangeLog
	109	@@ -1,3 +1,13 @@
	110	+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
	111	+
	112	+ PR binutils/21665
	113	+ * compress.c (bfd_get_full_section_contents): Don't check the
	114	+ file size here.
	115	+ * libbfd.c (_bfd_generic_get_section_contents): Check for and
	116	+ reject a section whoes size + offset is greater than the size
	117	+ of the entire file.
	118	+ (_bfd_generic_get_section_contents_in_window): Likewise.
	119	+
	120	2017-06-26 Nick Clifton <nickc@redhat.com>
	121
	122	PR binutils/21665