1 files changed, 187 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
new file mode 100644
index 0000000000..45dd974672
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,187 @@
+From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 1 Jul 2017 21:58:10 +0930
+Subject: [PATCH] Use bfd_malloc_and_get_section
+It's nicer than xmalloc followed by bfd_get_section_contents, since
+xmalloc exits on failure and needs a check that its size_t arg doesn't
+lose high bits when converted from bfd_size_type.
+        PR binutils/21665
+        * objdump.c (strtab): Make var a bfd_byte*.
+        (disassemble_section): Don't limit malloc size.  Instead, use
+        bfd_malloc_and_get_section.
+        (read_section_stabs): Use bfd_malloc_and_get_section.  Return
+        bfd_byte*.
+        (find_stabs_section): Remove now unnecessary cast.
+        * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+        contents on error return.
+        * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #8
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog | 13 +++++++++++++
+ binutils/nlmconv.c |  6 ++----
+ binutils/objcopy.c |  5 +++--
+ binutils/objdump.c | 44 +++++++-------------------------------------
+ 4 files changed, 25 insertions(+), 43 deletions(-)
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
+@@ -1,3 +1,16 @@
+2017-07-01  Alan Modra  <amodra@gmail.com>
+
+       PR binutils/21665
+       * objdump.c (strtab): Make var a bfd_byte*.
+       (disassemble_section): Don't limit malloc size.  Instead, use
+       bfd_malloc_and_get_section.
+       (read_section_stabs): Use bfd_malloc_and_get_section.  Return
+       bfd_byte*.
+       (find_stabs_section): Remove now unnecessary cast.
+       * objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+       contents on error return.
+       * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
+ 2017-06-30  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665
+Index: git/binutils/nlmconv.c
+===================================================================
+--- git.orig/binutils/nlmconv.c
+++ git/binutils/nlmconv.c
+@@ -1224,7 +1224,7 @@ copy_sections (bfd *inbfd, asection *ins
+   const char *inname;
+   asection *outsec;
+   bfd_size_type size;
+-  void *contents;
+  bfd_byte *contents;
+   long reloc_size;
+   bfd_byte buf[4];
+   bfd_size_type add;
+@@ -1240,9 +1240,7 @@ copy_sections (bfd *inbfd, asection *ins
+     contents = NULL;
+   else
+     {
+-      contents = xmalloc (size);
+-      if (! bfd_get_section_contents (inbfd, insec, contents,
+-                                     (file_ptr) 0, size))
+      if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
+        bfd_fatal (bfd_get_filename (inbfd));
+     }
+ 
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
+++ git/binutils/objdump.c
+@@ -180,7 +180,7 @@ static long dynsymcount = 0;
+ static bfd_byte *stabs;
+ static bfd_size_type stab_size;
+ 
+-static char *strtab;
+static bfd_byte *strtab;
+ static bfd_size_type stabstr_size;
+ 
+ static bfd_boolean is_relocatable = FALSE;
+@@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
+-  /* PR 21665: Check for overlarge datasizes.
+-     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+-     this fails when using compressed sections or compressed file formats
+-     (eg MMO, tekhex).
+-
+-     The call to xmalloc below will fail if too much memory is requested,
+-     which will catch the problem in the normal use case.  But if a memory
+-     checker is in use, eg valgrind or sanitize, then an exception will
+-     be still generated, so we try to catch the problem first.
+-
+-     Unfortunately there is no simple way to determine how much memory can
+-     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
+-     limit of 2Gb.  Hopefully this should be enough for most users.  If
+-     someone does start trying to disassemble sections larger then 2Gb in
+-     size they will doubtless complain and we can increase the limit.  */
+-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+-  if (datasize > MAX_XMALLOC)
+-    {
+-      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+-                section->name, (unsigned long) datasize);
+-      return;
+-    }
+-
+   data = (bfd_byte *) xmalloc (datasize);
+ 
+   bfd_get_section_contents (abfd, section, data, 0, datasize);
+@@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd)
+ /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
+    it.  Return NULL on failure.   */
+ 
+-static char *
+static bfd_byte *
+ read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
+ {
+   asection *stabsect;
+-  bfd_size_type size;
+-  char *contents;
+  bfd_byte *contents;
+ 
+   stabsect = bfd_get_section_by_name (abfd, sect_name);
+   if (stabsect == NULL)
+@@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha
+       return FALSE;
+     }
+ 
+-  size = bfd_section_size (abfd, stabsect);
+-  contents  = (char *) xmalloc (size);
+-
+-  if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
+  if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
+     {
+       non_fatal (_("reading %s section of %s failed: %s"),
+                 sect_name, bfd_get_filename (abfd),
+@@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha
+       return NULL;
+     }
+ 
+-  *size_ptr = size;
+  *size_ptr = bfd_section_size (abfd, stabsect);
+ 
+   return contents;
+ }
+@@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection
+ 
+       if (strtab)
+        {
+-         stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
+-                                                  &stab_size);
+         stabs = read_section_stabs (abfd, section->name, &stab_size);
+          if (stabs)
+            print_section_stabs (abfd, section->name, &sought->string_offset);
+        }
+Index: git/binutils/objcopy.c
+===================================================================
+--- git.orig/binutils/objcopy.c
+++ git/binutils/objcopy.c
+@@ -2186,14 +2186,15 @@ copy_object (bfd *ibfd, bfd *obfd, const
+              continue;
+            }
+ 
+-         bfd_byte * contents = xmalloc (size);
+-         if (bfd_get_section_contents (ibfd, sec, contents, 0, size))
+         bfd_byte *contents;
+          if (bfd_malloc_and_get_section (ibfd, sec, &contents))
+            {
+              if (fwrite (contents, 1, size, f) != size)
+                {
+                  non_fatal (_("error writing section contents to %s (error: %s)"),
+                             pdump->filename,
+                             strerror (errno));
+                  free (contents);
+                  return FALSE;
+                }
+            }

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch new file mode 100644 index 0000000000..45dd974672 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,187 @@
	1	From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Sat, 1 Jul 2017 21:58:10 +0930
	4	Subject: [PATCH] Use bfd_malloc_and_get_section
	5
	6	It's nicer than xmalloc followed by bfd_get_section_contents, since
	7	xmalloc exits on failure and needs a check that its size_t arg doesn't
	8	lose high bits when converted from bfd_size_type.
	9
	10	PR binutils/21665
	11	* objdump.c (strtab): Make var a bfd_byte*.
	12	(disassemble_section): Don't limit malloc size. Instead, use
	13	bfd_malloc_and_get_section.
	14	(read_section_stabs): Use bfd_malloc_and_get_section. Return
	15	bfd_byte*.
	16	(find_stabs_section): Remove now unnecessary cast.
	17	* objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
	18	contents on error return.
	19	* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
	20
	21	Upstream-Status: Backport
	22	CVE: CVE-2017-9955 #8
	23	Signed-off-by: Armin Kuster <akuster@mvista.com>
	24
	25	---
	26	binutils/ChangeLog \| 13 +++++++++++++
	27	binutils/nlmconv.c \| 6 ++----
	28	binutils/objcopy.c \| 5 +++--
	29	binutils/objdump.c \| 44 +++++++-------------------------------------
	30	4 files changed, 25 insertions(+), 43 deletions(-)
	31
	32	Index: git/binutils/ChangeLog
	33	===================================================================
	34	--- git.orig/binutils/ChangeLog
	35	+++ git/binutils/ChangeLog
	36	@@ -1,3 +1,16 @@
	37	+2017-07-01 Alan Modra <amodra@gmail.com>
	38	+
	39	+ PR binutils/21665
	40	+ * objdump.c (strtab): Make var a bfd_byte*.
	41	+ (disassemble_section): Don't limit malloc size. Instead, use
	42	+ bfd_malloc_and_get_section.
	43	+ (read_section_stabs): Use bfd_malloc_and_get_section. Return
	44	+ bfd_byte*.
	45	+ (find_stabs_section): Remove now unnecessary cast.
	46	+ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
	47	+ contents on error return.
	48	+ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
	49	+
	50	2017-06-30 Nick Clifton <nickc@redhat.com>
	51
	52	PR binutils/21665
	53	Index: git/binutils/nlmconv.c
	54	===================================================================
	55	--- git.orig/binutils/nlmconv.c
	56	+++ git/binutils/nlmconv.c
	57	@@ -1224,7 +1224,7 @@ copy_sections (bfd inbfd, asection ins
	58	const char *inname;
	59	asection *outsec;
	60	bfd_size_type size;
	61	- void *contents;
	62	+ bfd_byte *contents;
	63	long reloc_size;
	64	bfd_byte buf[4];
	65	bfd_size_type add;
	66	@@ -1240,9 +1240,7 @@ copy_sections (bfd inbfd, asection ins
	67	contents = NULL;
	68	else
	69	{
	70	- contents = xmalloc (size);
	71	- if (! bfd_get_section_contents (inbfd, insec, contents,
	72	- (file_ptr) 0, size))
	73	+ if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
	74	bfd_fatal (bfd_get_filename (inbfd));
	75	}
	76
	77	Index: git/binutils/objdump.c
	78	===================================================================
	79	--- git.orig/binutils/objdump.c
	80	+++ git/binutils/objdump.c
	81	@@ -180,7 +180,7 @@ static long dynsymcount = 0;
	82	static bfd_byte *stabs;
	83	static bfd_size_type stab_size;
	84
	85	-static char *strtab;
	86	+static bfd_byte *strtab;
	87	static bfd_size_type stabstr_size;
	88
	89	static bfd_boolean is_relocatable = FALSE;
	90	@@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection
	91	}
	92	rel_ppend = rel_pp + rel_count;
	93
	94	- /* PR 21665: Check for overlarge datasizes.
	95	- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
	96	- this fails when using compressed sections or compressed file formats
	97	- (eg MMO, tekhex).
	98	-
	99	- The call to xmalloc below will fail if too much memory is requested,
	100	- which will catch the problem in the normal use case. But if a memory
	101	- checker is in use, eg valgrind or sanitize, then an exception will
	102	- be still generated, so we try to catch the problem first.
	103	-
	104	- Unfortunately there is no simple way to determine how much memory can
	105	- be allocated by calling xmalloc. So instead we use a simple, arbitrary
	106	- limit of 2Gb. Hopefully this should be enough for most users. If
	107	- someone does start trying to disassemble sections larger then 2Gb in
	108	- size they will doubtless complain and we can increase the limit. */
	109	-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
	110	- if (datasize > MAX_XMALLOC)
	111	- {
	112	- non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
	113	- section->name, (unsigned long) datasize);
	114	- return;
	115	- }
	116	-
	117	data = (bfd_byte *) xmalloc (datasize);
	118
	119	bfd_get_section_contents (abfd, section, data, 0, datasize);
	120	@@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd)
	121	/* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
	122	it. Return NULL on failure. */
	123
	124	-static char *
	125	+static bfd_byte *
	126	read_section_stabs (bfd abfd, const char sect_name, bfd_size_type *size_ptr)
	127	{
	128	asection *stabsect;
	129	- bfd_size_type size;
	130	- char *contents;
	131	+ bfd_byte *contents;
	132
	133	stabsect = bfd_get_section_by_name (abfd, sect_name);
	134	if (stabsect == NULL)
	135	@@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha
	136	return FALSE;
	137	}
	138
	139	- size = bfd_section_size (abfd, stabsect);
	140	- contents = (char *) xmalloc (size);
	141	-
	142	- if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
	143	+ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
	144	{
	145	non_fatal (_("reading %s section of %s failed: %s"),
	146	sect_name, bfd_get_filename (abfd),
	147	@@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha
	148	return NULL;
	149	}
	150
	151	- *size_ptr = size;
	152	+ *size_ptr = bfd_section_size (abfd, stabsect);
	153
	154	return contents;
	155	}
	156	@@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection
	157
	158	if (strtab)
	159	{
	160	- stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
	161	- &stab_size);
	162	+ stabs = read_section_stabs (abfd, section->name, &stab_size);
	163	if (stabs)
	164	print_section_stabs (abfd, section->name, &sought->string_offset);
	165	}
	166	Index: git/binutils/objcopy.c
	167	===================================================================
	168	--- git.orig/binutils/objcopy.c
	169	+++ git/binutils/objcopy.c
	170	@@ -2186,14 +2186,15 @@ copy_object (bfd ibfd, bfd obfd, const
	171	continue;
	172	}
	173
	174	- bfd_byte * contents = xmalloc (size);
	175	- if (bfd_get_section_contents (ibfd, sec, contents, 0, size))
	176	+ bfd_byte *contents;
	177	+ if (bfd_malloc_and_get_section (ibfd, sec, &contents))
	178	{
	179	if (fwrite (contents, 1, size, f) != size)
	180	{
	181	non_fatal (_("error writing section contents to %s (error: %s)"),
	182	pdump->filename,
	183	strerror (errno));
	184	+ free (contents);
	185	return FALSE;
	186	}
	187	}