1 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 0000000000..ff853511f9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+        PR 23994
+        * aoutx.h: Include limits.h.
+        (get_reloc_upper_bound): Detect long overflow and return a file
+        too big error if it occurs.
+        * elf.c: Include limits.h.
+        (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+        a file too big error if it occurs.
+        (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+        (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c   | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+ 
+ #include "sysdep.h"
+#include <limits.h>
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
+  bfd_size_type count;
+
+   if (bfd_get_format (abfd) != bfd_object)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+     }
+ 
+   if (asect->flags & SEC_CONSTRUCTOR)
+-    return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+-  if (asect == obj_datasec (abfd))
+-    return sizeof (arelent *)
+-      * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+-        + 1);
+-
+-  if (asect == obj_textsec (abfd))
+-    return sizeof (arelent *)
+-      * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+-        + 1);
+-
+-  if (asect == obj_bsssec (abfd))
+-    return sizeof (arelent *);
+-
+-  if (asect == obj_bsssec (abfd))
+-    return 0;
+    count = asect->reloc_count;
+  else if (asect == obj_datasec (abfd))
+    count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
+  else if (asect == obj_textsec (abfd))
+    count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
+  else if (asect == obj_bsssec (abfd))
+    count = 0;
+  else
+    {
+      bfd_set_error (bfd_error_invalid_operation);
+      return -1;
+    }
+ 
+-  bfd_set_error (bfd_error_invalid_operation);
+-  return -1;
+  if (count >= LONG_MAX / sizeof (arelent *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+  return (count + 1) * sizeof (arelent *);
+ }
+ 
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
+++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32.  */
+ #define _SYSCALL32
+ #include "sysdep.h"
+#include <limits.h>
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+-  long symcount;
+  bfd_size_type symcount;
+   long symtab_size;
+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+ 
+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+   symtab_size = (symcount + 1) * (sizeof (asymbol *));
+   if (symcount > 0)
+     symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+-  long symcount;
+  bfd_size_type symcount;
+   long symtab_size;
+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+ 
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+     }
+ 
+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return -1;
+    }
+   symtab_size = (symcount + 1) * (sizeof (asymbol *));
+   if (symcount > 0)
+     symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+-  long ret;
+  bfd_size_type count;
+   asection *s;
+ 
+   if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+       return -1;
+     }
+ 
+-  ret = sizeof (arelent *);
+  count = 1;
+   for (s = abfd->sections; s != NULL; s = s->next)
+     if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+        && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+            || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+-      ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+-             * sizeof (arelent *));
+-
+-  return ret;
+      {
+       count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
+       if (count > LONG_MAX / sizeof (arelent *))
+         {
+           bfd_set_error (bfd_error_file_too_big);
+           return -1;
+         }
+      }
+  return count * sizeof (arelent *);
+ }
+ 
+ /* Canonicalize the dynamic relocation entries.  Note that we return the
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch new file mode 100644 index 0000000000..ff853511f9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
	1	From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Sun, 16 Dec 2018 23:02:50 +1030
	4	Subject: [PATCH] PR23994, libbfd integer overflow
	5
	6	PR 23994
	7	* aoutx.h: Include limits.h.
	8	(get_reloc_upper_bound): Detect long overflow and return a file
	9	too big error if it occurs.
	10	* elf.c: Include limits.h.
	11	(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
	12	a file too big error if it occurs.
	13	(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
	14	(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
	15
	16	CVE: CVE-2018-1000876
	17	Upstream-Status: Backport
	18	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
	19
	20	Signed-off-by: Dan Tran <dantran@microsoft.com>
	21	---
	22	bfd/aoutx.h \| 40 +++++++++++++++++++++-------------------
	23	bfd/elf.c \| 32 ++++++++++++++++++++++++--------
	24	2 files changed, 45 insertions(+), 27 deletions(-)
	25
	26	diff --git a/bfd/aoutx.h b/bfd/aoutx.h
	27	index 023843b0be..78eaa9c503 100644
	28	--- a/bfd/aoutx.h
	29	+++ b/bfd/aoutx.h
	30	@@ -117,6 +117,7 @@ DESCRIPTION
	31	#define KEEPIT udata.i
	32
	33	#include "sysdep.h"
	34	+#include <limits.h>
	35	#include "bfd.h"
	36	#include "safe-ctype.h"
	37	#include "bfdlink.h"
	38	@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
	39	long
	40	NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
	41	{
	42	+ bfd_size_type count;
	43	+
	44	if (bfd_get_format (abfd) != bfd_object)
	45	{
	46	bfd_set_error (bfd_error_invalid_operation);
	47	@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
	48	}
	49
	50	if (asect->flags & SEC_CONSTRUCTOR)
	51	- return sizeof (arelent ) (asect->reloc_count + 1);
	52	-
	53	- if (asect == obj_datasec (abfd))
	54	- return sizeof (arelent *)
	55	- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
	56	- + 1);
	57	-
	58	- if (asect == obj_textsec (abfd))
	59	- return sizeof (arelent *)
	60	- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
	61	- + 1);
	62	-
	63	- if (asect == obj_bsssec (abfd))
	64	- return sizeof (arelent *);
	65	-
	66	- if (asect == obj_bsssec (abfd))
	67	- return 0;
	68	+ count = asect->reloc_count;
	69	+ else if (asect == obj_datasec (abfd))
	70	+ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
	71	+ else if (asect == obj_textsec (abfd))
	72	+ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
	73	+ else if (asect == obj_bsssec (abfd))
	74	+ count = 0;
	75	+ else
	76	+ {
	77	+ bfd_set_error (bfd_error_invalid_operation);
	78	+ return -1;
	79	+ }
	80
	81	- bfd_set_error (bfd_error_invalid_operation);
	82	- return -1;
	83	+ if (count >= LONG_MAX / sizeof (arelent *))
	84	+ {
	85	+ bfd_set_error (bfd_error_file_too_big);
	86	+ return -1;
	87	+ }
	88	+ return (count + 1) * sizeof (arelent *);
	89	}
	90
	91	long
	92	diff --git a/bfd/elf.c b/bfd/elf.c
	93	index 828241d48a..10037176a3 100644
	94	--- a/bfd/elf.c
	95	+++ b/bfd/elf.c
	96	@@ -35,6 +35,7 @@ SECTION
	97	/* For sparc64-cross-sparc32. */
	98	#define _SYSCALL32
	99	#include "sysdep.h"
	100	+#include <limits.h>
	101	#include "bfd.h"
	102	#include "bfdlink.h"
	103	#include "libbfd.h"
	104	@@ -8114,11 +8115,16 @@ error_return:
	105	long
	106	_bfd_elf_get_symtab_upper_bound (bfd *abfd)
	107	{
	108	- long symcount;
	109	+ bfd_size_type symcount;
	110	long symtab_size;
	111	Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
	112
	113	symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
	114	+ if (symcount >= LONG_MAX / sizeof (asymbol *))
	115	+ {
	116	+ bfd_set_error (bfd_error_file_too_big);
	117	+ return -1;
	118	+ }
	119	symtab_size = (symcount + 1) * (sizeof (asymbol *));
	120	if (symcount > 0)
	121	symtab_size -= sizeof (asymbol *);
	122	@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
	123	long
	124	_bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
	125	{
	126	- long symcount;
	127	+ bfd_size_type symcount;
	128	long symtab_size;
	129	Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
	130
	131	@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
	132	}
	133
	134	symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
	135	+ if (symcount >= LONG_MAX / sizeof (asymbol *))
	136	+ {
	137	+ bfd_set_error (bfd_error_file_too_big);
	138	+ return -1;
	139	+ }
	140	symtab_size = (symcount + 1) * (sizeof (asymbol *));
	141	if (symcount > 0)
	142	symtab_size -= sizeof (asymbol *);
	143	@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
	144	long
	145	_bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
	146	{
	147	- long ret;
	148	+ bfd_size_type count;
	149	asection *s;
	150
	151	if (elf_dynsymtab (abfd) == 0)
	152	@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
	153	return -1;
	154	}
	155
	156	- ret = sizeof (arelent *);
	157	+ count = 1;
	158	for (s = abfd->sections; s != NULL; s = s->next)
	159	if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
	160	&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL
	161	\|\| elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
	162	- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
	163	- * sizeof (arelent *));
	164	-
	165	- return ret;
	166	+ {
	167	+ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
	168	+ if (count > LONG_MAX / sizeof (arelent *))
	169	+ {
	170	+ bfd_set_error (bfd_error_file_too_big);
	171	+ return -1;
	172	+ }
	173	+ }
	174	+ return count * sizeof (arelent *);
	175	}
	176
	177	/* Canonicalize the dynamic relocation entries. Note that we return the
	178	--
	179	2.22.0.vfs.1.1.57.gbaf16c8
	180