1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
new file mode 100644
index 0000000000..cef10a7546
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
@@ -0,0 +1,65 @@
+From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 18:23:17 +0930
+Subject: [PATCH] PR23685, buffer overflow
+        PR 23685
+        * peXXigen.c (pe_print_edata): Correct export address table
+        overflow checks.  Check dataoff against section size too.
+CVE: CVE-2018-17360
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/peXXigen.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index fef5479..81b9e56 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2018-09-20  Alan Modra  <amodra@gmail.com>
+ 
+       PR 23685
+       * peXXigen.c (pe_print_edata): Correct export address table
+       overflow checks.  Check dataoff against section size too.
+
+2018-09-20  Alan Modra  <amodra@gmail.com>
+
+        PR 23686
+        * dwarf2.c (read_section): Error when attempting to malloc
+        "(bfd_size_type) -1".
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 598f2ca..1645ef4 100644
+--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
+@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
+ 
+       dataoff = addr - section->vma;
+       datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
+-      if (datasize > section->size - dataoff)
+      if (dataoff > section->size
+         || datasize > section->size - dataoff)
+        {
+          fprintf (file,
+                   _("\nThere is an export table in %s, but it does not fit into that section\n"),
+@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
+          edt.base);
+ 
+   /* PR 17512: Handle corrupt PE binaries.  */
+-  if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
+  /* PR 17512 file: 140-165018-0.004.  */
+  if (edt.eat_addr - adj >= datasize
+       /* PR 17512: file: 092b1829 */
+-      || (edt.num_functions * 4) < edt.num_functions
+-      /* PR 17512 file: 140-165018-0.004.  */
+-      || data + edt.eat_addr - adj < data)
+      || (edt.num_functions + 1) * 4 < edt.num_functions
+      || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
+     fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
+             (long) edt.eat_addr,
+             (long) edt.num_functions);
+-- 
+2.9.3

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch new file mode 100644 index 0000000000..cef10a7546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch
@@ -0,0 +1,65 @@
	1	From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Thu, 20 Sep 2018 18:23:17 +0930
	4	Subject: [PATCH] PR23685, buffer overflow
	5
	6	PR 23685
	7	* peXXigen.c (pe_print_edata): Correct export address table
	8	overflow checks. Check dataoff against section size too.
	9
	10	CVE: CVE-2018-17360
	11	Upstream-Status: Backport
	12	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	13	---
	14	bfd/ChangeLog \| 6 ++++++
	15	bfd/peXXigen.c \| 11 ++++++-----
	16	2 files changed, 12 insertions(+), 5 deletions(-)
	17
	18	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
	19	index fef5479..81b9e56 100644
	20	--- a/bfd/ChangeLog
	21	+++ b/bfd/ChangeLog
	22	@@ -1,5 +1,11 @@
	23	2018-09-20 Alan Modra <amodra@gmail.com>
	24
	25	+ PR 23685
	26	+ * peXXigen.c (pe_print_edata): Correct export address table
	27	+ overflow checks. Check dataoff against section size too.
	28	+
	29	+2018-09-20 Alan Modra <amodra@gmail.com>
	30	+
	31	PR 23686
	32	* dwarf2.c (read_section): Error when attempting to malloc
	33	"(bfd_size_type) -1".
	34	diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
	35	index 598f2ca..1645ef4 100644
	36	--- a/bfd/peXXigen.c
	37	+++ b/bfd/peXXigen.c
	38	@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
	39
	40	dataoff = addr - section->vma;
	41	datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
	42	- if (datasize > section->size - dataoff)
	43	+ if (dataoff > section->size
	44	+ \|\| datasize > section->size - dataoff)
	45	{
	46	fprintf (file,
	47	_("\nThere is an export table in %s, but it does not fit into that section\n"),
	48	@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
	49	edt.base);
	50
	51	/* PR 17512: Handle corrupt PE binaries. */
	52	- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
	53	+ /* PR 17512 file: 140-165018-0.004. */
	54	+ if (edt.eat_addr - adj >= datasize
	55	/* PR 17512: file: 092b1829 */
	56	- \|\| (edt.num_functions * 4) < edt.num_functions
	57	- /* PR 17512 file: 140-165018-0.004. */
	58	- \|\| data + edt.eat_addr - adj < data)
	59	+ \|\| (edt.num_functions + 1) * 4 < edt.num_functions
	60	+ \|\| edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
	61	fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
	62	(long) edt.eat_addr,
	63	(long) edt.num_functions);
	64	--
	65	2.9.3