1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch
new file mode 100644
index 0000000000..35cf328a14
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch
@@ -0,0 +1,70 @@
+From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 23 Oct 2018 19:02:06 +1030
+Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings
+        PR 23806
+        * merge.c (_bfd_add_merge_section): Don't attempt to merge
+        sections with ridiculously large alignments.
+Upstream-Status: Backport
+CVE: CVE-2018-18606
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/merge.c   | 15 +++++++++++----
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 1f3fc1c..c5f7ec7 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2018-10-23  Alan Modra  <amodra@gmail.com>
+ 
+       PR 23806
+       * merge.c (_bfd_add_merge_section): Don't attempt to merge
+       sections with ridiculously large alignments.
+
+2018-10-23  Alan Modra  <amodra@gmail.com>
+
+        PR 23804
+        * merge.c (_bfd_add_merge_section): Don't attempt to merge
+        sections where size is not a multiple of entsize.
+diff --git a/bfd/merge.c b/bfd/merge.c
+index 5e3bba0..7de0c88 100644
+--- a/bfd/merge.c
+++ b/bfd/merge.c
+@@ -24,6 +24,7 @@
+    as used in ELF SHF_MERGE.  */
+ 
+ #include "sysdep.h"
+#include <limits.h>
+ #include "bfd.h"
+ #include "elf-bfd.h"
+ #include "libbfd.h"
+@@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,
+       return TRUE;
+     }
+ 
+-  align = sec->alignment_power;
+-  if ((sec->entsize < (unsigned) 1 << align
+#ifndef CHAR_BIT
+#define CHAR_BIT 8
+#endif
+  if (sec->alignment_power >= sizeof (align) * CHAR_BIT)
+    return TRUE;
+
+  align = 1u << sec->alignment_power;
+  if ((sec->entsize < align
+        && ((sec->entsize & (sec->entsize - 1))
+           || !(sec->flags & SEC_STRINGS)))
+-      || (sec->entsize > (unsigned) 1 << align
+-         && (sec->entsize & (((unsigned) 1 << align) - 1))))
+      || (sec->entsize > align
+         && (sec->entsize & (align - 1))))
+     {
+       /* Sanity check.  If string character size is smaller than
+         alignment, then we require character size to be a power
+-- 
+2.9.3

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch new file mode 100644 index 0000000000..35cf328a14 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch
@@ -0,0 +1,70 @@
	1	From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Tue, 23 Oct 2018 19:02:06 +1030
	4	Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings
	5
	6	PR 23806
	7	* merge.c (_bfd_add_merge_section): Don't attempt to merge
	8	sections with ridiculously large alignments.
	9
	10	Upstream-Status: Backport
	11	CVE: CVE-2018-18606
	12	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	13	---
	14	bfd/ChangeLog \| 6 ++++++
	15	bfd/merge.c \| 15 +++++++++++----
	16	2 files changed, 17 insertions(+), 4 deletions(-)
	17
	18	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
	19	index 1f3fc1c..c5f7ec7 100644
	20	--- a/bfd/ChangeLog
	21	+++ b/bfd/ChangeLog
	22	@@ -1,5 +1,11 @@
	23	2018-10-23 Alan Modra <amodra@gmail.com>
	24
	25	+ PR 23806
	26	+ * merge.c (_bfd_add_merge_section): Don't attempt to merge
	27	+ sections with ridiculously large alignments.
	28	+
	29	+2018-10-23 Alan Modra <amodra@gmail.com>
	30	+
	31	PR 23804
	32	* merge.c (_bfd_add_merge_section): Don't attempt to merge
	33	sections where size is not a multiple of entsize.
	34	diff --git a/bfd/merge.c b/bfd/merge.c
	35	index 5e3bba0..7de0c88 100644
	36	--- a/bfd/merge.c
	37	+++ b/bfd/merge.c
	38	@@ -24,6 +24,7 @@
	39	as used in ELF SHF_MERGE. */
	40
	41	#include "sysdep.h"
	42	+#include <limits.h>
	43	#include "bfd.h"
	44	#include "elf-bfd.h"
	45	#include "libbfd.h"
	46	@@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd abfd, void psinfo, asection sec,
	47	return TRUE;
	48	}
	49
	50	- align = sec->alignment_power;
	51	- if ((sec->entsize < (unsigned) 1 << align
	52	+#ifndef CHAR_BIT
	53	+#define CHAR_BIT 8
	54	+#endif
	55	+ if (sec->alignment_power >= sizeof (align) * CHAR_BIT)
	56	+ return TRUE;
	57	+
	58	+ align = 1u << sec->alignment_power;
	59	+ if ((sec->entsize < align
	60	&& ((sec->entsize & (sec->entsize - 1))
	61	\|\| !(sec->flags & SEC_STRINGS)))
	62	- \|\| (sec->entsize > (unsigned) 1 << align
	63	- && (sec->entsize & (((unsigned) 1 << align) - 1))))
	64	+ \|\| (sec->entsize > align
	65	+ && (sec->entsize & (align - 1))))
	66	{
	67	/* Sanity check. If string character size is smaller than
	68	alignment, then we require character size to be a power
	69	--
	70	2.9.3