1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch
new file mode 100644
index 0000000000..b5511d7d8a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch
@@ -0,0 +1,73 @@
+From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 10:13:54 +0000
+Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
+ debug information.
+        PR 22894
+        * dwarf1.c (parse_die): Check the length of form blocks before
+        advancing the data pointer.
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7568 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf1.c  | 17 +++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+Index: git/bfd/dwarf1.c
+===================================================================
+--- git.orig/bfd/dwarf1.c
+++ git/bfd/dwarf1.c
+@@ -213,6 +213,7 @@ parse_die (bfd *             abfd,
+   /* Then the attributes.  */
+   while (xptr + 2 <= aDiePtrEnd)
+     {
+      unsigned int   block_len;
+       unsigned short attr;
+ 
+       /* Parse the attribute based on its form.  This section
+@@ -255,12 +256,24 @@ parse_die (bfd *             abfd,
+          break;
+        case FORM_BLOCK2:
+          if (xptr + 2 <= aDiePtrEnd)
+-           xptr += bfd_get_16 (abfd, xptr);
+           {
+             block_len = bfd_get_16 (abfd, xptr);
+             if (xptr + block_len > aDiePtrEnd
+                 || xptr + block_len < xptr)
+               return FALSE;
+             xptr += block_len;
+           }
+          xptr += 2;
+          break;
+        case FORM_BLOCK4:
+          if (xptr + 4 <= aDiePtrEnd)
+-           xptr += bfd_get_32 (abfd, xptr);
+           {
+             block_len = bfd_get_32 (abfd, xptr);
+             if (xptr + block_len > aDiePtrEnd
+                 || xptr + block_len < xptr)
+               return FALSE;
+             xptr += block_len;
+           }
+          xptr += 4;
+          break;
+        case FORM_STRING:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2018-02-28  Nick Clifton  <nickc@redhat.com>
+
+       PR 22894
+       * dwarf1.c (parse_die): Check the length of form blocks before
+       advancing the data pointer.
+
+ 2017-09-25  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22202

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch new file mode 100644 index 0000000000..b5511d7d8a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch
@@ -0,0 +1,73 @@
	1	From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
	2	From: Nick Clifton <nickc@redhat.com>
	3	Date: Wed, 28 Feb 2018 10:13:54 +0000
	4	Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
	5	debug information.
	6
	7	PR 22894
	8	* dwarf1.c (parse_die): Check the length of form blocks before
	9	advancing the data pointer.
	10
	11	Upstream-Status: Backport
	12	Affects: <= 2.30
	13	CVE: CVE-2018-7568 patch2
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16	---
	17	bfd/ChangeLog \| 6 ++++++
	18	bfd/dwarf1.c \| 17 +++++++++++++++--
	19	2 files changed, 21 insertions(+), 2 deletions(-)
	20
	21	Index: git/bfd/dwarf1.c
	22	===================================================================
	23	--- git.orig/bfd/dwarf1.c
	24	+++ git/bfd/dwarf1.c
	25	@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
	26	/* Then the attributes. */
	27	while (xptr + 2 <= aDiePtrEnd)
	28	{
	29	+ unsigned int block_len;
	30	unsigned short attr;
	31
	32	/* Parse the attribute based on its form. This section
	33	@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
	34	break;
	35	case FORM_BLOCK2:
	36	if (xptr + 2 <= aDiePtrEnd)
	37	- xptr += bfd_get_16 (abfd, xptr);
	38	+ {
	39	+ block_len = bfd_get_16 (abfd, xptr);
	40	+ if (xptr + block_len > aDiePtrEnd
	41	+ \|\| xptr + block_len < xptr)
	42	+ return FALSE;
	43	+ xptr += block_len;
	44	+ }
	45	xptr += 2;
	46	break;
	47	case FORM_BLOCK4:
	48	if (xptr + 4 <= aDiePtrEnd)
	49	- xptr += bfd_get_32 (abfd, xptr);
	50	+ {
	51	+ block_len = bfd_get_32 (abfd, xptr);
	52	+ if (xptr + block_len > aDiePtrEnd
	53	+ \|\| xptr + block_len < xptr)
	54	+ return FALSE;
	55	+ xptr += block_len;
	56	+ }
	57	xptr += 4;
	58	break;
	59	case FORM_STRING:
	60	Index: git/bfd/ChangeLog
	61	===================================================================
	62	--- git.orig/bfd/ChangeLog
	63	+++ git/bfd/ChangeLog
	64	@@ -1,3 +1,9 @@
	65	+2018-02-28 Nick Clifton <nickc@redhat.com>
	66	+
	67	+ PR 22894
	68	+ * dwarf1.c (parse_die): Check the length of form blocks before
	69	+ advancing the data pointer.
	70	+
	71	2017-09-25 Alan Modra <amodra@gmail.com>
	72
	73	PR 22202