1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
new file mode 100644
index 0000000000..b36a532668
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
+From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17451, so backport it to master and zeus.
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
+CVE: CVE-2019-17451
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+        PR 25070
+        * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+        total_size calculation.
+---
+ bfd/dwarf2.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..a91597b1d0 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+           msec;
+           msec = find_debug_info (debug_bfd, debug_sections, msec))
+-       total_size += msec->size;
+       {
+         /* Catch PR25070 testcase overflowing size calculation here.  */
+         if (total_size + msec->size < total_size
+             || total_size + msec->size < msec->size)
+           {
+             bfd_set_error (bfd_error_no_memory);
+             return FALSE;
+           }
+         total_size += msec->size;
+       }
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+-- 
+2.23.0

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch new file mode 100644 index 0000000000..b36a532668 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
	1	From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Wed, 9 Oct 2019 10:47:13 +1030
	4	Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
	5
	6	Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
	7	file. There are newer versions of binutils, but none of them contain the
	8	commit fixing CVE-2019-17451, so backport it to master and zeus.
	9
	10	Upstream-Status: Backport
	11	[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
	12	CVE: CVE-2019-17451
	13	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
	14
	15
	16	Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
	17	and ffffd5555453b140 result in a total size of 1. Reading the first
	18	section of course overflows the buffer and tramples on other memory.
	19
	20	PR 25070
	21	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
	22	total_size calculation.
	23	---
	24	bfd/dwarf2.c \| 11 ++++++++++-
	25	1 file changed, 10 insertions(+), 1 deletion(-)
	26
	27	diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
	28	index 0b4e485582..a91597b1d0 100644
	29	--- a/bfd/dwarf2.c
	30	+++ b/bfd/dwarf2.c
	31	@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd abfd, bfd debug_bfd,
	32	for (total_size = 0;
	33	msec;
	34	msec = find_debug_info (debug_bfd, debug_sections, msec))
	35	- total_size += msec->size;
	36	+ {
	37	+ /* Catch PR25070 testcase overflowing size calculation here. */
	38	+ if (total_size + msec->size < total_size
	39	+ \|\| total_size + msec->size < msec->size)
	40	+ {
	41	+ bfd_set_error (bfd_error_no_memory);
	42	+ return FALSE;
	43	+ }
	44	+ total_size += msec->size;
	45	+ }
	46
	47	stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
	48	if (stash->info_ptr_memory == NULL)
	49	--
	50	2.23.0
	51