1 files changed, 290 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch
new file mode 100644
index 0000000000..f32e91d4fc
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch
@@ -0,0 +1,290 @@
+From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 2 May 2016 17:06:40 +0000
+Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
+ =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+        PR c++/70498
+        * cp-demangle.c: Parse numbers as integer instead of long to avoid
+        overflow after sanity checks. Include <limits.h> if available.
+        (INT_MAX): Define if necessary.
+        (d_make_template_param): Takes integer argument instead of long.
+        (d_make_function_param): Likewise.
+        (d_append_num): Likewise.
+        (d_identifier): Likewise.
+        (d_number): Parse as and return integer.
+        (d_compact_number): Handle overflow.
+        (d_source_name): Change variable type to integer for parsed number.
+        (d_java_resource): Likewise.
+        (d_special_name): Likewise.
+        (d_discriminator): Likewise.
+        (d_unnamed_type): Likewise.
+        * testsuite/demangle-expected: Add regression test cases.
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE:  CVE-2016-4490
+[Yocto #9632]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libiberty/ChangeLog                   | 19 +++++++++++++
+ libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
+ libiberty/testsuite/demangle-expected | 14 ++++++++--
+ 3 files changed, 61 insertions(+), 24 deletions(-)
+Index: git/libiberty/ChangeLog
+===================================================================
+--- git.orig/libiberty/ChangeLog
+++ git/libiberty/ChangeLog
+@@ -1,3 +1,22 @@
+2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
+
+   PR c++/70498
+   * cp-demangle.c: Parse numbers as integer instead of long to avoid
+   overflow after sanity checks. Include <limits.h> if available.
+   (INT_MAX): Define if necessary.
+   (d_make_template_param): Takes integer argument instead of long.
+   (d_make_function_param): Likewise.
+   (d_append_num): Likewise.
+   (d_identifier): Likewise.
+   (d_number): Parse as and return integer.
+   (d_compact_number): Handle overflow.
+   (d_source_name): Change variable type to integer for parsed number.
+   (d_java_resource): Likewise.
+   (d_special_name): Likewise.
+   (d_discriminator): Likewise.
+   (d_unnamed_type): Likewise.
+   * testsuite/demangle-expected: Add regression test cases.
+
+ 2016-04-27  Release Manager
+ 
+        * GCC 6.1.0 released.
+Index: git/libiberty/cp-demangle.c
+===================================================================
+--- git.orig/libiberty/cp-demangle.c
+++ git/libiberty/cp-demangle.c
+@@ -128,6 +128,13 @@ extern char *alloca ();
+ # endif /* alloca */
+ #endif /* HAVE_ALLOCA_H */
+ 
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifndef INT_MAX
+# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
+#endif
+
+ #include "ansidecl.h"
+ #include "libiberty.h"
+ #include "demangle.h"
+@@ -398,7 +405,7 @@ d_make_dtor (struct d_info *, enum gnu_v
+              struct demangle_component *);
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *, long);
+d_make_template_param (struct d_info *, int);
+ 
+ static struct demangle_component *
+ d_make_sub (struct d_info *, const char *, int);
+@@ -421,9 +428,9 @@ static struct demangle_component *d_unqu
+ 
+ static struct demangle_component *d_source_name (struct d_info *);
+ 
+-static long d_number (struct d_info *);
+static int d_number (struct d_info *);
+ 
+-static struct demangle_component *d_identifier (struct d_info *, long);
+static struct demangle_component *d_identifier (struct d_info *, int);
+ 
+ static struct demangle_component *d_operator_name (struct d_info *);
+ 
+@@ -1119,7 +1126,7 @@ d_make_dtor (struct d_info *di, enum gnu
+ /* Add a new template parameter.  */
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *di, long i)
+d_make_template_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1135,7 +1142,7 @@ d_make_template_param (struct d_info *di
+ /* Add a new function parameter.  */
+ 
+ static struct demangle_component *
+-d_make_function_param (struct d_info *di, long i)
+d_make_function_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1620,7 +1627,7 @@ d_unqualified_name (struct d_info *di)
+ static struct demangle_component *
+ d_source_name (struct d_info *di)
+ {
+-  long len;
+  int len;
+   struct demangle_component *ret;
+ 
+   len = d_number (di);
+@@ -1633,12 +1640,12 @@ d_source_name (struct d_info *di)
+ 
+ /* number ::= [n] <(non-negative decimal integer)>  */
+ 
+-static long
+static int
+ d_number (struct d_info *di)
+ {
+   int negative;
+   char peek;
+-  long ret;
+  int ret;
+ 
+   negative = 0;
+   peek = d_peek_char (di);
+@@ -1681,7 +1688,7 @@ d_number_component (struct d_info *di)
+ /* identifier ::= <(unqualified source code identifier)>  */
+ 
+ static struct demangle_component *
+-d_identifier (struct d_info *di, long len)
+d_identifier (struct d_info *di, int len)
+ {
+   const char *name;
+ 
+@@ -1702,7 +1709,7 @@ d_identifier (struct d_info *di, long le
+   /* Look for something which looks like a gcc encoding of an
+      anonymous namespace, and replace it with a more user friendly
+      name.  */
+-  if (len >= (long) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
+  if (len >= (int) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
+       && memcmp (name, ANONYMOUS_NAMESPACE_PREFIX,
+                 ANONYMOUS_NAMESPACE_PREFIX_LEN) == 0)
+     {
+@@ -1870,7 +1877,7 @@ d_java_resource (struct d_info *di)
+ {
+   struct demangle_component *p = NULL;
+   struct demangle_component *next = NULL;
+-  long len, i;
+  int len, i;
+   char c;
+   const char *str;
+ 
+@@ -2012,7 +2019,7 @@ d_special_name (struct d_info *di)
+        case 'C':
+          {
+            struct demangle_component *derived_type;
+-           long offset;
+           int offset;
+            struct demangle_component *base_type;
+ 
+            derived_type = cplus_demangle_type (di);
+@@ -2946,10 +2953,10 @@ d_pointer_to_member_type (struct d_info
+ 
+ /* <non-negative number> _ */
+ 
+-static long
+static int
+ d_compact_number (struct d_info *di)
+ {
+-  long num;
+  int num;
+   if (d_peek_char (di) == '_')
+     num = 0;
+   else if (d_peek_char (di) == 'n')
+@@ -2957,7 +2964,7 @@ d_compact_number (struct d_info *di)
+   else
+     num = d_number (di) + 1;
+ 
+-  if (! d_check_char (di, '_'))
+  if (num < 0 || ! d_check_char (di, '_'))
+     return -1;
+   return num;
+ }
+@@ -2969,7 +2976,7 @@ d_compact_number (struct d_info *di)
+ static struct demangle_component *
+ d_template_param (struct d_info *di)
+ {
+-  long param;
+  int param;
+ 
+   if (! d_check_char (di, 'T'))
+     return NULL;
+@@ -3171,9 +3178,10 @@ d_expression_1 (struct d_info *di)
+        }
+       else
+        {
+-         index = d_compact_number (di) + 1;
+-         if (index == 0)
+         index = d_compact_number (di);
+         if (index == INT_MAX || index == -1)
+            return NULL;
+         index ++;
+        }
+       return d_make_function_param (di, index);
+     }
+@@ -3502,7 +3510,7 @@ d_local_name (struct d_info *di)
+ static int
+ d_discriminator (struct d_info *di)
+ {
+-  long discrim;
+  int discrim;
+ 
+   if (d_peek_char (di) != '_')
+     return 1;
+@@ -3558,7 +3566,7 @@ static struct demangle_component *
+ d_unnamed_type (struct d_info *di)
+ {
+   struct demangle_component *ret;
+-  long num;
+  int num;
+ 
+   if (! d_check_char (di, 'U'))
+     return NULL;
+@@ -4086,10 +4094,10 @@ d_append_string (struct d_print_info *dp
+ }
+ 
+ static inline void
+-d_append_num (struct d_print_info *dpi, long l)
+d_append_num (struct d_print_info *dpi, int l)
+ {
+   char buf[25];
+-  sprintf (buf,"%ld", l);
+  sprintf (buf,"%d", l);
+   d_append_string (dpi, buf);
+ }
+ 
+Index: git/libiberty/testsuite/demangle-expected
+===================================================================
+--- git.orig/libiberty/testsuite/demangle-expected
+++ git/libiberty/testsuite/demangle-expected
+@@ -4422,12 +4422,22 @@ void baz<int>(A<sizeof (foo((int)(), (fl
+ _Z3fooI1FEN1XIXszdtcl1PclcvT__EEE5arrayEE4TypeEv
+ X<sizeof ((P(((F)())())).array)>::Type foo<F>()
+ #
+-# Tests a use-after-free problem
+# Tests a use-after-free problem PR70481
+ 
+ _Q.__0
+ ::Q.(void)
+ #
+-# Tests a use-after-free problem
+# Tests a use-after-free problem PR70481
+ 
+ _Q10-__9cafebabe.
+ cafebabe.::-(void)
+#
+# Tests integer overflow problem PR70492
+
+__vt_90000000000cafebabe
+__vt_90000000000cafebabe
+#
+# Tests write access violation PR70498
+
+_Z80800000000000000000000
+_Z80800000000000000000000

diff --git a/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch new file mode 100644 index 0000000000..f32e91d4fc --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-6.3/CVE-2016-4490.patch
@@ -0,0 +1,290 @@
	1	From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
	2	From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
	3	Date: Mon, 2 May 2016 17:06:40 +0000
	4	Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
	5	=?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	PR c++/70498
	11	* cp-demangle.c: Parse numbers as integer instead of long to avoid
	12	overflow after sanity checks. Include <limits.h> if available.
	13	(INT_MAX): Define if necessary.
	14	(d_make_template_param): Takes integer argument instead of long.
	15	(d_make_function_param): Likewise.
	16	(d_append_num): Likewise.
	17	(d_identifier): Likewise.
	18	(d_number): Parse as and return integer.
	19	(d_compact_number): Handle overflow.
	20	(d_source_name): Change variable type to integer for parsed number.
	21	(d_java_resource): Likewise.
	22	(d_special_name): Likewise.
	23	(d_discriminator): Likewise.
	24	(d_unnamed_type): Likewise.
	25	* testsuite/demangle-expected: Add regression test cases.
	26
	27
	28
	29	git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
	30
	31	Upstream-Status: Backport
	32	CVE: CVE-2016-4490
	33	[Yocto #9632]
	34
	35	Signed-off-by: Armin Kuster <akuster@mvista.com>
	36
	37	---
	38	libiberty/ChangeLog \| 19 +++++++++++++
	39	libiberty/cp-demangle.c \| 52 ++++++++++++++++++++---------------
	40	libiberty/testsuite/demangle-expected \| 14 ++++++++--
	41	3 files changed, 61 insertions(+), 24 deletions(-)
	42
	43	Index: git/libiberty/ChangeLog
	44	===================================================================
	45	--- git.orig/libiberty/ChangeLog
	46	+++ git/libiberty/ChangeLog
	47	@@ -1,3 +1,22 @@
	48	+2016-05-02 Marcel Böhme <boehme.marcel@gmail.com>
	49	+
	50	+ PR c++/70498
	51	+ * cp-demangle.c: Parse numbers as integer instead of long to avoid
	52	+ overflow after sanity checks. Include <limits.h> if available.
	53	+ (INT_MAX): Define if necessary.
	54	+ (d_make_template_param): Takes integer argument instead of long.
	55	+ (d_make_function_param): Likewise.
	56	+ (d_append_num): Likewise.
	57	+ (d_identifier): Likewise.
	58	+ (d_number): Parse as and return integer.
	59	+ (d_compact_number): Handle overflow.
	60	+ (d_source_name): Change variable type to integer for parsed number.
	61	+ (d_java_resource): Likewise.
	62	+ (d_special_name): Likewise.
	63	+ (d_discriminator): Likewise.
	64	+ (d_unnamed_type): Likewise.
	65	+ * testsuite/demangle-expected: Add regression test cases.
	66	+
	67	2016-04-27 Release Manager
	68
	69	* GCC 6.1.0 released.
	70	Index: git/libiberty/cp-demangle.c
	71	===================================================================
	72	--- git.orig/libiberty/cp-demangle.c
	73	+++ git/libiberty/cp-demangle.c
	74	@@ -128,6 +128,13 @@ extern char *alloca ();
	75	# endif /* alloca */
	76	#endif /* HAVE_ALLOCA_H */
	77
	78	+#ifdef HAVE_LIMITS_H
	79	+#include <limits.h>
	80	+#endif
	81	+#ifndef INT_MAX
	82	+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
	83	+#endif
	84	+
	85	#include "ansidecl.h"
	86	#include "libiberty.h"
	87	#include "demangle.h"
	88	@@ -398,7 +405,7 @@ d_make_dtor (struct d_info *, enum gnu_v
	89	struct demangle_component *);
	90
	91	static struct demangle_component *
	92	-d_make_template_param (struct d_info *, long);
	93	+d_make_template_param (struct d_info *, int);
	94
	95	static struct demangle_component *
	96	d_make_sub (struct d_info , const char , int);
	97	@@ -421,9 +428,9 @@ static struct demangle_component *d_unqu
	98
	99	static struct demangle_component d_source_name (struct d_info );
	100
	101	-static long d_number (struct d_info *);
	102	+static int d_number (struct d_info *);
	103
	104	-static struct demangle_component d_identifier (struct d_info , long);
	105	+static struct demangle_component d_identifier (struct d_info , int);
	106
	107	static struct demangle_component d_operator_name (struct d_info );
	108
	109	@@ -1119,7 +1126,7 @@ d_make_dtor (struct d_info *di, enum gnu
	110	/* Add a new template parameter. */
	111
	112	static struct demangle_component *
	113	-d_make_template_param (struct d_info *di, long i)
	114	+d_make_template_param (struct d_info *di, int i)
	115	{
	116	struct demangle_component *p;
	117
	118	@@ -1135,7 +1142,7 @@ d_make_template_param (struct d_info *di
	119	/* Add a new function parameter. */
	120
	121	static struct demangle_component *
	122	-d_make_function_param (struct d_info *di, long i)
	123	+d_make_function_param (struct d_info *di, int i)
	124	{
	125	struct demangle_component *p;
	126
	127	@@ -1620,7 +1627,7 @@ d_unqualified_name (struct d_info *di)
	128	static struct demangle_component *
	129	d_source_name (struct d_info *di)
	130	{
	131	- long len;
	132	+ int len;
	133	struct demangle_component *ret;
	134
	135	len = d_number (di);
	136	@@ -1633,12 +1640,12 @@ d_source_name (struct d_info *di)
	137
	138	/* number ::= [n] <(non-negative decimal integer)> */
	139
	140	-static long
	141	+static int
	142	d_number (struct d_info *di)
	143	{
	144	int negative;
	145	char peek;
	146	- long ret;
	147	+ int ret;
	148
	149	negative = 0;
	150	peek = d_peek_char (di);
	151	@@ -1681,7 +1688,7 @@ d_number_component (struct d_info *di)
	152	/* identifier ::= <(unqualified source code identifier)> */
	153
	154	static struct demangle_component *
	155	-d_identifier (struct d_info *di, long len)
	156	+d_identifier (struct d_info *di, int len)
	157	{
	158	const char *name;
	159
	160	@@ -1702,7 +1709,7 @@ d_identifier (struct d_info *di, long le
	161	/* Look for something which looks like a gcc encoding of an
	162	anonymous namespace, and replace it with a more user friendly
	163	name. */
	164	- if (len >= (long) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
	165	+ if (len >= (int) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
	166	&& memcmp (name, ANONYMOUS_NAMESPACE_PREFIX,
	167	ANONYMOUS_NAMESPACE_PREFIX_LEN) == 0)
	168	{
	169	@@ -1870,7 +1877,7 @@ d_java_resource (struct d_info *di)
	170	{
	171	struct demangle_component *p = NULL;
	172	struct demangle_component *next = NULL;
	173	- long len, i;
	174	+ int len, i;
	175	char c;
	176	const char *str;
	177
	178	@@ -2012,7 +2019,7 @@ d_special_name (struct d_info *di)
	179	case 'C':
	180	{
	181	struct demangle_component *derived_type;
	182	- long offset;
	183	+ int offset;
	184	struct demangle_component *base_type;
	185
	186	derived_type = cplus_demangle_type (di);
	187	@@ -2946,10 +2953,10 @@ d_pointer_to_member_type (struct d_info
	188
	189	/* <non-negative number> _ */
	190
	191	-static long
	192	+static int
	193	d_compact_number (struct d_info *di)
	194	{
	195	- long num;
	196	+ int num;
	197	if (d_peek_char (di) == '_')
	198	num = 0;
	199	else if (d_peek_char (di) == 'n')
	200	@@ -2957,7 +2964,7 @@ d_compact_number (struct d_info *di)
	201	else
	202	num = d_number (di) + 1;
	203
	204	- if (! d_check_char (di, '_'))
	205	+ if (num < 0 \|\| ! d_check_char (di, '_'))
	206	return -1;
	207	return num;
	208	}
	209	@@ -2969,7 +2976,7 @@ d_compact_number (struct d_info *di)
	210	static struct demangle_component *
	211	d_template_param (struct d_info *di)
	212	{
	213	- long param;
	214	+ int param;
	215
	216	if (! d_check_char (di, 'T'))
	217	return NULL;
	218	@@ -3171,9 +3178,10 @@ d_expression_1 (struct d_info *di)
	219	}
	220	else
	221	{
	222	- index = d_compact_number (di) + 1;
	223	- if (index == 0)
	224	+ index = d_compact_number (di);
	225	+ if (index == INT_MAX \|\| index == -1)
	226	return NULL;
	227	+ index ++;
	228	}
	229	return d_make_function_param (di, index);
	230	}
	231	@@ -3502,7 +3510,7 @@ d_local_name (struct d_info *di)
	232	static int
	233	d_discriminator (struct d_info *di)
	234	{
	235	- long discrim;
	236	+ int discrim;
	237
	238	if (d_peek_char (di) != '_')
	239	return 1;
	240	@@ -3558,7 +3566,7 @@ static struct demangle_component *
	241	d_unnamed_type (struct d_info *di)
	242	{
	243	struct demangle_component *ret;
	244	- long num;
	245	+ int num;
	246
	247	if (! d_check_char (di, 'U'))
	248	return NULL;
	249	@@ -4086,10 +4094,10 @@ d_append_string (struct d_print_info *dp
	250	}
	251
	252	static inline void
	253	-d_append_num (struct d_print_info *dpi, long l)
	254	+d_append_num (struct d_print_info *dpi, int l)
	255	{
	256	char buf[25];
	257	- sprintf (buf,"%ld", l);
	258	+ sprintf (buf,"%d", l);
	259	d_append_string (dpi, buf);
	260	}
	261
	262	Index: git/libiberty/testsuite/demangle-expected
	263	===================================================================
	264	--- git.orig/libiberty/testsuite/demangle-expected
	265	+++ git/libiberty/testsuite/demangle-expected
	266	@@ -4422,12 +4422,22 @@ void baz<int>(A<sizeof (foo((int)(), (fl
	267	_Z3fooI1FEN1XIXszdtcl1PclcvT__EEE5arrayEE4TypeEv
	268	X<sizeof ((P(((F)())())).array)>::Type foo<F>()
	269	#
	270	-# Tests a use-after-free problem
	271	+# Tests a use-after-free problem PR70481
	272
	273	_Q.__0
	274	::Q.(void)
	275	#
	276	-# Tests a use-after-free problem
	277	+# Tests a use-after-free problem PR70481
	278
	279	_Q10-__9cafebabe.
	280	cafebabe.::-(void)
	281	+#
	282	+# Tests integer overflow problem PR70492
	283	+
	284	+__vt_90000000000cafebabe
	285	+__vt_90000000000cafebabe
	286	+#
	287	+# Tests write access violation PR70498
	288	+
	289	+_Z80800000000000000000000
	290	+_Z80800000000000000000000