binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077

(From OE-Core rev: 0e366eda53f6f440708531ed8cb2ac4941ca428f) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-04-29 14:26:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-04-30 12:05:23 +0100
commit: 71a546aaf3a7da8487a90f20ac211dd31d852d85 (patch)
tree: 52ebc446fec77f9c41a94d8c9dcbfb0ab068776a
parent: 05d058e64597402fcb81d9789041a8ad4ca28c39 (diff)
download: poky-71a546aaf3a7da8487a90f20ac211dd31d852d85.tar.gz
5 files changed, 277 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 5d0c16b13e..49e6827c1f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -44,6 +44,10 @@ SRC_URI = "\
     file://0013-Detect-64-bit-MIPS-targets.patch \
     file://0014-sync-with-OE-libtool-changes.patch \
     file://0015-binutils-enable-x86_64-pep-for-producing-EFI-binarie.patch \
+     file://CVE-2019-9074.patch \
+     file://CVE-2019-9075.patch \
+     file://CVE-2019-9076.patch \
+     file://CVE-2019-9077.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
new file mode 100644
index 0000000000..a11a51200e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
@@ -0,0 +1,68 @@
+From e2ebb3906432dcca2727186ad79415f920730fb2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+        PR 24235
+        * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+        attempting to prevent read past end of section.
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/179f2db0d9c397d7dd8a59907b84208b79f7f48c]
+CVE: CVE-2019-9074
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog    | 6 ++++++
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index dd2c741..cbf30de 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2019-02-19  Alan Modra  <amodra@gmail.com>
+
+       PR 24235
+       * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+       attempting to prevent read past end of section.
+
+ 2019-02-04  Nick Clifton  <nickc@redhat.com>
+ 
+        * development.sh (experimental) Set to false.
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+   /* virt_size might be zero for objects.  */
+   if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+     {
+-      stop = (datasize / onaline) * onaline;
+      stop = datasize;
+       virt_size_is_zero = TRUE;
+     }
+   else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+                 _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+                 pdata_section->name, (unsigned long) datasize,
+                 (unsigned long) stop);
+-       /* Be sure not to read passed datasize.  */
+-       stop = datasize / onaline;
+       /* Be sure not to read past datasize.  */
+       stop = datasize;
+       }
+ 
+   /* Display functions table.  */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+              altent += imagebase;
+ 
+              if (altent >= pdata_vma
+-                 && (altent + PDATA_ROW_SIZE <= pdata_vma
+-                     + pei_section_data (abfd, pdata_section)->virt_size))
+                 && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+                {
+                  pex64_get_runtime_function
+                    (abfd, &arf, &pdata[altent - pdata_vma]);
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
new file mode 100644
index 0000000000..bcb1310f16
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
@@ -0,0 +1,119 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+        PR 24236
+        * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+        sentinel NUL to string buffer nearer to loop where it is used.
+        Don't go past sentinel when scanning strings, and don't write
+        NUL again.
+        * archive.c (do_slurp_coff_armap): Simplify string handling to
+        archive64.c style.
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49]
+CVE: CVE-2019-9075
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 
+---
+ bfd/ChangeLog   | 10 ++++++++++
+ bfd/archive.c   | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 72c87c7..e39bb12 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,3 +1,13 @@
+2019-02-20  Alan Modra  <amodra@gmail.com>
+
+       PR 24236
+       * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+       sentinel NUL to string buffer nearer to loop where it is used.
+       Don't go past sentinel when scanning strings, and don't write
+       NUL again.
+       * archive.c (do_slurp_coff_armap): Simplify string handling to
+       archive64.c style.
+
+ 2019-02-19  Alan Modra  <amodra@gmail.com>
+ 
+        PR 24235
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
+++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+   int *raw_armap, *rawptr;
+   struct artdata *ardata = bfd_ardata (abfd);
+   char *stringbase;
+  char *stringend;
+   bfd_size_type stringsize;
+   bfd_size_type parsed_size;
+   carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+     }
+ 
+   /* OK, build the carsyms.  */
+-  for (i = 0; i < nsymz && stringsize > 0; i++)
+  stringend = stringbase + stringsize;
+  *stringend = 0;
+  for (i = 0; i < nsymz; i++)
+     {
+-      bfd_size_type len;
+-
+       rawptr = raw_armap + i;
+       carsyms->file_offset = swap ((bfd_byte *) rawptr);
+       carsyms->name = stringbase;
+-      /* PR 17512: file: 4a1d50c1.  */
+-      len = strnlen (stringbase, stringsize);
+-      if (len < stringsize)
+-       len ++;
+-      stringbase += len;
+-      stringsize -= len;
+      stringbase += strlen (stringbase);
+      if (stringbase != stringend)
+       ++stringbase;
+       carsyms++;
+     }
+-  *stringbase = 0;
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
+++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+     return FALSE;
+   carsyms = ardata->symdefs;
+   stringbase = ((char *) ardata->symdefs) + carsym_size;
+-  stringbase[stringsize] = 0;
+-  stringend = stringbase + stringsize;
+ 
+   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+   if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+       goto release_raw_armap;
+     }
+ 
+  stringend = stringbase + stringsize;
+  *stringend = 0;
+   for (i = 0; i < nsymz; i++)
+     {
+       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+       carsyms->name = stringbase;
+-      if (stringbase < stringend)
+-       stringbase += strlen (stringbase) + 1;
+      stringbase += strlen (stringbase);
+      if (stringbase != stringend)
+       ++stringbase;
+       ++carsyms;
+     }
+-  *stringbase = '\0';
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
new file mode 100644
index 0000000000..ec8cde2503
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
@@ -0,0 +1,49 @@
+From 9f841c583880eb6d0194455c1583a766f853e628 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+        PR 24233
+        * objdump.c (dump_bfd_private_header): Print warning if
+        bfd_print_private_bfd_data returns false.
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7d272a55caebfc26ab2e15d1e9439bac978b9bb7]
+CVE: CVE-2019-9076
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index f837c37..d5dd7cb 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
+2019-02-20  Alan Modra  <amodra@gmail.com>
+
+       PR 24233
+       * objdump.c (dump_bfd_private_header): Print warning if
+       bfd_print_private_bfd_data returns false.
+
+ 2019-02-02  Nick Clifton  <nickc@redhat.com>
+ 
+        * configure: Regenerate.
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+-  bfd_print_private_bfd_data (abfd, stdout);
+  if (!bfd_print_private_bfd_data (abfd, stdout))
+    non_fatal (_("warning: private headers incomplete: %s"),
+              bfd_errmsg (bfd_get_error ()));
+ }
+ 
+ static void
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
new file mode 100644
index 0000000000..11ecb71b2e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
@@ -0,0 +1,37 @@
+From f7bbc8890de45df6eda0ddef5dd04f835f54eecf Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+        PR 24243
+        * readelf.c (process_mips_specific): Check for an options section
+        that is too small to even contain a single option.
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7fc0c668f2aceb8582d74db1ad2528e2bba8a921]
+CVE: CVE-2019-9077
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/readelf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 9df3742..18ab806 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -16179,6 +16179,12 @@ process_mips_specific (Filedata * filedata)
+          error (_("No MIPS_OPTIONS header found\n"));
+          return FALSE;
+        }
+      /* PR 24243  */
+      if (sect->sh_size < sizeof (* eopt))
+       {
+         error (_("The MIPS options section is too small.\n"));
+         return FALSE;
+       }
+ 
+       eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+                                                 sect->sh_size, _("options"));
+-- 
+2.7.4
author	Anuj Mittal <anuj.mittal@intel.com>	2019-04-29 14:26:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-04-30 12:05:23 +0100
commit	71a546aaf3a7da8487a90f20ac211dd31d852d85 (patch)
tree	52ebc446fec77f9c41a94d8c9dcbfb0ab068776a
parent	05d058e64597402fcb81d9789041a8ad4ca28c39 (diff)
download	poky-71a546aaf3a7da8487a90f20ac211dd31d852d85.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index 5d0c16b13e..49e6827c1f 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -44,6 +44,10 @@ SRC_URI = "\
44	file://0013-Detect-64-bit-MIPS-targets.patch \	44	file://0013-Detect-64-bit-MIPS-targets.patch \
45	file://0014-sync-with-OE-libtool-changes.patch \	45	file://0014-sync-with-OE-libtool-changes.patch \
46	file://0015-binutils-enable-x86_64-pep-for-producing-EFI-binarie.patch \	46	file://0015-binutils-enable-x86_64-pep-for-producing-EFI-binarie.patch \
		47	file://CVE-2019-9074.patch \
		48	file://CVE-2019-9075.patch \
		49	file://CVE-2019-9076.patch \
		50	file://CVE-2019-9077.patch \
47	"	51	"
48	S = "${WORKDIR}/git"	52	S = "${WORKDIR}/git"
49		53


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch new file mode 100644 index 0000000000..a11a51200e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
@@ -0,0 +1,68 @@
		1	From e2ebb3906432dcca2727186ad79415f920730fb2 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 19 Feb 2019 22:48:44 +1030
		4	Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
		5
		6	PR 24235
		7	* pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
		8	attempting to prevent read past end of section.
		9
		10	Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/179f2db0d9c397d7dd8a59907b84208b79f7f48c]
		11	CVE: CVE-2019-9074
		12	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		13	---
		14	bfd/ChangeLog \| 6 ++++++
		15	bfd/pei-x86_64.c \| 9 ++++-----
		16	2 files changed, 10 insertions(+), 5 deletions(-)
		17
		18	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
		19	index dd2c741..cbf30de 100644
		20	--- a/bfd/ChangeLog
		21	+++ b/bfd/ChangeLog
		22	@@ -1,3 +1,9 @@
		23	+2019-02-19 Alan Modra <amodra@gmail.com>
		24	+
		25	+ PR 24235
		26	+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
		27	+ attempting to prevent read past end of section.
		28	+
		29	2019-02-04 Nick Clifton <nickc@redhat.com>
		30
		31	* development.sh (experimental) Set to false.
		32	diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
		33	index ff1093c..7e75104 100644
		34	--- a/bfd/pei-x86_64.c
		35	+++ b/bfd/pei-x86_64.c
		36	@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd abfd, void vfile, asection *pdata_section)
		37	/* virt_size might be zero for objects. */
		38	if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
		39	{
		40	- stop = (datasize / onaline) * onaline;
		41	+ stop = datasize;
		42	virt_size_is_zero = TRUE;
		43	}
		44	else if (datasize < stop)
		45	@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd abfd, void vfile, asection *pdata_section)
		46	_("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
		47	pdata_section->name, (unsigned long) datasize,
		48	(unsigned long) stop);
		49	- /* Be sure not to read passed datasize. */
		50	- stop = datasize / onaline;
		51	+ /* Be sure not to read past datasize. */
		52	+ stop = datasize;
		53	}
		54
		55	/* Display functions table. */
		56	@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd abfd, void vfile, asection *pdata_section)
		57	altent += imagebase;
		58
		59	if (altent >= pdata_vma
		60	- && (altent + PDATA_ROW_SIZE <= pdata_vma
		61	- + pei_section_data (abfd, pdata_section)->virt_size))
		62	+ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
		63	{
		64	pex64_get_runtime_function
		65	(abfd, &arf, &pdata[altent - pdata_vma]);
		66	--
		67	2.7.4
		68


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch new file mode 100644 index 0000000000..bcb1310f16 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
@@ -0,0 +1,119 @@
		1	From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Wed, 20 Feb 2019 08:21:24 +1030
		4	Subject: [PATCH] PR24236, Heap buffer overflow in
		5	_bfd_archive_64_bit_slurp_armap
		6
		7	PR 24236
		8	* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
		9	sentinel NUL to string buffer nearer to loop where it is used.
		10	Don't go past sentinel when scanning strings, and don't write
		11	NUL again.
		12	* archive.c (do_slurp_coff_armap): Simplify string handling to
		13	archive64.c style.
		14
		15	Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49]
		16	CVE: CVE-2019-9075
		17	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		18	---
		19	bfd/ChangeLog \| 10 ++++++++++
		20	bfd/archive.c \| 17 +++++++----------
		21	bfd/archive64.c \| 10 +++++-----
		22	3 files changed, 22 insertions(+), 15 deletions(-)
		23
		24	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
		25	index 72c87c7..e39bb12 100644
		26	--- a/bfd/ChangeLog
		27	+++ b/bfd/ChangeLog
		28	@@ -1,3 +1,13 @@
		29	+2019-02-20 Alan Modra <amodra@gmail.com>
		30	+
		31	+ PR 24236
		32	+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
		33	+ sentinel NUL to string buffer nearer to loop where it is used.
		34	+ Don't go past sentinel when scanning strings, and don't write
		35	+ NUL again.
		36	+ * archive.c (do_slurp_coff_armap): Simplify string handling to
		37	+ archive64.c style.
		38	+
		39	2019-02-19 Alan Modra <amodra@gmail.com>
		40
		41	PR 24235
		42	diff --git a/bfd/archive.c b/bfd/archive.c
		43	index d2d9b72..68a92a3 100644
		44	--- a/bfd/archive.c
		45	+++ b/bfd/archive.c
		46	@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
		47	int raw_armap, rawptr;
		48	struct artdata *ardata = bfd_ardata (abfd);
		49	char *stringbase;
		50	+ char *stringend;
		51	bfd_size_type stringsize;
		52	bfd_size_type parsed_size;
		53	carsym *carsyms;
		54	@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
		55	}
		56
		57	/* OK, build the carsyms. */
		58	- for (i = 0; i < nsymz && stringsize > 0; i++)
		59	+ stringend = stringbase + stringsize;
		60	+ *stringend = 0;
		61	+ for (i = 0; i < nsymz; i++)
		62	{
		63	- bfd_size_type len;
		64	-
		65	rawptr = raw_armap + i;
		66	carsyms->file_offset = swap ((bfd_byte *) rawptr);
		67	carsyms->name = stringbase;
		68	- /* PR 17512: file: 4a1d50c1. */
		69	- len = strnlen (stringbase, stringsize);
		70	- if (len < stringsize)
		71	- len ++;
		72	- stringbase += len;
		73	- stringsize -= len;
		74	+ stringbase += strlen (stringbase);
		75	+ if (stringbase != stringend)
		76	+ ++stringbase;
		77	carsyms++;
		78	}
		79	- *stringbase = 0;
		80
		81	ardata->symdef_count = nsymz;
		82	ardata->first_file_filepos = bfd_tell (abfd);
		83	diff --git a/bfd/archive64.c b/bfd/archive64.c
		84	index 312bf82..42f6ed9 100644
		85	--- a/bfd/archive64.c
		86	+++ b/bfd/archive64.c
		87	@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
		88	return FALSE;
		89	carsyms = ardata->symdefs;
		90	stringbase = ((char *) ardata->symdefs) + carsym_size;
		91	- stringbase[stringsize] = 0;
		92	- stringend = stringbase + stringsize;
		93
		94	raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
		95	if (raw_armap == NULL)
		96	@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
		97	goto release_raw_armap;
		98	}
		99
		100	+ stringend = stringbase + stringsize;
		101	+ *stringend = 0;
		102	for (i = 0; i < nsymz; i++)
		103	{
		104	carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
		105	carsyms->name = stringbase;
		106	- if (stringbase < stringend)
		107	- stringbase += strlen (stringbase) + 1;
		108	+ stringbase += strlen (stringbase);
		109	+ if (stringbase != stringend)
		110	+ ++stringbase;
		111	++carsyms;
		112	}
		113	- *stringbase = '\0';
		114
		115	ardata->symdef_count = nsymz;
		116	ardata->first_file_filepos = bfd_tell (abfd);
		117	--
		118	2.7.4
		119


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch new file mode 100644 index 0000000000..ec8cde2503 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
@@ -0,0 +1,49 @@
		1	From 9f841c583880eb6d0194455c1583a766f853e628 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Wed, 20 Feb 2019 12:06:31 +1030
		4	Subject: [PATCH] PR24233, Out of memory
		5
		6	PR 24233
		7	* objdump.c (dump_bfd_private_header): Print warning if
		8	bfd_print_private_bfd_data returns false.
		9
		10	Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7d272a55caebfc26ab2e15d1e9439bac978b9bb7]
		11	CVE: CVE-2019-9076
		12	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		13	---
		14	binutils/ChangeLog \| 6 ++++++
		15	binutils/objdump.c \| 4 +++-
		16	2 files changed, 9 insertions(+), 1 deletion(-)
		17
		18	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		19	index f837c37..d5dd7cb 100644
		20	--- a/binutils/ChangeLog
		21	+++ b/binutils/ChangeLog
		22	@@ -1,3 +1,9 @@
		23	+2019-02-20 Alan Modra <amodra@gmail.com>
		24	+
		25	+ PR 24233
		26	+ * objdump.c (dump_bfd_private_header): Print warning if
		27	+ bfd_print_private_bfd_data returns false.
		28	+
		29	2019-02-02 Nick Clifton <nickc@redhat.com>
		30
		31	* configure: Regenerate.
		32	diff --git a/binutils/objdump.c b/binutils/objdump.c
		33	index 8725390..7d0c6a4 100644
		34	--- a/binutils/objdump.c
		35	+++ b/binutils/objdump.c
		36	@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
		37	static void
		38	dump_bfd_private_header (bfd *abfd)
		39	{
		40	- bfd_print_private_bfd_data (abfd, stdout);
		41	+ if (!bfd_print_private_bfd_data (abfd, stdout))
		42	+ non_fatal (_("warning: private headers incomplete: %s"),
		43	+ bfd_errmsg (bfd_get_error ()));
		44	}
		45
		46	static void
		47	--
		48	2.7.4
		49


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch new file mode 100644 index 0000000000..11ecb71b2e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
@@ -0,0 +1,37 @@
		1	From f7bbc8890de45df6eda0ddef5dd04f835f54eecf Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 20 Feb 2019 17:03:47 +0000
		4	Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
		5	option section using readelf.
		6
		7	PR 24243
		8	* readelf.c (process_mips_specific): Check for an options section
		9	that is too small to even contain a single option.
		10
		11	Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7fc0c668f2aceb8582d74db1ad2528e2bba8a921]
		12	CVE: CVE-2019-9077
		13	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		14	---
		15	binutils/readelf.c \| 6 ++++++
		16	1 file changed, 6 insertions(+)
		17
		18	diff --git a/binutils/readelf.c b/binutils/readelf.c
		19	index 9df3742..18ab806 100644
		20	--- a/binutils/readelf.c
		21	+++ b/binutils/readelf.c
		22	@@ -16179,6 +16179,12 @@ process_mips_specific (Filedata * filedata)
		23	error (_("No MIPS_OPTIONS header found\n"));
		24	return FALSE;
		25	}
		26	+ /* PR 24243 */
		27	+ if (sect->sh_size < sizeof (* eopt))
		28	+ {
		29	+ error (_("The MIPS options section is too small.\n"));
		30	+ return FALSE;
		31	+ }
		32
		33	eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
		34	sect->sh_size, _("options"));
		35	--
		36	2.7.4
		37