2 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 99fc1b1ffa..68d21c8829 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
     file://CVE-2017-9749.patch \
     file://CVE-2017-9750.patch \
     file://CVE-2017-9751.patch \
+     file://CVE-2017-9752.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
new file mode 100644
index 0000000000..f63a993b29
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,208 @@
+From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 11:27:15 +0100
+Subject: [PATCH] Fix potential address violations when processing a corrupt
+ Alpha VMA binary.
+        PR binutils/21589
+        * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+        maximum value for the ascic pointer.  Check that name processing
+        does not read beyond this value.
+        (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+        end of etir record.
+Upstream-Status: Backport
+CVE: CVE-2017-9752
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog   |  9 +++++++++
+ bfd/vms-alpha.c | 51 +++++++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 50 insertions(+), 10 deletions(-)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -9,6 +9,15 @@
+ 
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
+  
+       PR binutils/21589
+       * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+       maximum value for the ascic pointer.  Check that name processing
+       does not read beyond this value.
+       (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+       end of etir record.
+
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21578
+        * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
+        flag value.
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c
+++ git/bfd/vms-alpha.c
+@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign
+ /* Write multiple bytes to section image.  */
+ 
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
+image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+   _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd)
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+ 
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
+_bfd_vms_get_value (bfd *abfd,
+                   const unsigned char *ascic,
+                   const unsigned char *max_ascic,
+                     struct bfd_link_info *info,
+                     bfd_vma *vma,
+                     struct alpha_vms_link_hash_entry **hp)
+ {
+   char name[257];
+-  int len;
+-  int i;
+  unsigned int len;
+  unsigned int i;
+   struct alpha_vms_link_hash_entry *h;
+ 
+   /* Not linking.  Do not try to resolve the symbol.  */
+@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns
+     }
+ 
+   len = *ascic;
+  if (ascic + len >= max_ascic)
+    {
+      _bfd_error_handler (_("Corrupt vms value"));
+      *vma = 0;
+      *hp = NULL;
+      return;
+    }
+
+   for (i = 0; i < len; i++)
+     name[i] = ascic[i + 1];
+   name[i] = 0;
+@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+ 
+      /* PR 21589: Check for a corrupt ETIR record.  */
+      if (cmd_length < 4)
+       {
+       corrupt_etir:
+         _bfd_error_handler (_("Corrupt ETIR record encountered"));
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+
+       switch (cmd)
+         {
+           /* Stack global
+@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 32 bit value of symbol (high bits set to 0).  */
+         case ETIR__C_STA_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+           break;
+ 
+@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 32 bit value, sign extend to 64 bit.  */
+         case ETIR__C_STA_LW:
+         if (ptr + 4 >= maxptr)
+           goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 64 bit value of symbol.  */
+         case ETIR__C_STA_QW:
+         if (ptr + 8 >= maxptr)
+           goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           {
+             int psect;
+ 
+           if (ptr + 12 >= maxptr)
+             goto corrupt_etir;
+             psect = bfd_getl32 (ptr);
+             if ((unsigned int) psect >= PRIV (section_count))
+               {
+@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           {
+             int size;
+ 
+           if (ptr + 4 >= maxptr)
+             goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             _bfd_vms_pop (abfd, &op1, &rel1);
+             if (rel1 != RELC_NONE)
+@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Store global: write symbol value
+              arg: cs   global symbol name.  */
+         case ETIR__C_STO_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Store code address: write address of entry point
+              arg: cs   global symbol name (procedure).  */
+         case ETIR__C_STO_CA:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->flags & EGSY__V_NORM)
+@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              da        data.  */
+         case ETIR__C_STO_IMM:
+           {
+-            int size;
+            unsigned int size;
+ 
+           if (ptr + 4 >= maxptr)
+             goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             image_write (abfd, ptr + 4, size);
+           }
+@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              store global longword: store 32bit value of symbol
+              arg: cs   symbol name.  */
+         case ETIR__C_STO_GBL_LW:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+           abort ();
+ #endif
+@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              da        signature.  */
+ 
+         case ETIR__C_STC_LP_PSB:
+-          _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Augment relocation base: increment image location counter by offset
+              arg: lw   offset value.  */
+         case ETIR__C_CTL_AUGRB:
+         if (ptr + 4 >= maxptr)
+           goto corrupt_etir;
+           op1 = bfd_getl32 (ptr);
+           image_inc_ptr (abfd, op1);
+           break;

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 99fc1b1ffa..68d21c8829 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
63	file://CVE-2017-9749.patch \	63	file://CVE-2017-9749.patch \
64	file://CVE-2017-9750.patch \	64	file://CVE-2017-9750.patch \
65	file://CVE-2017-9751.patch \	65	file://CVE-2017-9751.patch \
		66	file://CVE-2017-9752.patch \
66	"	67	"
67	S = "${WORKDIR}/git"	68	S = "${WORKDIR}/git"
68		69


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch new file mode 100644 index 0000000000..f63a993b29 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,208 @@
		1	From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 14 Jun 2017 11:27:15 +0100
		4	Subject: [PATCH] Fix potential address violations when processing a corrupt
		5	Alpha VMA binary.
		6
		7	PR binutils/21589
		8	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
		9	maximum value for the ascic pointer. Check that name processing
		10	does not read beyond this value.
		11	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
		12	end of etir record.
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2017-9752
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	bfd/ChangeLog \| 9 +++++++++
		20	bfd/vms-alpha.c \| 51 +++++++++++++++++++++++++++++++++++++++++----------
		21	2 files changed, 50 insertions(+), 10 deletions(-)
		22
		23	Index: git/bfd/ChangeLog
		24	===================================================================
		25	--- git.orig/bfd/ChangeLog
		26	+++ git/bfd/ChangeLog
		27	@@ -9,6 +9,15 @@
		28
		29	2017-06-14 Nick Clifton <nickc@redhat.com>
		30
		31	+ PR binutils/21589
		32	+ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
		33	+ maximum value for the ascic pointer. Check that name processing
		34	+ does not read beyond this value.
		35	+ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
		36	+ end of etir record.
		37	+
		38	+2017-06-14 Nick Clifton <nickc@redhat.com>
		39	+
		40	PR binutils/21578
		41	* elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
		42	flag value.
		43	Index: git/bfd/vms-alpha.c
		44	===================================================================
		45	--- git.orig/bfd/vms-alpha.c
		46	+++ git/bfd/vms-alpha.c
		47	@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign
		48	/* Write multiple bytes to section image. */
		49
		50	static bfd_boolean
		51	-image_write (bfd abfd, unsigned char ptr, int size)
		52	+image_write (bfd abfd, unsigned char ptr, unsigned int size)
		53	{
		54	#if VMS_DEBUG
		55	_bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
		56	@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd)
		57	#define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
		58
		59	static void
		60	-_bfd_vms_get_value (bfd abfd, const unsigned char ascic,
		61	+_bfd_vms_get_value (bfd *abfd,
		62	+ const unsigned char *ascic,
		63	+ const unsigned char *max_ascic,
		64	struct bfd_link_info *info,
		65	bfd_vma *vma,
		66	struct alpha_vms_link_hash_entry **hp)
		67	{
		68	char name[257];
		69	- int len;
		70	- int i;
		71	+ unsigned int len;
		72	+ unsigned int i;
		73	struct alpha_vms_link_hash_entry *h;
		74
		75	/* Not linking. Do not try to resolve the symbol. */
		76	@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns
		77	}
		78
		79	len = *ascic;
		80	+ if (ascic + len >= max_ascic)
		81	+ {
		82	+ _bfd_error_handler (_("Corrupt vms value"));
		83	+ *vma = 0;
		84	+ *hp = NULL;
		85	+ return;
		86	+ }
		87	+
		88	for (i = 0; i < len; i++)
		89	name[i] = ascic[i + 1];
		90	name[i] = 0;
		91	@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		92	_bfd_hexdump (8, ptr, cmd_length - 4, 0);
		93	#endif
		94
		95	+ /* PR 21589: Check for a corrupt ETIR record. */
		96	+ if (cmd_length < 4)
		97	+ {
		98	+ corrupt_etir:
		99	+ _bfd_error_handler (_("Corrupt ETIR record encountered"));
		100	+ bfd_set_error (bfd_error_bad_value);
		101	+ return FALSE;
		102	+ }
		103	+
		104	switch (cmd)
		105	{
		106	/* Stack global
		107	@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		108
		109	stack 32 bit value of symbol (high bits set to 0). */
		110	case ETIR__C_STA_GBL:
		111	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		112	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		113	_bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
		114	break;
		115
		116	@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		117
		118	stack 32 bit value, sign extend to 64 bit. */
		119	case ETIR__C_STA_LW:
		120	+ if (ptr + 4 >= maxptr)
		121	+ goto corrupt_etir;
		122	_bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
		123	break;
		124
		125	@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		126
		127	stack 64 bit value of symbol. */
		128	case ETIR__C_STA_QW:
		129	+ if (ptr + 8 >= maxptr)
		130	+ goto corrupt_etir;
		131	_bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
		132	break;
		133
		134	@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		135	{
		136	int psect;
		137
		138	+ if (ptr + 12 >= maxptr)
		139	+ goto corrupt_etir;
		140	psect = bfd_getl32 (ptr);
		141	if ((unsigned int) psect >= PRIV (section_count))
		142	{
		143	@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		144	{
		145	int size;
		146
		147	+ if (ptr + 4 >= maxptr)
		148	+ goto corrupt_etir;
		149	size = bfd_getl32 (ptr);
		150	_bfd_vms_pop (abfd, &op1, &rel1);
		151	if (rel1 != RELC_NONE)
		152	@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		153	/* Store global: write symbol value
		154	arg: cs global symbol name. */
		155	case ETIR__C_STO_GBL:
		156	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		157	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		158	if (h && h->sym)
		159	{
		160	if (h->sym->typ == EGSD__C_SYMG)
		161	@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		162	/* Store code address: write address of entry point
		163	arg: cs global symbol name (procedure). */
		164	case ETIR__C_STO_CA:
		165	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		166	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		167	if (h && h->sym)
		168	{
		169	if (h->sym->flags & EGSY__V_NORM)
		170	@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		171	da data. */
		172	case ETIR__C_STO_IMM:
		173	{
		174	- int size;
		175	+ unsigned int size;
		176
		177	+ if (ptr + 4 >= maxptr)
		178	+ goto corrupt_etir;
		179	size = bfd_getl32 (ptr);
		180	image_write (abfd, ptr + 4, size);
		181	}
		182	@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		183	store global longword: store 32bit value of symbol
		184	arg: cs symbol name. */
		185	case ETIR__C_STO_GBL_LW:
		186	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		187	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		188	#if 0
		189	abort ();
		190	#endif
		191	@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		192	da signature. */
		193
		194	case ETIR__C_STC_LP_PSB:
		195	- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
		196	+ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
		197	if (h && h->sym)
		198	{
		199	if (h->sym->typ == EGSD__C_SYMG)
		200	@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
		201	/* Augment relocation base: increment image location counter by offset
		202	arg: lw offset value. */
		203	case ETIR__C_CTL_AUGRB:
		204	+ if (ptr + 4 >= maxptr)
		205	+ goto corrupt_etir;
		206	op1 = bfd_getl32 (ptr);
		207	image_inc_ptr (abfd, op1);
		208	break;