3 files changed, 490 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 3329a97ecf..3b7c9f776b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -57,6 +57,8 @@ SRC_URI = "\
     file://CVE-2017-12449_12455_12457_1.patch \
     file://CVE-2017-12449_12455_12457.patch \
     file://CVE-2017-12451.patch \
+     file://CVE-2017-12450_12452_12453_12454_12456_1.patch \
+     file://CVE-2017-12450_12452_12453_12454_12456.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
new file mode 100644
index 0000000000..503f655b61
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
@@ -0,0 +1,375 @@
+commit ca4cf9b9c622a5695e01f7f5815a7382a31fcf51
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Jul 24 13:49:22 2017 +0100
+    Fix address violation errors parsing corrupt binary files.
+    
+        PR 21813
+    binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+        string whilst concatenating symbol names.
+    
+    bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
+        of the relocs to the canonicalize_one_reloc routine.
+        * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
+        for the _bfd_mach_o_canonicalize_one_reloc field.
+        * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
+        res_base parameter.  Use to check for corrupt pair relocs.
+        * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
+        Likewise.
+        * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
+        Likewise.
+        * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
+        Likewise.
+    
+        * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
+        enough data in the record before attempting to parse it.
+        (_bfd_vms_slurp_eeom): Likewise.
+    
+        (_bfd_vms_slurp_egsd): Check for an invalid section index.
+        (image_set_ptr): Likewise.
+        (alpha_vms_slurp_relocs): Likewise.
+        (alpha_vms_object_p): Check for a truncated record.
+Upstream-Status: Backport
+CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/mach-o-aarch64.c
+===================================================================
+--- git.orig/bfd/mach-o-aarch64.c       2017-08-31 19:17:51.264385450 +0530
+++ git/bfd/mach-o-aarch64.c    2017-08-31 19:18:02.620442777 +0530
+@@ -147,9 +147,11 @@
+ };
+ 
+ static bfd_boolean
+-bfd_mach_o_arm64_canonicalize_one_reloc (bfd *abfd,
+-                                      struct mach_o_reloc_info_external *raw,
+-                                        arelent *res, asymbol **syms)
+bfd_mach_o_arm64_canonicalize_one_reloc (bfd *       abfd,
+                                        struct mach_o_reloc_info_external * raw,
+                                        arelent *   res,
+                                        asymbol **  syms,
+                                        arelent *   res_base ATTRIBUTE_UNUSED)
+ {
+   bfd_mach_o_reloc_info reloc;
+ 
+Index: git/bfd/mach-o-i386.c
+===================================================================
+--- git.orig/bfd/mach-o-i386.c  2017-08-31 19:17:51.264385450 +0530
+++ git/bfd/mach-o-i386.c       2017-08-31 19:18:02.620442777 +0530
+@@ -112,9 +112,11 @@
+ };
+ 
+ static bfd_boolean
+-bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd,
+-                                       struct mach_o_reloc_info_external *raw,
+-                                       arelent *res, asymbol **syms)
+bfd_mach_o_i386_canonicalize_one_reloc (bfd *       abfd,
+                                       struct mach_o_reloc_info_external * raw,
+                                       arelent *   res,
+                                       asymbol **  syms,
+                                       arelent *   res_base)
+ {
+   bfd_mach_o_reloc_info reloc;
+ 
+@@ -126,6 +128,9 @@
+       switch (reloc.r_type)
+         {
+         case BFD_MACH_O_GENERIC_RELOC_PAIR:
+         /* PR 21813: Check for a corrupt PAIR reloc at the start.  */
+         if (res == res_base)
+           return FALSE;
+           if (reloc.r_length == 2)
+             {
+              res->howto = &i386_howto_table[7];
+@@ -391,9 +396,9 @@
+     { NULL, NULL }
+   };
+ 
+-#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
+-#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
+#define bfd_mach_o_canonicalize_one_reloc  bfd_mach_o_i386_canonicalize_one_reloc
+#define bfd_mach_o_swap_reloc_out          bfd_mach_o_i386_swap_reloc_out
+#define bfd_mach_o_print_thread            bfd_mach_o_i386_print_thread
+ 
+ #define bfd_mach_o_tgt_seg_table mach_o_i386_segsec_names_xlat
+ #define bfd_mach_o_section_type_valid_for_tgt NULL
+Index: git/bfd/mach-o-x86-64.c
+===================================================================
+--- git.orig/bfd/mach-o-x86-64.c        2017-08-31 19:17:51.264385450 +0530
+++ git/bfd/mach-o-x86-64.c     2017-08-31 19:18:02.620442777 +0530
+@@ -120,9 +120,11 @@
+ };
+ 
+ static bfd_boolean
+-bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *abfd,
+-                                       struct mach_o_reloc_info_external *raw,
+-                                       arelent *res, asymbol **syms)
+bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *       abfd,
+                                         struct mach_o_reloc_info_external * raw,
+                                         arelent *   res,
+                                         asymbol **  syms,
+                                         arelent *   res_base ATTRIBUTE_UNUSED)
+ {
+   bfd_mach_o_reloc_info reloc;
+ 
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c       2017-08-31 19:18:02.440441869 +0530
+++ git/bfd/mach-o.c    2017-08-31 19:18:02.620442777 +0530
+@@ -1496,7 +1496,7 @@
+   for (i = 0; i < count; i++)
+     {
+       if (!(*bed->_bfd_mach_o_canonicalize_one_reloc)(abfd, &native_relocs[i],
+-                                                     &res[i], syms))
+                                                     &res[i], syms, res))
+         goto err;
+     }
+   free (native_relocs);
+Index: git/bfd/mach-o.h
+===================================================================
+--- git.orig/bfd/mach-o.h       2017-08-31 19:17:51.264385450 +0530
+++ git/bfd/mach-o.h    2017-08-31 19:18:02.620442777 +0530
+@@ -746,7 +746,7 @@
+   enum bfd_architecture arch;
+   bfd_vma page_size;
+   bfd_boolean (*_bfd_mach_o_canonicalize_one_reloc)
+-    (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **);
+  (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **, arelent *);
+   bfd_boolean (*_bfd_mach_o_swap_reloc_out)(arelent *, bfd_mach_o_reloc_info *);
+   bfd_boolean (*_bfd_mach_o_print_thread)(bfd *, bfd_mach_o_thread_flavour *,
+                                           void *, char *);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-08-31 19:18:02.564442494 +0530
+++ git/bfd/ChangeLog   2017-08-31 19:18:02.620442777 +0530
+@@ -11,6 +11,30 @@
+        of end pointer.
+        (evax_bfd_print_emh): Check for invalid string lengths.
+ 
+ 2017-07-24  Nick Clifton  <nickc@redhat.com>
+ 
+       PR 21813
+       * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
+       of the relocs to the canonicalize_one_reloc routine.
+       * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
+       for the _bfd_mach_o_canonicalize_one_reloc field.
+       * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
+       res_base parameter.  Use to check for corrupt pair relocs.
+       * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
+       Likewise.
+       * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
+       Likewise.
+       * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
+       Likewise.
+
+       * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
+       enough data in the record before attempting to parse it.
+       (_bfd_vms_slurp_eeom): Likewise.
+
+       (_bfd_vms_slurp_egsd): Check for an invalid section index.
+       (image_set_ptr): Likewise.
+       (alpha_vms_slurp_relocs): Likewise.
+
+ 2017-07-19  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21786
+Index: git/bfd/mach-o-arm.c
+===================================================================
+--- git.orig/bfd/mach-o-arm.c   2017-08-31 19:17:51.264385450 +0530
+++ git/bfd/mach-o-arm.c        2017-08-31 19:18:02.620442777 +0530
+@@ -30,7 +30,7 @@
+ #define bfd_mach_o_mkobject bfd_mach_o_arm_mkobject
+ 
+ #define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_arm_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out NULL
+#define bfd_mach_o_swap_reloc_out  NULL
+ #define bfd_mach_o_bfd_reloc_type_lookup bfd_mach_o_arm_bfd_reloc_type_lookup
+ #define bfd_mach_o_bfd_reloc_name_lookup bfd_mach_o_arm_bfd_reloc_name_lookup
+ 
+@@ -147,9 +147,11 @@
+ };
+ 
+ static bfd_boolean
+-bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd,
+-                                      struct mach_o_reloc_info_external *raw,
+-                                      arelent *res, asymbol **syms)
+bfd_mach_o_arm_canonicalize_one_reloc (bfd *       abfd,
+                                      struct mach_o_reloc_info_external * raw,
+                                      arelent *   res,
+                                      asymbol **  syms,
+                                      arelent *   res_base)
+  {
+   bfd_mach_o_reloc_info reloc;
+ 
+@@ -161,6 +163,9 @@
+       switch (reloc.r_type)
+         {
+         case BFD_MACH_O_ARM_RELOC_PAIR:
+         /* PR 21813: Check for a corrupt PAIR reloc at the start.  */
+         if (res == res_base)
+           return FALSE;
+           if (reloc.r_length == 2)
+             {
+              res->howto = &arm_howto_table[7];
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-08-31 19:18:02.556442454 +0530
+++ git/bfd/vms-alpha.c 2017-08-31 19:20:56.233322607 +0530
+@@ -473,6 +473,14 @@
+ 
+   vms_debug2 ((8, "_bfd_vms_slurp_eihd\n"));
+ 
+  /* PR 21813: Check for an undersized record.  */
+  if (PRIV (recrd.buf_size) < sizeof (* eihd))
+    {
+      _bfd_error_handler (_("Corrupt EIHD record - size is too small"));
+      bfd_set_error (bfd_error_bad_value);
+      return FALSE;
+    }
+
+   size = bfd_getl32 (eihd->size);
+   imgtype = bfd_getl32 (eihd->imgtype);
+ 
+@@ -1255,19 +1263,39 @@
+            if (old_flags & EGSY__V_DEF)
+               {
+                 struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
+                long psindx;
+ 
+                entry->value = bfd_getl64 (esdf->value);
+                if (PRIV (sections) == NULL)
+                  return FALSE;
+-               entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
+
+                psindx = bfd_getl32 (esdf->psindx);
+                /* PR 21813: Check for an out of range index.  */
+                if (psindx < 0 || psindx >= (int) PRIV (section_count))
+                  {
+                    _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+                                        psindx);
+                    bfd_set_error (bfd_error_bad_value);
+                    return FALSE;
+                  }
+                entry->section = PRIV (sections)[psindx];
+ 
+                 if (old_flags & EGSY__V_NORM)
+                   {
+                     PRIV (norm_sym_count)++;
+ 
+                     entry->code_value = bfd_getl64 (esdf->code_address);
+-                    entry->code_section =
+-                      PRIV (sections)[bfd_getl32 (esdf->ca_psindx)];
+                    psindx = bfd_getl32 (esdf->ca_psindx);
+                /* PR 21813: Check for an out of range index.  */
+                    if (psindx < 0 || psindx >= (int) PRIV (section_count))
+                      {
+                        _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+                                            psindx);
+                        bfd_set_error (bfd_error_bad_value);
+                        return FALSE;
+                      }
+                     entry->code_section = PRIV (sections)[psindx];
+
+                   }
+               }
+          }
+@@ -1294,9 +1322,20 @@
+ 
+             if (old_flags & EGSY__V_REL)
+              {
+                long psindx;
+
+                if (PRIV (sections) == NULL)
+                  return FALSE;
+-               entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+                psindx = bfd_getl32 (egst->psindx);
+                /* PR 21813: Check for an out of range index.  */
+                if (psindx < 0 || psindx >= (int) PRIV (section_count))
+                  {
+                    _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+                                        psindx);
+                    bfd_set_error (bfd_error_bad_value);
+                    return FALSE;
+                  }
+                entry->section = PRIV (sections)[psindx];
+              }
+             else
+               entry->section = bfd_abs_section_ptr;
+@@ -1387,6 +1426,10 @@
+ 
+   if (PRIV (sections) == NULL)
+     return;
+
+  if (sect < 0 || sect >= (int) PRIV (section_count))
+    return;
+
+   sec = PRIV (sections)[sect];
+ 
+   if (info)
+@@ -2360,6 +2403,14 @@
+ 
+   vms_debug2 ((2, "EEOM\n"));
+ 
+   /* PR 21813: Check for an undersized record.  */
+   if (PRIV (recrd.buf_size) < sizeof (* eeom))
+     {
+       _bfd_error_handler (_("Corrupt EEOM record - size is too small"));
+       bfd_set_error (bfd_error_bad_value);
+       return FALSE;
+     }
+
+   PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps);
+   PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod);
+   if (PRIV (eom_data).eom_w_comcod > 1)
+@@ -2540,6 +2591,10 @@
+           PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
+         }
+ 
+      /* PR 21813: Check for a truncated record.  */
+      if (PRIV (recrd.rec_size < test_len))
+       goto error_ret;
+
+       /* Read the remaining record.  */
+       remaining = PRIV (recrd.rec_size) - test_len;
+       to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
+@@ -5074,7 +5129,7 @@
+               }
+             else if (cur_psidx >= 0)
+              {
+-               if (PRIV (sections) == NULL)
+                if (PRIV (sections) == NULL || cur_psidx >= (int) PRIV (section_count))
+                  return FALSE;
+                reloc->sym_ptr_ptr =
+                  PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-08-31 19:18:01.816438718 +0530
+++ git/binutils/ChangeLog      2017-08-31 19:18:02.624442798 +0530
+@@ -1,3 +1,9 @@
+2017-07-24  Nick Clifton  <nickc@redhat.com>
+
+       PR 21813
+       * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+       string whilst concatenating symbol names.
+
+ 2017-02-14  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21157
+Index: git/binutils/rddbg.c
+===================================================================
+--- git.orig/binutils/rddbg.c   2017-08-31 19:17:51.596387126 +0530
+++ git/binutils/rddbg.c        2017-08-31 19:18:02.624442798 +0530
+@@ -300,7 +300,8 @@
+ 
+          s = i.name;
+          f = NULL;
+-         while (s[strlen (s) - 1] == '\\'
+          while (strlen (s) > 0
+                && s[strlen (s) - 1] == '\\'
+                 && ps + 1 < symend)
+            {
+              char *sc, *n;
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch
new file mode 100644
index 0000000000..208bbbafae
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch
@@ -0,0 +1,113 @@
+commit cb06d03ad92ffcfaa09c3f065837cb39e9e1486d
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Jun 21 11:13:49 2017 +0100
+    Fix address violation parsing a corrupt IEEE Alpha binary.
+    
+        PR binutils/21637
+        * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
+        list.
+        (image_set_ptr): Likewise.
+        (alpha_vms_fix_sec_rel): Likewise.
+        (alpha_vms_slurp_relocs): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-08-31 18:01:00.742098130 +0530
+++ git/bfd/vms-alpha.c 2017-08-31 18:01:06.000000000 +0530
+@@ -1257,6 +1257,8 @@
+                 struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
+ 
+                entry->value = bfd_getl64 (esdf->value);
+               if (PRIV (sections) == NULL)
+                 return FALSE;
+                entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
+ 
+                 if (old_flags & EGSY__V_NORM)
+@@ -1291,7 +1293,11 @@
+             entry->symbol_vector = bfd_getl32 (egst->value);
+ 
+             if (old_flags & EGSY__V_REL)
+-              entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+             {
+               if (PRIV (sections) == NULL)
+                 return FALSE;
+               entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+             }
+             else
+               entry->section = bfd_abs_section_ptr;
+ 
+@@ -1379,6 +1385,8 @@
+ 
+   vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
+ 
+  if (PRIV (sections) == NULL)
+    return;
+   sec = PRIV (sections)[sect];
+ 
+   if (info)
+@@ -1691,7 +1699,12 @@
+ alpha_vms_fix_sec_rel (bfd *abfd, struct bfd_link_info *info,
+                        unsigned int rel, bfd_vma vma)
+ {
+-  asection *sec = PRIV (sections)[rel & RELC_MASK];
+  asection *sec;
+
+  if (PRIV (sections) == NULL)
+    return 0;
+
+  sec = PRIV (sections)[rel & RELC_MASK];
+ 
+   if (info)
+     {
+@@ -5000,6 +5013,8 @@
+                 return FALSE;
+               }
+ 
+           if (PRIV (sections) == NULL)
+             return FALSE;
+             sec = PRIV (sections)[cur_psect];
+             if (sec == bfd_abs_section_ptr)
+               {
+@@ -5058,8 +5073,12 @@
+                   reloc->sym_ptr_ptr = sym;
+               }
+             else if (cur_psidx >= 0)
+-              reloc->sym_ptr_ptr =
+-                PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+             {
+               if (PRIV (sections) == NULL)
+                 return FALSE;
+               reloc->sym_ptr_ptr =
+                 PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+             }
+             else
+               reloc->sym_ptr_ptr = NULL;
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-08-31 18:01:06.000000000 +0530
+++ git/bfd/ChangeLog   2017-08-31 18:01:49.114384620 +0530
+@@ -31,7 +31,16 @@
+        correct magic bytes at the start, set the error to wrong format
+        and clear the format selector before returning NULL.
+ 
+- 2017-06-19  Nick Clifton  <nickc@redhat.com>
+ 2017-06-21  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21637
+       * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
+       list.
+       (image_set_ptr): Likewise.
+       (alpha_vms_fix_sec_rel): Likewise.
+       (alpha_vms_slurp_relocs): Likewise.
+
+2017-06-19  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21618
+        * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 3329a97ecf..3b7c9f776b 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -57,6 +57,8 @@ SRC_URI = "\
57	file://CVE-2017-12449_12455_12457_1.patch \	57	file://CVE-2017-12449_12455_12457_1.patch \
58	file://CVE-2017-12449_12455_12457.patch \	58	file://CVE-2017-12449_12455_12457.patch \
59	file://CVE-2017-12451.patch \	59	file://CVE-2017-12451.patch \
		60	file://CVE-2017-12450_12452_12453_12454_12456_1.patch \
		61	file://CVE-2017-12450_12452_12453_12454_12456.patch \
60	"	62	"
61	S = "${WORKDIR}/git"	63	S = "${WORKDIR}/git"
62		64


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch new file mode 100644 index 0000000000..503f655b61 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
@@ -0,0 +1,375 @@
		1	commit ca4cf9b9c622a5695e01f7f5815a7382a31fcf51
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Mon Jul 24 13:49:22 2017 +0100
		4
		5	Fix address violation errors parsing corrupt binary files.
		6
		7	PR 21813
		8	binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
		9	string whilst concatenating symbol names.
		10
		11	bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
		12	of the relocs to the canonicalize_one_reloc routine.
		13	* mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
		14	for the _bfd_mach_o_canonicalize_one_reloc field.
		15	* mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
		16	res_base parameter. Use to check for corrupt pair relocs.
		17	* mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
		18	Likewise.
		19	* mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
		20	Likewise.
		21	* mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
		22	Likewise.
		23
		24	* vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
		25	enough data in the record before attempting to parse it.
		26	(_bfd_vms_slurp_eeom): Likewise.
		27
		28	(_bfd_vms_slurp_egsd): Check for an invalid section index.
		29	(image_set_ptr): Likewise.
		30	(alpha_vms_slurp_relocs): Likewise.
		31
		32	(alpha_vms_object_p): Check for a truncated record.
		33
		34	Upstream-Status: Backport
		35
		36	CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
		37	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		38
		39	Index: git/bfd/mach-o-aarch64.c
		40	===================================================================
		41	--- git.orig/bfd/mach-o-aarch64.c 2017-08-31 19:17:51.264385450 +0530
		42	+++ git/bfd/mach-o-aarch64.c 2017-08-31 19:18:02.620442777 +0530
		43	@@ -147,9 +147,11 @@
		44	};
		45
		46	static bfd_boolean
		47	-bfd_mach_o_arm64_canonicalize_one_reloc (bfd *abfd,
		48	- struct mach_o_reloc_info_external *raw,
		49	- arelent res, asymbol *syms)
		50	+bfd_mach_o_arm64_canonicalize_one_reloc (bfd * abfd,
		51	+ struct mach_o_reloc_info_external * raw,
		52	+ arelent * res,
		53	+ asymbol ** syms,
		54	+ arelent * res_base ATTRIBUTE_UNUSED)
		55	{
		56	bfd_mach_o_reloc_info reloc;
		57
		58	Index: git/bfd/mach-o-i386.c
		59	===================================================================
		60	--- git.orig/bfd/mach-o-i386.c 2017-08-31 19:17:51.264385450 +0530
		61	+++ git/bfd/mach-o-i386.c 2017-08-31 19:18:02.620442777 +0530
		62	@@ -112,9 +112,11 @@
		63	};
		64
		65	static bfd_boolean
		66	-bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd,
		67	- struct mach_o_reloc_info_external *raw,
		68	- arelent res, asymbol *syms)
		69	+bfd_mach_o_i386_canonicalize_one_reloc (bfd * abfd,
		70	+ struct mach_o_reloc_info_external * raw,
		71	+ arelent * res,
		72	+ asymbol ** syms,
		73	+ arelent * res_base)
		74	{
		75	bfd_mach_o_reloc_info reloc;
		76
		77	@@ -126,6 +128,9 @@
		78	switch (reloc.r_type)
		79	{
		80	case BFD_MACH_O_GENERIC_RELOC_PAIR:
		81	+ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
		82	+ if (res == res_base)
		83	+ return FALSE;
		84	if (reloc.r_length == 2)
		85	{
		86	res->howto = &i386_howto_table[7];
		87	@@ -391,9 +396,9 @@
		88	{ NULL, NULL }
		89	};
		90
		91	-#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
		92	-#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
		93	-#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
		94	+#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
		95	+#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
		96	+#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
		97
		98	#define bfd_mach_o_tgt_seg_table mach_o_i386_segsec_names_xlat
		99	#define bfd_mach_o_section_type_valid_for_tgt NULL
		100	Index: git/bfd/mach-o-x86-64.c
		101	===================================================================
		102	--- git.orig/bfd/mach-o-x86-64.c 2017-08-31 19:17:51.264385450 +0530
		103	+++ git/bfd/mach-o-x86-64.c 2017-08-31 19:18:02.620442777 +0530
		104	@@ -120,9 +120,11 @@
		105	};
		106
		107	static bfd_boolean
		108	-bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *abfd,
		109	- struct mach_o_reloc_info_external *raw,
		110	- arelent res, asymbol *syms)
		111	+bfd_mach_o_x86_64_canonicalize_one_reloc (bfd * abfd,
		112	+ struct mach_o_reloc_info_external * raw,
		113	+ arelent * res,
		114	+ asymbol ** syms,
		115	+ arelent * res_base ATTRIBUTE_UNUSED)
		116	{
		117	bfd_mach_o_reloc_info reloc;
		118
		119	Index: git/bfd/mach-o.c
		120	===================================================================
		121	--- git.orig/bfd/mach-o.c 2017-08-31 19:18:02.440441869 +0530
		122	+++ git/bfd/mach-o.c 2017-08-31 19:18:02.620442777 +0530
		123	@@ -1496,7 +1496,7 @@
		124	for (i = 0; i < count; i++)
		125	{
		126	if (!(*bed->_bfd_mach_o_canonicalize_one_reloc)(abfd, &native_relocs[i],
		127	- &res[i], syms))
		128	+ &res[i], syms, res))
		129	goto err;
		130	}
		131	free (native_relocs);
		132	Index: git/bfd/mach-o.h
		133	===================================================================
		134	--- git.orig/bfd/mach-o.h 2017-08-31 19:17:51.264385450 +0530
		135	+++ git/bfd/mach-o.h 2017-08-31 19:18:02.620442777 +0530
		136	@@ -746,7 +746,7 @@
		137	enum bfd_architecture arch;
		138	bfd_vma page_size;
		139	bfd_boolean (*_bfd_mach_o_canonicalize_one_reloc)
		140	- (bfd , struct mach_o_reloc_info_external , arelent , asymbol *);
		141	+ (bfd , struct mach_o_reloc_info_external , arelent , asymbol , arelent );
		142	bfd_boolean (_bfd_mach_o_swap_reloc_out)(arelent , bfd_mach_o_reloc_info *);
		143	bfd_boolean (_bfd_mach_o_print_thread)(bfd , bfd_mach_o_thread_flavour *,
		144	void , char );
		145	Index: git/bfd/ChangeLog
		146	===================================================================
		147	--- git.orig/bfd/ChangeLog 2017-08-31 19:18:02.564442494 +0530
		148	+++ git/bfd/ChangeLog 2017-08-31 19:18:02.620442777 +0530
		149	@@ -11,6 +11,30 @@
		150	of end pointer.
		151	(evax_bfd_print_emh): Check for invalid string lengths.
		152
		153	+ 2017-07-24 Nick Clifton <nickc@redhat.com>
		154	+
		155	+ PR 21813
		156	+ * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
		157	+ of the relocs to the canonicalize_one_reloc routine.
		158	+ * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
		159	+ for the _bfd_mach_o_canonicalize_one_reloc field.
		160	+ * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
		161	+ res_base parameter. Use to check for corrupt pair relocs.
		162	+ * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
		163	+ Likewise.
		164	+ * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
		165	+ Likewise.
		166	+ * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
		167	+ Likewise.
		168	+
		169	+ * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
		170	+ enough data in the record before attempting to parse it.
		171	+ (_bfd_vms_slurp_eeom): Likewise.
		172	+
		173	+ (_bfd_vms_slurp_egsd): Check for an invalid section index.
		174	+ (image_set_ptr): Likewise.
		175	+ (alpha_vms_slurp_relocs): Likewise.
		176	+
		177	2017-07-19 Nick Clifton <nickc@redhat.com>
		178
		179	PR 21786
		180	Index: git/bfd/mach-o-arm.c
		181	===================================================================
		182	--- git.orig/bfd/mach-o-arm.c 2017-08-31 19:17:51.264385450 +0530
		183	+++ git/bfd/mach-o-arm.c 2017-08-31 19:18:02.620442777 +0530
		184	@@ -30,7 +30,7 @@
		185	#define bfd_mach_o_mkobject bfd_mach_o_arm_mkobject
		186
		187	#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_arm_canonicalize_one_reloc
		188	-#define bfd_mach_o_swap_reloc_out NULL
		189	+#define bfd_mach_o_swap_reloc_out NULL
		190	#define bfd_mach_o_bfd_reloc_type_lookup bfd_mach_o_arm_bfd_reloc_type_lookup
		191	#define bfd_mach_o_bfd_reloc_name_lookup bfd_mach_o_arm_bfd_reloc_name_lookup
		192
		193	@@ -147,9 +147,11 @@
		194	};
		195
		196	static bfd_boolean
		197	-bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd,
		198	- struct mach_o_reloc_info_external *raw,
		199	- arelent res, asymbol *syms)
		200	+bfd_mach_o_arm_canonicalize_one_reloc (bfd * abfd,
		201	+ struct mach_o_reloc_info_external * raw,
		202	+ arelent * res,
		203	+ asymbol ** syms,
		204	+ arelent * res_base)
		205	{
		206	bfd_mach_o_reloc_info reloc;
		207
		208	@@ -161,6 +163,9 @@
		209	switch (reloc.r_type)
		210	{
		211	case BFD_MACH_O_ARM_RELOC_PAIR:
		212	+ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
		213	+ if (res == res_base)
		214	+ return FALSE;
		215	if (reloc.r_length == 2)
		216	{
		217	res->howto = &arm_howto_table[7];
		218	Index: git/bfd/vms-alpha.c
		219	===================================================================
		220	--- git.orig/bfd/vms-alpha.c 2017-08-31 19:18:02.556442454 +0530
		221	+++ git/bfd/vms-alpha.c 2017-08-31 19:20:56.233322607 +0530
		222	@@ -473,6 +473,14 @@
		223
		224	vms_debug2 ((8, "_bfd_vms_slurp_eihd\n"));
		225
		226	+ /* PR 21813: Check for an undersized record. */
		227	+ if (PRIV (recrd.buf_size) < sizeof (* eihd))
		228	+ {
		229	+ _bfd_error_handler (_("Corrupt EIHD record - size is too small"));
		230	+ bfd_set_error (bfd_error_bad_value);
		231	+ return FALSE;
		232	+ }
		233	+
		234	size = bfd_getl32 (eihd->size);
		235	imgtype = bfd_getl32 (eihd->imgtype);
		236
		237	@@ -1255,19 +1263,39 @@
		238	if (old_flags & EGSY__V_DEF)
		239	{
		240	struct vms_esdf esdf = (struct vms_esdf )vms_rec;
		241	+ long psindx;
		242
		243	entry->value = bfd_getl64 (esdf->value);
		244	if (PRIV (sections) == NULL)
		245	return FALSE;
		246	- entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
		247	+
		248	+ psindx = bfd_getl32 (esdf->psindx);
		249	+ /* PR 21813: Check for an out of range index. */
		250	+ if (psindx < 0 \|\| psindx >= (int) PRIV (section_count))
		251	+ {
		252	+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
		253	+ psindx);
		254	+ bfd_set_error (bfd_error_bad_value);
		255	+ return FALSE;
		256	+ }
		257	+ entry->section = PRIV (sections)[psindx];
		258
		259	if (old_flags & EGSY__V_NORM)
		260	{
		261	PRIV (norm_sym_count)++;
		262
		263	entry->code_value = bfd_getl64 (esdf->code_address);
		264	- entry->code_section =
		265	- PRIV (sections)[bfd_getl32 (esdf->ca_psindx)];
		266	+ psindx = bfd_getl32 (esdf->ca_psindx);
		267	+ /* PR 21813: Check for an out of range index. */
		268	+ if (psindx < 0 \|\| psindx >= (int) PRIV (section_count))
		269	+ {
		270	+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
		271	+ psindx);
		272	+ bfd_set_error (bfd_error_bad_value);
		273	+ return FALSE;
		274	+ }
		275	+ entry->code_section = PRIV (sections)[psindx];
		276	+
		277	}
		278	}
		279	}
		280	@@ -1294,9 +1322,20 @@
		281
		282	if (old_flags & EGSY__V_REL)
		283	{
		284	+ long psindx;
		285	+
		286	if (PRIV (sections) == NULL)
		287	return FALSE;
		288	- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
		289	+ psindx = bfd_getl32 (egst->psindx);
		290	+ /* PR 21813: Check for an out of range index. */
		291	+ if (psindx < 0 \|\| psindx >= (int) PRIV (section_count))
		292	+ {
		293	+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
		294	+ psindx);
		295	+ bfd_set_error (bfd_error_bad_value);
		296	+ return FALSE;
		297	+ }
		298	+ entry->section = PRIV (sections)[psindx];
		299	}
		300	else
		301	entry->section = bfd_abs_section_ptr;
		302	@@ -1387,6 +1426,10 @@
		303
		304	if (PRIV (sections) == NULL)
		305	return;
		306	+
		307	+ if (sect < 0 \|\| sect >= (int) PRIV (section_count))
		308	+ return;
		309	+
		310	sec = PRIV (sections)[sect];
		311
		312	if (info)
		313	@@ -2360,6 +2403,14 @@
		314
		315	vms_debug2 ((2, "EEOM\n"));
		316
		317	+ /* PR 21813: Check for an undersized record. */
		318	+ if (PRIV (recrd.buf_size) < sizeof (* eeom))
		319	+ {
		320	+ _bfd_error_handler (_("Corrupt EEOM record - size is too small"));
		321	+ bfd_set_error (bfd_error_bad_value);
		322	+ return FALSE;
		323	+ }
		324	+
		325	PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps);
		326	PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod);
		327	if (PRIV (eom_data).eom_w_comcod > 1)
		328	@@ -2540,6 +2591,10 @@
		329	PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
		330	}
		331
		332	+ /* PR 21813: Check for a truncated record. */
		333	+ if (PRIV (recrd.rec_size < test_len))
		334	+ goto error_ret;
		335	+
		336	/* Read the remaining record. */
		337	remaining = PRIV (recrd.rec_size) - test_len;
		338	to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
		339	@@ -5074,7 +5129,7 @@
		340	}
		341	else if (cur_psidx >= 0)
		342	{
		343	- if (PRIV (sections) == NULL)
		344	+ if (PRIV (sections) == NULL \|\| cur_psidx >= (int) PRIV (section_count))
		345	return FALSE;
		346	reloc->sym_ptr_ptr =
		347	PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
		348	Index: git/binutils/ChangeLog
		349	===================================================================
		350	--- git.orig/binutils/ChangeLog 2017-08-31 19:18:01.816438718 +0530
		351	+++ git/binutils/ChangeLog 2017-08-31 19:18:02.624442798 +0530
		352	@@ -1,3 +1,9 @@
		353	+2017-07-24 Nick Clifton <nickc@redhat.com>
		354	+
		355	+ PR 21813
		356	+ * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
		357	+ string whilst concatenating symbol names.
		358	+
		359	2017-02-14 Nick Clifton <nickc@redhat.com>
		360
		361	PR binutils/21157
		362	Index: git/binutils/rddbg.c
		363	===================================================================
		364	--- git.orig/binutils/rddbg.c 2017-08-31 19:17:51.596387126 +0530
		365	+++ git/binutils/rddbg.c 2017-08-31 19:18:02.624442798 +0530
		366	@@ -300,7 +300,8 @@
		367
		368	s = i.name;
		369	f = NULL;
		370	- while (s[strlen (s) - 1] == '\\'
		371	+ while (strlen (s) > 0
		372	+ && s[strlen (s) - 1] == '\\'
		373	&& ps + 1 < symend)
		374	{
		375	char sc, n;


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch new file mode 100644 index 0000000000..208bbbafae --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch
@@ -0,0 +1,113 @@
		1	commit cb06d03ad92ffcfaa09c3f065837cb39e9e1486d
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Wed Jun 21 11:13:49 2017 +0100
		4
		5	Fix address violation parsing a corrupt IEEE Alpha binary.
		6
		7	PR binutils/21637
		8	* vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
		9	list.
		10	(image_set_ptr): Likewise.
		11	(alpha_vms_fix_sec_rel): Likewise.
		12	(alpha_vms_slurp_relocs): Likewise.
		13
		14	Upstream-Status: Backport
		15
		16	CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
		17	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		18
		19	Index: git/bfd/vms-alpha.c
		20	===================================================================
		21	--- git.orig/bfd/vms-alpha.c 2017-08-31 18:01:00.742098130 +0530
		22	+++ git/bfd/vms-alpha.c 2017-08-31 18:01:06.000000000 +0530
		23	@@ -1257,6 +1257,8 @@
		24	struct vms_esdf esdf = (struct vms_esdf )vms_rec;
		25
		26	entry->value = bfd_getl64 (esdf->value);
		27	+ if (PRIV (sections) == NULL)
		28	+ return FALSE;
		29	entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
		30
		31	if (old_flags & EGSY__V_NORM)
		32	@@ -1291,7 +1293,11 @@
		33	entry->symbol_vector = bfd_getl32 (egst->value);
		34
		35	if (old_flags & EGSY__V_REL)
		36	- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
		37	+ {
		38	+ if (PRIV (sections) == NULL)
		39	+ return FALSE;
		40	+ entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
		41	+ }
		42	else
		43	entry->section = bfd_abs_section_ptr;
		44
		45	@@ -1379,6 +1385,8 @@
		46
		47	vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
		48
		49	+ if (PRIV (sections) == NULL)
		50	+ return;
		51	sec = PRIV (sections)[sect];
		52
		53	if (info)
		54	@@ -1691,7 +1699,12 @@
		55	alpha_vms_fix_sec_rel (bfd abfd, struct bfd_link_info info,
		56	unsigned int rel, bfd_vma vma)
		57	{
		58	- asection *sec = PRIV (sections)[rel & RELC_MASK];
		59	+ asection *sec;
		60	+
		61	+ if (PRIV (sections) == NULL)
		62	+ return 0;
		63	+
		64	+ sec = PRIV (sections)[rel & RELC_MASK];
		65
		66	if (info)
		67	{
		68	@@ -5000,6 +5013,8 @@
		69	return FALSE;
		70	}
		71
		72	+ if (PRIV (sections) == NULL)
		73	+ return FALSE;
		74	sec = PRIV (sections)[cur_psect];
		75	if (sec == bfd_abs_section_ptr)
		76	{
		77	@@ -5058,8 +5073,12 @@
		78	reloc->sym_ptr_ptr = sym;
		79	}
		80	else if (cur_psidx >= 0)
		81	- reloc->sym_ptr_ptr =
		82	- PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
		83	+ {
		84	+ if (PRIV (sections) == NULL)
		85	+ return FALSE;
		86	+ reloc->sym_ptr_ptr =
		87	+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
		88	+ }
		89	else
		90	reloc->sym_ptr_ptr = NULL;
		91
		92	Index: git/bfd/ChangeLog
		93	===================================================================
		94	--- git.orig/bfd/ChangeLog 2017-08-31 18:01:06.000000000 +0530
		95	+++ git/bfd/ChangeLog 2017-08-31 18:01:49.114384620 +0530
		96	@@ -31,7 +31,16 @@
		97	correct magic bytes at the start, set the error to wrong format
		98	and clear the format selector before returning NULL.
		99
		100	- 2017-06-19 Nick Clifton <nickc@redhat.com>
		101	+ 2017-06-21 Nick Clifton <nickc@redhat.com>
		102	+
		103	+ PR binutils/21637
		104	+ * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
		105	+ list.
		106	+ (image_set_ptr): Likewise.
		107	+ (alpha_vms_fix_sec_rel): Likewise.
		108	+ (alpha_vms_slurp_relocs): Likewise.
		109	+
		110	+2017-06-19 Nick Clifton <nickc@redhat.com>
		111
		112	PR binutils/21618
		113	* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record