* [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967
From: Armin Kuster @ 2018-08-08 15:34 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-12967.patch         | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index b29b75a..12b579c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -35,6 +35,7 @@ SRC_URI = "\
      file://0013-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
      file://0014-Detect-64-bit-MIPS-targets.patch \
      file://0015-sync-with-OE-libtool-changes.patch \
+     file://CVE-2017-12967.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch
new file mode 100644
index 0000000..ab19d21
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch
@@ -0,0 +1,47 @@
+From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Nov 2017 18:00:29 +0000
+Subject: [PATCH] Prevent a memory exhaustion problem when trying to read in
+ strings from a COFF binary with a corrupt string table size.
+
+	PR 22507
+	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive
+	size of the external string table.
+
+Upstream-Status: backport
+Affects binutls <= 2.29.1
+CVE:  CVE-2017-12967 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/coffgen.c | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
++++ git/bfd/coffgen.c
+@@ -1709,7 +1709,7 @@ _bfd_coff_read_string_table (bfd *abfd)
+ #endif
+     }
+ 
+-  if (strsize < STRING_SIZE_SIZE)
++  if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd))
+     {
+       _bfd_error_handler
+ 	/* xgettext: c-format */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-28  Nick Clifton  <nickc@redhat.com>
++
++       PR 22507
++       * coffgen.c (_bfd_coff_read_string_table): Check for an excessive
++       size of the external string table.
++
+ 2018-03-28  Eric Botcazou  <ebotcazou@adacore.com>
+ 
+ 	PR ld/22972
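Review bot: in the coffgen.c hunk the new upper bound `strsize > bfd_get_file_size (abfd)` stops the oversized allocation, but it is a loose bound: it compares the table size against the whole file rather than against the bytes remaining after the table's position, so a `strsize` just under the file size still runs past end-of-file and relies on the subsequent read failing cleanly. Please confirm that short read is handled (the hunk shows only the size test), or tighten the check to the remaining bytes. Two documentation points: the header line `Affects binutls <= 2.29.1` has a typo and does not match the `Affects: <= 2.29.1` form used by the other patches in this series, and the ChangeLog hunk inserts a 2017-11-28 entry above the existing 2018-03-28 one, so the file is no longer in date order; since every later patch's ChangeLog hunk depends on this one's context lines, consider dropping the ChangeLog hunks from the backports altogether.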
-- 
2.7.4


* [ROCKO][PATCH 02/27] binutils: Security fix CVE-2017-14930
From: Armin Kuster @ 2018-08-08 15:34 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14930.patch         | 53 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 12b579c..2232781 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -36,6 +36,7 @@ SRC_URI = "\
      file://0014-Detect-64-bit-MIPS-targets.patch \
      file://0015-sync-with-OE-libtool-changes.patch \
      file://CVE-2017-12967.patch \
+     file://CVE-2017-14930.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch
new file mode 100644
index 0000000..bbd267a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch
@@ -0,0 +1,53 @@
+From a26a013f22a19e2c16729e64f40ef8a7dfcc086e Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 17:10:14 +0930
+Subject: [PATCH] PR22191, memory leak in dwarf2.c
+
+table->sequences is a linked list before it is replaced by a bfd_alloc
+array in sort_line_sequences.
+
+	PR 22191
+	* dwarf2.c (decode_line_info): Properly free line sequences on error.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE:  CVE-2017-14930
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c  | 8 ++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2473,8 +2473,12 @@ decode_line_info (struct comp_unit *unit
+     return table;
+ 
+  fail:
+-  if (table->sequences != NULL)
+-    free (table->sequences);
++  while (table->sequences != NULL)
++    {
++      struct line_sequence* seq = table->sequences;
++      table->sequences = table->sequences->prev_sequence;
++      free (seq);
++    }
+   if (table->files != NULL)
+     free (table->files);
+   if (table->dirs != NULL)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2017-09-24  Alan Modra  <amodra@gmail.com>
++
++       PR 22191
++       * dwarf2.c (decode_line_info): Properly free line sequences on error.
++
+ 2017-11-28  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22507
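Review bot: in the dwarf2.c hunk the new loop frees every node reachable through `prev_sequence`, which fixes the leak the old single `free (table->sequences)` left behind (only the head node was released). The commit message notes that `sort_line_sequences` later replaces the list with a `bfd_alloc` array; please confirm that no `goto fail` can be reached after that replacement, because walking `prev_sequence` over the array and calling `free` on `bfd_alloc` memory would both be wrong. The ChangeLog hunk is in date order, but its context lines now depend on the CVE-2017-12967 patch having been applied first.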
-- 
2.7.4


* [ROCKO][PATCH 03/27] binutils: Security fix CVE-2017-14932
From: Armin Kuster @ 2018-08-08 15:34 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14932.patch         | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 2232781..788f98a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -37,6 +37,7 @@ SRC_URI = "\
      file://0015-sync-with-OE-libtool-changes.patch \
      file://CVE-2017-12967.patch \
      file://CVE-2017-14930.patch \
+     file://CVE-2017-14932.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch
new file mode 100644
index 0000000..a436031
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch
@@ -0,0 +1,46 @@
+From e338894dc2e603683bed2172e8e9f25b29051005 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 09:32:18 +0930
+Subject: [PATCH] PR22204, Lack of DW_LNE_end_sequence causes "infinite" loop
+
+	PR 22204
+	* dwarf2.c (decode_line_info): Ensure line_ptr stays within
+	bounds in inner loop.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14932
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/dwarf2.c  | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2269,7 +2269,7 @@ decode_line_info (struct comp_unit *unit
+       bfd_vma high_pc = 0;
+ 
+       /* Decode the table.  */
+-      while (! end_sequence)
++      while (!end_sequence && line_ptr < line_end)
+ 	{
+ 	  op_code = read_1_byte (abfd, line_ptr, line_end);
+ 	  line_ptr += 1;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-09-26  Alan Modra  <amodra@gmail.com>
++
++       PR 22204
++       * dwarf2.c (decode_line_info): Ensure line_ptr stays within
++       bounds in inner loop.
++
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22191
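Review bot: in the dwarf2.c hunk `while (!end_sequence && line_ptr < line_end)` bounds the inner loop, but when it exits because `line_ptr` reached `line_end` without a DW_LNE_end_sequence, the sequence being built is left unterminated. Please add a comment (or point out in the description) how the code after the loop treats that partial sequence, for example whether it is dropped or still added to the table; the hunk shows only the loop condition. The `read_1_byte (abfd, line_ptr, line_end)` call in the context already takes `line_end`, so the fix is consistent with the existing bounds-checked readers.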
-- 
2.7.4


* [ROCKO][PATCH 04/27] binutils: Security fix CVE-2017-14933
From: Armin Kuster @ 2018-08-08 15:34 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   2 +
 .../binutils/binutils/CVE-2017-14933_p1.patch      |  58 ++++++++++++
 .../binutils/binutils/CVE-2017-14933_p2.patch      | 102 +++++++++++++++++++++
 3 files changed, 162 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 788f98a..fb4ca64 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -38,6 +38,8 @@ SRC_URI = "\
      file://CVE-2017-12967.patch \
      file://CVE-2017-14930.patch \
      file://CVE-2017-14932.patch \
+     file://CVE-2017-14933_p1.patch \
+     file://CVE-2017-14933_p2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
new file mode 100644
index 0000000..9df8138
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
@@ -0,0 +1,58 @@
+From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 26 Sep 2017 14:37:47 +0100
+Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF
+ directory or file name table.
+
+	PR 22210
+	* dwarf2.c (read_formatted_entries): Fail early if we know that
+	the loop parsing data entries will overflow the end of the
+	section.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14933 #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-26  Nick Clifton  <nickc@redhat.com>
++
++	PR 22210
++	* dwarf2.c (read_formatted_entries): Fail early if we know that
++	the loop parsing data entries will overflow the end of the
++	section.
++
+ 2017-09-26  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22204
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit
+ 
+   data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end);
+   buf += bytes_read;
++
++  /* PR 22210.  Paranoia check.  Don't bother running the loop
++     if we know that we are going to run out of buffer.  */
++  if (data_count > (bfd_vma) (buf_end - buf))
++    {
++      _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
++                         data_count);
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   for (datai = 0; datai < data_count; datai++)
+     {
+       bfd_byte *format = format_header_data;
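Review bot: in the dwarf2.c hunk the pre-check `data_count > (bfd_vma) (buf_end - buf)` assumes every entry consumes at least one byte, so a count larger than the remaining bytes is certainly corrupt and the loop can be skipped; it is only a minimum bound, though, and the per-entry reads inside the loop still need their own limit checks (the companion CVE-2017-14933_p2 patch in this message addresses that). Style: the ChangeLog hunk here is tab-indented while the earlier backports in this series use spaces (`++       PR 22507`); the mismatch will cause fuzz or rejects when the patches are applied in sequence, so please normalise the indentation.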
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch
new file mode 100644
index 0000000..607d92f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch
@@ -0,0 +1,102 @@
+From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 23:20:06 +0930
+Subject: [PATCH] Tidy reading data in read_formatted_entries
+
+Using read_attribute_value accomplishes two things: It checks for
+unexpected formats, and ensures the buffer pointer always increments.
+
+	PR 22210
+	* dwarf2.c (read_formatted_entries): Use read_attribute_value to
+	read data.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14933 #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf2.c  | 37 +++++++------------------------------
+ 2 files changed, 13 insertions(+), 30 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-09-26  Alan Modra  <amodra@gmail.com>
++
++	PR 22210
++	* dwarf2.c (read_formatted_entries): Use read_attribute_value to
++	read data.
++
+ 2017-09-26  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR 22210
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit
+ 	  char *string_trash;
+ 	  char **stringp = &string_trash;
+ 	  unsigned int uint_trash, *uintp = &uint_trash;
++	  struct attribute attr;
+ 
+ 	  content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read,
+ 						FALSE, buf_end);
+@@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit
+ 	  form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE,
+ 					buf_end);
+ 	  format += bytes_read;
++
++	  buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end);
++	  if (buf == NULL)
++	    return FALSE;
+ 	  switch (form)
+ 	    {
+ 	    case DW_FORM_string:
+-	      *stringp = read_string (abfd, buf, buf_end, &bytes_read);
+-	      buf += bytes_read;
+-	      break;
+-
+ 	    case DW_FORM_line_strp:
+-	      *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read);
+-	      buf += bytes_read;
++	      *stringp = attr.u.str;
+ 	      break;
+ 
+ 	    case DW_FORM_data1:
+-	      *uintp = read_1_byte (abfd, buf, buf_end);
+-	      buf += 1;
+-	      break;
+-
+ 	    case DW_FORM_data2:
+-	      *uintp = read_2_bytes (abfd, buf, buf_end);
+-	      buf += 2;
+-	      break;
+-
+ 	    case DW_FORM_data4:
+-	      *uintp = read_4_bytes (abfd, buf, buf_end);
+-	      buf += 4;
+-	      break;
+-
+ 	    case DW_FORM_data8:
+-	      *uintp = read_8_bytes (abfd, buf, buf_end);
+-	      buf += 8;
+-	      break;
+-
+ 	    case DW_FORM_udata:
+-	      *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE,
+-					      buf_end);
+-	      buf += bytes_read;
+-	      break;
+-
+-	    case DW_FORM_block:
+-	      /* It is valid only for DW_LNCT_timestamp which is ignored by
+-		 current GDB.  */
++	      *uintp = attr.u.val;
+ 	      break;
+ 	    }
+ 	}
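Review bot: in the second dwarf2.c hunk the `DW_FORM_block` case, together with its comment that the form is valid only for DW_LNCT_timestamp and ignored, is deleted, so a block-form entry now passes through `read_attribute_value` and then matches no case in the switch. That is the intended behaviour, but nothing in the code says so any more; please keep a `default:` with the comment (or a short note above the switch) so the silent fall-through is not mistaken for a missing case. The `if (buf == NULL) return FALSE;` check correctly precedes every use of `attr`. `string_trash` and `uint_trash` remain as scratch targets; after this change the only writes are `*stringp = attr.u.str` and `*uintp = attr.u.val`, so the switch could be simplified further in a later cleanup.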
-- 
2.7.4


* [ROCKO][PATCH 05/27] binutils: Security fix CVE-2017-14934
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14934.patch         | 63 ++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index fb4ca64..765813d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
      file://CVE-2017-14932.patch \
      file://CVE-2017-14933_p1.patch \
      file://CVE-2017-14933_p2.patch \
+     file://CVE-2017-14934.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
new file mode 100644
index 0000000..57733f0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
@@ -0,0 +1,63 @@
+From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 27 Sep 2017 10:42:51 +0100
+Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when
+ encountering a CU structure with a small negative size.
+
+	PR 22219
+	* dwarf.c (process_debug_info): Add a check for a negative
+	cu_length field.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14934
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/dwarf.c   | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
+       int level, last_level, saved_level;
+       dwarf_vma cu_offset;
+       unsigned int offset_size;
+-      int initial_length_size;
++      unsigned int initial_length_size;
+       dwarf_vma signature_high = 0;
+       dwarf_vma signature_low = 0;
+       dwarf_vma type_offset = 0;
+@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
+ 	  num_units = unit;
+ 	  break;
+ 	}
++      else if (compunit.cu_length + initial_length_size < initial_length_size)
++	{
++	  warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
++		dwarf_vmatoa ("x", cu_offset),
++		dwarf_vmatoa ("x", compunit.cu_length));
++	  num_units = unit;
++	  break;
++	}
++
+       tags = hdrptr;
+       start += compunit.cu_length + initial_length_size;
+ 
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-09-27  Nick Clifton  <nickc@redhat.com>
++
++       PR 22219
++       * dwarf.c (process_debug_info): Add a check for a negative
++       cu_length field.
++
+ 2017-11-01  Alan Modra  <amodra@gmail.com>
+ 
+ 	Apply from master
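Review bot: in the dwarf.c hunk the test `compunit.cu_length + initial_length_size < initial_length_size` detects unsigned wraparound of the sum, which is exactly what `start += compunit.cu_length + initial_length_size;` below would otherwise stall on (a wrapped sum fails to advance `start`); the switch of `initial_length_size` to `unsigned int` keeps both sides of that comparison unsigned. Note that it only catches a `cu_length` within `initial_length_size` of the type's maximum; a large but non-wrapping `cu_length` that exceeds the section must be rejected by the preceding branch (its body is not in the hunk), so please confirm that branch covers it. Documentation: the ChangeLog hunk places a 2017-09-27 entry above an existing 2017-11-01 one, breaking date order.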
-- 
2.7.4


* [ROCKO][PATCH 06/27] binutils: Security fix for CVE-2017-14938
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14938.patch         | 64 ++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 765813d..8e92b92 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
      file://CVE-2017-14933_p1.patch \
      file://CVE-2017-14933_p2.patch \
      file://CVE-2017-14934.patch \
+     file://CVE-2017-14938.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch
new file mode 100644
index 0000000..e62c73c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch
@@ -0,0 +1,64 @@
+From bd61e135492ecf624880e6b78e5fcde3c9716df6 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:34:57 +0930
+Subject: [PATCH] PR22166, SHT_GNU_verneed memory allocation
+
+The sanity check covers the previous minimim size, plus that the size
+is at least enough for sh_info verneed entries.
+
+Also, since we write all verneed fields or exit with an error, there
+isn't any need to zero the memory allocated for verneed entries.
+
+	PR 22166
+	* elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
+	SHT_GNU_verneed section for sanity.  Don't zalloc memory for
+	verref.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14938
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 7 +++++++
+ bfd/elf.c     | 5 +++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -8198,7 +8198,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 
+       hdr = &elf_tdata (abfd)->dynverref_hdr;
+ 
+-      if (hdr->sh_info == 0 || hdr->sh_size < sizeof (Elf_External_Verneed))
++      if (hdr->sh_info == 0
++	  || hdr->sh_info > hdr->sh_size / sizeof (Elf_External_Verneed))
+ 	{
+ error_return_bad_verref:
+ 	  _bfd_error_handler
+@@ -8219,7 +8220,7 @@ error_return_verref:
+ 	goto error_return_verref;
+ 
+       elf_tdata (abfd)->verref = (Elf_Internal_Verneed *)
+-	bfd_zalloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed));
++	bfd_alloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed));
+ 
+       if (elf_tdata (abfd)->verref == NULL)
+ 	goto error_return_verref;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-24  Alan Modra  <amodra@gmail.com>
++
++       PR 22166
++       * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
++       SHT_GNU_verneed section for sanity.  Don't zalloc memory for
++       verref.
++
+ 2017-09-26  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 22210
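Review bot: in the first elf.c hunk the new test `hdr->sh_info > hdr->sh_size / sizeof (Elf_External_Verneed)` subsumes the old `sh_size < sizeof (Elf_External_Verneed)` check (for any `sh_info >= 1` it fails whenever the section is smaller than one entry) and, by dividing rather than multiplying, cannot overflow for a huge `sh_info`; good. The second hunk switches `bfd_zalloc2` to `bfd_alloc2`, which the commit message justifies by every field being written or an error taken. Please confirm that the `goto error_return_verref` paths taken after the allocation do not leave a partially filled `verref` array that later cleanup walks through uninitialised pointers, since the memory is no longer zeroed.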
-- 
2.7.4


* [ROCKO][PATCH 07/27] binutils: Security fix for CVE-2017-14939
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14939.patch         | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 8e92b92..c0ad94c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -42,6 +42,7 @@ SRC_URI = "\
      file://CVE-2017-14933_p2.patch \
      file://CVE-2017-14934.patch \
      file://CVE-2017-14938.patch \
+     file://CVE-2017-14939.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch
new file mode 100644
index 0000000..d1e4c3e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch
@@ -0,0 +1,56 @@
+From 515f23e63c0074ab531bc954f84ca40c6281a724 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:36:16 +0930
+Subject: [PATCH] PR22169, heap-based buffer overflow in read_1_byte
+
+The .debug_line header length field doesn't include the length field
+itself, ie. it's the size of the rest of .debug_line.
+
+	PR 22169
+	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14939
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c  | 7 ++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2084,12 +2084,13 @@ decode_line_info (struct comp_unit *unit
+       offset_size = 8;
+     }
+ 
+-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
++  if (lh.total_length > (size_t) (line_end - line_ptr))
+     {
+       _bfd_error_handler
+ 	/* xgettext: c-format */
+-	(_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
+-	 lh.total_length, stash->dwarf_line_size - unit->line_offset);
++	(_("Dwarf Error: Line info data is bigger (%#Lx)"
++	   " than the space remaining in the section (%#lx)"),
++	 lh.total_length, (unsigned long) (line_end - line_ptr));
+       bfd_set_error (bfd_error_bad_value);
+       return NULL;
+     }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
++ 
++       PR 22169
++       * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
++
++2017-09-24  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22166
+        * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
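Review bot: in the dwarf2.c hunk the check `lh.total_length > (size_t) (line_end - line_ptr)` compares the unit length against the bytes actually remaining after the length field, which matches the commit message's point that `total_length` excludes the length field itself. The `(size_t)` cast only works if `line_ptr <= line_end` already holds here; if `line_ptr` could have advanced past `line_end` while reading the header, the negative difference becomes a huge unsigned value and the check passes, so please confirm that invariant. The diagnostic now uses `%#lx` with an `(unsigned long)` cast for the remaining size while `total_length` keeps `%#Lx`, which is consistent. Style: the ChangeLog hunk contains a `++ ` line with trailing whitespace.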
-- 
2.7.4


* [ROCKO][PATCH 08/27] binutils: Security fix for CVE-2017-14940
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14940.patch         | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c0ad94c..45e4393 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
      file://CVE-2017-14934.patch \
      file://CVE-2017-14938.patch \
      file://CVE-2017-14939.patch \
+     file://CVE-2017-14940.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch
new file mode 100644
index 0000000..49b0bdc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch
@@ -0,0 +1,47 @@
+From 0d76029f92182c3682d8be2c833d45bc9a2068fe Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:35:33 +0930
+Subject: [PATCH] PR22167, NULL pointer dereference in scan_unit_for_symbols
+
+	PR 22167
+	* dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14940
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c  | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -3202,7 +3202,8 @@ scan_unit_for_symbols (struct comp_unit
+ 		    case DW_FORM_block2:
+ 		    case DW_FORM_block4:
+ 		    case DW_FORM_exprloc:
+-		      if (*attr.u.blk->data == DW_OP_addr)
++		      if (attr.u.blk->data != NULL
++			  && *attr.u.blk->data == DW_OP_addr)
+ 			{
+ 			  var->stack = 0;
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,5 +1,10 @@
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+  
++       PR 22167
++       * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL.
++
++2017-09-24  Alan Modra  <amodra@gmail.com>
++ 
+        PR 22169
+        * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+ 
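Review bot: in the dwarf2.c hunk the added `attr.u.blk->data != NULL` guard prevents the NULL dereference, but `*attr.u.blk->data` still reads the first byte without consulting the block's size; if `read_attribute_value` can produce a non-NULL `data` for a zero-length block, that read goes one byte past the block. Please confirm that `data` is NULL whenever the size is zero, or add `attr.u.blk->size > 0` to the condition. Style: the ChangeLog hunk's context line `+  ` and the added `++ ` line both carry trailing whitespace.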
-- 
2.7.4


* [ROCKO][PATCH 09/27] binutils: Security fix for CVE-2017-15021
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15021.patch         | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 45e4393..6f7d655 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -44,6 +44,7 @@ SRC_URI = "\
      file://CVE-2017-14938.patch \
      file://CVE-2017-14939.patch \
      file://CVE-2017-14940.patch \
+     file://CVE-2017-15021.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch
new file mode 100644
index 0000000..caca7b1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch
@@ -0,0 +1,48 @@
+From 52b36c51e5bf6d7600fdc6ba115b170b0e78e31d Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 21:36:18 +0930
+Subject: [PATCH] PR22197, buffer overflow in bfd_get_debug_link_info_1
+
+	PR 22197
+	* opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
+	within section bounds.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15021
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/opncls.c  | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
++++ git/bfd/opncls.c
+@@ -1200,7 +1200,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   /* PR 17597: avoid reading off the end of the buffer.  */
+   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+   crc_offset = (crc_offset + 3) & ~3;
+-  if (crc_offset >= bfd_get_section_size (sect))
++  if (crc_offset + 4 > bfd_get_section_size (sect))
+     return NULL;
+ 
+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
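Review bot: `crc_offset + 4 > bfd_get_section_size (sect)` is the right bound (the old `>=` only guaranteed one byte where `bfd_get_32` reads four), but the literal 4 is unexplained; add a short comment naming it as the size of the CRC32 field, and extend the "PR 17597" comment above with PR 22197 so a reader sees why both the strnlen bound and this check exist. The case where `strnlen` finds no terminator is still covered: `crc_offset` is then already larger than the section size before the round-up, so the new test rejects it too.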
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+  
++       PR 22197
++       * opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
++       within section bounds.
++
++2017-09-24  Alan Modra  <amodra@gmail.com>
++ 
+        PR 22167
+        * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL.
+ 
-- 
2.7.4

* [ROCKO][PATCH 10/27] binutils: Security fix for CVE-2017-15022
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affected: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15022.patch         | 61 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 6f7d655..05b7f22 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -45,6 +45,7 @@ SRC_URI = "\
      file://CVE-2017-14939.patch \
      file://CVE-2017-14940.patch \
      file://CVE-2017-15021.patch \
+     file://CVE-2017-15022.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch
new file mode 100644
index 0000000..c9acfa7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch
@@ -0,0 +1,61 @@
+From 11855d8a1f11b102a702ab76e95b22082cccf2f8 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 25 Sep 2017 19:46:34 +0930
+Subject: [PATCH] PR22201, DW_AT_name with out of bounds reference
+
+DW_AT_name ought to always have a string value.
+
+	PR 22201
+	* dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it
+	has string form.
+	(parse_comp_unit): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15022
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 7 +++++++
+ bfd/dwarf2.c  | 6 ++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -3177,7 +3177,8 @@ scan_unit_for_symbols (struct comp_unit
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+-		  var->name = attr.u.str;
++		  if (is_str_attr (attr.form))
++		    var->name = attr.u.str;
+ 		  break;
+ 
+ 		case DW_AT_decl_file:
+@@ -3429,7 +3430,8 @@ parse_comp_unit (struct dwarf2_debug *st
+ 	  break;
+ 
+ 	case DW_AT_name:
+-	  unit->name = attr.u.str;
++	  if (is_str_attr (attr.form))
++	    unit->name = attr.u.str;
+ 	  break;
+ 
+ 	case DW_AT_low_pc:
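Review bot: both new `is_str_attr (attr.form)` guards silently skip a DW_AT_name whose form is not a string, leaving `var->name` / `unit->name` at their previous value with no diagnostic. Since the commit message states DW_AT_name "ought to always have a string value", a non-string form is malformed input and deserves at least a `_bfd_error_handler` message, so corrupt debug info is reported rather than quietly producing nameless entries. It is also worth checking whether the other `attr.u.str` consumers in these switch statements need the same form check, since the out-of-bounds reference fixed here is not specific to DW_AT_name.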
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-25  Alan Modra  <amodra@gmail.com>
++ 
++       PR 22201
++       * dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it
++       has string form.
++       (parse_comp_unit): Likewise.
++
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+  
+        PR 22197
-- 
2.7.4

* [ROCKO][PATCH 11/27] binutils: Security fix for CVE-2017-15023
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15023.patch         | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 05b7f22..08b233f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -46,6 +46,7 @@ SRC_URI = "\
      file://CVE-2017-14940.patch \
      file://CVE-2017-15021.patch \
      file://CVE-2017-15022.patch \
+     file://CVE-2017-15023.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch
new file mode 100644
index 0000000..9439b7b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch
@@ -0,0 +1,52 @@
+From c361faae8d964db951b7100cada4dcdc983df1bf Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 25 Sep 2017 19:03:46 +0930
+Subject: [PATCH] PR22200, DWARF5 .debug_line sanity check
+
+The format_count entry can't be zero unless the count is also zero.
+
+	PR 22200
+	* dwarf2.c (read_formatted_entries): Error on format_count zero.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15023
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c  | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1934,6 +1934,13 @@ read_formatted_entries (struct comp_unit
+   data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end);
+   buf += bytes_read;
+ 
++  if (format_count == 0 && data_count != 0)
++    {
++      _bfd_error_handler (_("Dwarf Error: Zero format count."));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* PR 22210.  Paranoia check.  Don't bother running the loop
+      if we know that we are going to run out of buffer.  */
+   if (data_count > (bfd_vma) (buf_end - buf))
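Review bot: the new `format_count == 0 && data_count != 0` rejection carries no comment explaining the invariant, while the neighbouring PR 22210 check does; add one line with the reason given in the commit message (every entry is described by the format list, so zero formats with a non-zero entry count can describe no bytes and the entry loop would never consume input), and cite PR 22200 there for consistency with the check below it.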
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-09-25  Alan Modra  <amodra@gmail.com>
++
++       PR 22200
++       * dwarf2.c (read_formatted_entries): Error on format_count zero.
++
++2017-09-25  Alan Modra  <amodra@gmail.com>
+  
+        PR 22201
+        * dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it
-- 
2.7.4

* [ROCKO][PATCH 12/27] binutils: Security fix for CVE-2017-15024
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2017-15024.patch         | 227 +++++++++++++++++++++
 2 files changed, 228 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 08b233f..c13cb50 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
      file://CVE-2017-15021.patch \
      file://CVE-2017-15022.patch \
      file://CVE-2017-15023.patch \
+     file://CVE-2017-15024.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
new file mode 100644
index 0000000..53b072e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,227 @@
+From 52a93b95ec0771c97e26f0bb28630a271a667bd2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:37:16 +0930
+Subject: [PATCH] PR22187, infinite loop in find_abstract_instance_name
+
+This patch prevents the simple case of infinite recursion in
+find_abstract_instance_name by ensuring that the attributes being
+processed are not the same as the previous call.
+
+The patch also does a little cleanup, and leaves in place some changes
+to the nested_funcs array that I made when I wrongly thought looping
+might occur in scan_unit_for_symbols.
+
+	PR 22187
+	* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
+	pname param.  Return status.  Make name const.  Don't abort,
+	return an error.  Formatting.  Exit if current info_ptr matches
+	orig_info_ptr.  Update callers.
+	(scan_unit_for_symbols): Start at nesting_level of zero.  Make
+	nested_funcs an array of structs for extensibility.  Formatting.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15024
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 10 ++++++++
+ bfd/dwarf2.c  | 76 +++++++++++++++++++++++++++++++++++++++--------------------
+ 2 files changed, 61 insertions(+), 25 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2823,9 +2823,11 @@ lookup_symbol_in_variable_table (struct
+   return FALSE;
+ }
+ 
+-static char *
++static bfd_boolean
+ find_abstract_instance_name (struct comp_unit *unit,
++			     bfd_byte *orig_info_ptr,
+ 			     struct attribute *attr_ptr,
++			     const char **pname,
+ 			     bfd_boolean *is_linkage)
+ {
+   bfd *abfd = unit->abfd;
+@@ -2835,7 +2837,7 @@ find_abstract_instance_name (struct comp
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  char *name = NULL;
++  const char *name = NULL;
+ 
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+@@ -2844,7 +2846,12 @@ find_abstract_instance_name (struct comp
+       /* We only support DW_FORM_ref_addr within the same file, so
+ 	 any relocations should be resolved already.  */
+       if (!die_ref)
+-	abort ();
++	{
++	  _bfd_error_handler
++	    (_("Dwarf Error: Abstract instance DIE ref zero."));
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
+ 
+       info_ptr = unit->sec_info_ptr + die_ref;
+       info_ptr_end = unit->end_ptr;
+@@ -2879,9 +2886,10 @@ find_abstract_instance_name (struct comp
+ 	  _bfd_error_handler
+ 	    (_("Dwarf Error: Unable to read alt ref %u."), die_ref);
+ 	  bfd_set_error (bfd_error_bad_value);
+-	  return NULL;
++	  return FALSE;
+ 	}
+-      info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
++      info_ptr_end = (unit->stash->alt_dwarf_info_buffer
++		      + unit->stash->alt_dwarf_info_size);
+ 
+       /* FIXME: Do we need to locate the correct CU, in a similar
+ 	 fashion to the code in the DW_FORM_ref_addr case above ?  */
+@@ -2904,6 +2912,7 @@ find_abstract_instance_name (struct comp
+ 	  _bfd_error_handler
+ 	    (_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
+ 	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
+ 	}
+       else
+ 	{
+@@ -2913,6 +2922,15 @@ find_abstract_instance_name (struct comp
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
++	      /* It doesn't ever make sense for DW_AT_specification to
++		 refer to the same DIE.  Stop simple recursion.  */
++	      if (info_ptr == orig_info_ptr)
++		{
++		  _bfd_error_handler
++		    (_("Dwarf Error: Abstract instance recursion detected."));
++		  bfd_set_error (bfd_error_bad_value);
++		  return FALSE;
++		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
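Review bot: the `info_ptr == orig_info_ptr` test only stops a DIE whose DW_AT_specification points back at itself, as the commit message concedes ("the simple case"); a cycle through two or more DIEs (A refers to B, B refers to A) still recurses without bound and exhausts the stack on the same kind of fuzzed input. A recursion depth counter passed down alongside `orig_info_ptr`, failing with the same `bfd_error_bad_value` once a small fixed limit is exceeded, closes the general case at no extra cost; keep the pointer comparison as the cheap fast path if desired.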
+@@ -2926,7 +2944,9 @@ find_abstract_instance_name (struct comp
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  name = find_abstract_instance_name (unit, &attr, is_linkage);
++		  if (!find_abstract_instance_name (unit, info_ptr, &attr,
++						    pname, is_linkage))
++		    return FALSE;
+ 		  break;
+ 		case DW_AT_linkage_name:
+ 		case DW_AT_MIPS_linkage_name:
+@@ -2944,7 +2964,8 @@ find_abstract_instance_name (struct comp
+ 	    }
+ 	}
+     }
+-  return name;
++  *pname = name;
++  return TRUE;
+ }
+ 
+ static bfd_boolean
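Review bot: the name found through a DW_AT_specification chain is lost. The recursive call in the previous hunk writes its result into `*pname`, but this hunk ends the function with `*pname = name;`, where `name` is the local that only the DW_AT_name / DW_AT_linkage_name cases of the current DIE assign. For a DIE that carries DW_AT_specification but no name of its own, `*pname` is therefore overwritten with NULL, whereas the removed line `name = find_abstract_instance_name (unit, &attr, is_linkage);` kept the value. Pass `&name` to the recursive call instead of `pname` so the final assignment preserves it.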
+@@ -3005,20 +3026,22 @@ scan_unit_for_symbols (struct comp_unit
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr = unit->first_child_die_ptr;
+   bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
+-  int nesting_level = 1;
+-  struct funcinfo **nested_funcs;
++  int nesting_level = 0;
++  struct nest_funcinfo {
++    struct funcinfo *func;
++  } *nested_funcs;
+   int nested_funcs_size;
+ 
+   /* Maintain a stack of in-scope functions and inlined functions, which we
+      can use to set the caller_func field.  */
+   nested_funcs_size = 32;
+-  nested_funcs = (struct funcinfo **)
+-    bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
++  nested_funcs = (struct nest_funcinfo *)
++    bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
+   if (nested_funcs == NULL)
+     return FALSE;
+-  nested_funcs[nesting_level] = 0;
++  nested_funcs[nesting_level].func = 0;
+ 
+-  while (nesting_level)
++  while (nesting_level >= 0)
+     {
+       unsigned int abbrev_number, bytes_read, i;
+       struct abbrev_info *abbrev;
+@@ -3076,13 +3099,13 @@ scan_unit_for_symbols (struct comp_unit
+ 	  BFD_ASSERT (!unit->cached);
+ 
+ 	  if (func->tag == DW_TAG_inlined_subroutine)
+-	    for (i = nesting_level - 1; i >= 1; i--)
+-	      if (nested_funcs[i])
++	    for (i = nesting_level; i-- != 0; )
++	      if (nested_funcs[i].func)
+ 		{
+-		  func->caller_func = nested_funcs[i];
++		  func->caller_func = nested_funcs[i].func;
+ 		  break;
+ 		}
+-	  nested_funcs[nesting_level] = func;
++	  nested_funcs[nesting_level].func = func;
+ 	}
+       else
+ 	{
+@@ -3102,12 +3125,13 @@ scan_unit_for_symbols (struct comp_unit
+ 	    }
+ 
+ 	  /* No inline function in scope at this nesting level.  */
+-	  nested_funcs[nesting_level] = 0;
++	  nested_funcs[nesting_level].func = 0;
+ 	}
+ 
+       for (i = 0; i < abbrev->num_attrs; ++i)
+ 	{
+-	  info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
++	  info_ptr = read_attribute (&attr, &abbrev->attrs[i],
++				     unit, info_ptr, info_ptr_end);
+ 	  if (info_ptr == NULL)
+ 	    goto fail;
+ 
+@@ -3126,8 +3150,10 @@ scan_unit_for_symbols (struct comp_unit
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  func->name = find_abstract_instance_name (unit, &attr,
+-							    &func->is_linkage);
++		  if (!find_abstract_instance_name (unit, info_ptr, &attr,
++						    &func->name,
++						    &func->is_linkage))
++		    goto fail;
+ 		  break;
+ 
+ 		case DW_AT_name:
+@@ -3254,17 +3280,17 @@ scan_unit_for_symbols (struct comp_unit
+ 
+ 	  if (nesting_level >= nested_funcs_size)
+ 	    {
+-	      struct funcinfo **tmp;
++	      struct nest_funcinfo *tmp;
+ 
+ 	      nested_funcs_size *= 2;
+-	      tmp = (struct funcinfo **)
++	      tmp = (struct nest_funcinfo *)
+ 		bfd_realloc (nested_funcs,
+-			     nested_funcs_size * sizeof (struct funcinfo *));
++			     nested_funcs_size * sizeof (*nested_funcs));
+ 	      if (tmp == NULL)
+ 		goto fail;
+ 	      nested_funcs = tmp;
+ 	    }
+-	  nested_funcs[nesting_level] = 0;
++	  nested_funcs[nesting_level].func = 0;
+ 	}
+     }
+ 
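Review bot: the diffstat at the top of this backported patch lists `bfd/ChangeLog | 10 ++++++++`, but the patch body contains only the `bfd/dwarf2.c` hunks and no ChangeLog section, unlike every other patch in this series; either drop the ChangeLog line from the diffstat or include the ChangeLog hunk so the stat and the body agree and reviewers are not misled about what was applied.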
-- 
2.7.4

* [ROCKO][PATCH 13/27] binutils: Security fix for CVE-2017-15025
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15025.patch         | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c13cb50..8bd880c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -48,6 +48,7 @@ SRC_URI = "\
      file://CVE-2017-15022.patch \
      file://CVE-2017-15023.patch \
      file://CVE-2017-15024.patch \
+     file://CVE-2017-15025.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch
new file mode 100644
index 0000000..ce53159
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch
@@ -0,0 +1,47 @@
+From d8010d3e75ec7194a4703774090b27486b742d48 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:36:48 +0930
+Subject: [PATCH] PR22186, divide-by-zero in decode_line_info
+
+	PR 22186
+	* dwarf2.c (decode_line_info): Fail on lh.line_range of zero
+	rather than dividing by zero.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15025
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/dwarf2.c  | 2 ++
+ 2 files changed, 8 insertions(+)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -2432,6 +2432,8 @@ decode_line_info (struct comp_unit *unit
+ 	    case DW_LNS_set_basic_block:
+ 	      break;
+ 	    case DW_LNS_const_add_pc:
++	      if (lh.line_range == 0)
++		goto line_fail;
+ 	      if (lh.maximum_ops_per_insn == 1)
+ 		address += (lh.minimum_instruction_length
+ 			    * ((255 - lh.opcode_base) / lh.line_range));
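Review bot: `lh.line_range` is a field of the line-program header, so it is known as soon as the header is decoded; guarding it only inside the DW_LNS_const_add_pc case leaves every other use unprotected. In particular the DWARF special-opcode formula computes the line advance as `line_base + (adjusted_opcode % line_range)` and the address advance with the same division, so a zero `line_range` still traps on the same input once a special opcode is reached. Move the check to where `lh.line_range` is read, fail the whole line program there with a `_bfd_error_handler` message, and drop this per-opcode test.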
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-24  Alan Modra  <amodra@gmail.com>
++
++       PR 22186
++       * dwarf2.c (decode_line_info): Fail on lh.line_range of zero
++       rather than dividing by zero.
++
++
+ 2017-09-25  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22200
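Review bot: the new ChangeLog entry is followed by two consecutive blank lines (the two `++` lines before the 2017-09-25 entry); ChangeLog entries are separated by a single blank line, so drop one. The added lines are also space-indented where the file uses a tab.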
-- 
2.7.4

* [ROCKO][PATCH 14/27] binutils: Security fix for CVE-2017-15225
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15225.patch         | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 8bd880c..1983d85 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
      file://CVE-2017-15023.patch \
      file://CVE-2017-15024.patch \
      file://CVE-2017-15025.patch \
+     file://CVE-2017-15225.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch
new file mode 100644
index 0000000..2ef3f53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch
@@ -0,0 +1,48 @@
+From b55ec8b676ed05d93ee49d6c79ae0403616c4fb0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 9 Oct 2017 13:21:44 +1030
+Subject: [PATCH] PR22212, memory leak in nm
+
+	PR 22212
+	* dwarf2.c (_bfd_dwarf2_cleanup_debug_info): Free
+	funcinfo_hash_table and varinfo_hash_table.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15225
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/dwarf2.c  | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -4932,6 +4932,10 @@ _bfd_dwarf2_cleanup_debug_info (bfd *abf
+ 	}
+     }
+ 
++  if (stash->funcinfo_hash_table)
++    bfd_hash_table_free (&stash->funcinfo_hash_table->base);
++  if (stash->varinfo_hash_table)
++    bfd_hash_table_free (&stash->varinfo_hash_table->base);
+   if (stash->dwarf_abbrev_buffer)
+     free (stash->dwarf_abbrev_buffer);
+   if (stash->dwarf_line_buffer)
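Review bot: `bfd_hash_table_free` releases only the memory the hash table allocated internally (its objalloc), not the enclosing `funcinfo_hash_table` / `varinfo_hash_table` objects that `&...->base` points into; if those wrappers are allocated separately from the stash (their allocation is not visible in this hunk), they still leak after this change and need their own `free` here. Please confirm how they are allocated and, if needed, free them right after the table contents.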
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-09  Alan Modra  <amodra@gmail.com>
++
++       PR 22212
++       * dwarf2.c (_bfd_dwarf2_cleanup_debug_info): Free
++       funcinfo_hash_table and varinfo_hash_table.
++
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22186
-- 
2.7.4

* [ROCKO][PATCH 15/27] binutils: Security fix for CVE-2017-15939
From: Armin Kuster @ 2018-08-08 15:35 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2017-15939.patch         | 113 +++++++++++++++++++++
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 1983d85..917f667 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
      file://CVE-2017-15024.patch \
      file://CVE-2017-15025.patch \
      file://CVE-2017-15225.patch \
+     file://CVE-2017-15939.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
new file mode 100644
index 0000000..bccad76
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
@@ -0,0 +1,113 @@
+From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 09:38:26 +0930
+Subject: [PATCH] PR22205, .debug_line file table NULL filename
+
+The PR22200 fuzzer testcase found one way to put NULLs into .debug_line
+file tables.  PR22205 finds another.  This patch gives up on trying to
+prevent NULL files in the file table and instead just copes with them.
+Arguably, this is better than giving up and showing no info from
+.debug_line.  I've also fixed a case where the fairly recent DWARF5
+support in handling broken DWARG could result in uninitialized memory
+reads, and made a small tidy.
+
+	PR 22205
+	* dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
+	(read_formatted_entries): Init "fe".
+	(decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15939
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 35 +++++++++++++----------------------
+ 2 files changed, 20 insertions(+), 22 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table
+     }
+ 
+   filename = table->files[file - 1].name;
++  if (filename == NULL)
++    return strdup ("<unknown>");
+ 
+   if (!IS_ABSOLUTE_PATH (filename))
+     {
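Review bot: the `<unknown>` placeholder is deliberately returned through `strdup` so that callers which free the result (as the other strdup-based returns of concat_filename suggest they do) stay correct; a one-line comment saying so would stop a future cleanup from turning it into a string literal and introducing a free of static memory. The `strdup` return is also unchecked, so an allocation failure here returns NULL, which is the very value the callers are being taught to tolerate; acceptable, but worth stating.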
+@@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit
+       bfd_byte *format = format_header_data;
+       struct fileinfo fe;
+ 
++      memset (&fe, 0, sizeof fe);
+       for (formati = 0; formati < format_count; formati++)
+ 	{
+ 	  bfd_vma content_type, form;
+@@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit
+       unsigned int discriminator = 0;
+       int is_stmt = lh.default_is_stmt;
+       int end_sequence = 0;
++      unsigned int dir, xtime, size;
+       /* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some
+ 	 compilers generate address sequences that are wildly out of
+ 	 order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler
+@@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit
+ 		case DW_LNE_define_file:
+ 		  cur_file = read_string (abfd, line_ptr, line_end, &bytes_read);
+ 		  line_ptr += bytes_read;
+-		  if ((table->num_files % FILE_ALLOC_CHUNK) == 0)
+-		    {
+-		      struct fileinfo *tmp;
+-
+-		      amt = table->num_files + FILE_ALLOC_CHUNK;
+-		      amt *= sizeof (struct fileinfo);
+-		      tmp = (struct fileinfo *) bfd_realloc (table->files, amt);
+-		      if (tmp == NULL)
+-			goto line_fail;
+-		      table->files = tmp;
+-		    }
+-		  table->files[table->num_files].name = cur_file;
+-		  table->files[table->num_files].dir =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++					       FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->files[table->num_files].time =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++						 FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->files[table->num_files].size =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++						FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->num_files++;
++		  if (!line_info_add_file_name (table, cur_file, dir,
++						xtime, size))
++		    goto line_fail;
+ 		  break;
+ 		case DW_LNE_set_discriminator:
+ 		  discriminator =
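Review bot: the removed lines were the only visible users of `amt` in this case (`amt = table->num_files + FILE_ALLOC_CHUNK;` and `amt *= sizeof (struct fileinfo);`); if decode_line_info has no other use of `amt`, the variable is now unused and will warn under -Wunused-variable, so check its declaration and drop it. Also confirm that `line_info_add_file_name` accepts a NULL `cur_file`, since `read_string` can yield NULL on malformed input, which is exactly the PR 22205 case this patch sets out to cope with rather than prevent.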
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-26  Alan Modra  <amodra@gmail.com>
++ 
++       PR 22205
++       * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
++       (read_formatted_entries): Init "fe".
++       (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
++
+ 2017-10-09  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22212
-- 
2.7.4

* [ROCKO][PATCH 16/27] binutils: Security fix for CVE-2017-15996
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-15996.patch         | 84 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 917f667..7928de9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -51,6 +51,7 @@ SRC_URI = "\
      file://CVE-2017-15025.patch \
      file://CVE-2017-15225.patch \
      file://CVE-2017-15939.patch \
+     file://CVE-2017-15996.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
new file mode 100644
index 0000000..dab8380
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
@@ -0,0 +1,84 @@
+From d91f0b20e561e326ee91a09a76206257bde8438b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 28 Oct 2017 21:31:16 +1030
+Subject: [PATCH] PR22361 readelf buffer overflow on fuzzed archive header
+
+	PR 22361
+	* readelf.c (process_archive_index_and_symbols): Ensure ar_size
+	field is zero terminated for strtoul.
+	(setup_archive, get_archive_member_name): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15996
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/elfcomm.c | 11 +++++++++++
+ 2 files changed, 18 insertions(+)
+
+Index: git/binutils/elfcomm.c
+===================================================================
+--- git.orig/binutils/elfcomm.c
++++ git/binutils/elfcomm.c
+@@ -466,8 +466,12 @@ process_archive_index_and_symbols (struc
+ {
+   size_t got;
+   unsigned long size;
++  char fmag_save;
+ 
++  fmag_save = arch->arhdr.ar_fmag[0];
++  arch->arhdr.ar_fmag[0] = 0;
+   size = strtoul (arch->arhdr.ar_size, NULL, 10);
++  arch->arhdr.ar_fmag[0] = fmag_save;
+   /* PR 17531: file: 912bd7de.  */
+   if ((signed long) size < 0)
+     {
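Review bot: the save/zero/restore of `arch->arhdr.ar_fmag[0]` around `strtoul (arch->arhdr.ar_size, NULL, 10)` gives `strtoul` the terminator that the fixed-width `ar_size` field lacks, which is the right fix for the over-read, but the same three-line sequence is repeated in three functions in this patch; a small helper, or copying the field into a NUL-terminated local buffer, would keep a future call site from forgetting the restore. The existing `(signed long) size < 0` test is still needed after this change, since `strtoul` accepts a leading sign and a terminator alone does not bound the value.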
+@@ -655,7 +659,10 @@ setup_archive (struct archive_info *arch
+   if (const_strneq (arch->arhdr.ar_name, "//              "))
+     {
+       /* This is the archive string table holding long member names.  */
++      char fmag_save = arch->arhdr.ar_fmag[0];
++      arch->arhdr.ar_fmag[0] = 0;
+       arch->longnames_size = strtoul (arch->arhdr.ar_size, NULL, 10);
++      arch->arhdr.ar_fmag[0] = fmag_save;
+       /* PR 17531: file: 01068045.  */
+       if (arch->longnames_size < 8)
+ 	{
+@@ -758,6 +765,7 @@ get_archive_member_name (struct archive_
+       char *endp;
+       char *member_file_name;
+       char *member_name;
++      char fmag_save;
+ 
+       if (arch->longnames == NULL || arch->longnames_size == 0)
+ 	{
+@@ -766,9 +774,12 @@ get_archive_member_name (struct archive_
+ 	}
+ 
+       arch->nested_member_origin = 0;
++      fmag_save = arch->arhdr.ar_fmag[0];
++      arch->arhdr.ar_fmag[0] = 0;
+       k = j = strtoul (arch->arhdr.ar_name + 1, &endp, 10);
+       if (arch->is_thin_archive && endp != NULL && * endp == ':')
+         arch->nested_member_origin = strtoul (endp + 1, NULL, 10);
++      arch->arhdr.ar_fmag[0] = fmag_save;
+ 
+       if (j > arch->longnames_size)
+ 	{
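Review bot: zeroing `ar_fmag[0]` bounds the `strtoul (arch->arhdr.ar_name + 1, &endp, 10)` to the end of the header, not to the end of the 16-byte name field, so a name field filled with digits and no trailing space lets the parse continue through the header fields that follow; the read stays in bounds and the `j > arch->longnames_size` check that follows rejects the resulting oversized index, so this is a precision note rather than a safety one. The second `strtoul (endp + 1, NULL, 10)` for thin archives is covered by the same terminator.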
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-10-28  Alan Modra  <amodra@gmail.com>
++
++       PR 22361
++       * readelf.c (process_archive_index_and_symbols): Ensure ar_size
++       field is zero terminated for strtoul.
++       (setup_archive, get_archive_member_name): Likewise.
++
+ 2017-09-26  Alan Modra  <amodra@gmail.com>
+  
+        PR 22205
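Review bot: this ChangeLog entry is applied to bfd/ChangeLog, but the code change is in binutils/elfcomm.c and the patch's own diffstat lists `binutils/ChangeLog | 7 +++++++`; the entry belongs in binutils/ChangeLog. The entry text names readelf.c while the diff touches elfcomm.c (that wording comes from the upstream commit message, so it is at most a nit to mention in the backport header). The entry body uses spaces where the file uses a tab.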
-- 
2.7.4




* [ROCKO][PATCH 17/27] binutils: Security fix for CVE-2017-16826
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16826.patch         | 53 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 7928de9..d75ec50 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -52,6 +52,7 @@ SRC_URI = "\
      file://CVE-2017-15225.patch \
      file://CVE-2017-15939.patch \
      file://CVE-2017-15996.patch \
+     file://CVE-2017-16826.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch
new file mode 100644
index 0000000..bb24ba8
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch
@@ -0,0 +1,53 @@
+From a67d66eb97e7613a38ffe6622d837303b3ecd31d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 1 Nov 2017 15:21:46 +0000
+Subject: [PATCH] Prevent illegal memory accesses when attempting to read
+ excessively large COFF line number tables.
+
+	PR 22376
+	* coffcode.h (coff_slurp_line_table): Check for an excessively
+	large line number count.
+
+Upstream-Status: Backport 
+Affects: <= 2.29.1
+CVE: CVE-2017-16826
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  | 6 ++++++
+ bfd/coffcode.h | 8 ++++++++
+ 2 files changed, 14 insertions(+)
+
+Index: git/bfd/coffcode.h
+===================================================================
+--- git.orig/bfd/coffcode.h
++++ git/bfd/coffcode.h
+@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asecti
+ 
+   BFD_ASSERT (asect->lineno == NULL);
+ 
++  if (asect->lineno_count > asect->size)
++    {
++      _bfd_error_handler
++	(_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"),
++	 abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size);
++      return FALSE;
++    }
++
+   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
+   lineno_cache = (alent *) bfd_alloc (abfd, amt);
+   if (lineno_cache == NULL)
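Review bot: the new guard `asect->lineno_count > asect->size` compares an entry count with a byte size, which is only a loose cap: each line-number entry occupies several bytes in the file, so a count of up to `size` entries still passes although `lineno_count * bfd_coff_linesz (abfd)` bytes could never fit in the section. That is enough to stop the oversized `bfd_alloc` of `(lineno_count + 1) * sizeof (alent)` below from being attempted, which is the reported problem, but a check against the on-disk entry size would reject more corrupt inputs. The early `return FALSE` also follows only a warning, with no `bfd_set_error`, so a caller that queries `bfd_get_error ()` afterwards sees a stale code.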
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-01  Nick Clifton  <nickc@redhat.com>
++ 
++       PR 22376
++       * coffcode.h (coff_slurp_line_table): Check for an excessively
++       large line number count.
++
+ 2017-10-28  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22361
-- 
2.7.4




* [ROCKO][PATCH 18/27] binutils: Security fix for CVE-2017-16827
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16827.patch         | 95 ++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d75ec50..7d05046 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
      file://CVE-2017-15939.patch \
      file://CVE-2017-15996.patch \
      file://CVE-2017-16826.patch \
+     file://CVE-2017-16827.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
new file mode 100644
index 0000000..dbc577c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
@@ -0,0 +1,95 @@
+From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 16:43:47 +1030
+Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
+
+	PR 22306
+	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
+	and error for any other size that doesn't cover the header word.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16827
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/aoutx.h   | 45 ++++++++++++++++++++++++++++++---------------
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h
++++ git/bfd/aoutx.h
+@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
+ 	  || bfd_bread ((void *) string_chars, amt, abfd) != amt)
+ 	return FALSE;
+       stringsize = GET_WORD (abfd, string_chars);
++      if (stringsize == 0)
++	stringsize = 1;
++      else if (stringsize < BYTES_IN_WORD
++	       || (size_t) stringsize != stringsize)
++	{
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
+ 
+ #ifdef USE_MMAP
+-      if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+-				 &obj_aout_string_window (abfd), TRUE))
+-	return FALSE;
+-      strings = (char *) obj_aout_string_window (abfd).data;
+-#else
+-      strings = (char *) bfd_malloc (stringsize + 1);
+-      if (strings == NULL)
+-	return FALSE;
+-
+-      /* Skip space for the string count in the buffer for convenience
+-	 when using indexes.  */
+-      amt = stringsize - BYTES_IN_WORD;
+-      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++      if (stringsize >= BYTES_IN_WORD)
+ 	{
+-	  free (strings);
+-	  return FALSE;
++	  if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
++				     &obj_aout_string_window (abfd), TRUE))
++	    return FALSE;
++	  strings = (char *) obj_aout_string_window (abfd).data;
+ 	}
++      else
+ #endif
++	{
++	  strings = (char *) bfd_malloc (stringsize);
++	  if (strings == NULL)
++	    return FALSE;
+ 
++	  if (stringsize >= BYTES_IN_WORD)
++	    {
++	      /* Keep the string count in the buffer for convenience
++		 when indexing with e_strx.  */
++	      amt = stringsize - BYTES_IN_WORD;
++	      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++		{
++		  free (strings);
++		  return FALSE;
++		}
++	    }
++	}
+       /* Ensure that a zero index yields an empty string.  */
+       strings[0] = '\0';
+ 
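Review bot: the non-mmap path now allocates `stringsize` bytes where the removed code allocated `stringsize + 1`; confirm that no consumer of `strings` relies on a terminating NUL at `strings[stringsize]`, otherwise keep the extra byte. The `stringsize == 0` case is mapped to a 1-byte table so the `strings[0] = '\0'` store below stays in bounds, and the `stringsize < BYTES_IN_WORD || (size_t) stringsize != stringsize` test rejects both a header-sized-or-smaller table and a value truncated on a 32-bit host. The `#ifdef USE_MMAP` / `else` / `#endif` arrangement is correct but brittle, as the `else` sits inside the conditional while its body sits outside; a comment there would help the next reader, and the inner `if (stringsize >= BYTES_IN_WORD)` is redundant after the check above except for the forced `stringsize = 1` case.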
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-17  Alan Modra  <amodra@gmail.com>
++
++       PR 22306
++       * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
++       and error for any other size that doesn't cover the header word.
++
+ 2017-11-01  Nick Clifton  <nickc@redhat.com>
+  
+        PR 22376
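Review bot: the 2017-10-17 entry is inserted above the existing 2017-11-01 entry; ChangeLog files are kept newest-first, so it belongs below that block. Harmless for the backport, but it will not match upstream ordering.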
-- 
2.7.4




* [ROCKO][PATCH 19/27] binutils: Security fix for CVE-2017-16828
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   2 +
 .../binutils/binutils/CVE-2017-16828_p1.patch      |  79 +++++++++++
 .../binutils/binutils/CVE-2017-16828_p2.patch      | 149 +++++++++++++++++++++
 3 files changed, 230 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 7d05046..65d3c34 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
      file://CVE-2017-15996.patch \
      file://CVE-2017-16826.patch \
      file://CVE-2017-16827.patch \
+     file://CVE-2017-16828_p1.patch \
+     file://CVE-2017-16828_p2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000..310908f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
+From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 5 Oct 2017 17:32:18 +1030
+Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
+
+Pointer comparisons have traps for the unwary.  After adding a large
+unknown value to "start", the test "start < end" depends on where
+"start" is originally in memory.
+
+	PR 22239
+	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
+	after adding a possibly wild length to "start", compare the length
+	to the difference of the pointers instead.  Remove now redundant
+	"negative" length test.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  8 ++++++++
+ binutils/dwarf.c   | 15 ++++-----------
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
+     {
+       READ_ULEB (augmentation_data_len);
+       augmentation_data = start;
+-      start += augmentation_data_len;
+       /* PR 17512: file: 11042-2589-0.004.  */
+-      if (start > end)
++      if (augmentation_data_len > (size_t) (end - start))
+ 	{
+ 	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+-		augmentation_data_len, (long)((end - start) + augmentation_data_len));
++		augmentation_data_len, (unsigned long) (end - start));
+ 	  return end;
+ 	}
++      start += augmentation_data_len;
+     }
+ 
+   if (augmentation_data_len)
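Review bot: replacing `start += augmentation_data_len; if (start > end)` with `if (augmentation_data_len > (size_t) (end - start))` removes the pointer-overflow trap, but the cast to `size_t` silently assumes `start <= end` on entry; if an earlier read could have pushed `start` past `end`, the difference wraps to a huge value and the check passes. A `start > end` guard before the cast, or an assertion, would make that assumption explicit. The warning now prints `end - start` before `start` is advanced, which is the same quantity the removed code reconstructed by adding the length back.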
+@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
+       q = augmentation_data;
+       qend = q + augmentation_data_len;
+ 
+-      /* PR 17531: file: 015adfaa.  */
+-      if (qend < q)
+-	{
+-	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
+-	  augmentation_data_len = 0;
+-	}
+-
+-      while (p < end && q < augmentation_data + augmentation_data_len)
++      while (p < end && q < qend)
+ 	{
+ 	  if (*p == 'L')
+ 	    q++;
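Review bot: dropping the `qend < q` test is only safe because the hunk above now bounds `augmentation_data_len` to `end - start` before `qend = q + augmentation_data_len` is computed, so the two hunks must travel together; keeping them in one patch file, as done here, is right. The loop condition `q < qend` is clearer than the former recomputation of `augmentation_data + augmentation_data_len` on every iteration.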
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
++2017-10-05  Alan Modra  <amodra@gmail.com>
++
++       PR 22239
++       * dwarf.c (read_cie): Don't compare "start" and "end" pointers
++       after adding a possibly wild length to "start", compare the length
++       to the difference of the pointers instead.  Remove now redundant
++       "negative" length test.
++
+ 2017-09-27  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22219
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
new file mode 100644
index 0000000..5073d31
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
@@ -0,0 +1,149 @@
+From bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 3 Nov 2017 13:57:15 +0000
+Subject: [PATCH] Fix integer overflow problems when reading an ELF binary with
+ corrupt augmentation data.
+
+	PR 22386
+	* dwarf.c (read_cie): Use bfd_size_type for
+	augmentation_data_len.
+	(display_augmentation_data): New function.
+	(display_debug_frames): Use it.
+	Check for integer overflow when testing augmentation_data_len.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 10 +++++++++
+ binutils/dwarf.c   | 65 +++++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 50 insertions(+), 25 deletions(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -6577,13 +6577,13 @@ frame_display_row (Frame_Chunk *fc, int
+ static unsigned char *
+ read_cie (unsigned char *start, unsigned char *end,
+ 	  Frame_Chunk **p_cie, int *p_version,
+-	  unsigned long *p_aug_len, unsigned char **p_aug)
++	  bfd_size_type *p_aug_len, unsigned char **p_aug)
+ {
+   int version;
+   Frame_Chunk *fc;
+   unsigned int length_return;
+   unsigned char *augmentation_data = NULL;
+-  unsigned long augmentation_data_len = 0;
++  bfd_size_type augmentation_data_len = 0;
+ 
+   * p_cie = NULL;
+   /* PR 17512: file: 001-228113-0.004.  */
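Review bot: widening `p_aug_len` from `unsigned long *` to `bfd_size_type *` changes the signature of `read_cie`, so every caller's variable must change in step (the `display_debug_frames` hunk in this same patch does); a caller left with `unsigned long` would only draw a pointer-type warning in C while reading the wrong width through the pointer, so it is worth grepping for other callers in the 2.29.1 tree.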
+@@ -6653,10 +6653,11 @@ read_cie (unsigned char *start, unsigned
+       READ_ULEB (augmentation_data_len);
+       augmentation_data = start;
+       /* PR 17512: file: 11042-2589-0.004.  */
+-      if (augmentation_data_len > (size_t) (end - start))
++      if (augmentation_data_len > (bfd_size_type) (end - start))
+ 	{
+-	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+-		augmentation_data_len, (unsigned long) (end - start));
++	  warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),
++		dwarf_vmatoa ("x", augmentation_data_len),
++		(unsigned long) (end - start));
+ 	  return end;
+ 	}
+       start += augmentation_data_len;
+@@ -6701,6 +6702,31 @@ read_cie (unsigned char *start, unsigned
+   return start;
+ }
+ 
++/* Prints out the contents on the augmentation data array.
++   If do_wide is not enabled, then formats the output to fit into 80 columns.  */
++
++static void
++display_augmentation_data (const unsigned char * data, const bfd_size_type len)
++{
++  bfd_size_type i;
++
++  i = printf (_("  Augmentation data:    "));
++
++  if (do_wide || len < ((80 - i) / 3))
++    for (i = 0; i < len; ++i)
++      printf (" %02x", data[i]);
++  else
++    {
++      for (i = 0; i < len; ++i)
++	{
++	  if (i % (80 / 3) == 0)
++	    putchar ('\n');
++	  printf (" %02x", data[i]);
++	}
++    }
++  putchar ('\n');
++}
++
+ static int
+ display_debug_frames (struct dwarf_section *section,
+ 		      void *file ATTRIBUTE_UNUSED)
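Review bot: in `display_augmentation_data`, the wrapping branch tests `i % (80 / 3) == 0` starting from `i == 0`, so a newline is always emitted before the first byte and the "Augmentation data:" label line is left empty; if the intent is to fill the label line first, the test should be `i > 0 && i % (80 / 3) == 0`. Also, `i = printf (...)` stores an `int` return in a `bfd_size_type`, so a negative return on output error wraps; the value only drives layout here, but assigning it to an `int` first would be cleaner.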
+@@ -6729,7 +6755,7 @@ display_debug_frames (struct dwarf_secti
+       Frame_Chunk *cie;
+       int need_col_headers = 1;
+       unsigned char *augmentation_data = NULL;
+-      unsigned long augmentation_data_len = 0;
++      bfd_size_type augmentation_data_len = 0;
+       unsigned int encoded_ptr_size = saved_eh_addr_size;
+       unsigned int offset_size;
+       unsigned int initial_length_size;
+@@ -6823,16 +6849,8 @@ display_debug_frames (struct dwarf_secti
+ 	      printf ("  Return address column: %d\n", fc->ra);
+ 
+ 	      if (augmentation_data_len)
+-		{
+-		  unsigned long i;
++		display_augmentation_data (augmentation_data, augmentation_data_len);
+ 
+-		  printf ("  Augmentation data:    ");
+-		  for (i = 0; i < augmentation_data_len; ++i)
+-		    /* FIXME: If do_wide is FALSE, then we should
+-		       add carriage returns at 80 columns...  */
+-		    printf (" %02x", augmentation_data[i]);
+-		  putchar ('\n');
+-		}
+ 	      putchar ('\n');
+ 	    }
+ 	}
+@@ -6988,11 +7006,13 @@ display_debug_frames (struct dwarf_secti
+ 	      READ_ULEB (augmentation_data_len);
+ 	      augmentation_data = start;
+ 	      start += augmentation_data_len;
+-	      /* PR 17512: file: 722-8446-0.004.  */
+-	      if (start >= end || ((signed long) augmentation_data_len) < 0)
++	      /* PR 17512 file: 722-8446-0.004 and PR 22386.  */
++	      if (start >= end
++		  || ((bfd_signed_vma) augmentation_data_len) < 0
++		  || augmentation_data > start)
+ 		{
+-		  warn (_("Corrupt augmentation data length: %lx\n"),
+-			augmentation_data_len);
++		  warn (_("Corrupt augmentation data length: 0x%s\n"),
++			dwarf_vmatoa ("x", augmentation_data_len));
+ 		  start = end;
+ 		  augmentation_data = NULL;
+ 		  augmentation_data_len = 0;
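Review bot: this FDE path still advances `start` by the unchecked length first and then relies on `augmentation_data > start` to detect pointer wrap-around, which is the pattern the read_cie hunk earlier in this patch (and the p1 patch) replaced; pointer overflow is undefined behaviour in C, so a compiler may legally discard that comparison. The robust form is the same `augmentation_data_len > (bfd_size_type) (end - start)` test before the `start +=`, which also makes the `((bfd_signed_vma) augmentation_data_len) < 0` test redundant.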
+@@ -7014,12 +7034,7 @@ display_debug_frames (struct dwarf_secti
+ 
+ 	  if (! do_debug_frames_interp && augmentation_data_len)
+ 	    {
+-	      unsigned long i;
+-
+-	      printf ("  Augmentation data:    ");
+-	      for (i = 0; i < augmentation_data_len; ++i)
+-		printf (" %02x", augmentation_data[i]);
+-	      putchar ('\n');
++	      display_augmentation_data (augmentation_data, augmentation_data_len);
+ 	      putchar ('\n');
+ 	    }
+ 	}
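Review bot: the patch's diffstat lists `binutils/ChangeLog | 10 +++++++++` but no ChangeLog hunk is included, so the diffstat does not describe this backport; either drop that line or carry the entry, as the other patches in this series do. The hunk itself is a straight replacement of the inline loop by the new helper and looks fine.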
-- 
2.7.4




* [ROCKO][PATCH 20/27] binutils: Security fix for CVE-2017-16829
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16829.patch         | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 65d3c34..1fa3eb7 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -56,6 +56,7 @@ SRC_URI = "\
      file://CVE-2017-16827.patch \
      file://CVE-2017-16828_p1.patch \
      file://CVE-2017-16828_p2.patch \
+     file://CVE-2017-16829.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
new file mode 100644
index 0000000..f9410e2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
+From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 21:57:29 +1030
+Subject: [PATCH] PR22307, Heap out of bounds read in
+ _bfd_elf_parse_gnu_properties
+
+When adding an unbounded increment to a pointer, you can't just check
+against the end of the buffer but also must check that overflow
+doesn't result in "negative" pointer movement.  Pointer comparisons
+are signed.  Better, check the increment against the space left using
+an unsigned comparison.
+
+	PR 22307
+	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+	against size left rather than comparing pointers.  Reorganise loop.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog        |  6 ++++++
+ bfd/elf-properties.c | 18 +++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+Index: git/bfd/elf-properties.c
+===================================================================
+--- git.orig/bfd/elf-properties.c
++++ git/bfd/elf-properties.c
+@@ -93,15 +93,20 @@ bad_size:
+       return FALSE;
+     }
+ 
+-  while (1)
++  while (ptr != ptr_end)
+     {
+-      unsigned int type = bfd_h_get_32 (abfd, ptr);
+-      unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
++      unsigned int type;
++      unsigned int datasz;
+       elf_property *prop;
+ 
++      if ((size_t) (ptr_end - ptr) < 8)
++	goto bad_size;
++
++      type = bfd_h_get_32 (abfd, ptr);
++      datasz = bfd_h_get_32 (abfd, ptr + 4);
+       ptr += 8;
+ 
+-      if ((ptr + datasz) > ptr_end)
++      if (datasz > (size_t) (ptr_end - ptr))
+ 	{
+ 	  _bfd_error_handler
+ 	    (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
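Review bot: `while (ptr != ptr_end)` terminates only if the aligned advance at `next:` never steps past `ptr_end`; that holds when `descsz` has been checked to be a multiple of `align_size` before the loop (the `bad_size:` label in the hunk header shows such a check precedes, but it is not visible here), whereas `while (ptr < ptr_end)` would not depend on it. The `(size_t) (ptr_end - ptr) < 8` test before the two `bfd_h_get_32` reads and the `datasz > (size_t) (ptr_end - ptr)` test after `ptr += 8` are the right unsigned remaining-space comparisons and close the out-of-bounds read.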
+@@ -182,11 +187,6 @@ bad_size:
+ 
+ next:
+       ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
+-      if (ptr == ptr_end)
+-	break;
+-
+-      if (ptr > (ptr_end - 8))
+-	goto bad_size;
+     }
+ 
+   return TRUE;
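Review bot: with the bounds checks moved to the loop head, the removed `ptr > (ptr_end - 8)` test is no longer needed, and dropping it also removes a `ptr_end - 8` computation that itself pointed before the buffer when fewer than 8 bytes remained. The rounding in `(datasz + (align_size - 1)) & ~ (align_size - 1)` cannot overflow because `datasz` is now bounded by the remaining space before reaching here.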
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,10 @@
+ 2017-10-17  Alan Modra  <amodra@gmail.com>
++ 
++       PR 22307
++       * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
++       against size left rather than comparing pointers.  Reorganise loop.
++
++2017-10-17  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22306
+        * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
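Review bot: this hunk splices the new PR 22307 entry between the existing `2017-10-17  Alan Modra` header and its PR 22306 body, then re-adds the header for PR 22306; the result reads correctly as two same-day entries, but the blank line after the kept header carries a trailing space and the body uses spaces where the file uses a tab.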
-- 
2.7.4




* [ROCKO][PATCH 21/27] binutils: Security fix for CVE-2017-16830
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16830.patch         | 91 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 1fa3eb7..69ad9b2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -57,6 +57,7 @@ SRC_URI = "\
      file://CVE-2017-16828_p1.patch \
      file://CVE-2017-16828_p2.patch \
      file://CVE-2017-16829.patch \
+     file://CVE-2017-16830.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch
new file mode 100644
index 0000000..1382c8e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch
@@ -0,0 +1,91 @@
+From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
+From: Mingi Cho <mgcho.minic@gmail.com>
+Date: Thu, 2 Nov 2017 17:01:08 +0000
+Subject: [PATCH] Work around integer overflows when readelf is checking for
+ corrupt ELF notes when run on a 32-bit host.
+
+	PR 22384
+	* readelf.c (print_gnu_property_note): Improve overflow checks so
+	that they will work on a 32-bit host.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16830
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 33 +++++++++++++++++----------------
+ 2 files changed, 23 insertions(+), 16 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No
+       return;
+     }
+ 
+-  while (1)
++  while (ptr < ptr_end)
+     {
+       unsigned int j;
+-      unsigned int type = byte_get (ptr, 4);
+-      unsigned int datasz = byte_get (ptr + 4, 4);
++      unsigned int type;
++      unsigned int datasz;
++
++      if ((size_t) (ptr_end - ptr) < 8)
++	{
++	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
++	  break;
++	}
++
++      type = byte_get (ptr, 4);
++      datasz = byte_get (ptr + 4, 4);
+ 
+       ptr += 8;
+ 
+-      if ((ptr + datasz) > ptr_end)
++      if (datasz > (size_t) (ptr_end - ptr))
+ 	{
+ 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),
+ 		  type, datasz);
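Review bot: moving the `<corrupt descsz>` diagnostic to the loop head, before the two `byte_get` reads, is the right place for it, and because the loop is now guarded by `while (ptr < ptr_end)` the `(size_t) (ptr_end - ptr)` casts here cannot wrap; this is the more defensive form than the `!=` used in the bfd counterpart of this change (CVE-2017-16829). The `datasz > (size_t) (ptr_end - ptr)` test after `ptr += 8` is the unsigned remaining-space comparison that works on a 32-bit host, which is the point of PR 22384.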
+@@ -16520,19 +16529,11 @@ next:
+       ptr += ((datasz + (size - 1)) & ~ (size - 1));
+       if (ptr == ptr_end)
+ 	break;
+-      else
+-	{
+-	  if (do_wide)
+-	    printf (", ");
+-	  else
+-	    printf ("\n\t");
+-	}
+ 
+-      if (ptr > (ptr_end - 8))
+-	{
+-	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+-	  break;
+-	}
++      if (do_wide)
++	printf (", ");
++      else
++	printf ("\n\t");
+     }
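Review bot: with the loop now conditioned on `ptr < ptr_end`, the retained `if (ptr == ptr_end) break;` after the aligned advance is redundant as a bounds check and only serves to suppress the trailing `", "` or `"\n\t"` separator after the last property; a one-line comment saying so would keep someone from removing it as dead code, and if the advance ever overshoots `ptr_end` the separator is printed once before the loop condition ends the loop.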
+ 
+   printf ("\n");
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
++
++       PR 22384
++       * readelf.c (print_gnu_property_note): Improve overflow checks so
++       that they will work on a 32-bit host.
++
+ 2017-10-05  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22239
-- 
2.7.4




* [ROCKO][PATCH 22/27] binutils: Security fix for CVE-2017-16831
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16831.patch         | 77 ++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 69ad9b2..d9758c4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -58,6 +58,7 @@ SRC_URI = "\
      file://CVE-2017-16828_p2.patch \
      file://CVE-2017-16829.patch \
      file://CVE-2017-16830.patch \
+     file://CVE-2017-16831.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch
new file mode 100644
index 0000000..7acd5e0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch
@@ -0,0 +1,77 @@
+From 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 3 Nov 2017 11:55:21 +0000
+Subject: [PATCH] Fix excessive memory allocation attempts and possible integer
+ overfloaws when attempting to read a COFF binary with a corrupt symbol count.
+
+	PR 22385
+	* coffgen.c (_bfd_coff_get_external_symbols): Check for an
+	overlarge raw syment count.
+	(coff_get_normalized_symtab): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE:  CVE-2017-16831
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/coffgen.c | 17 +++++++++++++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2017-11-03  Mingi Cho  <mgcho.minic@gmail.com>
++           Nick Clifton  <nickc@redhat.com>
++
++       PR 22385
++       * coffgen.c (_bfd_coff_get_external_symbols): Check for an
++       overlarge raw syment count.
++       (coff_get_normalized_symtab): Likewise.
++
+ 2017-10-17  Alan Modra  <amodra@gmail.com>
+  
+        PR 22307
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
++++ git/bfd/coffgen.c
+@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf
+   size = obj_raw_syment_count (abfd) * symesz;
+   if (size == 0)
+     return TRUE;
++   /* Check for integer overflow and for unreasonable symbol counts.  */
++   if (size < obj_raw_syment_count (abfd)
++       || (bfd_get_file_size (abfd) > 0
++          && size > bfd_get_file_size (abfd)))
++
++     {
++       _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"),
++                         abfd, obj_raw_syment_count (abfd));
++       return FALSE;
++    }
+ 
+   syms = bfd_malloc (size);
+   if (syms == NULL)
+     {
+       /* PR 21013: Provide an error message when the alloc fails.  */
+-      _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"),
+-			  abfd, size);
++      _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"),
++                         abfd, obj_raw_syment_count (abfd), symesz);
+       return FALSE;
+     }
+ 
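
Review bot: the overflow test `size < obj_raw_syment_count (abfd)` is not a complete check for the product `obj_raw_syment_count (abfd) * symesz` wrapping: a wrapped product can land above the count as easily as below it, so a forged symbol count can still get past this line. The comparison against `bfd_get_file_size (abfd)` that follows is what really bounds the allocation, and it is skipped whenever the file size is reported as 0. A division-based test such as `size / symesz != obj_raw_syment_count (abfd)` (size is already known to be non-zero here) detects every wrap. Style point for the backport: the added block is indented three spaces against the file's two, has a stray blank line between the condition and its `{`, and closes its brace at a different column from the opening one.
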
+@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd)
+     return NULL;
+ 
+   size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
++  /* Check for integer overflow.  */
++  if (size < obj_raw_syment_count (abfd))
++    return NULL;
+   internal = (combined_entry_type *) bfd_zalloc (abfd, size);
+   if (internal == NULL && size != 0)
+     return NULL;
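
Review bot: same weakness as in `_bfd_coff_get_external_symbols`: `size < obj_raw_syment_count (abfd)` only catches wraps that happen to land below the count, and here there is no follow-up comparison against the file size at all, so `bfd_zalloc` can still be asked for a huge but non-wrapped size. Suggest `size / sizeof (combined_entry_type) != obj_raw_syment_count (abfd)` for the overflow test, and if the count has already been bounded by an earlier call to `_bfd_coff_get_external_symbols`, a comment saying so would explain why only the wrap test is repeated here.
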
-- 
2.7.4




* [ROCKO][PATCH 23/27] binutils: Security fix for CVE-2017-16832
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-16832.patch         | 61 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d9758c4..b1842cb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
      file://CVE-2017-16829.patch \
      file://CVE-2017-16830.patch \
      file://CVE-2017-16831.patch \
+     file://CVE-2017-16832.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
new file mode 100644
index 0000000..9044bcc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
@@ -0,0 +1,61 @@
+From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 31 Oct 2017 14:29:40 +0000
+Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
+ with a corrupt data dictionary.
+
+	PR 22373
+	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+	offset values.
+
+Upstrem-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16832
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/peicode.h | 9 ++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+Index: git/bfd/peicode.h
+===================================================================
+--- git.orig/bfd/peicode.h
++++ git/bfd/peicode.h
+@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
+   bfd_byte *data = 0;
+   bfd_size_type dataoff;
+   unsigned int i;
+-
+   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
+   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
+ 
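
Review bot: this hunk only deletes a blank line between the local declarations and the `addr` initialisation; it has nothing to do with the PR 22373 fix and is one more hunk that can fail to apply on the 2.29.1 tree. It can be dropped from the backport without losing anything.
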
+@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
+ 
+   dataoff = addr - section->vma;
+ 
+-  /* PR 20605: Make sure that the data is really there.  */
+-  if (dataoff + size > section->size)
++  /* PR 20605 and 22373: Make sure that the data is really there.
++     Note - since we are dealing with unsigned quantities we have
++     to be careful to check for potential overflows.  */
++  if (dataoff > section->size
++      || size > section->size
++      || dataoff + size > section->size)
+     {
+       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
+ 			  abfd);
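
Review bot: the three-way test is sound: checking `dataoff` and `size` individually against `section->size` before testing the sum means `dataoff + size` cannot wrap unless `section->size` itself exceeds half the range of `bfd_size_type`, which closes the overflow behind PR 22373. It also covers the case where `addr` lies below `section->vma`, since `dataoff = addr - section->vma;` then wraps to a huge value that fails `dataoff > section->size`. One nit: the error text still says the data ends beyond the "debug directory", while the bound actually applied is the containing section's size; rewording it would avoid confusion when it fires.
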
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-31  Nick Clifton  <nickc@redhat.com>
++
++       PR 22373
++       * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
++       offset values.
++
+ 2017-11-03  Mingi Cho  <mgcho.minic@gmail.com>
+            Nick Clifton  <nickc@redhat.com>
+ 
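
Review bot: the new entry is dated 2017-10-31 but is inserted above the 2017-11-03 entry for PR 22385, so the ChangeLog is no longer in reverse chronological order. The backports are being applied in CVE order rather than upstream commit order; either place this entry below the 2017-11-03 one or drop the ChangeLog hunks from the backports altogether, since the .inc file already records which CVE each patch addresses.
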
-- 
2.7.4




* [ROCKO][PATCH 24/27] binutils: Security fix for CVE-2017-17080
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-17080.patch         | 78 ++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index b1842cb..3617b20 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -60,6 +60,7 @@ SRC_URI = "\
      file://CVE-2017-16830.patch \
      file://CVE-2017-16831.patch \
      file://CVE-2017-16832.patch \
+     file://CVE-2017-17080.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch
new file mode 100644
index 0000000..611a276
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch
@@ -0,0 +1,78 @@
+From 80a0437873045cc08753fcac4af154e2931a99fd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 16 Nov 2017 14:53:32 +0000
+Subject: [PATCH] Prevent illegal memory accesses when parsing incorrecctly
+ formated core notes.
+
+	PR 22421
+	* elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough.
+	(elfcore_grok_openbsd_procinfo): Likewise.
+	(elfcore_grok_nto_status): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17080 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/elf.c     | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -9862,6 +9862,7 @@ elfcore_grok_freebsd_psinfo (bfd *abfd,
+   /* Check for version 1 in pr_version.  */
+   if (bfd_h_get_32 (abfd, (bfd_byte *) note->descdata) != 1)
+     return FALSE;
++
+   offset = 4;
+ 
+   /* Skip over pr_psinfosz. */
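
Review bot: whitespace-only hunk (a blank line added in `elfcore_grok_freebsd_psinfo`), unrelated to the PR 22421 checks; harmless, but it is another hunk that can fail to apply on a 2.29.1 tree and could be left out of the backport.
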
+@@ -10030,6 +10031,9 @@ elfcore_netbsd_get_lwpid (Elf_Internal_N
+ static bfd_boolean
+ elfcore_grok_netbsd_procinfo (bfd *abfd, Elf_Internal_Note *note)
+ {
++  if (note->descsz <= 0x7c + 31)
++    return FALSE;
++
+   /* Signal number at offset 0x08. */
+   elf_tdata (abfd)->core->signal
+     = bfd_h_get_32 (abfd, (bfd_byte *) note->descdata + 0x08);
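
Review bot: the bound `note->descsz <= 0x7c + 31` is a bare magic number: the hunk only shows the read at offset 0x08, so a reader cannot see which field at 0x7c the `+ 31` accounts for. A comment naming that last field and its length (with `<=` and `+ 31` the check requires descsz to be at least 0x7c + 32, i.e. a 32-byte field at 0x7c), or a `#define` for the minimum procinfo size, would make the check verifiable against the NetBSD structure layout.
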
+@@ -10114,6 +10118,9 @@ elfcore_grok_netbsd_note (bfd *abfd, Elf
+ static bfd_boolean
+ elfcore_grok_openbsd_procinfo (bfd *abfd, Elf_Internal_Note *note)
+ {
++  if (note->descsz <= 0x48 + 31)
++    return FALSE;
++
+   /* Signal number at offset 0x08. */
+   elf_tdata (abfd)->core->signal
+     = bfd_h_get_32 (abfd, (bfd_byte *) note->descdata + 0x08);
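
Review bot: as with the NetBSD check, `0x48 + 31` should be explained: the hunk shows only the signal read at offset 0x08, so the field at 0x48 that the `+ 31` covers is not visible. A short comment or a named constant for the minimum OpenBSD procinfo size would make the bound auditable.
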
+@@ -10185,6 +10192,9 @@ elfcore_grok_nto_status (bfd *abfd, Elf_
+   short sig;
+   unsigned flags;
+ 
++  if (note->descsz < 16)
++    return FALSE;
++
+   /* nto_procfs_status 'pid' field is at offset 0.  */
+   elf_tdata (abfd)->core->pid = bfd_get_32 (abfd, (bfd_byte *) ddata);
+ 
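
Review bot: this check is written as `note->descsz < 16` (a total size), whereas the NetBSD and OpenBSD checks in the same patch use the `<= last_offset + 31` form; both are correct, but mixing the two styles makes an off-by-one harder to spot. A comment stating which fields the 16 bytes cover (the `pid` read at offset 0 is the only one visible in the hunk) would help.
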
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-16  Nick Clifton  <nickc@redhat.com>
++ 
++       PR 22421
++       * elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough.
++       (elfcore_grok_openbsd_procinfo): Likewise.
++       (elfcore_grok_nto_status): Likewise.
++
+ 2017-10-31  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22373
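
Review bot: the blank line after the date/author header (`++ `) carries a trailing space; ChangeLog entries use an empty line there, and the trailing whitespace will trip the whitespace warnings of `git am`.
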
-- 
2.7.4




* [ROCKO][PATCH 25/27] Binutils: Security fix for CVE-2017-17121
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2017-17121.patch         | 366 +++++++++++++++++++++
 2 files changed, 367 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 3617b20..c1d5740 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
      file://CVE-2017-16831.patch \
      file://CVE-2017-16832.patch \
      file://CVE-2017-17080.patch \
+     file://CVE-2017-17121.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch
new file mode 100644
index 0000000..4b675f7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch
@@ -0,0 +1,366 @@
+From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Nov 2017 13:20:31 +0000
+Subject: [PATCH] Fix a memory access violation when attempting to parse a
+ corrupt COFF binary with a relocation that points beyond the end of the
+ section to be relocated.
+
+	PR 22506
+	* reloc.c (reloc_offset_in_range): Rename to
+	bfd_reloc_offset_in_range and export.
+	(bfd_perform_relocation): Rename function invocation.
+	(bfd_install_relocation): Likewise.
+	(bfd_final_link_relocate): Likewise.
+	* bfd-in2.h: Regenerate.
+	* coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
+	* coff-i386.c (coff_i386_reloc): Likewise.
+	* coff-i860.c (coff_i860_reloc): Likewise.
+	* coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
+	* coff-m88k.c (m88k_special_reloc): Likewise.
+	* coff-mips.c (mips_reflo_reloc): Likewise.
+	* coff-x86_64.c (coff_amd64_reloc): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17121
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog     | 17 +++++++++++++++
+ bfd/bfd-in2.h     |  6 +++++
+ bfd/coff-arm.c    | 65 ++++++++++++++++++++++++++++++-------------------------
+ bfd/coff-i386.c   |  5 +++++
+ bfd/coff-i860.c   |  5 +++++
+ bfd/coff-m68k.c   |  5 +++++
+ bfd/coff-m88k.c   |  9 +++++++-
+ bfd/coff-mips.c   |  6 +++++
+ bfd/coff-x86_64.c | 16 +++++---------
+ bfd/reloc.c       | 40 +++++++++++++++++++++++++++++-----
+ 10 files changed, 126 insertions(+), 48 deletions(-)
+
+Index: git/bfd/bfd-in2.h
+===================================================================
+--- git.orig/bfd/bfd-in2.h
++++ git/bfd/bfd-in2.h
+@@ -2661,6 +2661,12 @@ bfd_reloc_status_type bfd_check_overflow
+     unsigned int addrsize,
+     bfd_vma relocation);
+ 
++bfd_boolean bfd_reloc_offset_in_range
++   (reloc_howto_type *howto,
++    bfd *abfd,
++    asection *section,
++    bfd_size_type offset);
++
+ bfd_reloc_status_type bfd_perform_relocation
+    (bfd *abfd,
+     arelent *reloc_entry,
+Index: git/bfd/coff-arm.c
+===================================================================
+--- git.orig/bfd/coff-arm.c
++++ git/bfd/coff-arm.c
+@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd,
+   x = ((x & ~howto->dst_mask)					\
+        | (((x & howto->src_mask) + diff) & howto->dst_mask))
+ 
+-    if (diff != 0)
+-      {
+-	reloc_howto_type *howto = reloc_entry->howto;
+-	unsigned char *addr = (unsigned char *) data + reloc_entry->address;
++  if (diff != 0)
++    {
++      reloc_howto_type *howto = reloc_entry->howto;
++      unsigned char *addr = (unsigned char *) data + reloc_entry->address;
++
++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++				       reloc_entry->address
++				       * bfd_octets_per_byte (abfd)))
++	return bfd_reloc_outofrange;
++
++      switch (howto->size)
++	{
++	case 0:
++	  {
++	    char x = bfd_get_8 (abfd, addr);
++	    DOIT (x);
++	    bfd_put_8 (abfd, x, addr);
++	  }
++	  break;
+ 
+-	switch (howto->size)
++	case 1:
+ 	  {
+-	  case 0:
+-	    {
+-	      char x = bfd_get_8 (abfd, addr);
+-	      DOIT (x);
+-	      bfd_put_8 (abfd, x, addr);
+-	    }
+-	    break;
+-
+-	  case 1:
+-	    {
+-	      short x = bfd_get_16 (abfd, addr);
+-	      DOIT (x);
+-	      bfd_put_16 (abfd, (bfd_vma) x, addr);
+-	    }
+-	    break;
+-
+-	  case 2:
+-	    {
+-	      long x = bfd_get_32 (abfd, addr);
+-	      DOIT (x);
+-	      bfd_put_32 (abfd, (bfd_vma) x, addr);
+-	    }
+-	    break;
++	    short x = bfd_get_16 (abfd, addr);
++	    DOIT (x);
++	    bfd_put_16 (abfd, (bfd_vma) x, addr);
++	  }
++	  break;
+ 
+-	  default:
+-	    abort ();
++	case 2:
++	  {
++	    long x = bfd_get_32 (abfd, addr);
++	    DOIT (x);
++	    bfd_put_32 (abfd, (bfd_vma) x, addr);
+ 	  }
+-      }
++	  break;
++
++	default:
++	  abort ();
++	}
++    }
+ 
+   /* Now let bfd_perform_relocation finish everything up.  */
+   return bfd_reloc_continue;
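
Review bot: `addr` is still initialised from `(unsigned char *) data + reloc_entry->address` before `bfd_reloc_offset_in_range` has validated the offset, so a possibly out-of-range pointer is formed (though not dereferenced) before the check rejects it; moving the `addr` initialisation below the range check avoids relying on that being benign. Separately, almost all of this hunk is a two-column re-indentation of the `if (diff != 0)` block, which buries the five-line functional change; splitting the whitespace change out would make the backport reviewable at a glance.
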
+Index: git/bfd/coff-i386.c
+===================================================================
+--- git.orig/bfd/coff-i386.c
++++ git/bfd/coff-i386.c
+@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd,
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++				       reloc_entry->address
++				       * bfd_octets_per_byte (abfd)))
++	return bfd_reloc_outofrange;
++
+       switch (howto->size)
+ 	{
+ 	case 0:
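
Review bot: the range check is inserted after `unsigned char *addr = (unsigned char *) data + reloc_entry->address;`, so the potentially out-of-bounds pointer is formed before it is validated; compute `addr` after the `bfd_reloc_offset_in_range` test, as the coff-m88k.c hunk in this same patch does for its `x` read.
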
+Index: git/bfd/coff-i860.c
+===================================================================
+--- git.orig/bfd/coff-i860.c
++++ git/bfd/coff-i860.c
+@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd,
+ 	reloc_howto_type *howto = reloc_entry->howto;
+ 	unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
++	if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++					 reloc_entry->address
++					 * bfd_octets_per_byte (abfd)))
++	  return bfd_reloc_outofrange;
++
+ 	switch (howto->size)
+ 	  {
+ 	  case 0:
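
Review bot: same ordering issue as in coff-i386.c: `addr` is derived from `reloc_entry->address` in the declaration above the new check, so the pointer exists before the offset has been validated. Initialise `addr` after the `bfd_reloc_offset_in_range` call.
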
+Index: git/bfd/coff-m68k.c
+===================================================================
+--- git.orig/bfd/coff-m68k.c
++++ git/bfd/coff-m68k.c
+@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++				       reloc_entry->address
++				       * bfd_octets_per_byte (abfd)))
++	return bfd_reloc_outofrange;
++
+       switch (howto->size)
+ 	{
+ 	case 0:
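
Review bot: as in the i386 and i860 hunks, `addr` is computed from `reloc_entry->address` before `bfd_reloc_offset_in_range` has accepted the offset; move the `addr` initialisation below the check so that no out-of-range pointer is ever formed.
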
+Index: git/bfd/coff-m88k.c
+===================================================================
+--- git.orig/bfd/coff-m88k.c
++++ git/bfd/coff-m88k.c
+@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd,
+ 	{
+ 	  bfd_vma output_base = 0;
+ 	  bfd_vma addr = reloc_entry->address;
+-	  bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
++	  bfd_vma x;
+ 	  asection *reloc_target_output_section;
+ 	  long relocation = 0;
+ 
++	  if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++					   reloc_entry->address
++					   * bfd_octets_per_byte (abfd)))
++	    return bfd_reloc_outofrange;
++
++	  x = bfd_get_16 (abfd, (bfd_byte *) data + addr);
++
+ 	  /* Work out which section the relocation is targeted at and the
+ 	     initial relocation command value.  */
+ 
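
Review bot: this is the cleaner pattern of the series: the `bfd_get_16` read is moved below the range check rather than left in the declaration, so nothing touches `data` before validation. One thing to confirm: the check scales `reloc_entry->address` by `bfd_octets_per_byte (abfd)`, but the subsequent `bfd_get_16 (abfd, (bfd_byte *) data + addr)` indexes with the unscaled `addr`; those agree only when octets per byte is 1, which is the usual case but is the kind of assumption worth a one-line comment (the other backend hunks in this patch carry the same mismatch).
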
+Index: git/bfd/coff-mips.c
+===================================================================
+--- git.orig/bfd/coff-mips.c
++++ git/bfd/coff-mips.c
+@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UN
+ 	  unsigned long vallo;
+ 	  struct mips_hi *next;
+ 
++	  if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd,
++					   input_section,
++					   reloc_entry->address
++					   * bfd_octets_per_byte (abfd)))
++	    return bfd_reloc_outofrange;
++
+ 	  /* Do the REFHI relocation.  Note that we actually don't
+ 	     need to know anything about the REFLO itself, except
+ 	     where to find the low 16 bits of the addend needed by the
+Index: git/bfd/coff-x86_64.c
+===================================================================
+--- git.orig/bfd/coff-x86_64.c
++++ git/bfd/coff-x86_64.c
+@@ -143,16 +143,10 @@ coff_amd64_reloc (bfd *abfd,
+       reloc_howto_type *howto = reloc_entry->howto;
+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;
+ 
+-      /* FIXME: We do not have an end address for data, so we cannot
+-	 accurately range check any addresses computed against it.
+-	 cf: PR binutils/17512: file: 1085-1761-0.004.
+-	 For now we do the best that we can.  */
+-      if (addr < (unsigned char *) data
+-	  || addr > ((unsigned char *) data) + input_section->size)
+-	{
+-	  bfd_set_error (bfd_error_bad_value);
+-	  return bfd_reloc_notsupported;
+-	}
++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,
++				       reloc_entry->address
++				       * bfd_octets_per_byte (abfd)))
++	return bfd_reloc_outofrange;
+ 
+       switch (howto->size)
+ 	{
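
Review bot: this replaces the FIXME-era pointer comparison, which accepted `addr == data + input_section->size`, ignored the width of the relocation field, and compared pointers rather than offsets, with the size-aware check; a clear improvement. Two behaviour changes to be aware of: the failure path now returns `bfd_reloc_outofrange` instead of `bfd_reloc_notsupported`, and it no longer calls `bfd_set_error (bfd_error_bad_value)`, so a caller that inspected `bfd_get_error ()` after a failed amd64 reloc will see a difference. Both match the other COFF backends, so the change looks intentional, but it deserves a sentence in the commit message.
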
+Index: git/bfd/reloc.c
+===================================================================
+--- git.orig/bfd/reloc.c
++++ git/bfd/reloc.c
+@@ -538,12 +538,31 @@ bfd_check_overflow (enum complain_overfl
+   return flag;
+ }
+ 
++/*
++FUNCTION
++	bfd_reloc_offset_in_range
++
++SYNOPSIS
++	bfd_boolean bfd_reloc_offset_in_range
++          (reloc_howto_type *howto,
++           bfd *abfd,
++           asection *section,
++           bfd_size_type offset);
++
++DESCRIPTION
++        Returns TRUE if the reloc described by @var{HOWTO} can be
++	applied at @var{OFFSET} octets in @var{SECTION}.
++
++*/
++
+ /* HOWTO describes a relocation, at offset OCTET.  Return whether the
+    relocation field is within SECTION of ABFD.  */
+ 
+-static bfd_boolean
+-reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,
+-		       asection *section, bfd_size_type octet)
++bfd_boolean
++bfd_reloc_offset_in_range (reloc_howto_type *howto,
++			   bfd *abfd,
++			   asection *section,
++			   bfd_size_type octet)
+ {
+   bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
+   bfd_size_type reloc_size = bfd_get_reloc_size (howto);
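
Review bot: the documentation block and the definition disagree on the parameter name: the SYNOPSIS declares the last argument as `bfd_size_type offset` (and DESCRIPTION refers to @var{OFFSET}), while the definition keeps `bfd_size_type octet` and the older comment above it still says "at offset OCTET". Since bfd-in2.h is generated from the SYNOPSIS, the exported prototype and the implementation now use different names; pick one (`octet` is the more precise, since the value is already scaled by `bfd_octets_per_byte`) and update the other.
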
+@@ -617,6 +636,11 @@ bfd_perform_relocation (bfd *abfd,
+   if (howto && howto->special_function)
+     {
+       bfd_reloc_status_type cont;
++
++      /* Note - we do not call bfd_reloc_offset_in_range here as the
++	 reloc_entry->address field might actually be valid for the
++	 backend concerned.  It is up to the special_function itself
++	 to call bfd_reloc_offset_in_range if needed.  */
+       cont = howto->special_function (abfd, reloc_entry, symbol, data,
+ 				      input_section, output_bfd,
+ 				      error_message);
+@@ -637,7 +661,7 @@ bfd_perform_relocation (bfd *abfd,
+ 
+   /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
++  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1003,6 +1027,10 @@ bfd_install_relocation (bfd *abfd,
+     {
+       bfd_reloc_status_type cont;
+ 
++      /* Note - we do not call bfd_reloc_offset_in_range here as the
++	 reloc_entry->address field might actually be valid for the
++	 backend concerned.  It is up to the special_function itself
++	 to call bfd_reloc_offset_in_range if needed.  */
+       /* XXX - The special_function calls haven't been fixed up to deal
+ 	 with creating new relocations and section contents.  */
+       cont = howto->special_function (abfd, reloc_entry, symbol,
+@@ -1025,7 +1053,7 @@ bfd_install_relocation (bfd *abfd,
+ 
+   /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
++  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1363,7 +1391,7 @@ _bfd_final_link_relocate (reloc_howto_ty
+   bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
+ 
+   /* Sanity check the address.  */
+-  if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
++  if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* This function assumes that we are dealing with a basic relocation
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,20 @@
++2017-11-28  Nick Clifton  <nickc@redhat.com>
++
++       PR 22506
++       * reloc.c (reloc_offset_in_range): Rename to
++      bfd_reloc_offset_in_range and export.
++       (bfd_perform_relocation): Rename function invocation.
++       (bfd_install_relocation): Likewise.
++       (bfd_final_link_relocate): Likewise.
++       * bfd-in2.h: Regenerate.
++       * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.
++       * coff-i386.c (coff_i386_reloc): Likewise.
++       * coff-i860.c (coff_i860_reloc): Likewise.
++       * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.
++       * coff-m88k.c (m88k_special_reloc): Likewise.
++       * coff-mips.c (mips_reflo_reloc): Likewise.
++       * coff-x86_64.c (coff_amd64_reloc): Likewise.
++
+ 2017-11-16  Nick Clifton  <nickc@redhat.com>
+  
+        PR 22421
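
Review bot: two nits in the entry: the continuation line `bfd_reloc_offset_in_range and export.` is indented one column less than the other lines, and the coff-m68k.c function is given as `mk68kcoff_common_addend_special_fn` whereas the hunk in this patch modifies `m68kcoff_common_addend_special_fn`. The same typo is in the upstream commit message, but the ChangeLog entry can still be corrected in the backport.
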
-- 
2.7.4




* [ROCKO][PATCH 26/27] binutils: Security fix for CVE-2017-17122
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-17122.patch         | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c1d5740..577bbf0 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -62,6 +62,7 @@ SRC_URI = "\
      file://CVE-2017-16832.patch \
      file://CVE-2017-17080.patch \
      file://CVE-2017-17121.patch \
+     file://CVE-2017-17122.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
new file mode 100644
index 0000000..5ae749b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
@@ -0,0 +1,58 @@
+From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 29 Nov 2017 12:40:43 +0000
+Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of
+ memory when parsing relocs in a corrupt file.
+
+	PR 22508
+	* objdump.c (dump_relocs_in_section): Also check the section's
+	relocation count to make sure that it is reasonable before
+	attempting to allocate space for the relocs.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE:  CVE-2017-17122
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/objdump.c | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -3381,7 +3381,16 @@ dump_relocs_in_section (bfd *abfd,
+     }
+ 
+   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+-      && (ufile_ptr) relsize > bfd_get_file_size (abfd))
++      && (((ufile_ptr) relsize > bfd_get_file_size (abfd))
++	  /* Also check the section's reloc count since if this is negative
++	     (or very large) the computation in bfd_get_reloc_upper_bound
++	     may have resulted in returning a small, positive integer.
++	     See PR 22508 for a reproducer.
++
++	     Note - we check against file size rather than section size as
++	     it is possible for there to be more relocs that apply to a
++	     section than there are bytes in that section.  */
++	  || (section->reloc_count > bfd_get_file_size (abfd))))
+     {
+       printf (" (too many: 0x%x)\n", section->reloc_count);
+       bfd_set_error (bfd_error_file_truncated);
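
Review bot: the new bound `section->reloc_count > bfd_get_file_size (abfd)` is deliberately loose (every reloc occupies more than one byte of the file, so the file size is an upper bound on the count, as the comment explains), which is enough to stop the huge allocation described in PR 22508. Note that the whole test is still skipped for `BFD_IN_MEMORY` and `BFD_LINKER_CREATED` bfds, where a wrapped `reloc_count` would still reach the allocation; acceptable for objdump reading files from disk, but worth stating. Also, the comment speaks of `reloc_count` being "negative" while the value is printed with `%x` as an unsigned quantity; "wrapped to a very large value" is the more precise wording.
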
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-29  Nick Clifton  <nickc@redhat.com>
++
++       PR 22508
++       * objdump.c (dump_relocs_in_section): Also check the section's
++       relocation count to make sure that it is reasonable before
++       attempting to allocate space for the relocs.
++
+ 2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
+ 
+        PR 22384
-- 
2.7.4




* [ROCKO][PATCH 27/27] binutils: Security fix for CVE-2017-17125
From: Armin Kuster @ 2018-08-08 15:35 UTC
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2017-17125.patch         | 129 +++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 577bbf0..c4d40ea 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
      file://CVE-2017-17080.patch \
      file://CVE-2017-17121.patch \
      file://CVE-2017-17122.patch \
+     file://CVE-2017-17125.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
new file mode 100644
index 0000000..30dc6d5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch
@@ -0,0 +1,129 @@
+From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 18 Nov 2017 23:18:22 +1030
+Subject: [PATCH] PR22443, Global buffer overflow in
+ _bfd_elf_get_symbol_version_string
+
+Symbols like *ABS* defined in bfd/section.c:global_syms are not
+elf_symbol_type.  They can appear on relocs and perhaps other places
+in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
+to cast an asymbol based on the bfd being ELF.  I think we lose
+nothing by excluding all section symbols, not just the global_syms.
+
+	PR 22443
+	* nm.c (sort_symbols_by_size): Don't attempt to access
+	section symbol internal_elf_sym.
+	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
+	for section symbols.
+	* objdump.c (compare_symbols): Don't attempt to access
+	section symbol internal_elf_sym.
+	(objdump_print_symname): Don't call bfd_get_symbol_version_string
+	for section symbols.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE:  CVE-2017-17125
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 12 ++++++++++++
+ binutils/nm.c      | 17 ++++++++++-------
+ binutils/objdump.c |  6 +++---
+ 3 files changed, 25 insertions(+), 10 deletions(-)
+
+Index: git/binutils/nm.c
+===================================================================
+--- git.orig/binutils/nm.c
++++ git/binutils/nm.c
+@@ -765,7 +765,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+       asection *sec;
+       bfd_vma sz;
+       asymbol *temp;
+-      int synthetic = (sym->flags & BSF_SYNTHETIC);
+ 
+       if (from + size < fromend)
+ 	{
+@@ -782,10 +781,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
+       sec = bfd_get_section (sym);
+ 
+       /* Synthetic symbols don't have a full type set of data available, thus
+-	 we can't rely on that information for the symbol size.  */
+-      if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
++	 we can't rely on that information for the symbol size.  Ditto for
++	 bfd/section.c:global_syms like *ABS*.  */
++      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++	  && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+ 	sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
+-      else if (!synthetic && bfd_is_com_section (sec))
++      else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++	       && bfd_is_com_section (sec))
+ 	sz = sym->value;
+       else
+ 	{
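Review bot: the mask test `(sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0` is now written out twice in the if/else-if chain, whereas the previous code evaluated the flags once into the `int synthetic` local that the preceding hunk removes. Suggest keeping a single local with the widened mask, e.g. `int no_size_info = (sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0;`, so the two branches cannot drift apart if the set of excluded symbol kinds changes again. The updated comment naming bfd/section.c:global_syms is useful and should stay.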
+@@ -874,8 +876,9 @@ print_symbol (bfd *        abfd,
+ 
+   info.sinfo = &syminfo;
+   info.ssize = ssize;
+-  /* Synthetic symbols do not have a full symbol type set of data available.  */
+-  if ((sym->flags & BSF_SYNTHETIC) != 0)
++  /* Synthetic symbols do not have a full symbol type set of data available.
++     Nor do bfd/section.c:global_syms like *ABS*.  */
++  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
+     {
+       info.elfinfo = NULL;
+       info.coffinfo = NULL;
+@@ -893,7 +896,7 @@ print_symbol (bfd *        abfd,
+       const char *  version_string = NULL;
+       bfd_boolean   hidden = FALSE;
+ 
+-      if ((sym->flags & BSF_SYNTHETIC) == 0)
++      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ 	version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+ 
+       if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const v
+       bfd_vma asz, bsz;
+ 
+       asz = 0;
+-      if ((a->flags & BSF_SYNTHETIC) == 0)
++      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ 	asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+       bsz = 0;
+-      if ((b->flags & BSF_SYNTHETIC) == 0)
++      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+ 	bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+       if (asz != bsz)
+ 	return asz > bsz ? -1 : 1;
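Review bot: within this hunk the casts `((elf_symbol_type *) a)->internal_elf_sym.st_size` and the matching one for `b` are guarded only by the new flag mask; the nm.c change above pairs the same mask with `bfd_get_flavour (abfd) == bfd_target_elf_flavour`, but no flavour test is visible here. The commit message says these casts were previously conditioned on the bfd being ELF, so the check presumably sits in the enclosing block; please confirm it does, since a non-ELF asymbol reaching these lines would be over-read exactly as the section symbols were.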
+@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct
+ 	name = alloc;
+     }
+ 
+-  if ((sym->flags & BSF_SYNTHETIC) == 0)
++  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+     version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
+ 
+   if (bfd_is_und_section (bfd_get_section (sym)))
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,15 @@
++2017-11-18  Alan Modra  <amodra@gmail.com>
++
++       PR 22443
++       * nm.c (sort_symbols_by_size): Don't attempt to access
++       section symbol internal_elf_sym.
++       (print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
++       for section symbols.
++       * objdump.c (compare_symbols): Don't attempt to access
++       section symbol internal_elf_sym.
++       (objdump_print_symname): Don't call bfd_get_symbol_version_string
++       for section symbols.
++
+ 2017-11-29  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22508
-- 
2.7.4




* ✗ patchtest: failure for "[ROCKO] binutils: Security fix..." and 26 more
From: Patchwork @ 2018-08-08 16:06 UTC
  To: Armin Kuster; +Cc: openembedded-core

== Series Details ==

Series: "[ROCKO] binutils: Security fix..." and 26 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/13427/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Upstream-Status is in incorrect format [test_upstream_status_presence_format] 
  Suggested fix    Fix Upstream-Status format in CVE-2017-12967.patch
  Current          Upstream-Status: backport
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [ROCKO][PATCH 01/27] binutils: Security fix CVE-2017-12967
From: akuster808 @ 2018-08-08 16:40 UTC
  To: Armin Kuster, openembedded-core



On 08/08/2018 08:34 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> affects: <= 2.29.1
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>

This one is really CVE-2017-17124, so it will be renamed in V2.

CVE-2017-12967 is already in 2.29.1.

> ---
>  meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
>  .../binutils/binutils/CVE-2017-12967.patch         | 47 ++++++++++++++++++++++
>  2 files changed, 48 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
> index b29b75a..12b579c 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
> @@ -35,6 +35,7 @@ SRC_URI = "\
>       file://0013-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
>       file://0014-Detect-64-bit-MIPS-targets.patch \
>       file://0015-sync-with-OE-libtool-changes.patch \
> +     file://CVE-2017-12967.patch \
>  "
>  S  = "${WORKDIR}/git"
>  
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch
> new file mode 100644
> index 0000000..ab19d21
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12967.patch
> @@ -0,0 +1,47 @@
> +From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc@redhat.com>
> +Date: Tue, 28 Nov 2017 18:00:29 +0000
> +Subject: [PATCH] Prevent a memory exhaustion problem when trying to read in
> + strings from a COFF binary with a corrupt string table size.
> +
> +	PR 22507
> +	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive
> +	size of the external string table.
> +
> +Upstream-Status: backport
> +Affects binutls <= 2.29.1
> +CVE:  CVE-2017-12967 
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + bfd/ChangeLog | 6 ++++++
> + bfd/coffgen.c | 4 ++--
> + 2 files changed, 8 insertions(+), 2 deletions(-)
> +
> +Index: git/bfd/coffgen.c
> +===================================================================
> +--- git.orig/bfd/coffgen.c
> ++++ git/bfd/coffgen.c
> +@@ -1709,7 +1709,7 @@ _bfd_coff_read_string_table (bfd *abfd)
> + #endif
> +     }
> + 
> +-  if (strsize < STRING_SIZE_SIZE)
> ++  if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd))
> +     {
> +       _bfd_error_handler
> + 	/* xgettext: c-format */
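Review bot: `strsize > bfd_get_file_size (abfd)` compares the string table size with the whole file, but the COFF string table starts at a non-zero offset (it follows the symbol table), so any strsize between the bytes actually remaining and the file size still passes and the read that follows comes up short. Bounding by the file size minus the table's file offset is tighter, and the condition should also account for the value bfd_get_file_size returns when it cannot stat the file, otherwise the comparison silently stops rejecting anything.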
> +Index: git/bfd/ChangeLog
> +===================================================================
> +--- git.orig/bfd/ChangeLog
> ++++ git/bfd/ChangeLog
> +@@ -1,3 +1,9 @@
> ++2017-11-28  Nick Clifton  <nickc@redhat.com>
> ++
> ++       PR 22507
> ++       * coffgen.c (_bfd_coff_read_string_table): Check for an excessive
> ++       size of the external string table.
> ++
> + 2018-03-28  Eric Botcazou  <ebotcazou@adacore.com>
> + 
> + 	PR ld/22972



