binutils: fix three CVE issues

Backport the CVE patches from the upstream:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d

[BZ 23686] https://sourceware.org/bugzilla/show_bug.cgi?id=23686
[BZ 23685] https://sourceware.org/bugzilla/show_bug.cgi?id=23685

The one is for CVE-2018-17358 and CVE-2018-17359, and the another
is for CVE-2018-17360.

(From OE-Core rev: 2683d8287d6878868d3aa15ce6e6a80ce28d8737)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-devtools/binutils/binutils-2.31.inc

@@ -41,6 +41,8 @@ SRC_URI = "\
      file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \
      file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \
      file://0021-PLT-information-was-still-being-generated-when-symbo.patch \
+     file://CVE-2018-17358.patch \
+     file://CVE-2018-17360.patch \
 "
 S  = "${WORKDIR}/git"
 

meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch

@@ -0,0 +1,144 @@
+From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 15:29:17 +0930
+Subject: [PATCH] Bug 23686, two segment faults in nm
+
+Fixes the bugs exposed by the testcases in the PR, plus two more bugs
+I noticed when looking at _bfd_stab_section_find_nearest_line.
+
+	PR 23686
+	* dwarf2.c (read_section): Error when attempting to malloc
+	"(bfd_size_type) -1".
+	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+	function_name.  Bounds check reloc address.  Formatting.  Ensure
+	.stabstr zero terminated.
+CVE: CVE-2018-17358 and CVE-2018-17359
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog |  9 +++++++++
+ bfd/dwarf2.c  |  9 ++++++++-
+ bfd/syms.c    | 22 ++++++++++++++++------
+ 3 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 04c0c2a..fef5479 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,12 @@
++2018-09-20  Alan Modra  <amodra@gmail.com>
++
++	PR 23686
++	* dwarf2.c (read_section): Error when attempting to malloc
++	"(bfd_size_type) -1".
++	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
++	function_name.  Bounds check reloc address.  Formatting.  Ensure
++	.stabstr zero terminated.
++
+ 2018-08-12  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+ 	PR ld/23428
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 3b28855..77a7368 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -527,6 +527,7 @@ read_section (bfd *	      abfd,
+   asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
++  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+@@ -549,7 +550,13 @@ read_section (bfd *	      abfd,
+       *section_size = msec->rawsize ? msec->rawsize : msec->size;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      contents = (bfd_byte *) bfd_malloc (*section_size + 1);
++      amt = *section_size + 1;
++      if (amt == 0)
++	{
++	  bfd_set_error (bfd_error_no_memory);
++	  return FALSE;
++	}
++      contents = (bfd_byte *) bfd_malloc (amt);
+       if (contents == NULL)
+ 	return FALSE;
+       if (syms
+diff --git a/bfd/syms.c b/bfd/syms.c
+index 187071f..e09640a 100644
+--- a/bfd/syms.c
++++ b/bfd/syms.c
+@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 					 0, strsize))
+ 	return FALSE;
+ 
++      /* Stab strings ought to be nul terminated.  Ensure the last one
++	 is, to prevent running off the end of the buffer.  */
++      info->strs[strsize - 1] = 0;
++
+       /* If this is a relocatable object file, we have to relocate
+ 	 the entries in .stab.  This should always be simple 32 bit
+ 	 relocations against symbols defined in this object file, so
+@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		  || r->howto->bitsize != 32
+ 		  || r->howto->pc_relative
+ 		  || r->howto->bitpos != 0
+-		  || r->howto->dst_mask != 0xffffffff)
++		  || r->howto->dst_mask != 0xffffffff
++		  || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
+ 		{
+ 		  _bfd_error_handler
+ 		    (_("unsupported .stab relocation"));
+@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		{
+ 		  nul_fun = stab;
+ 		  nul_str = str;
+-		  if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++		  if (file_name >= (char *) info->strs + strsize
++		      || file_name < (char *) str)
+ 		    file_name = NULL;
+ 		  if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
+ 		      && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
+@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		      directory_name = file_name;
+ 		      file_name = ((char *) str
+ 				   + bfd_get_32 (abfd, stab + STRDXOFF));
+-		      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++		      if (file_name >= (char *) info->strs + strsize
++			  || file_name < (char *) str)
+ 			file_name = NULL;
+ 		    }
+ 		}
+@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ 	      /* PR 17512: file: 0c680a1f.  */
+ 	      /* PR 17512: file: 5da8aec4.  */
+-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++	      if (file_name >= (char *) info->strs + strsize
++		  || file_name < (char *) str)
+ 		file_name = NULL;
+ 	      break;
+ 
+@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	      function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ 	      if (function_name == (char *) str)
+ 		continue;
+-	      if (function_name >= (char *) info->strs + strsize)
++	      if (function_name >= (char *) info->strs + strsize
++		  || function_name < (char *) str)
+ 		function_name = NULL;
+ 
+ 	      nul_fun = NULL;
+@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	  if (val <= offset)
+ 	    {
+ 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++	      if (file_name >= (char *) info->strs + strsize
++		  || file_name < (char *) str)
+ 		file_name = NULL;
+ 	      *pline = 0;
+ 	    }
+-- 
+2.9.3

meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch

@@ -0,0 +1,65 @@
+From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 18:23:17 +0930
+Subject: [PATCH] PR23685, buffer overflow
+
+	PR 23685
+	* peXXigen.c (pe_print_edata): Correct export address table
+	overflow checks.  Check dataoff against section size too.
+
+CVE: CVE-2018-17360
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/peXXigen.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index fef5479..81b9e56 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2018-09-20  Alan Modra  <amodra@gmail.com>
+ 
++	PR 23685
++	* peXXigen.c (pe_print_edata): Correct export address table
++	overflow checks.  Check dataoff against section size too.
++
++2018-09-20  Alan Modra  <amodra@gmail.com>
++
+ 	PR 23686
+ 	* dwarf2.c (read_section): Error when attempting to malloc
+ 	"(bfd_size_type) -1".
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index 598f2ca..1645ef4 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile)
+ 
+       dataoff = addr - section->vma;
+       datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
+-      if (datasize > section->size - dataoff)
++      if (dataoff > section->size
++	  || datasize > section->size - dataoff)
+ 	{
+ 	  fprintf (file,
+ 		   _("\nThere is an export table in %s, but it does not fit into that section\n"),
+@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile)
+ 	  edt.base);
+ 
+   /* PR 17512: Handle corrupt PE binaries.  */
+-  if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
++  /* PR 17512 file: 140-165018-0.004.  */
++  if (edt.eat_addr - adj >= datasize
+       /* PR 17512: file: 092b1829 */
+-      || (edt.num_functions * 4) < edt.num_functions
+-      /* PR 17512 file: 140-165018-0.004.  */
+-      || data + edt.eat_addr - adj < data)
++      || (edt.num_functions + 1) * 4 < edt.num_functions
++      || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
+     fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
+ 	     (long) edt.eat_addr,
+ 	     (long) edt.num_functions);
+-- 
+2.9.3