From 2a43ef74ac77433bc48f461845e99cf4ebbc2074 Mon Sep 17 00:00:00 2001
From: Thiruvadi Rajaraman <trajaraman@mvista.com>
Date: Thu, 21 Sep 2017 19:32:24 +0530
Subject: binutils: CVE-2017-9755

Source: binutils-gdb.git
MR: 73932
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 49ad5f3244cd51ee6714c1b60cc1c3f84d7de7c8
Description:

 i386-dis: Add 2 tests with invalid bnd register

        PR binutils/21594
        * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
        register.
        * testsuite/gas/i386/x86-64-mpx.s: Likewise.
        * testsuite/gas/i386/mpx.d: Updated.
        * testsuite/gas/i386/x86-64-mpx.d: Likewise.

 i386-dis: Check valid bnd register

 Since there are only 4 bnd registers, return "(bad)" for register
 number > 3.

        PR binutils/21594
        * i386-dis.c (OP_E_register): Check valid bnd register.
        (OP_G): Likewise.

Affects: <= 2.28
Author: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.27.inc   |   2 +
 .../binutils/binutils/CVE-2017-9755_1.patch        |  60 ++++++++++++
 .../binutils/binutils/CVE-2017-9755_2.patch        | 101 +++++++++++++++++++++
 3 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 2b35cb154d..961364c81c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -86,6 +86,8 @@ SRC_URI = "\
      file://CVE-2017-9750.patch \
      file://CVE-2017-9752.patch \
      file://CVE-2017-9753_9754.patch \
+     file://CVE-2017-9755_1.patch \
+     file://CVE-2017-9755_2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
new file mode 100644
index 0000000000..3ad32189b1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
@@ -0,0 +1,60 @@
+commit 0d96e4df4812c3bad77c229dfef47a9bc115ac12
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 06:40:17 2017 -0700
+
+    i386-dis: Check valid bnd register
+    
+    Since there are only 4 bnd registers, return "(bad)" for register
+    number > 3.
+    
+    	PR binutils/21594
+    	* i386-dis.c (OP_E_register): Check valid bnd register.
+    	(OP_G): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/opcodes/i386-dis.c
+===================================================================
+--- git.orig/opcodes/i386-dis.c	2017-09-21 15:38:46.907182525 +0530
++++ git/opcodes/i386-dis.c	2017-09-21 15:38:54.703174976 +0530
+@@ -15211,6 +15211,11 @@
+       names = address_mode == mode_64bit ? names64 : names32;
+       break;
+     case bnd_mode:
++      if (reg > 0x3)
++	{
++	  oappend ("(bad)");
++	  return;
++	}
+       names = names_bnd;
+       break;
+     case indir_v_mode:
+@@ -15751,6 +15756,11 @@
+       oappend (names64[modrm.reg + add]);
+       break;
+     case bnd_mode:
++      if (modrm.reg > 0x3)
++	{
++	  oappend ("(bad)");
++	  return;
++	}
+       oappend (names_bnd[modrm.reg]);
+       break;
+     case v_mode:
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog	2017-09-21 15:38:54.531175122 +0530
++++ git/opcodes/ChangeLog	2017-09-21 15:45:32.264491166 +0530
+@@ -1,3 +1,9 @@
++2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
++
++	PR binutils/21594
++	* i386-dis.c (OP_E_register): Check valid bnd register.
++	(OP_G): Likewise.
++
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR binutils/21586
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
new file mode 100644
index 0000000000..69e1607d8b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
@@ -0,0 +1,101 @@
+commit 8cac017d35ef374e65acc98818a17cf8a652cbd0
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 08:21:48 2017 -0700
+
+    i386-dis: Add 2 tests with invalid bnd register
+    
+    	PR binutils/21594
+    	* testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
+    	register.
+    	* testsuite/gas/i386/x86-64-mpx.s: Likewise.
+    	* testsuite/gas/i386/mpx.d: Updated.
+    	* testsuite/gas/i386/x86-64-mpx.d: Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/gas/testsuite/gas/i386/mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.d	2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/mpx.d	2017-09-21 15:45:57.616640460 +0530
+@@ -130,4 +130,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [ 	]*[a-f0-9]+:	f2 c3                	bnd ret 
++
++[a-f0-9]+ <bad>:
++[ 	]*[a-f0-9]+:	0f 1a 30             	bndldx \(%eax\),\(bad\)
++[ 	]*[a-f0-9]+:	66 0f 1a c4          	bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.s	2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/mpx.s	2017-09-21 15:45:57.616640460 +0530
+@@ -157,3 +157,15 @@
+ 	bnd ret
+ 
+ foo:	bnd ret
++
++bad:
++	# bndldx (%eax),(bad)
++	.byte 0x0f
++	.byte 0x1a
++	.byte 0x30
++
++	# bndmov (bad),%bnd0
++	.byte 0x66
++	.byte 0x0f
++	.byte 0x1a
++	.byte 0xc4
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.d	2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/x86-64-mpx.d	2017-09-21 15:45:57.616640460 +0530
+@@ -182,4 +182,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [ 	]*[a-f0-9]+:	f2 c3                	bnd retq 
++
++[a-f0-9]+ <bad>:
++[ 	]*[a-f0-9]+:	0f 1a 30             	bndldx \(%rax\),\(bad\)
++[ 	]*[a-f0-9]+:	66 0f 1a c4          	bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.s	2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/x86-64-mpx.s	2017-09-21 15:45:57.616640460 +0530
+@@ -209,3 +209,15 @@
+ 	bnd ret
+ 
+ foo:	bnd ret
++
++bad:
++	# bndldx (%eax),(bad)
++	.byte 0x0f
++	.byte 0x1a
++	.byte 0x30
++
++	# bndmov (bad),%bnd0
++	.byte 0x66
++	.byte 0x0f
++	.byte 0x1a
++	.byte 0xc4
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog	2017-09-21 15:38:53.143176323 +0530
++++ git/gas/ChangeLog	2017-09-21 15:48:07.134368927 +0530
+@@ -1,3 +1,12 @@
++2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
++
++	PR binutils/21594
++	* testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
++	register.
++	* testsuite/gas/i386/x86-64-mpx.s: Likewise.
++	* testsuite/gas/i386/mpx.d: Updated.
++	* testsuite/gas/i386/x86-64-mpx.d: Likewise.
++
+ 2016-12-01  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR gas/20898
-- 
cgit 1.2.3-korg