Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
58 files changed, 9628 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch
new file mode 100644
index 0000000000..039166cfb9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12448.patch
@@ -0,0 +1,49 @@
+commit 909e4e716c4d77e33357bbe9bc902bfaf2e1af24
+Author: Nick Clifton <nickc@redhat.com>
+Date: Wed Jul 19 14:49:12 2017 +0100
+
+ Fix use-after-free error when parsing a corrupt nested archive.
+
+ PR 21787
+ * archive.c (bfd_generic_archive_p): If the bfd does not have the
+ correct magic bytes at the start, set the error to wrong format
+ and clear the format selector before returning NULL.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12448
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/archive.c
+===================================================================
+--- git.orig/bfd/archive.c 2017-08-30 16:44:10.848601412 +0530
++++ git/bfd/archive.c 2017-08-30 16:44:21.400855758 +0530
+@@ -834,7 +834,12 @@
+ if (strncmp (armag, ARMAG, SARMAG) != 0
+ && strncmp (armag, ARMAGB, SARMAG) != 0
+ && ! bfd_is_thin_archive (abfd))
+- return NULL;
++ {
++ bfd_set_error (bfd_error_wrong_format);
++ if (abfd->format == bfd_archive)
++ abfd->format = bfd_unknown;
++ return NULL;
++ }
+
+ tdata_hold = bfd_ardata (abfd);
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 16:44:21.340854320 +0530
++++ git/bfd/ChangeLog 2017-08-30 16:46:48.716143277 +0530
+@@ -1,3 +1,10 @@
++2017-07-19 Nick Clifton <nickc@redhat.com>
++
++ PR 21787
++ * archive.c (bfd_generic_archive_p): If the bfd does not have the
++ correct magic bytes at the start, set the error to wrong format
++ and clear the format selector before returning NULL.
++
+ 2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+ * readelf.c (process_mips_specific): Remove error reporting from
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
new file mode 100644
index 0000000000..d7512b3829
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
+commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
+Author: Nick Clifton <nickc@redhat.com>
+Date: Thu Jul 27 12:04:50 2017 +0100
+
+ Fix address violation issues encountered when parsing corrupt binaries.
+
+ PR 21840
+ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+ size is -1.
+ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+ with error return.
+ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
+ are NULL.
+ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
+ of end pointer.
+ (evax_bfd_print_emh): Check for invalid string lengths.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c 2017-08-30 17:21:59.684671218 +0530
++++ git/bfd/mach-o.c 2017-08-30 17:22:19.136813620 +0530
+@@ -3739,6 +3739,9 @@
+ }
+ else
+ {
++ /* See PR 21840 for a reproducer. */
++ if ((sym->strsize + 1) == 0)
++ return FALSE;
+ sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+ if (sym->strtab == NULL)
+ return FALSE;
+Index: git/bfd/nlmcode.h
+===================================================================
+--- git.orig/bfd/nlmcode.h 2017-08-30 17:21:59.688671247 +0530
++++ git/bfd/nlmcode.h 2017-08-30 17:22:19.140813649 +0530
+@@ -351,7 +351,9 @@
+ bfd_byte *contents;
+ bfd_byte *p, *pend;
+
+- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
++ /* See PR 21840 for a reproducer. */
++ if (hdrLength != 0 || hdr != NULL)
++ return FALSE;
+
+ pos = bfd_tell (abfd);
+ if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c 2017-08-30 17:21:59.708671392 +0530
++++ git/bfd/section.c 2017-08-30 17:22:19.140813649 +0530
+@@ -1240,7 +1240,7 @@
+ struct section_hash_entry *sh;
+ asection *newsect;
+
+- if (abfd->output_has_begun)
++ if (abfd == NULL || name == NULL || abfd->output_has_begun)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+ return NULL;
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
+@@ -5562,8 +5562,9 @@
+ {
+ struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+ unsigned int subtype;
++ int extra;
+
+- subtype = (unsigned)bfd_getl16 (emh->subtyp);
++ subtype = (unsigned) bfd_getl16 (emh->subtyp);
+
+ fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
+@@ -5573,58 +5574,82 @@
+ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+ return;
+ }
+-
++ extra = rec_len - sizeof (struct vms_emh_common);
++
+ switch (subtype)
+ {
+ case EMH__C_MHD:
+ {
+- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+- const char *name;
++ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
++ const char * name;
++ const char * nextname;
++ const char * maxname;
+
++ /* PR 21840: Check for invalid lengths. */
++ if (rec_len < sizeof (* mhd))
++ {
++ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
++ return;
++ }
+ fprintf (file, _("Module header\n"));
+ fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
+ fprintf (file, _(" max record size: %u\n"),
+- (unsigned)bfd_getl32 (mhd->recsiz));
++ (unsigned) bfd_getl32 (mhd->recsiz));
+ name = (char *)(mhd + 1);
++ maxname = (char *) rec + rec_len;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module name is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module name is too long\n"));
++ return;
++ }
+ fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
++ name = nextname;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module version is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module version is too long\n"));
++ return;
++ }
+ fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
+- fprintf (file, _(" compile date : %.17s\n"), name);
++ name = nextname;
++ if ((maxname - name) < 17 && maxname[-1] != 0)
++ fprintf (file, _(" Error: The compile date is truncated\n"));
++ else
++ fprintf (file, _(" compile date : %.17s\n"), name);
+ }
+ break;
++
+ case EMH__C_LNM:
+- {
+- fprintf (file, _("Language Processor Name\n"));
+- fprintf (file, _(" language name: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Language Processor Name\n"));
++ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1));
+ break;
++
+ case EMH__C_SRC:
+- {
+- fprintf (file, _("Source Files Header\n"));
+- fprintf (file, _(" file: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Source Files Header\n"));
++ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1));
+ break;
++
+ case EMH__C_TTL:
+- {
+- fprintf (file, _("Title Text Header\n"));
+- fprintf (file, _(" title: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Title Text Header\n"));
++ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1));
+ break;
++
+ case EMH__C_CPR:
+- {
+- fprintf (file, _("Copyright Header\n"));
+- fprintf (file, _(" copyright: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Copyright Header\n"));
++ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1));
+ break;
++
+ default:
+ fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+ break;
+Index: git/bfd/vms-misc.c
+===================================================================
+--- git.orig/bfd/vms-misc.c 2017-08-30 17:21:59.716671451 +0530
++++ git/bfd/vms-misc.c 2017-08-30 17:22:19.140813649 +0530
+@@ -135,8 +135,8 @@
+ #endif
+
+
+-/* Copy sized string (string with fixed size) to new allocated area
+- size is string size (size of record) */
++/* Copy sized string (string with fixed size) to new allocated area.
++ Size is string size (size of record). */
+
+ char *
+ _bfd_vms_save_sized_string (unsigned char *str, int size)
+@@ -151,8 +151,8 @@
+ return newstr;
+ }
+
+-/* Copy counted string (string with size at first byte) to new allocated area
+- ptr points to size byte on entry */
++/* Copy counted string (string with size at first byte) to new allocated area.
++ PTR points to size byte on entry. */
+
+ char *
+ _bfd_vms_save_counted_string (unsigned char *ptr)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:23:51.069502425 +0530
+@@ -1,3 +1,16 @@
++2017-07-27 Nick Clifton <nickc@redhat.com>
++
++ PR 21840
++ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
++ size is -1.
++ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
++ with error return.
++ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
++ are NULL.
++ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
++ of end pointer.
++ (evax_bfd_print_emh): Check for invalid string lengths.
++
+ 2017-07-19 Nick Clifton <nickc@redhat.com>
+
+ PR 21787
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
new file mode 100644
index 0000000000..6dae0f6c24
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
+commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jun 19 14:52:36 2017 +0100
+
+ Fix address violations when reading corrupt VMS records.
+
+ PR binutils/21618
+ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+ length.
+ (evax_bfd_print_eeom): Likewise.
+ (evax_bfd_print_egsd): Check for an overlarge record length.
+ (evax_bfd_print_etir): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
+@@ -5567,6 +5567,13 @@
+
+ fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* emh))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
++ return;
++ }
++
+ switch (subtype)
+ {
+ case EMH__C_MHD:
+@@ -5630,6 +5637,14 @@
+ struct vms_eeom *eeom = (struct vms_eeom *)rec;
+
+ fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
++
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* eeom))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
++ return;
++ }
++
+ fprintf (file, _(" number of cond linkage pairs: %u\n"),
+ (unsigned)bfd_getl32 (eeom->total_lps));
+ fprintf (file, _(" completion code: %u\n"),
+@@ -5718,6 +5733,12 @@
+ n, type, len);
+ n++;
+
++ if (off + len > rec_len || off + len < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+ switch (type)
+ {
+ case EGSD__C_PSC:
+@@ -5958,6 +5979,12 @@
+ size = bfd_getl16 (etir->size);
+ buf = rec + off + sizeof (struct vms_etir);
+
++ if (off + size > rec_len || off + size < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+ fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
+ switch (type)
+ {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
+@@ -5,6 +5,15 @@
+ correct magic bytes at the start, set the error to wrong format
+ and clear the format selector before returning NULL.
+
++ 2017-06-19 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21618
++ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
++ length.
++ (evax_bfd_print_eeom): Likewise.
++ (evax_bfd_print_egsd): Check for an overlarge record length.
++ (evax_bfd_print_etir): Likewise.
++
+ 2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+ * readelf.c (process_mips_specific): Remove error reporting from
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
new file mode 100644
index 0000000000..503f655b61
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456.patch
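Review bot: The two range checks added in evax_bfd_print_egsd and evax_bfd_print_etir (bfd/vms-alpha.c, in CVE-2017-12449_12455_12457_1.patch) bound each entry only from above; nothing rejects a `len` or `size` that is smaller than the entry header. In the etir hunk the very next line prints `size - 4`, which wraps for a size below 4, and `buf` has already been placed `sizeof (struct vms_etir)` bytes past `off`. If the enclosing loop advances by `size` (the loop is outside the hunk), a zero size would presumably not advance at all. A lower bound in the same test would cover this, e.g. `if (size < sizeof (struct vms_etir) || off + size > rec_len || off + size < off)`, with the matching check on `len` against its entry header in the egsd hunk.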
@@ -0,0 +1,375 @@
+commit ca4cf9b9c622a5695e01f7f5815a7382a31fcf51
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jul 24 13:49:22 2017 +0100
+
+ Fix address violation errors parsing corrupt binary files.
+
+ PR 21813
+ binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
+ string whilst concatenating symbol names.
+
+ bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
+ of the relocs to the canonicalize_one_reloc routine.
+ * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
+ for the _bfd_mach_o_canonicalize_one_reloc field.
+ * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
+ res_base parameter. Use to check for corrupt pair relocs.
+ * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
+ Likewise.
+ * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
+ Likewise.
+ * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
+ Likewise.
+
+ * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
+ enough data in the record before attempting to parse it.
+ (_bfd_vms_slurp_eeom): Likewise.
+
+ (_bfd_vms_slurp_egsd): Check for an invalid section index.
+ (image_set_ptr): Likewise.
+ (alpha_vms_slurp_relocs): Likewise.
+
+ (alpha_vms_object_p): Check for a truncated record.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/mach-o-aarch64.c
+===================================================================
+--- git.orig/bfd/mach-o-aarch64.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-aarch64.c 2017-08-31 19:18:02.620442777 +0530
+@@ -147,9 +147,11 @@
+ };
+
+ static bfd_boolean
+-bfd_mach_o_arm64_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_arm64_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base ATTRIBUTE_UNUSED)
+ {
+ bfd_mach_o_reloc_info reloc;
+
+Index: git/bfd/mach-o-i386.c
+===================================================================
+--- git.orig/bfd/mach-o-i386.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-i386.c 2017-08-31 19:18:02.620442777 +0530
+@@ -112,9 +112,11 @@
+ };
+
+ static bfd_boolean
+-bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_i386_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base)
+ {
+ bfd_mach_o_reloc_info reloc;
+
+@@ -126,6 +128,9 @@
+ switch (reloc.r_type)
+ {
+ case BFD_MACH_O_GENERIC_RELOC_PAIR:
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
++ if (res == res_base)
++ return FALSE;
+ if (reloc.r_length == 2)
+ {
+ res->howto = &i386_howto_table[7];
+@@ -391,9 +396,9 @@
+ { NULL, NULL }
+ };
+
+-#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
+-#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
++#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc
++#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out
++#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread
+
+ #define bfd_mach_o_tgt_seg_table mach_o_i386_segsec_names_xlat
+ #define bfd_mach_o_section_type_valid_for_tgt NULL
+Index: git/bfd/mach-o-x86-64.c
+===================================================================
+--- git.orig/bfd/mach-o-x86-64.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-x86-64.c 2017-08-31 19:18:02.620442777 +0530
+@@ -120,9 +120,11 @@
+ };
+
+ static bfd_boolean
+-bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_x86_64_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base ATTRIBUTE_UNUSED)
+ {
+ bfd_mach_o_reloc_info reloc;
+
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c 2017-08-31 19:18:02.440441869 +0530
++++ git/bfd/mach-o.c 2017-08-31 19:18:02.620442777 +0530
+@@ -1496,7 +1496,7 @@
+ for (i = 0; i < count; i++)
+ {
+ if (!(*bed->_bfd_mach_o_canonicalize_one_reloc)(abfd, &native_relocs[i],
+- &res[i], syms))
++ &res[i], syms, res))
+ goto err;
+ }
+ free (native_relocs);
+Index: git/bfd/mach-o.h
+===================================================================
+--- git.orig/bfd/mach-o.h 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o.h 2017-08-31 19:18:02.620442777 +0530
+@@ -746,7 +746,7 @@
+ enum bfd_architecture arch;
+ bfd_vma page_size;
+ bfd_boolean (*_bfd_mach_o_canonicalize_one_reloc)
+- (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **);
++ (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **, arelent *);
+ bfd_boolean (*_bfd_mach_o_swap_reloc_out)(arelent *, bfd_mach_o_reloc_info *);
+ bfd_boolean (*_bfd_mach_o_print_thread)(bfd *, bfd_mach_o_thread_flavour *,
+ void *, char *);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-31 19:18:02.564442494 +0530
++++ git/bfd/ChangeLog 2017-08-31 19:18:02.620442777 +0530
+@@ -11,6 +11,30 @@
+ of end pointer.
+ (evax_bfd_print_emh): Check for invalid string lengths.
+
++ 2017-07-24 Nick Clifton <nickc@redhat.com>
++
++ PR 21813
++ * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address
++ of the relocs to the canonicalize_one_reloc routine.
++ * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype
++ for the _bfd_mach_o_canonicalize_one_reloc field.
++ * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add
++ res_base parameter. Use to check for corrupt pair relocs.
++ * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc):
++ Likewise.
++ * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc):
++ Likewise.
++ * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc):
++ Likewise.
++
++ * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is
++ enough data in the record before attempting to parse it.
++ (_bfd_vms_slurp_eeom): Likewise.
++
++ (_bfd_vms_slurp_egsd): Check for an invalid section index.
++ (image_set_ptr): Likewise.
++ (alpha_vms_slurp_relocs): Likewise.
++
+ 2017-07-19 Nick Clifton <nickc@redhat.com>
+
+ PR 21786
+Index: git/bfd/mach-o-arm.c
+===================================================================
+--- git.orig/bfd/mach-o-arm.c 2017-08-31 19:17:51.264385450 +0530
++++ git/bfd/mach-o-arm.c 2017-08-31 19:18:02.620442777 +0530
+@@ -30,7 +30,7 @@
+ #define bfd_mach_o_mkobject bfd_mach_o_arm_mkobject
+
+ #define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_arm_canonicalize_one_reloc
+-#define bfd_mach_o_swap_reloc_out NULL
++#define bfd_mach_o_swap_reloc_out NULL
+ #define bfd_mach_o_bfd_reloc_type_lookup bfd_mach_o_arm_bfd_reloc_type_lookup
+ #define bfd_mach_o_bfd_reloc_name_lookup bfd_mach_o_arm_bfd_reloc_name_lookup
+
+@@ -147,9 +147,11 @@
+ };
+
+ static bfd_boolean
+-bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd,
+- struct mach_o_reloc_info_external *raw,
+- arelent *res, asymbol **syms)
++bfd_mach_o_arm_canonicalize_one_reloc (bfd * abfd,
++ struct mach_o_reloc_info_external * raw,
++ arelent * res,
++ asymbol ** syms,
++ arelent * res_base)
+ {
+ bfd_mach_o_reloc_info reloc;
+
+@@ -161,6 +163,9 @@
+ switch (reloc.r_type)
+ {
+ case BFD_MACH_O_ARM_RELOC_PAIR:
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */
++ if (res == res_base)
++ return FALSE;
+ if (reloc.r_length == 2)
+ {
+ res->howto = &arm_howto_table[7];
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-31 19:18:02.556442454 +0530
++++ git/bfd/vms-alpha.c 2017-08-31 19:20:56.233322607 +0530
+@@ -473,6 +473,14 @@
+
+ vms_debug2 ((8, "_bfd_vms_slurp_eihd\n"));
+
++ /* PR 21813: Check for an undersized record. */
++ if (PRIV (recrd.buf_size) < sizeof (* eihd))
++ {
++ _bfd_error_handler (_("Corrupt EIHD record - size is too small"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ size = bfd_getl32 (eihd->size);
+ imgtype = bfd_getl32 (eihd->imgtype);
+
+@@ -1255,19 +1263,39 @@
+ if (old_flags & EGSY__V_DEF)
+ {
+ struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
++ long psindx;
+
+ entry->value = bfd_getl64 (esdf->value);
+ if (PRIV (sections) == NULL)
+ return FALSE;
+- entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
++
++ psindx = bfd_getl32 (esdf->psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->section = PRIV (sections)[psindx];
+
+ if (old_flags & EGSY__V_NORM)
+ {
+ PRIV (norm_sym_count)++;
+
+ entry->code_value = bfd_getl64 (esdf->code_address);
+- entry->code_section =
+- PRIV (sections)[bfd_getl32 (esdf->ca_psindx)];
++ psindx = bfd_getl32 (esdf->ca_psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->code_section = PRIV (sections)[psindx];
++
+ }
+ }
+ }
+@@ -1294,9 +1322,20 @@
+
+ if (old_flags & EGSY__V_REL)
+ {
++ long psindx;
++
+ if (PRIV (sections) == NULL)
+ return FALSE;
+- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
++ psindx = bfd_getl32 (egst->psindx);
++ /* PR 21813: Check for an out of range index. */
++ if (psindx < 0 || psindx >= (int) PRIV (section_count))
++ {
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
++ psindx);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ entry->section = PRIV (sections)[psindx];
+ }
+ else
+ entry->section = bfd_abs_section_ptr;
+@@ -1387,6 +1426,10 @@
+
+ if (PRIV (sections) == NULL)
+ return;
++
++ if (sect < 0 || sect >= (int) PRIV (section_count))
++ return;
++
+ sec = PRIV (sections)[sect];
+
+ if (info)
+@@ -2360,6 +2403,14 @@
+
+ vms_debug2 ((2, "EEOM\n"));
+
++ /* PR 21813: Check for an undersized record. */
++ if (PRIV (recrd.buf_size) < sizeof (* eeom))
++ {
++ _bfd_error_handler (_("Corrupt EEOM record - size is too small"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps);
+ PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod);
+ if (PRIV (eom_data).eom_w_comcod > 1)
+@@ -2540,6 +2591,10 @@
+ PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
+ }
+
++ /* PR 21813: Check for a truncated record. */
++ if (PRIV (recrd.rec_size < test_len))
++ goto error_ret;
++
+ /* Read the remaining record. */
+ remaining = PRIV (recrd.rec_size) - test_len;
+ to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
+@@ -5074,7 +5129,7 @@
+ }
+ else if (cur_psidx >= 0)
+ {
+- if (PRIV (sections) == NULL)
++ if (PRIV (sections) == NULL || cur_psidx >= (int) PRIV (section_count))
+ return FALSE;
+ reloc->sym_ptr_ptr =
+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-08-31 19:18:01.816438718 +0530
++++ git/binutils/ChangeLog 2017-08-31 19:18:02.624442798 +0530
+@@ -1,3 +1,9 @@
++2017-07-24 Nick Clifton <nickc@redhat.com>
++
++ PR 21813
++ * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
++ string whilst concatenating symbol names.
++
+ 2017-02-14 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21157
+Index: git/binutils/rddbg.c
+===================================================================
+--- git.orig/binutils/rddbg.c 2017-08-31 19:17:51.596387126 +0530
++++ git/binutils/rddbg.c 2017-08-31 19:18:02.624442798 +0530
+@@ -300,7 +300,8 @@
+
+ s = i.name;
+ f = NULL;
+- while (s[strlen (s) - 1] == '\\'
++ while (strlen (s) > 0
++ && s[strlen (s) - 1] == '\\'
+ && ps + 1 < symend)
+ {
+ char *sc, *n;
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch
new file mode 100644
index 0000000000..208bbbafae
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12450_12452_12453_12454_12456_1.patch
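Review bot: The truncated-record test added in alpha_vms_object_p (bfd/vms-alpha.c) is written `if (PRIV (recrd.rec_size < test_len))`, with the comparison inside the macro argument, while every other use in the hunk closes the parenthesis after the field, as in `PRIV (recrd.rec_size) - test_len` two lines below. It presumably still compiles to the intended comparison because PRIV appends its argument to a member access, but the macro is not shown here, so the check's meaning depends on a definition the reader cannot see, and it reads as a typo. Write it as `if (PRIV (recrd.rec_size) < test_len)`. The enclosing function starts and ends outside the hunk.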
@@ -0,0 +1,113 @@
+commit cb06d03ad92ffcfaa09c3f065837cb39e9e1486d
+Author: Nick Clifton <nickc@redhat.com>
+Date: Wed Jun 21 11:13:49 2017 +0100
+
+ Fix address violation parsing a corrupt IEEE Alpha binary.
+
+ PR binutils/21637
+ * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
+ list.
+ (image_set_ptr): Likewise.
+ (alpha_vms_fix_sec_rel): Likewise.
+ (alpha_vms_slurp_relocs): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-31 18:01:00.742098130 +0530
++++ git/bfd/vms-alpha.c 2017-08-31 18:01:06.000000000 +0530
+@@ -1257,6 +1257,8 @@
+ struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
+
+ entry->value = bfd_getl64 (esdf->value);
++ if (PRIV (sections) == NULL)
++ return FALSE;
+ entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
+
+ if (old_flags & EGSY__V_NORM)
+@@ -1291,7 +1293,11 @@
+ entry->symbol_vector = bfd_getl32 (egst->value);
+
+ if (old_flags & EGSY__V_REL)
+- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
++ {
++ if (PRIV (sections) == NULL)
++ return FALSE;
++ entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
++ }
+ else
+ entry->section = bfd_abs_section_ptr;
+
+@@ -1379,6 +1385,8 @@
+
+ vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
+
++ if (PRIV (sections) == NULL)
++ return;
+ sec = PRIV (sections)[sect];
+
+ if (info)
+@@ -1691,7 +1699,12 @@
+ alpha_vms_fix_sec_rel (bfd *abfd, struct bfd_link_info *info,
+ unsigned int rel, bfd_vma vma)
+ {
+- asection *sec = PRIV (sections)[rel & RELC_MASK];
++ asection *sec;
++
++ if (PRIV (sections) == NULL)
++ return 0;
++
++ sec = PRIV (sections)[rel & RELC_MASK];
+
+ if (info)
+ {
+@@ -5000,6 +5013,8 @@
+ return FALSE;
+ }
+
++ if (PRIV (sections) == NULL)
++ return FALSE;
+ sec = PRIV (sections)[cur_psect];
+ if (sec == bfd_abs_section_ptr)
+ {
+@@ -5058,8 +5073,12 @@
+ reloc->sym_ptr_ptr = sym;
+ }
+ else if (cur_psidx >= 0)
+- reloc->sym_ptr_ptr =
+- PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
++ {
++ if (PRIV (sections) == NULL)
++ return FALSE;
++ reloc->sym_ptr_ptr =
++ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
++ }
+ else
+ reloc->sym_ptr_ptr = NULL;
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-31 18:01:06.000000000 +0530
++++ git/bfd/ChangeLog 2017-08-31 18:01:49.114384620 +0530
+@@ -31,7 +31,16 @@
+ correct magic bytes at the start, set the error to wrong format
+ and clear the format selector before returning NULL.
+
+- 2017-06-19 Nick Clifton <nickc@redhat.com>
++ 2017-06-21 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21637
++ * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
++ list.
++ (image_set_ptr): Likewise.
++ (alpha_vms_fix_sec_rel): Likewise.
++ (alpha_vms_slurp_relocs): Likewise.
++
++2017-06-19 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21618
+ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12451.patch
new file mode 100644
index 0000000000..23ddfcf1bc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12451.patch
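Review bot: The guard added to alpha_vms_fix_sec_rel (bfd/vms-alpha.c, in CVE-2017-12450_12452_12453_12454_12456_1.patch) tests only for a NULL section array; the index `rel & RELC_MASK` is still used without being compared to the section count, and the same holds for `PRIV (sections)[cur_psect]` in the alpha_vms_slurp_relocs hunk. The companion patch in this commit (CVE-2017-12450_12452_12453_12454_12456.patch) adds `PRIV (section_count)` checks to _bfd_vms_slurp_egsd, image_set_ptr and the `cur_psidx` lookup, but not to these two sites. Unless the index is bounded earlier, outside the hunks, the test should read `if (PRIV (sections) == NULL || (rel & RELC_MASK) >= PRIV (section_count)) return 0;`, with the equivalent bound on `cur_psect`.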
@@ -0,0 +1,384 @@ +commit 29866fa186ee3ebda5242221607dba360b2e541e +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jul 19 11:07:43 2017 +0100 + + Fix address violation when attempting to read a corrupt field in a COFF archive header structure. + + PR 21786 + * coff-rs6000.c (_bfd_strntol): New function. + (_bfd_strntoll): New function. + (GET_VALUE_IN_FIELD): New macro. + (EQ_VALUE_IN_FIELD): new macro. + (_bfd_xcoff_slurp_armap): Use new macros. + (_bfd_xcoff_archive_p): Likewise. + (_bfd_xcoff_read_ar_hdr): Likewise. + (_bfd_xcoff_openr_next_archived_file): Likewise. + (_bfd_xcoff_stat_arch_elt): Likewise. + +commit 6c4e7b6bfbc4679f695106de2817ecf02b27c8be +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jul 19 16:14:02 2017 +0100 + + Extend previous fix to coff-rs6000.c to coff64-rs6000.c + + PR 21786 + * coff64-rs6000.c (_bfd_strntol): New function. + (_bfd_strntoll): New function. + (GET_VALUE_IN_FIELD): New macro. + (xcoff64_slurp_armap): Use new macros. + +Upstream-Status: backport + +CVE: CVE-2017-12451 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-08-31 16:07:20.966269193 +0530 ++++ git/bfd/ChangeLog 2017-08-31 16:25:04.423155789 +0530 +@@ -13,6 +13,19 @@ + + 2017-07-19 Nick Clifton <nickc@redhat.com> + ++ PR 21786 ++ * coff-rs6000.c (_bfd_strntol): New function. ++ (_bfd_strntoll): New function. ++ (GET_VALUE_IN_FIELD): New macro. ++ (EQ_VALUE_IN_FIELD): new macro. ++ (_bfd_xcoff_slurp_armap): Use new macros. ++ (_bfd_xcoff_archive_p): Likewise. ++ (_bfd_xcoff_read_ar_hdr): Likewise. ++ (_bfd_xcoff_openr_next_archived_file): Likewise. ++ (_bfd_xcoff_stat_arch_elt): Likewise. 
++ ++2017-07-19 Nick Clifton <nickc@redhat.com> ++ + PR 21787 + * archive.c (bfd_generic_archive_p): If the bfd does not have the + correct magic bytes at the start, set the error to wrong format +Index: git/bfd/coff-rs6000.c +=================================================================== +--- git.orig/bfd/coff-rs6000.c 2017-08-31 16:07:14.278208353 +0530 ++++ git/bfd/coff-rs6000.c 2017-08-31 16:24:05.414696722 +0530 +@@ -203,7 +203,8 @@ + }; + + /* Information about one member of an archive. */ +-struct member_layout { ++struct member_layout ++{ + /* The archive member that this structure describes. */ + bfd *member; + +@@ -237,7 +238,8 @@ + }; + + /* A structure used for iterating over the members of an archive. */ +-struct archive_iterator { ++struct archive_iterator ++{ + /* The archive itself. */ + bfd *archive; + +@@ -654,8 +656,6 @@ + end: + return bfd_coff_auxesz (abfd); + } +- +- + + /* The XCOFF reloc table. Actually, XCOFF relocations specify the + bitsize and whether they are signed or not, along with a +@@ -663,7 +663,6 @@ + different algorithms for putting in the reloc. Many of these + relocs need special_function entries, which I have not written. */ + +- + reloc_howto_type xcoff_howto_table[] = + { + /* 0x00: Standard 32 bit relocation. */ +@@ -1185,6 +1184,51 @@ + /* bfd_xcoff_archive_set_magic (abfd, magic); */ + } + ++/* PR 21786: The PE/COFF standard does not require NUL termination for any of ++ the ASCII fields in the archive headers. So in order to be able to extract ++ numerical values we provide our own versions of strtol and strtoll which ++ take a maximum length as an additional parameter. Also - just to save space, ++ we omit the endptr return parameter, since we know that it is never used. */ ++ ++static long ++_bfd_strntol (const char * nptr, int base, unsigned int maxlen) ++{ ++ char buf[24]; /* Should be enough. 
*/ ++ ++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); ++ ++ memcpy (buf, nptr, maxlen); ++ buf[maxlen] = 0; ++ return strtol (buf, NULL, base); ++} ++ ++static long long ++_bfd_strntoll (const char * nptr, int base, unsigned int maxlen) ++{ ++ char buf[32]; /* Should be enough. */ ++ ++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); ++ ++ memcpy (buf, nptr, maxlen); ++ buf[maxlen] = 0; ++ return strtoll (buf, NULL, base); ++} ++ ++/* Macro to read an ASCII value stored in an archive header field. */ ++#define GET_VALUE_IN_FIELD(VAR, FIELD) \ ++ do \ ++ { \ ++ (VAR) = sizeof (VAR) > sizeof (long) \ ++ ? _bfd_strntoll (FIELD, 10, sizeof FIELD) \ ++ : _bfd_strntol (FIELD, 10, sizeof FIELD); \ ++ } \ ++ while (0) ++ ++#define EQ_VALUE_IN_FIELD(VAR, FIELD) \ ++ (sizeof (VAR) > sizeof (long) \ ++ ? (VAR) ==_bfd_strntoll (FIELD, 10, sizeof FIELD) \ ++ : (VAR) == _bfd_strntol (FIELD, 10, sizeof FIELD)) ++ + /* Read in the armap of an XCOFF archive. */ + + bfd_boolean +@@ -1209,7 +1253,7 @@ + /* This is for the old format. */ + struct xcoff_ar_hdr hdr; + +- off = strtol (xcoff_ardata (abfd)->symoff, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (off, xcoff_ardata (abfd)->symoff); + if (off == 0) + { + bfd_has_map (abfd) = FALSE; +@@ -1225,12 +1269,12 @@ + return FALSE; + + /* Skip the name (normally empty). */ +- namlen = strtol (hdr.namlen, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); + off = ((namlen + 1) & ~ (size_t) 1) + SXCOFFARFMAG; + if (bfd_seek (abfd, off, SEEK_CUR) != 0) + return FALSE; + +- sz = strtol (hdr.size, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (sz, hdr.size); + + /* Read in the entire symbol table. */ + contents = (bfd_byte *) bfd_alloc (abfd, sz); +@@ -1264,7 +1308,7 @@ + /* This is for the new format. 
*/ + struct xcoff_ar_hdr_big hdr; + +- off = strtol (xcoff_ardata_big (abfd)->symoff, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (off, xcoff_ardata_big (abfd)->symoff); + if (off == 0) + { + bfd_has_map (abfd) = FALSE; +@@ -1280,15 +1324,12 @@ + return FALSE; + + /* Skip the name (normally empty). */ +- namlen = strtol (hdr.namlen, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); + off = ((namlen + 1) & ~ (size_t) 1) + SXCOFFARFMAG; + if (bfd_seek (abfd, off, SEEK_CUR) != 0) + return FALSE; + +- /* XXX This actually has to be a call to strtoll (at least on 32-bit +- machines) since the field width is 20 and there numbers with more +- than 32 bits can be represented. */ +- sz = strtol (hdr.size, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (sz, hdr.size); + + /* Read in the entire symbol table. */ + contents = (bfd_byte *) bfd_alloc (abfd, sz); +@@ -1393,8 +1434,8 @@ + goto error_ret; + } + +- bfd_ardata (abfd)->first_file_filepos = strtol (hdr.firstmemoff, +- (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (bfd_ardata (abfd)->first_file_filepos, ++ hdr.firstmemoff); + + amt = SIZEOF_AR_FILE_HDR; + bfd_ardata (abfd)->tdata = bfd_zalloc (abfd, amt); +@@ -1469,7 +1510,7 @@ + return NULL; + } + +- namlen = strtol (hdr.namlen, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); + amt = SIZEOF_AR_HDR + namlen + 1; + hdrp = (struct xcoff_ar_hdr *) bfd_alloc (abfd, amt); + if (hdrp == NULL) +@@ -1486,7 +1527,7 @@ + ((char *) hdrp)[SIZEOF_AR_HDR + namlen] = '\0'; + + ret->arch_header = (char *) hdrp; +- ret->parsed_size = strtol (hdr.size, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (ret->parsed_size, hdr.size); + ret->filename = (char *) hdrp + SIZEOF_AR_HDR; + } + else +@@ -1501,7 +1542,7 @@ + return NULL; + } + +- namlen = strtol (hdr.namlen, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); + amt = SIZEOF_AR_HDR_BIG + namlen + 1; + hdrp = (struct xcoff_ar_hdr_big *) bfd_alloc (abfd, amt); + if (hdrp == NULL) +@@ -1518,10 +1559,7 @@ + 
((char *) hdrp)[SIZEOF_AR_HDR_BIG + namlen] = '\0'; + + ret->arch_header = (char *) hdrp; +- /* XXX This actually has to be a call to strtoll (at least on 32-bit +- machines) since the field width is 20 and there numbers with more +- than 32 bits can be represented. */ +- ret->parsed_size = strtol (hdr.size, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (ret->parsed_size, hdr.size); + ret->filename = (char *) hdrp + SIZEOF_AR_HDR_BIG; + } + +@@ -1550,14 +1588,11 @@ + if (last_file == NULL) + filestart = bfd_ardata (archive)->first_file_filepos; + else +- filestart = strtol (arch_xhdr (last_file)->nextoff, (char **) NULL, +- 10); ++ GET_VALUE_IN_FIELD (filestart, arch_xhdr (last_file)->nextoff); + + if (filestart == 0 +- || filestart == strtol (xcoff_ardata (archive)->memoff, +- (char **) NULL, 10) +- || filestart == strtol (xcoff_ardata (archive)->symoff, +- (char **) NULL, 10)) ++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata (archive)->memoff) ++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata (archive)->symoff)) + { + bfd_set_error (bfd_error_no_more_archived_files); + return NULL; +@@ -1568,20 +1603,11 @@ + if (last_file == NULL) + filestart = bfd_ardata (archive)->first_file_filepos; + else +- /* XXX These actually have to be a calls to strtoll (at least +- on 32-bit machines) since the fields's width is 20 and +- there numbers with more than 32 bits can be represented. */ +- filestart = strtol (arch_xhdr_big (last_file)->nextoff, (char **) NULL, +- 10); +- +- /* XXX These actually have to be calls to strtoll (at least on 32-bit +- machines) since the fields's width is 20 and there numbers with more +- than 32 bits can be represented. 
*/ ++ GET_VALUE_IN_FIELD (filestart, arch_xhdr_big (last_file)->nextoff); ++ + if (filestart == 0 +- || filestart == strtol (xcoff_ardata_big (archive)->memoff, +- (char **) NULL, 10) +- || filestart == strtol (xcoff_ardata_big (archive)->symoff, +- (char **) NULL, 10)) ++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata_big (archive)->memoff) ++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata_big (archive)->symoff)) + { + bfd_set_error (bfd_error_no_more_archived_files); + return NULL; +@@ -1606,20 +1632,20 @@ + { + struct xcoff_ar_hdr *hdrp = arch_xhdr (abfd); + +- s->st_mtime = strtol (hdrp->date, (char **) NULL, 10); +- s->st_uid = strtol (hdrp->uid, (char **) NULL, 10); +- s->st_gid = strtol (hdrp->gid, (char **) NULL, 10); +- s->st_mode = strtol (hdrp->mode, (char **) NULL, 8); ++ GET_VALUE_IN_FIELD (s->st_mtime, hdrp->date); ++ GET_VALUE_IN_FIELD (s->st_uid, hdrp->uid); ++ GET_VALUE_IN_FIELD (s->st_gid, hdrp->gid); ++ GET_VALUE_IN_FIELD (s->st_mode, hdrp->mode); + s->st_size = arch_eltdata (abfd)->parsed_size; + } + else + { + struct xcoff_ar_hdr_big *hdrp = arch_xhdr_big (abfd); + +- s->st_mtime = strtol (hdrp->date, (char **) NULL, 10); +- s->st_uid = strtol (hdrp->uid, (char **) NULL, 10); +- s->st_gid = strtol (hdrp->gid, (char **) NULL, 10); +- s->st_mode = strtol (hdrp->mode, (char **) NULL, 8); ++ GET_VALUE_IN_FIELD (s->st_mtime, hdrp->date); ++ GET_VALUE_IN_FIELD (s->st_uid, hdrp->uid); ++ GET_VALUE_IN_FIELD (s->st_gid, hdrp->gid); ++ GET_VALUE_IN_FIELD (s->st_mode, hdrp->mode); + s->st_size = arch_eltdata (abfd)->parsed_size; + } + +Index: git/bfd/coff64-rs6000.c +=================================================================== +--- git.orig/bfd/coff64-rs6000.c 2017-08-31 16:07:14.282208390 +0530 ++++ git/bfd/coff64-rs6000.c 2017-08-31 16:28:43.228864485 +0530 +@@ -1852,6 +1852,46 @@ + return NULL; + } + ++/* PR 21786: The PE/COFF standard does not require NUL termination for any of ++ the ASCII fields in the archive headers. 
So in order to be able to extract ++ numerical values we provide our own versions of strtol and strtoll which ++ take a maximum length as an additional parameter. Also - just to save space, ++ we omit the endptr return parameter, since we know that it is never used. */ ++ ++static long ++_bfd_strntol (const char * nptr, int base, unsigned int maxlen) ++{ ++ char buf[24]; /* Should be enough. */ ++ ++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); ++ ++ memcpy (buf, nptr, maxlen); ++ buf[maxlen] = 0; ++ return strtol (buf, NULL, base); ++} ++ ++static long long ++_bfd_strntoll (const char * nptr, int base, unsigned int maxlen) ++{ ++ char buf[32]; /* Should be enough. */ ++ ++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); ++ ++ memcpy (buf, nptr, maxlen); ++ buf[maxlen] = 0; ++ return strtoll (buf, NULL, base); ++} ++ ++/* Macro to read an ASCII value stored in an archive header field. */ ++#define GET_VALUE_IN_FIELD(VAR, FIELD) \ ++ do \ ++ { \ ++ (VAR) = sizeof (VAR) > sizeof (long) \ ++ ? _bfd_strntoll (FIELD, 10, sizeof FIELD) \ ++ : _bfd_strntol (FIELD, 10, sizeof FIELD); \ ++ } \ ++ while (0) ++ + /* Read in the armap of an XCOFF archive. */ + + static bfd_boolean +@@ -1892,7 +1932,7 @@ + return FALSE; + + /* Skip the name (normally empty). */ +- namlen = strtol (hdr.namlen, (char **) NULL, 10); ++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); + pos = ((namlen + 1) & ~(size_t) 1) + SXCOFFARFMAG; + if (bfd_seek (abfd, pos, SEEK_CUR) != 0) + return FALSE; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14729.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14729.patch new file mode 100644 index 0000000000..09d5143829 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14729.patch 
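Review bot: `GET_VALUE_IN_FIELD` hard-codes base 10, but the `st_mode` lines it replaces in the coff-rs6000.c stat hunk parsed the field as octal (`strtol (hdrp->mode, (char **) NULL, 8)`), so file modes from an archive header are now decoded with the wrong radix. The macro should take the base as a third argument, `#define GET_VALUE_IN_FIELD(VAR, FIELD, BASE)`, with `GET_VALUE_IN_FIELD (s->st_mode, hdrp->mode, 8);` at both `st_mode` sites and `10` at the others. Separately, `_bfd_strntol` and `_bfd_strntoll` rely on `BFD_ASSERT` to bound `maxlen`; if that assertion only reports and continues (worth confirming), the `memcpy` still runs, so clamping `maxlen` to `sizeof (buf) - 1` would be more robust.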
@@ -0,0 +1,45 @@ +commit 61e3bf5f83f7e505b6bc51ef65426e5b31e6e360 +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Fri Sep 22 14:15:40 2017 -0700 + +x86: Guard against corrupted PLT + +There should be only one entry in PLT for a given symbol. Set howto to +NULL after processing a PLT entry to guard against corrupted PLT so that +the duplicated PLT entries are skipped. + +PR binutils/22170 + +Upstream-Status: Backport + +CVE: CVE-2017-14729 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> +Index: git/bfd/elf-ifunc.c +=================================================================== +--- git.orig/bfd/elf-ifunc.c 2017-11-08 12:34:22.063320490 +0530 ++++ git/bfd/elf-ifunc.c 2017-11-08 12:34:29.995404891 +0530 +@@ -473,6 +473,10 @@ + memcpy (names, "@plt", sizeof ("@plt")); + names += sizeof ("@plt"); + ++s, ++n; ++ /* There should be only one entry in PLT for a given ++ symbol. Set howto to NULL after processing a PLT ++ entry to guard against corrupted PLT. */ ++ p->howto = NULL; + } + + free (plt_sym_val); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-11-08 12:34:29.939404297 +0530 ++++ git/bfd/ChangeLog 2017-11-08 12:35:55.660271599 +0530 +@@ -1,3 +1,9 @@ ++2017-09-22 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/22170 ++ * elf-ifunc.c (elf_get_synthetic_symtab): Guard against ++ corrupted PLT. ++ + 2017-07-27 Nick Clifton <nickc@redhat.com> + + PR 21840 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch new file mode 100644 index 0000000000..ef42b13597 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch 
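Review bot: The added `p->howto = NULL;` in elf-ifunc.c guards against duplicate PLT entries only if the enclosing loop skips relocations whose `howto` is NULL, and that test is not visible in this hunk. Because this is a backport onto an older tree, it is worth confirming the skip exists there; without it a repeated PLT entry is processed again and the assignment has no effect. The new comment could also say where the NULL is consumed, for example `Entries whose howto is NULL are skipped earlier in this loop.`, adjusted to wherever the check actually sits.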
@@ -0,0 +1,241 @@ +commit 52a93b95ec0771c97e26f0bb28630a271a667bd2 +Author: Alan Modra <amodra@gmail.com> +Date: Sun Sep 24 14:37:16 2017 +0930 + + PR22187, infinite loop in find_abstract_instance_name + + This patch prevents the simple case of infinite recursion in + find_abstract_instance_name by ensuring that the attributes being + processed are not the same as the previous call. + + The patch also does a little cleanup, and leaves in place some changes + to the nested_funcs array that I made when I wrongly thought looping + might occur in scan_unit_for_symbols. + + PR 22187 + * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and + pname param. Return status. Make name const. Don't abort, + return an error. Formatting. Exit if current info_ptr matches + orig_info_ptr. Update callers. + (scan_unit_for_symbols): Start at nesting_level of zero. Make + nested_funcs an array of structs for extensibility. Formatting. + +Upstream-Status: Backport + +CVE: CVE-2017-15024 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c 2017-11-08 12:44:59.198052588 +0530 ++++ git/bfd/dwarf2.c 2017-11-08 12:45:10.670155730 +0530 +@@ -2273,9 +2273,11 @@ + return FALSE; + } + +-static char * ++static bfd_boolean + find_abstract_instance_name (struct comp_unit *unit, ++ bfd_byte *orig_info_ptr, + struct attribute *attr_ptr, ++ const char **pname, + bfd_boolean *is_linkage) + { + bfd *abfd = unit->abfd; +@@ -2285,7 +2287,7 @@ + struct abbrev_info *abbrev; + bfd_uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; +- char *name = NULL; ++ const char *name = NULL; + + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ +@@ -2294,7 +2296,12 @@ + /* We only support DW_FORM_ref_addr within the same file, so + any relocations should be resolved already. 
*/ + if (!die_ref) +- abort (); ++ { ++ _bfd_error_handler ++ (_("Dwarf Error: Abstract instance DIE ref zero.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } + + info_ptr = unit->sec_info_ptr + die_ref; + info_ptr_end = unit->end_ptr; +@@ -2329,9 +2336,10 @@ + (*_bfd_error_handler) + (_("Dwarf Error: Unable to read alt ref %u."), die_ref); + bfd_set_error (bfd_error_bad_value); +- return NULL; ++ return FALSE; + } +- info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size; ++ info_ptr_end = (unit->stash->alt_dwarf_info_buffer ++ + unit->stash->alt_dwarf_info_size); + + /* FIXME: Do we need to locate the correct CU, in a similar + fashion to the code in the DW_FORM_ref_addr case above ? */ +@@ -2353,6 +2361,7 @@ + (*_bfd_error_handler) + (_("Dwarf Error: Could not find abbrev number %u."), abbrev_number); + bfd_set_error (bfd_error_bad_value); ++ return FALSE; + } + else + { +@@ -2362,6 +2371,15 @@ + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; ++ /* It doesn't ever make sense for DW_AT_specification to ++ refer to the same DIE. Stop simple recursion. 
*/ ++ if (info_ptr == orig_info_ptr) ++ { ++ _bfd_error_handler ++ (_("Dwarf Error: Abstract instance recursion detected.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } + switch (attr.name) + { + case DW_AT_name: +@@ -2375,7 +2393,9 @@ + } + break; + case DW_AT_specification: +- name = find_abstract_instance_name (unit, &attr, is_linkage); ++ if (!find_abstract_instance_name (unit, info_ptr, &attr, ++ pname, is_linkage)) ++ return FALSE; + break; + case DW_AT_linkage_name: + case DW_AT_MIPS_linkage_name: +@@ -2393,7 +2413,8 @@ + } + } + } +- return name; ++ *pname = name; ++ return TRUE; + } + + static bfd_boolean +@@ -2454,20 +2475,22 @@ + bfd *abfd = unit->abfd; + bfd_byte *info_ptr = unit->first_child_die_ptr; + bfd_byte *info_ptr_end = unit->stash->info_ptr_end; +- int nesting_level = 1; +- struct funcinfo **nested_funcs; ++ int nesting_level = 0; ++ struct nest_funcinfo { ++ struct funcinfo *func; ++ } *nested_funcs; + int nested_funcs_size; + + /* Maintain a stack of in-scope functions and inlined functions, which we + can use to set the caller_func field. 
*/ + nested_funcs_size = 32; +- nested_funcs = (struct funcinfo **) +- bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *)); ++ nested_funcs = (struct nest_funcinfo *) ++ bfd_malloc (nested_funcs_size * sizeof (*nested_funcs)); + if (nested_funcs == NULL) + return FALSE; +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + +- while (nesting_level) ++ while (nesting_level >= 0) + { + unsigned int abbrev_number, bytes_read, i; + struct abbrev_info *abbrev; +@@ -2516,13 +2539,13 @@ + BFD_ASSERT (!unit->cached); + + if (func->tag == DW_TAG_inlined_subroutine) +- for (i = nesting_level - 1; i >= 1; i--) +- if (nested_funcs[i]) ++ for (i = nesting_level; i-- != 0; ) ++ if (nested_funcs[i].func) + { +- func->caller_func = nested_funcs[i]; ++ func->caller_func = nested_funcs[i].func; + break; + } +- nested_funcs[nesting_level] = func; ++ nested_funcs[nesting_level].func = func; + } + else + { +@@ -2541,12 +2564,13 @@ + } + + /* No inline function in scope at this nesting level. 
*/ +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + } + + for (i = 0; i < abbrev->num_attrs; ++i) + { +- info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end); ++ info_ptr = read_attribute (&attr, &abbrev->attrs[i], ++ unit, info_ptr, info_ptr_end); + if (info_ptr == NULL) + goto fail; + +@@ -2565,8 +2589,10 @@ + + case DW_AT_abstract_origin: + case DW_AT_specification: +- func->name = find_abstract_instance_name (unit, &attr, +- &func->is_linkage); ++ if (!find_abstract_instance_name (unit, info_ptr, &attr, ++ &func->name, ++ &func->is_linkage)) ++ goto fail; + break; + + case DW_AT_name: +@@ -2691,17 +2717,17 @@ + + if (nesting_level >= nested_funcs_size) + { +- struct funcinfo **tmp; ++ struct nest_funcinfo *tmp; + + nested_funcs_size *= 2; +- tmp = (struct funcinfo **) ++ tmp = (struct nest_funcinfo *) + bfd_realloc (nested_funcs, +- nested_funcs_size * sizeof (struct funcinfo *)); ++ nested_funcs_size * sizeof (*nested_funcs)); + if (tmp == NULL) + goto fail; + nested_funcs = tmp; + } +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + } + } + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-11-08 12:45:10.614155229 +0530 ++++ git/bfd/ChangeLog 2017-11-08 12:46:55.791054918 +0530 +@@ -1,3 +1,13 @@ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22187 ++ * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and ++ pname param. Return status. Make name const. Don't abort, ++ return an error. Formatting. Exit if current info_ptr matches ++ orig_info_ptr. Update callers. ++ (scan_unit_for_symbols): Start at nesting_level of zero. Make ++ nested_funcs an array of structs for extensibility. Formatting. ++ + 2017-09-22 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/22170 
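Review bot: In `find_abstract_instance_name`, the `DW_AT_specification` case passes `pname` to the recursive call, but the function ends with `*pname = name;` using the local `name`, which the recursive call never sets. Unless `name` is assigned in the part of the loop outside these hunks, a name found through the specification chain is overwritten, possibly with NULL. Passing the local instead, `if (!find_abstract_instance_name (unit, info_ptr, &attr, &name, is_linkage))`, would keep the behaviour of the old `name = find_abstract_instance_name (...)` line. Also, the `info_ptr == orig_info_ptr` test stops only a DIE that refers to itself; a cycle through two or more DIEs still recurses without bound, so a depth limit would be a more complete guard.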
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
new file mode 100644
index 0000000000..25d6f3a32a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
@@ -0,0 +1,153 @@ +commit 1b86808a86077722ee4f42ff97f836b12420bb2a +Author: Alan Modra <amodra@gmail.com> +Date: Tue Sep 26 21:47:24 2017 +0930 + + PR22209, invalid memory read in find_abstract_instance_name + + This patch adds bounds checking for DW_FORM_ref_addr die refs, and + calculates them relative to the first .debug_info section. See the + big comment for why calculating relative to the current .debug_info + section was wrong for relocatable object files. + + PR 22209 + * dwarf2.c (struct comp_unit): Delete sec_info_ptr field. + (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative + to stash->info_ptr_memory, and check die_ref is within that memory. + Set info_ptr_end correctly when another CU is refd. Check die_ref + for DW_FORM_ref4 etc. is within CU. + +Upstream-Status: Backport + +CVE: CVE-2017-15938 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c 2017-11-07 18:52:19.896253364 +0530 ++++ git/bfd/dwarf2.c 2017-11-07 18:52:19.952253802 +0530 +@@ -119,8 +119,7 @@ + + /* A pointer to the memory block allocated for info_ptr. Neither + info_ptr nor sec_info_ptr are guaranteed to stay pointing to the +- beginning of the malloc block. This is used only to free the +- memory later. */ ++ beginning of the malloc block. */ + bfd_byte *info_ptr_memory; + + /* Pointer to the symbol table. */ +@@ -238,9 +237,6 @@ + by its reference. */ + bfd_byte *info_ptr_unit; + +- /* Pointer to the start of the debug section, for DW_FORM_ref_addr. */ +- bfd_byte *sec_info_ptr; +- + /* The offset into .debug_line of the line number table. */ + unsigned long line_offset; + +@@ -2294,21 +2290,37 @@ + if (attr_ptr->form == DW_FORM_ref_addr) + { + /* We only support DW_FORM_ref_addr within the same file, so +- any relocations should be resolved already. */ +- if (!die_ref) ++ any relocations should be resolved already. 
Check this by ++ testing for a zero die_ref; There can't be a valid reference ++ to the header of a .debug_info section. ++ DW_FORM_ref_addr is an offset relative to .debug_info. ++ Normally when using the GNU linker this is accomplished by ++ emitting a symbolic reference to a label, because .debug_info ++ sections are linked at zero. When there are multiple section ++ groups containing .debug_info, as there might be in a ++ relocatable object file, it would be reasonable to assume that ++ a symbolic reference to a label in any .debug_info section ++ might be used. Since we lay out multiple .debug_info ++ sections at non-zero VMAs (see place_sections), and read ++ them contiguously into stash->info_ptr_memory, that means ++ the reference is relative to stash->info_ptr_memory. */ ++ size_t total; ++ ++ info_ptr = unit->stash->info_ptr_memory; ++ info_ptr_end = unit->stash->info_ptr_end; ++ total = info_ptr_end - info_ptr; ++ if (!die_ref || die_ref >= total) + { + _bfd_error_handler +- (_("Dwarf Error: Abstract instance DIE ref zero.")); ++ (_("Dwarf Error: Invalid abstract instance DIE ref.")); + bfd_set_error (bfd_error_bad_value); + return FALSE; + } +- +- info_ptr = unit->sec_info_ptr + die_ref; +- info_ptr_end = unit->end_ptr; ++ info_ptr += die_ref; + + /* Now find the CU containing this pointer. */ + if (info_ptr >= unit->info_ptr_unit && info_ptr < unit->end_ptr) +- ; ++ info_ptr_end = unit->end_ptr; + else + { + /* Check other CUs to see if they contain the abbrev. */ +@@ -2324,7 +2336,10 @@ + break; + + if (u) +- unit = u; ++ { ++ unit = u; ++ info_ptr_end = unit->end_ptr; ++ } + /* else FIXME: What do we do now ? */ + } + } +@@ -2346,8 +2361,22 @@ + } + else + { +- info_ptr = unit->info_ptr_unit + die_ref; ++ /* DW_FORM_ref1, DW_FORM_ref2, DW_FORM_ref4, DW_FORM_ref8 or ++ DW_FORM_ref_udata. These are all references relative to the ++ start of the current CU. 
*/ ++ size_t total; ++ ++ info_ptr = unit->info_ptr_unit; + info_ptr_end = unit->end_ptr; ++ total = info_ptr_end - info_ptr; ++ if (!die_ref || die_ref >= total) ++ { ++ _bfd_error_handler ++ (_("Dwarf Error: Invalid abstract instance DIE ref.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ info_ptr += die_ref; + } + + abbrev_number = safe_read_leb128 (abfd, info_ptr, &bytes_read, FALSE, info_ptr_end); +@@ -2846,7 +2875,6 @@ + unit->end_ptr = end_ptr; + unit->stash = stash; + unit->info_ptr_unit = info_ptr_unit; +- unit->sec_info_ptr = stash->sec_info_ptr; + + for (i = 0; i < abbrev->num_attrs; ++i) + { +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-11-07 18:52:19.900253395 +0530 ++++ git/bfd/ChangeLog 2017-11-07 18:53:29.668799630 +0530 +@@ -1,3 +1,12 @@ ++2017-09-26 Alan Modra <amodra@gmail.com> ++ ++ PR 22209 ++ * dwarf2.c (struct comp_unit): Delete sec_info_ptr field. ++ (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative ++ to stash->info_ptr_memory, and check die_ref is within that memory. ++ Set info_ptr_end correctly when another CU is refd. Check die_ref ++ for DW_FORM_ref4 etc. is within CU. ++ + 2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22187 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch new file mode 100644 index 0000000000..eb9fc6f36c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch 
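Review bot: In the `DW_FORM_ref_addr` branch of the dwarf2.c patch, when no compilation unit contains the target (`u` is NULL) control still passes the `/* else FIXME: What do we do now ? */` line and goes on to parse at `info_ptr`, with `unit` unchanged and `info_ptr_end` left at `unit->stash->info_ptr_end`. The new `die_ref >= total` test keeps the pointer inside the buffer, but the DIE is then presumably decoded against the wrong unit's abbreviations (the lookup is outside this hunk). Failing explicitly there, `else { bfd_set_error (bfd_error_bad_value); return FALSE; }`, may be safer, provided units that have not been parsed yet are not expected to reach this path.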
@@ -0,0 +1,40 @@ +commit 69ace2200106348a1b00d509a6a234337c104c17 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Dec 1 15:20:19 2016 +0000 + + Fix seg fault attempting to unget an EOF character. + + PR gas/20898 + * app.c (do_scrub_chars): Do not attempt to unget EOF. + +Upstream-Status: backport + +CVE: CVE-2017-7223 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/gas/ChangeLog +=================================================================== +--- git.orig/gas/ChangeLog 2017-09-04 12:42:08.941602299 +0530 ++++ git/gas/ChangeLog 2017-09-04 12:48:28.863820763 +0530 +@@ -1,3 +1,8 @@ ++2016-12-01 Nick Clifton <nickc@redhat.com> ++ ++ PR gas/20898 ++ * app.c (do_scrub_chars): Do not attempt to unget EOF. ++ + 2016-08-05 Nick Clifton <nickc@redhat.com> + + PR gas/20364 +Index: git/gas/app.c +=================================================================== +--- git.orig/gas/app.c 2017-09-04 12:42:05.261580103 +0530 ++++ git/gas/app.c 2017-09-04 12:47:19.923428673 +0530 +@@ -1187,7 +1187,7 @@ + state = -2; + break; + } +- else ++ else if (ch2 != EOF) + { + UNGET (ch2); + } diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7224.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7224.patch new file mode 100644 index 0000000000..fb9ce90740 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7224.patch 
@@ -0,0 +1,48 @@ +commit e82ab856bb4689330c29fb9f1c57a8555b26380e +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Dec 1 10:49:39 2016 +0000 + + Fix a seg-fault disassembling a corrupt binary. + + PR binutils/20892 + * aoutx.h (find_nearest_line): Handle the case where the function + name is empty. + +Upstream-Status: Backport + +CVE: CVE-2017-7224 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 12:54:37.513859864 +0530 ++++ git/bfd/ChangeLog 2017-09-04 13:00:22.891753836 +0530 +@@ -120,6 +120,10 @@ + * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over + the end of the string buffer. + ++ PR binutils/20892 ++ * aoutx.h (find_nearest_line): Handle the case where the function ++ name is empty. ++ + 2016-08-02 Nick Clifton <nickc@redhat.com> + + PR ld/17739 +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h 2017-09-04 12:54:35.957851411 +0530 ++++ git/bfd/aoutx.h 2017-09-04 12:57:50.634902163 +0530 +@@ -2819,6 +2819,13 @@ + const char *function = func->name; + char *colon; + ++ if (buf == NULL) ++ { ++ /* PR binutils/20892: In a corrupt input file func can be empty. */ ++ * functionname_ptr = NULL; ++ return TRUE; ++ } ++ + /* The caller expects a symbol name. We actually have a + function name, without the leading underscore. Put the + underscore back in, so that the caller gets a symbol name. */ diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch new file mode 100644 index 0000000000..699905a4d0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch 
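Review bot: The comment on the new early return in `find_nearest_line` says `func` can be empty, but the condition tested is `buf == NULL`, and `func->name` has already been read on the line above it. The comment should describe the condition that is actually checked, for example `/* PR binutils/20892: no name buffer is available for a corrupt input file, so report no function name. */`. How `buf` ends up NULL is decided outside the hunk, so the wording should be checked against the allocation code.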
@@ -0,0 +1,66 @@ +commit 50455f1ab2935f7321215dfa681745c9b1cb5b19 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Dec 1 10:15:07 2016 +0000 + + Fix seg-fault running addr2line on a corrupt binary. + + PR binutils/20891 + * aoutx.h (find_nearest_line): Handle the case where the main file + name and the directory name are both empty. + +Upstream-Status: backport + +CVE: CVE-2017-7225 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 13:04:20.941485636 +0530 ++++ git/bfd/ChangeLog 2017-09-04 13:08:05.003175703 +0530 +@@ -120,6 +120,12 @@ + * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over + the end of the string buffer. + ++2016-12-01 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/20891 ++ * aoutx.h (find_nearest_line): Handle the case where the main file ++ name and the directory name are both empty. ++ + PR binutils/20892 + * aoutx.h (find_nearest_line): Handle the case where the function + name is empty. +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h 2017-09-04 13:04:20.941485636 +0530 ++++ git/bfd/aoutx.h 2017-09-04 13:10:55.856441243 +0530 +@@ -2663,7 +2663,7 @@ + char *buf; + + *filename_ptr = abfd->filename; +- *functionname_ptr = 0; ++ *functionname_ptr = NULL; + *line_ptr = 0; + if (disriminator_ptr) + *disriminator_ptr = 0; +@@ -2808,9 +2808,17 @@ + *filename_ptr = main_file_name; + else + { +- sprintf (buf, "%s%s", directory_name, main_file_name); +- *filename_ptr = buf; +- buf += filelen + 1; ++ if (buf == NULL) ++ /* PR binutils/20891: In a corrupt input file both ++ main_file_name and directory_name can be empty... */ ++ * filename_ptr = NULL; ++ else ++ { ++ snprintf (buf, filelen + 1, "%s%s", directory_name, ++ main_file_name); ++ *filename_ptr = buf; ++ buf += filelen + 1; ++ } + } + } + 
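Review bot: In the second bfd/aoutx.h hunk the new branch stores `* filename_ptr = NULL` without signalling failure, so callers of find_nearest_line can now receive a NULL file name from a call that presumably still reports success. That contract change should be stated in the function's header comment, and the callers should be checked for NULL handling. The replacement `snprintf (buf, filelen + 1, ...)` depends on `filelen`, which is computed outside the hunk, and its return value is ignored; comparing the result with `filelen` would make a truncated name visible instead of silent.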
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7226.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7226.patch new file mode 100644 index 0000000000..7525f34324 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7226.patch @@ -0,0 +1,42 @@ +Fix seg-fault in the binutils utilities when reading a corrupt input file. + +PR binutils/20905 +* peicode.h (pe_ILF_object_p): Use strnlen to avoid running over +the end of the string buffer. + +Upstream-Status: Backport + +CVE: CVE-2017-7226 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-08-23 13:59:16.868424171 +0530 ++++ git/bfd/ChangeLog 2017-08-23 14:03:22.683013823 +0530 +@@ -39,6 +39,12 @@ + (bfd_elf_final_link): Only initialize the extended symbol index + section if there are extended symbol tables to list. + ++2016-12-05 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/20905 ++ * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over ++ the end of the string buffer. ++ + 2016-08-02 Nick Clifton <nickc@redhat.com> + + PR ld/17739 +Index: git/bfd/peicode.h +=================================================================== +--- git.orig/bfd/peicode.h 2017-08-23 13:59:06.948319100 +0530 ++++ git/bfd/peicode.h 2017-08-23 13:59:16.920424722 +0530 +@@ -1264,7 +1264,8 @@ + } + + symbol_name = (char *) ptr; +- source_dll = symbol_name + strlen (symbol_name) + 1; ++ /* See PR 20905 for an example of where the strnlen is necessary. */ ++ source_dll = symbol_name + strnlen (symbol_name, size - 1) + 1; + + /* Verify that the strings are null terminated. */ + if (ptr[size - 1] != 0 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7227.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7227.patch new file mode 100644 index 0000000000..1fa98e19be --- /dev/null 
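Review bot: `strnlen (symbol_name, size - 1)` in the bfd/peicode.h hunk wraps to a very large bound if `size` is zero and unsigned, which would undo the limit this patch adds. The hunk shows no zero-size guard before this line, and `ptr[size - 1]` two lines later has the same dependency. If pe_ILF_object_p does not already reject a zero `size` earlier (outside the hunk), it should do so before computing `source_dll`. This patch header also carries no upstream commit id, unlike its siblings, which makes the backport harder to trace.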
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7227.patch @@ -0,0 +1,49 @@ +commit 406bd128dba2a59d0736839fc87a59bce319076c +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Dec 5 16:00:43 2016 +0000 + + Fix seg-fault in linker when passed a bogus input script. + + PR ld/20906 + * ldlex.l: Check for bogus strings in linker scripts. + +Upstream-Status: backport + +CVE: CVE-2017-7227 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/ld/ChangeLog +=================================================================== +--- git.orig/ld/ChangeLog 2017-09-04 13:18:09.660584245 +0530 ++++ git/ld/ChangeLog 2017-09-04 13:20:34.286155911 +0530 +@@ -1,3 +1,8 @@ ++2016-12-05 Nick Clifton <nickc@redhat.com> ++ ++ PR ld/20906 ++ * ldlex.l: Check for bogus strings in linker scripts. ++ + 2016-08-02 Nick Clifton <nickc@redhat.com> + + PR ld/17739 +Index: git/ld/ldlex.l +=================================================================== +--- git.orig/ld/ldlex.l 2017-09-04 13:18:09.692584605 +0530 ++++ git/ld/ldlex.l 2017-09-04 13:22:54.483583368 +0530 +@@ -416,9 +416,15 @@ + + <EXPRESSION,BOTH,SCRIPT,VERS_NODE,INPUTLIST>"\""[^\"]*"\"" { + /* No matter the state, quotes +- give what's inside */ ++ give what's inside. */ ++ bfd_size_type len; + yylval.name = xstrdup (yytext + 1); +- yylval.name[yyleng - 2] = 0; ++ /* PR ld/20906. A corrupt input file ++ can contain bogus strings. */ ++ len = strlen (yylval.name); ++ if (len > yyleng - 2) ++ len = yyleng - 2; ++ yylval.name[len] = 0; + return NAME; + } + <BOTH,SCRIPT,EXPRESSION>"\n" { lineno++;} diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch new file mode 100644 index 0000000000..50a48bc549 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_1.patch 
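Review bot: The clamp `if (len > yyleng - 2)` in the ld/ldlex.l hunk compares a `bfd_size_type` with an expression built from `yyleng`, which in flex scanners is usually a signed int, so the comparison is mixed-sign. It is correct only because the rule's pattern requires both quote characters and therefore `yyleng >= 2`. I would say so next to the check, e.g. `/* The pattern guarantees yyleng >= 2, so yyleng - 2 cannot be negative. */`, or cast explicitly with `if (len > (bfd_size_type) (yyleng - 2))`.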
@@ -0,0 +1,47 @@ +commit d7f399a8de4c55eb841db6493597a587fac002de +Author: Nick Clifton <nickc@redhat.com> +Date: Fri Dec 2 17:46:26 2016 +0000 + + Fix seg-fault in linker when passed a corrupt binary input file. + + PR lf/20908 + * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries + when following indirect links. + +Upstream-Status: Backport + +CVE: CVE-2017-7299 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/elflink.c +=================================================================== +--- git.orig/bfd/elflink.c 2017-09-20 14:15:26.337333504 +0530 ++++ git/bfd/elflink.c 2017-09-20 14:20:19.000000000 +0530 +@@ -11201,6 +11201,12 @@ + asection *sec; + + sec = p->u.indirect.section; ++ /* See PR 20908 for a reproducer. */ ++ if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour) ++ { ++ _bfd_error_handler (_("%B: not in ELF format"), sec->owner); ++ goto error_return; ++ } + esdi = elf_section_data (sec); + + /* Mark all sections which are to be included in the +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-20 14:20:19.000000000 +0530 ++++ git/bfd/ChangeLog 2017-09-20 14:23:48.743556932 +0530 +@@ -192,6 +192,10 @@ + + 2016-12-02 Nick Clifton <nickc@redhat.com> + ++ PR lf/20908 ++ * elflink.c (bfd_elf_final_link): Check for ELF flavour binaries ++ when following indirect links. ++ + PR ld/20909 + * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check + for an illegal string offset. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch new file mode 100644 index 0000000000..7691b122ce --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7299_2.patch 
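Review bot: This patch adds a hard failure (`goto error_return`) for any indirect section whose owner is not ELF, and CVE-2017-7299_2.patch in the same commit removes exactly these lines because, per its title, they broke linking of non-ELF files. Carrying the two as separate patches leaves a known-broken state if only `_1` is applied or if `_2` fails to apply. I would either squash them into one patch for CVE-2017-7299 or add a line to this header such as `Note: must be applied together with CVE-2017-7299_2.patch, which reverts this check.`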
@@ -0,0 +1,120 @@ +commit a961cdd5f139d3c3e09170db52bd8df7dafae13f +Author: Alan Modra <amodra@gmail.com> +Date: Thu Dec 15 21:29:44 2016 +1030 + + Linking non-ELF file broken by PR20908 fix + + PR ld/20968 + PR ld/20908 + * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move + reloc counting code later after ELF flavour test. + +Upstream-Status: Backport + +CVE: CVE-2017-7299 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/elflink.c +=================================================================== +--- git.orig/bfd/elflink.c 2017-09-20 14:15:28.133343092 +0530 ++++ git/bfd/elflink.c 2017-09-20 14:15:28.189343391 +0530 +@@ -11201,13 +11201,6 @@ + asection *sec; + + sec = p->u.indirect.section; +- /* See PR 20908 for a reproducer. */ +- if (bfd_get_flavour (sec->owner) != bfd_target_elf_flavour) +- { +- _bfd_error_handler (_("%B: not in ELF format"), sec->owner); +- goto error_return; +- } +- esdi = elf_section_data (sec); + + /* Mark all sections which are to be included in the + link. This will normally be every section. We need +@@ -11218,37 +11211,18 @@ + if (sec->flags & SEC_MERGE) + merged = TRUE; + +- if (esdo->this_hdr.sh_type == SHT_REL +- || esdo->this_hdr.sh_type == SHT_RELA) +- /* Some backends use reloc_count in relocation sections +- to count particular types of relocs. Of course, +- reloc sections themselves can't have relocations. */ +- reloc_count = 0; +- else if (emit_relocs) +- { +- reloc_count = sec->reloc_count; +- if (bed->elf_backend_count_additional_relocs) +- { +- int c; +- c = (*bed->elf_backend_count_additional_relocs) (sec); +- additional_reloc_count += c; +- } +- } +- else if (bed->elf_backend_count_relocs) +- reloc_count = (*bed->elf_backend_count_relocs) (info, sec); +- + if (sec->rawsize > max_contents_size) + max_contents_size = sec->rawsize; + if (sec->size > max_contents_size) + max_contents_size = sec->size; + +- /* We are interested in just local symbols, not all +- symbols. 
*/ + if (bfd_get_flavour (sec->owner) == bfd_target_elf_flavour + && (sec->owner->flags & DYNAMIC) == 0) + { + size_t sym_count; + ++ /* We are interested in just local symbols, not all ++ symbols. */ + if (elf_bad_symtab (sec->owner)) + sym_count = (elf_tdata (sec->owner)->symtab_hdr.sh_size + / bed->s->sizeof_sym); +@@ -11262,6 +11236,27 @@ + && elf_symtab_shndx_list (sec->owner) != NULL) + max_sym_shndx_count = sym_count; + ++ if (esdo->this_hdr.sh_type == SHT_REL ++ || esdo->this_hdr.sh_type == SHT_RELA) ++ /* Some backends use reloc_count in relocation sections ++ to count particular types of relocs. Of course, ++ reloc sections themselves can't have relocations. */ ++ ; ++ else if (emit_relocs) ++ { ++ reloc_count = sec->reloc_count; ++ if (bed->elf_backend_count_additional_relocs) ++ { ++ int c; ++ c = (*bed->elf_backend_count_additional_relocs) (sec); ++ additional_reloc_count += c; ++ } ++ } ++ else if (bed->elf_backend_count_relocs) ++ reloc_count = (*bed->elf_backend_count_relocs) (info, sec); ++ ++ esdi = elf_section_data (sec); ++ + if ((sec->flags & SEC_RELOC) != 0) + { + size_t ext_size = 0; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-20 14:15:28.013342453 +0530 ++++ git/bfd/ChangeLog 2017-09-20 14:19:06.990419395 +0530 +@@ -156,6 +156,13 @@ + (bfd_elf_final_link): Only initialize the extended symbol index + section if there are extended symbol tables to list. + ++2016-12-15 Alan Modra <amodra@gmail.com> ++ ++ PR ld/20968 ++ PR ld/20908 ++ * elflink.c (bfd_elf_final_link): Revert 2016-12-02 change. Move ++ reloc counting code later after ELF flavour test. ++ + 2016-12-06 Nick Clifton <nickc@redhat.com> + + PR binutils/20931 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7300.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7300.patch new file mode 100644 index 0000000000..c4432e76b0 --- /dev/null 
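Review bot: In the relocated block the SHT_REL/SHT_RELA branch is now a bare `;` where the old code had `reloc_count = 0;`, so the result depends on `reloc_count` already being zero when this point is reached. That initialisation is outside the hunk; if it is per-iteration the empty statement is fine, but keeping `reloc_count = 0;` would make the branch self-contained. `esdi = elf_section_data (sec);` is likewise assigned only inside the ELF-flavour branch now, so any use of `esdi` after that branch (not visible here) needs checking.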
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7300.patch @@ -0,0 +1,55 @@ +From 531336e3a0b79ed60cfc36ad2d6579b6a71175da Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 2 Dec 2016 16:41:14 +0000 +Subject: [PATCH] Fix seg-fault in the linker when examining a corrupt binary. + + PR ld/20909 + * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check + for an illegal string offset. + +Upstream-Status: Backport +CVE: CVE-2017-7300 +VER: < 2.27-r0.9.1 +Signed-off-by: Manjunath Matti <mmatti@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/aoutx.h | 3 +-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/bfd/ChangeLog b/bfd/ChangeLog +index d061e66..c8085e7 100644 +--- a/bfd/ChangeLog ++++ b/bfd/ChangeLog +@@ -175,6 +175,12 @@ + * aoutx.h (find_nearest_line): Handle the case where the function + name is empty. + ++2016-12-02 Nick Clifton <nickc@redhat.com> ++ ++ PR ld/20909 ++ * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check ++ for an illegal string offset. ++ + 2016-08-02 Nick Clifton <nickc@redhat.com> + + PR ld/17739 +diff --git a/bfd/aoutx.h b/bfd/aoutx.h +index 4308679..b9ac2b7 100644 +--- a/bfd/aoutx.h ++++ b/bfd/aoutx.h +@@ -3031,10 +3031,9 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info) + continue; + + /* PR 19629: Corrupt binaries can contain illegal string offsets. */ +- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) ++ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) + return FALSE; + name = strings + GET_WORD (abfd, p->e_strx); +- + value = GET_WORD (abfd, p->e_value); + flags = BSF_GLOBAL; + string = NULL; +-- +2.9.3 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch new file mode 100644 index 0000000000..36b4259fde --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch 
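Review bot: With `>=` the offset is now inside the string table, but the check does not bound where the string starting at `strings + GET_WORD (abfd, p->e_strx)` ends; if the table's last byte is not NUL, later reads of `name` can still run past it. Whether the code that loads the table forces termination is not visible in this hunk, and the two identical checks changed in CVE-2017-7301.patch rest on the same assumption. A comment next to the check recording that guarantee, and where it is established, would let a reader confirm the fix is complete. The hunk also deletes an unrelated blank line after `name = ...`, which makes the backport differ from a pure one-character change.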
@@ -0,0 +1,52 @@ +commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Dec 5 12:25:34 2016 +0000 + + Fix seg-fault in linker parsing a corrupt input file. + + PR ld/20924 + (aout_link_add_symbols): Fix off by one error checking for + overflow of string offset. + +Upstream-Status: Backport + +CVE: CVE-2017-7301 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 15:42:15.244812577 +0530 ++++ git/bfd/ChangeLog 2017-09-04 15:51:36.573466525 +0530 +@@ -120,6 +120,10 @@ + * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over + the end of the string buffer. + ++ PR ld/20924 ++ (aout_link_add_symbols): Fix off by one error checking for ++ overflow of string offset. ++ + 2016-12-01 Nick Clifton <nickc@redhat.com> + + PR binutils/20891 +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h 2017-09-04 15:42:15.244812577 +0530 ++++ git/bfd/aoutx.h 2017-09-04 15:49:36.500479341 +0530 +@@ -3091,7 +3091,7 @@ + BFD_ASSERT (p + 1 < pend); + ++p; + /* PR 19629: Corrupt binaries can contain illegal string offsets. */ +- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) ++ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) + return FALSE; + string = strings + GET_WORD (abfd, p->e_strx); + section = bfd_ind_section_ptr; +@@ -3127,7 +3127,7 @@ + ++p; + string = name; + /* PR 19629: Corrupt binaries can contain illegal string offsets. */ +- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) ++ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) + return FALSE; + name = strings + GET_WORD (abfd, p->e_strx); + section = bfd_und_section_ptr; 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7302.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7302.patch
new file mode 100644
index 0000000000..a45de0e0ab
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7302.patch
@@ -0,0 +1,81 @@ +commit e2996cc315d6ea242e1a954dc20246485ccc8512 +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Dec 5 14:32:30 2016 +0000 + + Fix seg-fault running strip on a corrupt binary. + + PR binutils/20921 + * aoutx.h (squirt_out_relocs): Check for and report any relocs + that could not be recognised. + +Upstream-Status: Backport + +CVE: CVE-2017-7302 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 15:57:38.564419146 +0530 ++++ git/bfd/ChangeLog 2017-09-04 16:02:31.994883900 +0530 +@@ -124,6 +124,10 @@ + (aout_link_add_symbols): Fix off by one error checking for + overflow of string offset. + ++ PR binutils/20921 ++ * aoutx.h (squirt_out_relocs): Check for and report any relocs ++ that could not be recognised. ++ + 2016-12-01 Nick Clifton <nickc@redhat.com> + + PR binutils/20891 +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h 2017-09-04 15:57:38.564419146 +0530 ++++ git/bfd/aoutx.h 2017-09-04 16:01:08.830188291 +0530 +@@ -1952,6 +1952,7 @@ + + PUT_WORD (abfd, g->address, natptr->r_address); + ++ BFD_ASSERT (g->howto != NULL); + r_length = g->howto->size ; /* Size as a power of two. */ + r_pcrel = (int) g->howto->pc_relative; /* Relative to PC? */ + /* XXX This relies on relocs coming from a.out files. 
*/ +@@ -2390,16 +2391,34 @@ + for (natptr = native; + count != 0; + --count, natptr += each_size, ++generic) +- MY_swap_ext_reloc_out (abfd, *generic, +- (struct reloc_ext_external *) natptr); ++ { ++ if ((*generic)->howto == NULL) ++ { ++ bfd_set_error (bfd_error_invalid_operation); ++ _bfd_error_handler (_("%B: attempt to write out unknown reloc type"), abfd); ++ return FALSE; ++ } ++ MY_swap_ext_reloc_out (abfd, *generic, ++ (struct reloc_ext_external *) natptr); ++ } + } + else + { + for (natptr = native; + count != 0; + --count, natptr += each_size, ++generic) +- MY_swap_std_reloc_out (abfd, *generic, +- (struct reloc_std_external *) natptr); ++ { ++ /* PR 20921: If the howto field has not been initialised then skip ++ this reloc. */ ++ if ((*generic)->howto == NULL) ++ { ++ bfd_set_error (bfd_error_invalid_operation); ++ _bfd_error_handler (_("%B: attempt to write out unknown reloc type"), abfd); ++ return FALSE; ++ } ++ MY_swap_std_reloc_out (abfd, *generic, ++ (struct reloc_std_external *) natptr); ++ } + } + + if (bfd_bwrite ((void *) native, natsize, abfd) != natsize) diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7303.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7303.patch new file mode 100644 index 0000000000..59a3b17461 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7303.patch 
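Review bot: `BFD_ASSERT (g->howto != NULL);` in the first bfd/aoutx.h hunk does not prevent the dereference on the next line, because BFD_ASSERT, as far as I know, only reports the failure and lets execution continue. The protection therefore rests on the `(*generic)->howto == NULL` checks added to the two loops in the second hunk, and any other path into the swap-out routine stays exposed. The same assert-then-dereference pattern appears as `BFD_ASSERT (iheader != NULL)` in CVE-2017-7303.patch and `BFD_ASSERT (h != NULL)` in CVE-2017-7614.patch. Separately, the comment `then skip this reloc` contradicts the code, which sets an error and returns FALSE; I would write `/* PR 20921: If the howto field has not been initialised then report the reloc and fail. */` and repeat it in the first loop, which has no comment.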
@@ -0,0 +1,55 @@ +commit a55c9876bb111fd301b4762cf501de0040b8f9db +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Dec 5 13:35:50 2016 +0000 + + Fix seg-fault attempting to strip a corrupt binary. + + PR binutils/20922 + * elf.c (find_link): Check for null headers before attempting to + match them. + +Upstream-Status: Backport + +CVE: CVE-2017-7303 +Signed-off-by: Thiruvadi Rajaraman <tarjaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 16:06:08.996688391 +0530 ++++ git/bfd/ChangeLog 2017-09-04 16:09:26.810320541 +0530 +@@ -124,6 +124,10 @@ + (aout_link_add_symbols): Fix off by one error checking for + overflow of string offset. + ++ PR binutils/20922 ++ * elf.c (find_link): Check for null headers before attempting to ++ match them. ++ + PR binutils/20921 + * aoutx.h (squirt_out_relocs): Check for and report any relocs + that could not be recognised. +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c 2017-09-04 16:05:55.612577527 +0530 ++++ git/bfd/elf.c 2017-09-04 16:08:35.709900050 +0530 +@@ -1249,13 +1249,19 @@ + Elf_Internal_Shdr ** oheaders = elf_elfsections (obfd); + unsigned int i; + +- if (section_match (oheaders[hint], iheader)) ++ BFD_ASSERT (iheader != NULL); ++ ++ /* See PR 20922 for a reproducer of the NULL test. */ ++ if (oheaders[hint] != NULL ++ && section_match (oheaders[hint], iheader)) + return hint; + + for (i = 1; i < elf_numsections (obfd); i++) + { + Elf_Internal_Shdr * oheader = oheaders[i]; + ++ if (oheader == NULL) ++ continue; + if (section_match (oheader, iheader)) + /* FIXME: Do we care if there is a potential for + multiple matches ? */ diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7304.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7304.patch new file mode 100644 index 0000000000..817a3f0176 --- /dev/null 
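Review bot: `oheaders[hint]` in the bfd/elf.c hunk is still indexed without comparing `hint` with `elf_numsections (obfd)`, so the new NULL test itself reads outside the array when the hint exceeds the output section count. The caller visible in CVE-2017-7304.patch bounds `sh_link` against the input bfd (`ibfd`) only, which says nothing about `obfd`. I would extend the condition to `if (hint < elf_numsections (obfd) && oheaders[hint] != NULL && section_match (oheaders[hint], iheader))`. find_link's body continues outside the hunk.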
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7304.patch @@ -0,0 +1,53 @@ +commit 4f3ca05b487e9755018b4c9a053a2e6c35d8a7df +Author: Nick Clifton <nickc@redhat.com> +Date: Tue Dec 6 16:53:57 2016 +0000 + + Fix seg-fault in strip when copying a corrupt binary. + + PR binutils/20931 + * elf.c (copy_special_section_fields): Check for an invalid + sh_link field before attempting to follow it. + +Upstream-Status: Backport + +CVE: CVE-2017-7304 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 16:13:03.512095249 +0530 ++++ git/bfd/ChangeLog 2017-09-04 16:16:25.173745111 +0530 +@@ -114,6 +114,12 @@ + (bfd_elf_final_link): Only initialize the extended symbol index + section if there are extended symbol tables to list. + ++ 2016-12-06 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/20931 ++ * elf.c (copy_special_section_fields): Check for an invalid ++ sh_link field before attempting to follow it. ++ + 2016-12-05 Nick Clifton <nickc@redhat.com> + + PR binutils/20905 +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c 2017-09-04 16:13:03.512095249 +0530 ++++ git/bfd/elf.c 2017-09-04 16:15:38.257359045 +0530 +@@ -1324,6 +1324,16 @@ + in the input bfd. */ + if (iheader->sh_link != SHN_UNDEF) + { ++ /* See PR 20931 for a reproducer. */ ++ if (iheader->sh_link >= elf_numsections (ibfd)) ++ { ++ (* _bfd_error_handler) ++ /* xgettext:c-format */ ++ (_("%B: Invalid sh_link field (%d) in section number %d"), ++ ibfd, iheader->sh_link, secnum); ++ return FALSE; ++ } ++ + sh_link = find_link (obfd, iheaders[iheader->sh_link], iheader->sh_link); + if (sh_link != SHN_UNDEF) + { diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch new file mode 100644 index 0000000000..0fb32b3e26 
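Review bot: The new range check in the bfd/elf.c hunk guarantees that `iheaders[iheader->sh_link]` is a valid slot, not that the slot is non-NULL. CVE-2017-7303.patch in this same commit treats NULL entries in the output header array as possible with corrupt input. If the input array can hold NULL entries too (not visible here), find_link receives a NULL `iheader` with only a BFD_ASSERT in front of section_match. Adding `|| iheaders[iheader->sh_link] == NULL` to the same `if` would cover that case. The message also prints `sh_link` with `%d`, although the comparison with elf_numsections suggests an unsigned value, so `%u` would match better.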
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch
@@ -0,0 +1,105 @@ +From ad32986fdf9da1c8748e47b8b45100398223dba8 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 4 Apr 2017 11:23:36 +0100 +Subject: [PATCH] Fix null pointer dereferences when using a link built with + clang. + + PR binutils/21342 + * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer + dereference. + (bfd_elf_final_link): Only initialize the extended symbol index + section if there are extended symbol tables to list. + +Upstream-Status: Backport +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8 + +CVE: CVE-2017-7614 + +Singed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/elflink.c | 35 +++++++++++++++++++++-------------- + 2 files changed, 29 insertions(+), 14 deletions(-) + +Index: git/bfd/elflink.c +=================================================================== +--- git.orig/bfd/elflink.c ++++ git/bfd/elflink.c +@@ -118,15 +118,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd, + defined in shared libraries can't be overridden, because we + lose the link to the bfd which is via the symbol section. */ + h->root.type = bfd_link_hash_new; ++ bh = &h->root; + } ++ else ++ bh = NULL; + +- bh = &h->root; + bed = get_elf_backend_data (abfd); + if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL, + sec, 0, NULL, FALSE, bed->collect, + &bh)) + return NULL; + h = (struct elf_link_hash_entry *) bh; ++ BFD_ASSERT (h != NULL); + h->def_regular = 1; + h->non_elf = 0; + h->root.linker_def = 1; +@@ -11789,24 +11792,28 @@ bfd_elf_final_link (bfd *abfd, struct bf + { + /* Finish up and write out the symbol string table (.strtab) + section. 
*/ +- Elf_Internal_Shdr *symstrtab_hdr; ++ Elf_Internal_Shdr *symstrtab_hdr = NULL; + file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size; + +- symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; +- if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) ++ if (elf_symtab_shndx_list (abfd)) + { +- symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; +- symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); +- symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); +- amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); +- symtab_shndx_hdr->sh_size = amt; ++ symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; + +- off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, +- off, TRUE); ++ if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) ++ { ++ symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; ++ symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); ++ symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); ++ amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); ++ symtab_shndx_hdr->sh_size = amt; + +- if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 +- || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) +- return FALSE; ++ off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, ++ off, TRUE); ++ ++ if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 ++ || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) ++ return FALSE; ++ } + } + + symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2017-04-04 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21342 ++ * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer ++ dereference. ++ (bfd_elf_final_link): Only initialize the extended symbol index ++ section if there are extended symbol tables to list. 
++ + 2016-08-02 Nick Clifton <nickc@redhat.com> + + PR ld/17739 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch new file mode 100644 index 0000000000..96fe9e34bd --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch 
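Review bot: The trailer of this patch reads `Singed-off-by: Armin Kuster <akuster@mvista.com>`; it should be `Signed-off-by:` so that sign-off checks and tooling recognise it. In the bfd_elf_final_link hunk, `symtab_shndx_hdr != NULL` is tested right after `symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr`. Once the list pointer has been checked, the address of a member cannot be NULL, so the condition reduces to `symtab_shndx_hdr->sh_name != 0`. The header's diffstat says `2 files changed` but lists only bfd/elflink.c, which is worth correcting while touching the header.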
@@ -0,0 +1,201 @@ +commit bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 +Author: Alan Modra <amodra@gmail.com> +Date: Sun Apr 23 11:03:34 2017 +0930 + + PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA. + + This patch fixes an assumption made by code that runs for objcopy and + strip, that SHT_REL/SHR_RELA sections are always named starting with a + .rel/.rela prefix. I'm also modifying the interface for + elf_backend_get_reloc_section, so any backend function just needs to + handle name mapping. + + PR 21412 + * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change + parameters and comment. + (_bfd_elf_get_reloc_section): Delete. + (_bfd_elf_plt_get_reloc_section): Declare. + * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): + New functions. Don't blindly skip over assumed .rel/.rela prefix. + Extracted from.. + (_bfd_elf_get_reloc_section): ..here. Delete. + (assign_section_numbers): Call elf_get_reloc_section. + * elf64-ppc.c (elf_backend_get_reloc_section): Define. + * elfxx-target.h (elf_backend_get_reloc_section): Update. + +Upstream-Status: Backport + +CVE: CVE-2017-8393 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/elf-bfd.h +=================================================================== +--- git.orig/bfd/elf-bfd.h 2017-09-04 17:43:22.156623008 +0530 ++++ git/bfd/elf-bfd.h 2017-09-04 17:43:33.836716941 +0530 +@@ -1298,8 +1298,10 @@ + bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec, + bfd_vma *code_off); + +- /* Return the section which RELOC_SEC applies to. */ +- asection *(*get_reloc_section) (asection *reloc_sec); ++ /* Given NAME, the name of a relocation section stripped of its ++ .rel/.rela prefix, return the section in ABFD to which the ++ relocations apply. */ ++ asection *(*get_reloc_section) (bfd *abfd, const char *name); + + /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which + has a type >= SHT_LOOS. 
Returns TRUE if the fields were initialised, +@@ -2358,7 +2360,7 @@ + extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *, + bfd_vma *); + +-extern asection *_bfd_elf_get_reloc_section (asection *); ++extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *); + + extern int bfd_elf_get_default_section_type (flagword); + +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c 2017-09-04 17:43:33.780716491 +0530 ++++ git/bfd/elf.c 2017-09-04 17:43:33.836716941 +0530 +@@ -3493,17 +3493,39 @@ + H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc); + } + +-/* Return the section which RELOC_SEC applies to. */ ++/* Given NAME, the name of a relocation section stripped of its ++ .rel/.rela prefix, return the section in ABFD to which the ++ relocations apply. */ + + asection * +-_bfd_elf_get_reloc_section (asection *reloc_sec) ++_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name) ++{ ++ /* If a target needs .got.plt section, relocations in rela.plt/rel.plt ++ section likely apply to .got.plt or .got section. */ ++ if (get_elf_backend_data (abfd)->want_got_plt ++ && strcmp (name, ".plt") == 0) ++ { ++ asection *sec; ++ ++ name = ".got.plt"; ++ sec = bfd_get_section_by_name (abfd, name); ++ if (sec != NULL) ++ return sec; ++ name = ".got"; ++ } ++ ++ return bfd_get_section_by_name (abfd, name); ++} ++ ++/* Return the section to which RELOC_SEC applies. */ ++ ++static asection * ++elf_get_reloc_section (asection *reloc_sec) + { + const char *name; + unsigned int type; + bfd *abfd; +- +- if (reloc_sec == NULL) +- return NULL; ++ const struct elf_backend_data *bed; + + type = elf_section_data (reloc_sec)->this_hdr.sh_type; + if (type != SHT_REL && type != SHT_RELA) +@@ -3511,28 +3533,15 @@ + + /* We look up the section the relocs apply to by name. 
*/ + name = reloc_sec->name; +- if (type == SHT_REL) +- name += 4; +- else +- name += 5; ++ if (strncmp (name, ".rel", 4) != 0) ++ return NULL; ++ name += 4; ++ if (type == SHT_RELA && *name++ != 'a') ++ return NULL; + +- /* If a target needs .got.plt section, relocations in rela.plt/rel.plt +- section apply to .got.plt section. */ + abfd = reloc_sec->owner; +- if (get_elf_backend_data (abfd)->want_got_plt +- && strcmp (name, ".plt") == 0) +- { +- /* .got.plt is a linker created input section. It may be mapped +- to some other output section. Try two likely sections. */ +- name = ".got.plt"; +- reloc_sec = bfd_get_section_by_name (abfd, name); +- if (reloc_sec != NULL) +- return reloc_sec; +- name = ".got"; +- } +- +- reloc_sec = bfd_get_section_by_name (abfd, name); +- return reloc_sec; ++ bed = get_elf_backend_data (abfd); ++ return bed->get_reloc_section (abfd, name); + } + + /* Assign all ELF section numbers. The dummy first section is handled here +@@ -3790,7 +3799,7 @@ + if (s != NULL) + d->this_hdr.sh_link = elf_section_data (s)->this_idx; + +- s = get_elf_backend_data (abfd)->get_reloc_section (sec); ++ s = elf_get_reloc_section (sec); + if (s != NULL) + { + d->this_hdr.sh_info = elf_section_data (s)->this_idx; +Index: git/bfd/elfxx-target.h +=================================================================== +--- git.orig/bfd/elfxx-target.h 2017-09-04 17:43:22.216623490 +0530 ++++ git/bfd/elfxx-target.h 2017-09-04 17:43:33.836716941 +0530 +@@ -686,7 +686,7 @@ + #endif + + #ifndef elf_backend_get_reloc_section +-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section ++#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section + #endif + + #ifndef elf_backend_copy_special_section_fields +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 17:43:33.780716491 +0530 ++++ git/bfd/ChangeLog 2017-09-04 17:45:58.349944078 +0530 +@@ -82,6 +82,21 @@ + + * readelf.c 
(process_mips_specific): Remove null GOT data check. + ++2017-04-23 Alan Modra <amodra@gmail.com> ++ ++ PR 21412 ++ * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change ++ parameters and comment. ++ (_bfd_elf_get_reloc_section): Delete. ++ (_bfd_elf_plt_get_reloc_section): Declare. ++ * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): ++ New functions. Don't blindly skip over assumed .rel/.rela prefix. ++ Extracted from.. ++ (_bfd_elf_get_reloc_section): ..here. Delete. ++ (assign_section_numbers): Call elf_get_reloc_section. ++ * elf64-ppc.c (elf_backend_get_reloc_section): Define. ++ * elfxx-target.h (elf_backend_get_reloc_section): Update. ++ + 2017-04-13 Nick Clifton <nickc@redhat.com> + + PR binutils/21379 +Index: git/bfd/elf64-ppc.c +=================================================================== +--- git.orig/bfd/elf64-ppc.c 2017-09-04 17:43:22.200623362 +0530 ++++ git/bfd/elf64-ppc.c 2017-09-04 17:47:04.458511122 +0530 +@@ -117,6 +117,7 @@ + #define elf_backend_link_output_symbol_hook ppc64_elf_output_symbol_hook + #define elf_backend_special_sections ppc64_elf_special_sections + #define elf_backend_merge_symbol_attribute ppc64_elf_merge_symbol_attribute ++#define elf_backend_get_reloc_section bfd_get_section_by_name + + /* The name of the dynamic interpreter. This is put in the .interp + section. */ diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch new file mode 100644 index 0000000000..14ee1910f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch 
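Review bot: The new static elf_get_reloc_section in bfd/elf.c has several NULL-returning paths (a name that does not start with `.rel`, an SHT_RELA name without the following `a`, and apparently a non-reloc section type), but its comment is only `Return the section to which RELOC_SEC applies.` I would extend it to `/* Return the section to which RELOC_SEC applies, or NULL if RELOC_SEC is not a relocation section or its name lacks the .rel/.rela prefix. RELOC_SEC must not be NULL. */`. The last sentence matters because the old `if (reloc_sec == NULL) return NULL;` guard is dropped. The one caller shown (assign_section_numbers) passes `sec`, whose non-NULL status is established outside the hunk. Backends that set `elf_backend_get_reloc_section` with the old one-argument signature would also need updating; only elf64-ppc.c is adjusted here.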
@@ -0,0 +1,114 @@ +commit 7eacd66b086cabb1daab20890d5481894d4f56b2 +Author: Alan Modra <amodra@gmail.com> +Date: Sun Apr 23 15:21:11 2017 +0930 + + PR 21414, null pointer deref of _bfd_elf_large_com_section sym + + PR 21414 + * section.c (GLOBAL_SYM_INIT): Make available in bfd.h. + * elf.c (lcomm_sym): New. + (_bfd_elf_large_com_section): Use lcomm_sym section symbol. + * bfd-in2.h: Regenerate. + +Upstream-Status: Backport + +CVE: CVE-2017-8394 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h 2017-09-20 12:54:44.847475928 +0530 ++++ git/bfd/bfd-in2.h 2017-09-20 12:54:44.903476171 +0530 +@@ -1805,6 +1805,18 @@ + { NULL }, { NULL } \ + } + ++/* We use a macro to initialize the static asymbol structures because ++ traditional C does not permit us to initialize a union member while ++ gcc warns if we don't initialize it. ++ the_bfd, name, value, attr, section [, udata] */ ++#ifdef __STDC__ ++#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++ { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} ++#else ++#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++ { 0, NAME, 0, BSF_SECTION_SYM, SECTION } ++#endif ++ + void bfd_section_list_clear (bfd *); + + asection *bfd_get_section_by_name (bfd *abfd, const char *name); +Index: git/bfd/section.c +=================================================================== +--- git.orig/bfd/section.c 2017-09-20 12:54:44.847475928 +0530 ++++ git/bfd/section.c 2017-09-20 12:54:44.903476171 +0530 +@@ -738,20 +738,20 @@ + . { NULL }, { NULL } \ + . } + . ++.{* We use a macro to initialize the static asymbol structures because ++. traditional C does not permit us to initialize a union member while ++. gcc warns if we don't initialize it. ++. the_bfd, name, value, attr, section [, udata] *} ++.#ifdef __STDC__ ++.#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++. 
{ 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} ++.#else ++.#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++. { 0, NAME, 0, BSF_SECTION_SYM, SECTION } ++.#endif ++. + */ + +-/* We use a macro to initialize the static asymbol structures because +- traditional C does not permit us to initialize a union member while +- gcc warns if we don't initialize it. */ +- /* the_bfd, name, value, attr, section [, udata] */ +-#ifdef __STDC__ +-#define GLOBAL_SYM_INIT(NAME, SECTION) \ +- { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} +-#else +-#define GLOBAL_SYM_INIT(NAME, SECTION) \ +- { 0, NAME, 0, BSF_SECTION_SYM, SECTION } +-#endif +- + /* These symbols are global, not specific to any BFD. Therefore, anything + that tries to change them is broken, and should be repaired. */ + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-20 12:54:44.735475444 +0530 ++++ git/bfd/ChangeLog 2017-09-20 12:54:44.903476171 +0530 +@@ -102,6 +102,14 @@ + * readelf.c (process_mips_specific): Remove null GOT data check. + + 2017-04-23 Alan Modra <amodra@gmail.com> ++ ++ PR 21414 ++ * section.c (GLOBAL_SYM_INIT): Make available in bfd.h. ++ * elf.c (lcomm_sym): New. ++ (_bfd_elf_large_com_section): Use lcomm_sym section symbol. ++ * bfd-in2.h: Regenerate. ++ ++2017-04-23 Alan Modra <amodra@gmail.com> + + PR 21412 + * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c 2017-09-20 12:54:44.847475928 +0530 ++++ git/bfd/elf.c 2017-09-20 13:00:22.636091768 +0530 +@@ -10986,9 +10986,11 @@ + + /* It is only used by x86-64 so far. + ??? This repeats *COM* id of zero. sec->id is supposed to be unique, +- but current usage would allow all of _bfd_std_section to be zero. t*/ ++ but current usage would allow all of _bfd_std_section to be zero. 
*/ ++static const asymbol lcomm_sym ++ = GLOBAL_SYM_INIT ("LARGE_COMMON", &_bfd_elf_large_com_section); + asection _bfd_elf_large_com_section +- = BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL, ++ = BFD_FAKE_SECTION (_bfd_elf_large_com_section, &lcomm_sym, + "LARGE_COMMON", 0, SEC_IS_COMMON); + + void diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8394_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394_1.patch new file mode 100644 index 0000000000..e1dfd8bb40 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394_1.patch 
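Review bot: The elf.c hunk of this patch only applies on top of CVE-2017-8394_1.patch, although the file names suggest the opposite order. Its context and removed lines already contain the reordered `BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL, "LARGE_COMMON", 0, SEC_IS_COMMON)` call and the `t*/` comment typo, both of which the _1 patch introduces. The recipe's patch list is not visible here, so the apply order should be confirmed. A header line such as `Depends on: CVE-2017-8394_1.patch (BFD_FAKE_SECTION parameter reorder)` would record the dependency for the next person who touches the series.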
@@ -0,0 +1,80 @@ +commit 821e6ff6299aa39e841ca50e1ae8a98e3554fd5f +Author: Alan Modra <amodra@gmail.com> +Date: Wed Oct 12 09:41:33 2016 +1030 + + BFD_FAKE_SECTION macro params + + Order NAME, IDX, FLAGS as per STD_SECTION macro. + + * section.c (BFD_FAKE_SECTION): Reorder parameters. Formatting. + (STD_SECTION): Adjust to suit. + * elf.c (_bfd_elf_large_com_section): Likewise. + * bfd-in2.h: Regenerate. + +Upstream-Status: Backport + +CVE: CVE-2017-8394 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h 2017-09-20 12:54:42.423465338 +0530 ++++ git/bfd/bfd-in2.h 2017-09-20 13:02:48.000000000 +0530 +@@ -1767,9 +1767,9 @@ + #define bfd_section_removed_from_list(ABFD, S) \ + ((S)->next == NULL ? (ABFD)->section_last != (S) : (S)->next->prev != (S)) + +-#define BFD_FAKE_SECTION(SEC, FLAGS, SYM, NAME, IDX) \ ++#define BFD_FAKE_SECTION(SEC, SYM, NAME, IDX, FLAGS) \ + /* name, id, index, next, prev, flags, user_set_vma, */ \ +- { NAME, IDX, 0, NULL, NULL, FLAGS, 0, \ ++ { NAME, IDX, 0, NULL, NULL, FLAGS, 0, \ + \ + /* linker_mark, linker_has_input, gc_mark, decompress_status, */ \ + 0, 0, 1, 0, \ +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c 2017-09-20 12:54:44.503474440 +0530 ++++ git/bfd/elf.c 2017-09-20 13:02:48.000000000 +0530 +@@ -10984,10 +10984,12 @@ + return n; + } + +-/* It is only used by x86-64 so far. */ ++/* It is only used by x86-64 so far. ++ ??? This repeats *COM* id of zero. sec->id is supposed to be unique, ++ but current usage would allow all of _bfd_std_section to be zero. 
t*/ + asection _bfd_elf_large_com_section +- = BFD_FAKE_SECTION (_bfd_elf_large_com_section, +- SEC_IS_COMMON, NULL, "LARGE_COMMON", 0); ++ = BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL, ++ "LARGE_COMMON", 0, SEC_IS_COMMON); + + void + _bfd_elf_post_process_headers (bfd * abfd, +Index: git/bfd/section.c +=================================================================== +--- git.orig/bfd/section.c 2017-09-20 12:54:43.815471454 +0530 ++++ git/bfd/section.c 2017-09-20 13:02:48.000000000 +0530 +@@ -700,9 +700,9 @@ + .#define bfd_section_removed_from_list(ABFD, S) \ + . ((S)->next == NULL ? (ABFD)->section_last != (S) : (S)->next->prev != (S)) + . +-.#define BFD_FAKE_SECTION(SEC, FLAGS, SYM, NAME, IDX) \ ++.#define BFD_FAKE_SECTION(SEC, SYM, NAME, IDX, FLAGS) \ + . {* name, id, index, next, prev, flags, user_set_vma, *} \ +-. { NAME, IDX, 0, NULL, NULL, FLAGS, 0, \ ++. { NAME, IDX, 0, NULL, NULL, FLAGS, 0, \ + . \ + . {* linker_mark, linker_has_input, gc_mark, decompress_status, *} \ + . 0, 0, 1, 0, \ +@@ -764,7 +764,7 @@ + }; + + #define STD_SECTION(NAME, IDX, FLAGS) \ +- BFD_FAKE_SECTION(_bfd_std_section[IDX], FLAGS, &global_syms[IDX], NAME, IDX) ++ BFD_FAKE_SECTION(_bfd_std_section[IDX], &global_syms[IDX], NAME, IDX, FLAGS) + + asection _bfd_std_section[] = { + STD_SECTION (BFD_COM_SECTION_NAME, 0, SEC_IS_COMMON), diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch new file mode 100644 index 0000000000..42793e133b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch 
@@ -0,0 +1,72 @@ +commit e63d123268f23a4cbc45ee55fb6dbc7d84729da3 +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Apr 26 13:07:49 2017 +0100 + + Fix seg-fault attempting to compress a debug section in a corrupt binary. + + PR binutils/21431 + * compress.c (bfd_init_section_compress_status): Check the return + value from bfd_malloc. + +Upstream-Status: Backport + +CVE: CVE-2017-8395 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c 2017-09-04 17:55:00.546577566 +0530 ++++ git/bfd/compress.c 2017-09-04 17:55:10.770664577 +0530 +@@ -534,7 +534,6 @@ + { + bfd_size_type uncompressed_size; + bfd_byte *uncompressed_buffer; +- bfd_boolean ret; + + /* Error if not opened for read. */ + if (abfd->direction != read_direction +@@ -550,18 +549,18 @@ + /* Read in the full section contents and compress it. */ + uncompressed_size = sec->size; + uncompressed_buffer = (bfd_byte *) bfd_malloc (uncompressed_size); ++ /* PR 21431 */ ++ if (uncompressed_buffer == NULL) ++ return FALSE; ++ + if (!bfd_get_section_contents (abfd, sec, uncompressed_buffer, + 0, uncompressed_size)) +- ret = FALSE; +- else +- { +- uncompressed_size = bfd_compress_section_contents (abfd, sec, +- uncompressed_buffer, +- uncompressed_size); +- ret = uncompressed_size != 0; +- } ++ return FALSE; + +- return ret; ++ uncompressed_size = bfd_compress_section_contents (abfd, sec, ++ uncompressed_buffer, ++ uncompressed_size); ++ return uncompressed_size != 0; + } + + /* +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 17:55:10.714664101 +0530 ++++ git/bfd/ChangeLog 2017-09-04 17:56:40.991431847 +0530 +@@ -73,6 +73,12 @@ + (evax_bfd_print_egsd): Check for an overlarge record length. + (evax_bfd_print_etir): Likewise. 
+ ++2017-04-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21431 ++ * compress.c (bfd_init_section_compress_status): Check the return ++ value from bfd_malloc. ++ + 2017-04-25 Maciej W. Rozycki <macro@imgtec.com> + + * readelf.c (process_mips_specific): Remove error reporting from diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8396.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396.patch new file mode 100644 index 0000000000..b1bf92f4dd --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396.patch 
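Review bot: The early `return FALSE;` after a failed bfd_get_section_contents() leaves `uncompressed_buffer` allocated, since nothing between the bfd_malloc() call and that return releases it. The previous `ret = FALSE` path had the same leak, but the rewritten control flow makes it easy to close with `{ free (uncompressed_buffer); return FALSE; }`. Whether bfd_compress_section_contents() takes ownership of the buffer on its own failure path is not visible in this hunk and should be checked separately. The function starts before the hunk.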
@@ -0,0 +1,102 @@ +commit a941291cab71b9ac356e1c03968c177c03e602ab +Author: Alan Modra <amodra@gmail.com> +Date: Sat Apr 29 14:48:16 2017 +0930 + + PR21432, buffer overflow in perform_relocation + + The existing reloc offset range tests didn't catch small negative + offsets less than the size of the reloc field. + + PR 21432 + * reloc.c (reloc_offset_in_range): New function. + (bfd_perform_relocation, bfd_install_relocation): Use it. + (_bfd_final_link_relocate): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-8396 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/reloc.c +=================================================================== +--- git.orig/bfd/reloc.c 2017-09-05 18:12:07.448886623 +0530 ++++ git/bfd/reloc.c 2017-09-05 18:12:07.564887511 +0530 +@@ -538,6 +538,22 @@ + return flag; + } + ++/* HOWTO describes a relocation, at offset OCTET. Return whether the ++ relocation field is within SECTION of ABFD. */ ++ ++static bfd_boolean ++reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd, ++ asection *section, bfd_size_type octet) ++{ ++ bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section); ++ bfd_size_type reloc_size = bfd_get_reloc_size (howto); ++ ++ /* The reloc field must be contained entirely within the section. ++ Allow zero length fields (marker relocs or NONE relocs where no ++ relocation will be performed) at the end of the section. */ ++ return octet <= octet_end && octet + reloc_size <= octet_end; ++} ++ + /* + FUNCTION + bfd_perform_relocation +@@ -618,15 +634,9 @@ + return cont; + } + +- /* Is the address of the relocation really within the section? +- Include the size of the reloc in the test for out of range addresses. +- PR 17512: file: c146ab8b, 46dff27f, 38e53ebf. */ ++ /* Is the address of the relocation really within the section? 
*/ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (abfd, input_section) +- /* Check for an overly large offset which +- masquerades as a negative value too. */ +- || (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto))) ++ if (!reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1010,8 +1020,7 @@ + + /* Is the address of the relocation really within the section? */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (abfd, input_section)) ++ if (!reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1349,8 +1358,7 @@ + bfd_size_type octets = address * bfd_octets_per_byte (input_bfd); + + /* Sanity check the address. */ +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (input_bfd, input_section)) ++ if (!reloc_offset_in_range (howto, input_bfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* This function assumes that we are dealing with a basic relocation +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-05 18:12:07.448886623 +0530 ++++ git/bfd/ChangeLog 2017-09-05 18:13:46.745645897 +0530 +@@ -73,6 +73,13 @@ + (evax_bfd_print_egsd): Check for an overlarge record length. + (evax_bfd_print_etir): Likewise. + ++2017-04-29 Alan Modra <amodra@gmail.com> ++ ++ PR 21432 ++ * reloc.c (reloc_offset_in_range): New function. ++ (bfd_perform_relocation, bfd_install_relocation): Use it. ++ (_bfd_final_link_relocate): Likewise. ++ + 2017-04-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21434 
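Review bot: In reloc_offset_in_range the second comparison, `octet + reloc_size <= octet_end`, still adds two file-derived values before comparing, so it relies on the preceding `octet <= octet_end` test and on the section limit being well below the type's maximum to keep the sum from wrapping. Writing it as a subtraction removes that dependence: `return octet <= octet_end && reloc_size <= octet_end - octet;`. Separately, the first reloc.c hunk removes the `octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto)` clause that CVE-2017-8397.patch adds, so this patch has to be applied after that one. The recipe's patch order is not visible here and is worth confirming.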
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch
new file mode 100644
index 0000000000..f966c80c4e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch
@@ -0,0 +1,50 @@ +commit 04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2 +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Apr 26 16:30:22 2017 +0100 + + Fix a seg-fault when processing a corrupt binary containing reloc(s) with negative addresses. + + PR binutils/21434 + * reloc.c (bfd_perform_relocation): Check for a negative address + in the reloc. + +Upstream-Status: Backport + +CVE: CVE-2017-8397 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + + + +Index: git/bfd/reloc.c +=================================================================== +--- git.orig/bfd/reloc.c 2017-09-04 18:06:00.651987605 +0530 ++++ git/bfd/reloc.c 2017-09-04 18:06:10.740066291 +0530 +@@ -623,7 +623,10 @@ + PR 17512: file: c146ab8b, 46dff27f, 38e53ebf. */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); + if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (abfd, input_section)) ++ > bfd_get_section_limit_octets (abfd, input_section) ++ /* Check for an overly large offset which ++ masquerades as a negative value too. */ ++ || (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto))) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 18:06:10.684065855 +0530 ++++ git/bfd/ChangeLog 2017-09-04 18:08:33.845183050 +0530 +@@ -75,6 +75,12 @@ + + 2017-04-26 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21434 ++ * reloc.c (bfd_perform_relocation): Check for a negative address ++ in the reloc. ++ ++2017-04-26 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21431 + * compress.c (bfd_init_section_compress_status): Check the return + value from bfd_malloc. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch new file mode 100644 index 0000000000..23d5085b16 --- /dev/null 
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch 
@@ -0,0 +1,147 @@ +commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 +Author: Nick Clifton <nickc@redhat.com> +Date: Fri Apr 28 10:28:04 2017 +0100 + + Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary. + + PR binutils/21438 + * dwarf.c (process_extended_line_op): Do not assume that the + string extracted from the section is NUL terminated. + (fetch_indirect_string): If the string retrieved from the section + is not NUL terminated, return an error message. + (fetch_indirect_line_string): Likewise. + (fetch_indexed_string): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-8398 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c 2017-09-20 13:40:17.148898512 +0530 ++++ git/binutils/dwarf.c 2017-09-20 13:45:17.564730907 +0530 +@@ -472,15 +472,20 @@ + printf (_(" Entry\tDir\tTime\tSize\tName\n")); + printf (" %d\t", ++state_machine_regs.last_file_entry); + +- name = data; +- data += strnlen ((char *) data, end - data) + 1; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\n\n", name); ++ { ++ size_t l; ++ ++ name = data; ++ l = strnlen ((char *) data, end - data); ++ data += len + 1; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%.*s\n\n", (int) l, name); ++ } + + if (((unsigned int) (data - orig_data) != len) || data == end) + warn 
(_("DW_LNE_define_file: Bad opcode length\n")); +@@ -597,18 +602,28 @@ + fetch_indirect_string (dwarf_vma offset) + { + struct dwarf_section *section = &debug_displays [str].section; ++ const unsigned char * ret; + + if (section->start == NULL) + return (const unsigned char *) _("<no .debug_str section>"); + +- if (offset > section->size) ++ if (offset >= section->size) + { + warn (_("DW_FORM_strp offset too big: %s\n"), + dwarf_vmatoa ("x", offset)); + return (const unsigned char *) _("<offset is too big>"); + } + +- return (const unsigned char *) section->start + offset; ++ ret = section->start + offset; ++ /* Unfortunately we cannot rely upon the .debug_str section ending with a ++ NUL byte. Since our caller is expecting to receive a well formed C ++ string we test for the lack of a terminating byte here. */ ++ if (strnlen ((const char *) ret, section->size - offset) ++ == section->size - offset) ++ ret = (const unsigned char *) ++ _("<no NUL byte at end of .debug_str section>"); ++ ++ return ret; + } + + static const char * +@@ -621,6 +636,7 @@ + struct dwarf_section *str_section = &debug_displays [str_sec_idx].section; + dwarf_vma index_offset = idx * offset_size; + dwarf_vma str_offset; ++ const char * ret; + + if (index_section->start == NULL) + return (dwo ? 
_("<no .debug_str_offsets.dwo section>") +@@ -628,7 +644,7 @@ + + if (this_set != NULL) + index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; +- if (index_offset > index_section->size) ++ if (index_offset >= index_section->size) + { + warn (_("DW_FORM_GNU_str_index offset too big: %s\n"), + dwarf_vmatoa ("x", index_offset)); +@@ -641,14 +657,22 @@ + + str_offset = byte_get (index_section->start + index_offset, offset_size); + str_offset -= str_section->address; +- if (str_offset > str_section->size) ++ if (str_offset >= str_section->size) + { + warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"), + dwarf_vmatoa ("x", str_offset)); + return _("<indirect index offset is too big>"); + } + +- return (const char *) str_section->start + str_offset; ++ ret = (const char *) str_section->start + str_offset; ++ /* Unfortunately we cannot rely upon str_section ending with a NUL byte. ++ Since our caller is expecting to receive a well formed C string we test ++ for the lack of a terminating byte here. */ ++ if (strnlen (ret, str_section->size - str_offset) ++ == str_section->size - str_offset) ++ ret = (const char *) _("<no NUL byte at end of section>"); ++ ++ return ret; + } + + static const char * +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog 2017-09-20 13:40:18.900898599 +0530 ++++ git/binutils/ChangeLog 2017-09-20 13:48:02.976503560 +0530 +@@ -10,6 +10,16 @@ + * objdump.c (dump_relocs_in_section): Check for an excessive + number of relocs before attempting to dump them. + ++2017-04-28 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21438 ++ * dwarf.c (process_extended_line_op): Do not assume that the ++ string extracted from the section is NUL terminated. ++ (fetch_indirect_string): If the string retrieved from the section ++ is not NUL terminated, return an error message. ++ (fetch_indirect_line_string): Likewise. ++ (fetch_indexed_string): Likewise. 
++ + 2017-02-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21157 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch new file mode 100644 index 0000000000..da6e475828 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch 
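Review bot: In the process_extended_line_op hunk the string length is stored in the new local `l`, but the pointer is then advanced with `data += len + 1;`, where `len` is the opcode length that the following `(data - orig_data) != len` test compares against. As written, the three read_uleb128() calls no longer start right after the file-name string, so the Dir/Time/Size columns are decoded from the wrong position and the "Bad opcode length" warning fires on well-formed input. The line should read `data += l + 1;`. If the upstream commit carries the same line, it is worth looking for a follow-up correction to backport with it. The enclosing function starts and ends outside the hunk.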
@@ -0,0 +1,51 @@ +commit 39ff1b79f687b65f4144ddb379f22587003443fb +Author: Nick Clifton <nickc@redhat.com> +Date: Tue May 2 11:54:53 2017 +0100 + + Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs. + + PR 21440 + * objdump.c (dump_relocs_in_section): Check for an excessive + number of relocs before attempting to dump them. + +Upstream-Status: Backport + +CVE: CVE-2017-8421 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-05 11:34:23.140802515 +0530 ++++ git/binutils/objdump.c 2017-09-05 11:34:28.716824776 +0530 +@@ -3238,6 +3238,14 @@ + return; + } + ++ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 ++ && relsize > get_file_size (bfd_get_filename (abfd))) ++ { ++ printf (" (too many: 0x%x)\n", section->reloc_count); ++ bfd_set_error (bfd_error_file_truncated); ++ bfd_fatal (bfd_get_filename (abfd)); ++ } ++ + relpp = (arelent **) xmalloc (relsize); + relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); + +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog 2017-09-05 11:34:28.040822070 +0530 ++++ git/binutils/ChangeLog 2017-09-05 11:36:02.413217129 +0530 +@@ -4,6 +4,12 @@ + * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty + string whilst concatenating symbol names. + ++2017-05-02 Nick Clifton <nickc@redhat.com> ++ ++ PR 21440 ++ * objdump.c (dump_relocs_in_section): Check for an excessive ++ number of relocs before attempting to dump them. ++ + 2017-02-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21157 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9038.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038.patch new file mode 100644 index 0000000000..afc14d1e14 --- /dev/null 
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038.patch @@ -0,0 +1,51 @@ +From f32ba72991d2406b21ab17edc234a2f3fa7fb23d Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 3 Apr 2017 11:01:45 +0100 +Subject: [PATCH] readelf: Update check for invalid word offsets in ARM unwind + information. + + PR binutils/21343 + * readelf.c (get_unwind_section_word): Fix snafu checking for + invalid word offsets in ARM unwind information. + +Upstream-Status: Backport +CVE: CVE-2017-9039 +Affects: binutils <= 2.28 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 6 +++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -7745,9 +7745,9 @@ get_unwind_section_word (struct arm_unw_ + return FALSE; + + /* If the offset is invalid then fail. */ +- if (word_offset > (sec->sh_size - 4) +- /* PR 18879 */ +- || (sec->sh_size < 5 && word_offset >= sec->sh_size) ++ if (/* PR 21343 *//* PR 18879 */ ++ sec->sh_size < 4 ++ || word_offset > (sec->sh_size - 4) + || ((bfd_signed_vma) word_offset) < 0) + return FALSE; + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-04-03 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21343 ++ * readelf.c (get_unwind_section_word): Fix snafu checking for ++ invalid word offsets in ARM unwind information. ++ + 2017-04-04 Nick Clifton <nickc@redhat.com> + + PR binutils/21342 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch new file mode 100644 index 0000000000..41f2b6e316 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch 
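Review bot: The patch header disagrees with the file name: the file is CVE-2017-9038.patch but its tag reads `CVE: CVE-2017-9039`, so any CVE tracking that reads the tag would credit this fix to the wrong identifier. If the file name is the correct one, the tag should be `CVE: CVE-2017-9038`. The ChangeLog hunk is also inconsistent with the diffstat, which lists `binutils/ChangeLog` while the hunk targets `git/bfd/ChangeLog` for a readelf.c entry. CVE-2017-9039.patch and CVE-2017-9040_and_9042.patch show the same ChangeLog mismatch.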
@@ -0,0 +1,72 @@ +From 75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 3 Apr 2017 11:13:21 +0100 +Subject: [PATCH] Fix runtime seg-fault in readelf when parsing a corrupt MIPS + binary. + + PR binutils/21344 + * readelf.c (process_mips_specific): Check for an out of range GOT + entry before reading the module pointer. + +Upstream-Status: Backport +CVE: CVE-2017-9039 supporting patch +VER: <= 2.28 +Signed-off-by: Armin kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 26 ++++++++++++++++++-------- + 2 files changed, 24 insertions(+), 8 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -14987,14 +14987,24 @@ process_mips_specific (FILE * file) + printf (_(" Lazy resolver\n")); + if (ent == (bfd_vma) -1) + goto got_print_fail; +- if (data +- && (byte_get (data + ent - pltgot, addr_size) +- >> (addr_size * 8 - 1)) != 0) ++ ++ if (data) + { +- ent = print_mips_got_entry (data, pltgot, ent, data_end); +- printf (_(" Module pointer (GNU extension)\n")); +- if (ent == (bfd_vma) -1) +- goto got_print_fail; ++ /* PR 21344 */ ++ if (data + ent - pltgot > data_end - addr_size) ++ { ++ error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent); ++ goto got_print_fail; ++ } ++ ++ if (byte_get (data + ent - pltgot, addr_size) ++ >> (addr_size * 8 - 1) != 0) ++ { ++ ent = print_mips_got_entry (data, pltgot, ent, data_end); ++ printf (_(" Module pointer (GNU extension)\n")); ++ if (ent == (bfd_vma) -1) ++ goto got_print_fail; ++ } + } + printf ("\n"); + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,5 +1,11 @@ + 2017-04-03 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21344 ++ * readelf.c (process_mips_specific): Check for an out of 
range GOT ++ entry before reading the module pointer. ++ ++2017-04-03 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21343 + * readelf.c (get_unwind_section_word): Fix snafu checking for + invalid word offsets in ARM unwind information. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch new file mode 100644 index 0000000000..ee827ee3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039_1.patch 
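Review bot: The new bound `data + ent - pltgot > data_end - addr_size` is evaluated in pointer space, so `data + ent` is formed from a GOT address before `pltgot` is subtracted, and a value of `ent` below `pltgot` would give a pointer in front of `data` that still passes the test. Comparing offsets avoids both: `if (ent < pltgot || ent - pltgot > (bfd_vma) (data_end - data) - addr_size)`, on the assumption that `data_end - data` is at least `addr_size`, which code outside this hunk would have to guarantee. The `%#lx` argument here is presumably a `bfd_vma` (it is compared with `(bfd_vma) -1`), and the matching `(long) ent` cast only arrives with CVE-2017-9039_1.patch, so the two patches should be kept together and in that order.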
@@ -0,0 +1,56 @@ +From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 3 Apr 2017 12:14:06 +0100 +Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a + binary with an excessive number of program headers. + + PR binutils/21345 + * readelf.c (get_program_headers): Check for there being too many + program headers before attempting to allocate space for them. + +Upstream-Status: Backport +CVE: CVE-2017-9039 +VER: <= 2.28 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 17 ++++++++++++++--- + 2 files changed, 20 insertions(+), 3 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -4705,9 +4705,19 @@ get_program_headers (FILE * file) + if (program_headers != NULL) + return 1; + +- phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, +- sizeof (Elf_Internal_Phdr)); ++ /* Be kind to memory checkers by looking for ++ e_phnum values which we know must be invalid. */ ++ if (elf_header.e_phnum ++ * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) ++ >= current_file_size) ++ { ++ error (_("Too many program headers - %#x - the file is not that big\n"), ++ elf_header.e_phnum); ++ return FALSE; ++ } + ++ phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, ++ sizeof (Elf_Internal_Phdr)); + if (phdrs == NULL) + { + error (_("Out of memory reading %u program headers\n"), +@@ -14993,7 +15003,8 @@ process_mips_specific (FILE * file) + /* PR 21344 */ + if (data + ent - pltgot > data_end - addr_size) + { +- error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent); ++ error (_("Invalid got entry - %#lx - overflows GOT table\n"), ++ (long) ent); + goto got_print_fail; + } + 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch
new file mode 100644
index 0000000000..d5089035e1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch
@@ -0,0 +1,83 @@ +From 7296a62a2a237f6b1ad8db8c38b090e9f592c8cf Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 13 Apr 2017 16:06:30 +0100 +Subject: [PATCH] readelf: fix out of range subtraction, seg fault from a NULL + pointer and memory exhaustion, all from parsing corrupt binaries. + + PR binutils/21379 + * readelf.c (process_dynamic_section): Detect over large section + offsets in the DT_SYMTAB entry. + + PR binutils/21345 + * readelf.c (process_mips_specific): Catch an unfeasible memory + allocation before it happens and print a suitable error message. + +Upstream-Status: Backport + +did not include all the commit as affect code does not exists. it does contain the two +fixes above. +both cve's fixed by same comit. + +CVE: CVE-2017-9040 +CVE: CVE-2017-9042 +VER: <= 2.28 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 12 ++++++++++++ + binutils/readelf.c | 26 +++++++++++++++++++++----- + 2 files changed, 33 insertions(+), 5 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -9079,6 +9079,12 @@ process_dynamic_section (FILE * file) + processing that. This is overkill, I know, but it + should work. */ + section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0); ++ if ((bfd_size_type) section.sh_offset > current_file_size) ++ { ++ /* See PR 21379 for a reproducer. */ ++ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset); ++ return FALSE; ++ } + + if (archive_file_offset != 0) + section.sh_size = archive_file_size - section.sh_offset; +@@ -14882,6 +14888,15 @@ process_mips_specific (FILE * file) + return 0; + } + ++ /* PR 21345 - print a slightly more helpful error message ++ if we are sure that the cmalloc will fail. 
*/ ++ if (conflictsno * sizeof (* iconf) > current_file_size) ++ { ++ error (_("Overlarge number of conflicts detected: %lx\n"), ++ (long) conflictsno); ++ return FALSE; ++ } ++ + iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf)); + if (iconf == NULL) + { +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,15 @@ ++2017-04-13 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21379 ++ * readelf.c (process_dynamic_section): Detect over large section ++ offsets in the DT_SYMTAB entry. ++ ++2017-04-13 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21345 ++ * readelf.c (process_mips_specific): Catch an unfeasible memory ++ allocation before it happens and print a suitable error message. ++ + 2017-04-03 Nick Clifton <nickc@redhat.com> + + PR binutils/21345 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch new file mode 100644 index 0000000000..857cd4af91 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch 
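Review bot: The DT_SYMTAB error string added in process_dynamic_section has no trailing newline, unlike the `Overlarge number of conflicts detected: %lx\n` message added lower in the same patch, so whatever is printed next would presumably run on from it. Both messages also pass a `(long)` to `%lx`, which expects an unsigned long. Suggested: `error (_("Invalid DT_SYMTAB entry: %lx\n"), (unsigned long) section.sh_offset);`. Separately, the ChangeLog entries are applied to bfd/ChangeLog although the embedded diffstat names binutils/ChangeLog and the entries describe readelf.c.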
@@ -0,0 +1,51 @@ +From 919383ac718c2a3187ee2a9ad659daa22da26258 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" <macro@imgtec.com> +Date: Wed, 12 Apr 2017 00:02:13 +0100 +Subject: [PATCH] MIPS/readelf: Remove extraneous null GOT data check + +Null data is handled gracefully throughout in MIPS GOT processing, with +addresses printed normally and unavailable data shown as `<unknown>' by +`print_mips_got_entry', and special processing code for GOT[1] doing an +explicit check. Remove an unwanted null GOT data check then, introduced +with commit 592458412fb2 in the course of addressing PR binutils/12855. + + binutils/ + * readelf.c (process_mips_specific): Remove null GOT data check. + +Upstream-Status: Backport +CVE: CVE-2017-9041 patch #1 +VER: <= 2.28 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 4 ++++ + binutils/readelf.c | 3 +-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -14995,8 +14995,8 @@ process_mips_specific (FILE * file) + data = (unsigned char *) get_data (NULL, file, offset, + global_end - pltgot, 1, + _("Global Offset Table data")); +- if (data == NULL) +- return 0; ++ ++ /* PR 12855: Null data is handled gracefully throughout. */ + data_end = data + (global_end - pltgot); + + printf (_("\nPrimary GOT:\n")); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,7 @@ ++2017-04-25 Maciej W. Rozycki <macro@imgtec.com> ++ ++ * readelf.c (process_mips_specific): Remove null GOT data check. ++ + 2017-04-13 Nick Clifton <nickc@redhat.com> + + PR binutils/21379 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch new file mode 100644 index 0000000000..9c3cb8ca25 
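Review bot: With the `if (data == NULL) return 0;` test removed, `data_end = data + (global_end - pltgot);` is now evaluated even when get_data failed. Adding a non-zero offset to a null pointer is undefined behaviour in C whether or not the result is dereferenced. Every later use of `data_end` then depends on its consumer testing `data` first, and those consumers are outside this hunk. A form that keeps the intent without the null arithmetic is `data_end = data ? data + (global_end - pltgot) : NULL;`, assuming the code that receives `data_end` tolerates NULL together with a NULL `data`.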
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
@@ -0,0 +1,84 @@ +From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" <macro@imgtec.com> +Date: Wed, 12 Apr 2017 00:03:41 +0100 +Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check + +Unavailable data is handled gracefully in MIPS GOT processing done by +`print_mips_got_entry', so all that is needed in special GOT[1] handling +is to verify whether data can be retrieved for the purpose of the GNU +marker check done with `byte_get'. Remove the extra error reporting +code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault +in readelf when parsing a corrupt MIPS binary.") in the course of +addressing PR binutils/21344, and defer the error case to regular local +GOT entry processing. + + binutils/ + * readelf.c (process_mips_specific): Remove error reporting from + GOT[1] processing. + +Upstream-Status: Backport +CVE: CVE-2017-9041 +VER: <= 2.28 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 5 +++++ + binutils/readelf.c | 32 ++++++++++++++------------------ + 2 files changed, 19 insertions(+), 18 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file) + if (ent == (bfd_vma) -1) + goto got_print_fail; + +- if (data) ++ /* Check for the MSB of GOT[1] being set, denoting a GNU object. ++ This entry will be used by some runtime loaders, to store the ++ module pointer. Otherwise this is an ordinary local entry. ++ PR 21344: Check for the entry being fully available before ++ fetching it. 
*/ ++ if (data ++ && data + ent - pltgot + addr_size <= data_end ++ && (byte_get (data + ent - pltgot, addr_size) ++ >> (addr_size * 8 - 1)) != 0) + { +- /* PR 21344 */ +- if (data + ent - pltgot > data_end - addr_size) +- { +- error (_("Invalid got entry - %#lx - overflows GOT table\n"), +- (long) ent); +- goto got_print_fail; +- } +- +- if (byte_get (data + ent - pltgot, addr_size) +- >> (addr_size * 8 - 1) != 0) +- { +- ent = print_mips_got_entry (data, pltgot, ent, data_end); +- printf (_(" Module pointer (GNU extension)\n")); +- if (ent == (bfd_vma) -1) +- goto got_print_fail; +- } ++ ent = print_mips_got_entry (data, pltgot, ent, data_end); ++ printf (_(" Module pointer (GNU extension)\n")); ++ if (ent == (bfd_vma) -1) ++ goto got_print_fail; + } + printf ("\n"); + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,9 @@ + 2017-04-25 Maciej W. Rozycki <macro@imgtec.com> ++ ++ * readelf.c (process_mips_specific): Remove error reporting from ++ GOT[1] processing. ++ ++2017-04-25 Maciej W. Rozycki <macro@imgtec.com> + + * readelf.c (process_mips_specific): Remove null GOT data check. + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch new file mode 100644 index 0000000000..b80226f412 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch 
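Review bot: The availability test `data + ent - pltgot + addr_size <= data_end` builds a pointer from `ent` before comparing it, so when the offset lies outside the GOT buffer the intermediate pointer is already out of range and the comparison cannot be relied on. `ent` appears to derive from values read from the file being parsed, which makes that case reachable with a corrupt input. Comparing offsets instead of pointers avoids this: `&& (bfd_vma) (data_end - data) >= addr_size` followed by `&& ent - pltgot <= (bfd_vma) (data_end - data) - addr_size`. The enclosing process_mips_specific starts and ends outside the hunk.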
@@ -0,0 +1,62 @@ +commit 76800cba595efc3fe95a446c2d664e42ae4ee869 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 12:08:57 2017 +0100 + + Handle EITR records in VMS Alpha binaries with overlarge command length parameters. + + PR binutils/21579 + * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length. + +Upstream-Status: CVE-2017-9745 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/vms-alpha.c +=================================================================== +--- git.orig/bfd/vms-alpha.c 2017-09-21 16:08:57.863375204 +0530 ++++ git/bfd/vms-alpha.c 2017-09-21 16:08:58.211377888 +0530 +@@ -1801,14 +1801,8 @@ + + ptr += 4; + +-#if VMS_DEBUG +- _bfd_vms_debug (4, "etir: %s(%d)\n", +- _bfd_vms_etir_name (cmd), cmd); +- _bfd_hexdump (8, ptr, cmd_length - 4, 0); +-#endif +- +- /* PR 21589: Check for a corrupt ETIR record. */ +- if (cmd_length < 4) ++ /* PR 21589 and 21579: Check for a corrupt ETIR record. */ ++ if (cmd_length < 4 || (ptr + cmd_length > maxptr + 4)) + { + corrupt_etir: + _bfd_error_handler (_("Corrupt ETIR record encountered")); +@@ -1816,6 +1810,12 @@ + return FALSE; + } + ++#if VMS_DEBUG ++ _bfd_vms_debug (4, "etir: %s(%d)\n", ++ _bfd_vms_etir_name (cmd), cmd); ++ _bfd_hexdump (8, ptr, cmd_length - 4, 0); ++#endif ++ + switch (cmd) + { + /* Stack global +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 16:08:57.927375697 +0530 ++++ git/bfd/ChangeLog 2017-09-21 16:11:35.192613756 +0530 +@@ -81,6 +81,11 @@ + PR binutils/21581 + (ieee_archive_p): Likewise. + ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21579 ++ * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length. ++ + 2017-06-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21589 
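Review bot: The patch header carries `Upstream-Status: CVE-2017-9745` and has no `CVE:` line, whereas the other patches in this series use `Upstream-Status: Backport` followed by a `CVE:` tag. Tooling or reviewers that key on those tags will not see this file as a backport that fixes the CVE. Suggested header lines: `Upstream-Status: Backport` and `CVE: CVE-2017-9745`. The commit subject also spells the record type "EITR" where the code and comment say ETIR.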
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
new file mode 100644
index 0000000000..e9efb7b89a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
@@ -0,0 +1,88 @@ +commit ae87f7e73eba29bd38b3a9684a10b948ed715612 +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jun 14 16:50:03 2017 +0100 + + Fix address violation when disassembling a corrupt binary. + + PR binutils/21580 + binutils * objdump.c (disassemble_bytes): Check for buffer overrun when + printing out rae insns. + + ld * testsuite/ld-nds32/diff.d: Adjust expected output. + +Upstream-Status: Backport + +CVE: CVE-2017-9746 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-21 13:54:00.187228032 +0530 ++++ git/binutils/objdump.c 2017-09-21 13:54:00.659231783 +0530 +@@ -1780,20 +1780,23 @@ + + for (j = addr_offset * opb; j < addr_offset * opb + pb; j += bpc) + { +- int k; +- +- if (bpc > 1 && inf->display_endian == BFD_ENDIAN_LITTLE) +- { +- for (k = bpc - 1; k >= 0; k--) +- printf ("%02x", (unsigned) data[j + k]); +- putchar (' '); +- } +- else ++ /* PR 21580: Check for a buffer ending early. 
*/ ++ if (j + bpc <= stop_offset * opb) + { +- for (k = 0; k < bpc; k++) +- printf ("%02x", (unsigned) data[j + k]); +- putchar (' '); ++ int k; ++ ++ if (inf->display_endian == BFD_ENDIAN_LITTLE) ++ { ++ for (k = bpc - 1; k >= 0; k--) ++ printf ("%02x", (unsigned) data[j + k]); ++ } ++ else ++ { ++ for (k = 0; k < bpc; k++) ++ printf ("%02x", (unsigned) data[j + k]); ++ } + } ++ putchar (' '); + } + + for (; pb < octets_per_line; pb += bpc) +Index: git/ld/testsuite/ld-nds32/diff.d +=================================================================== +--- git.orig/ld/testsuite/ld-nds32/diff.d 2017-09-21 13:53:52.395166097 +0530 ++++ git/ld/testsuite/ld-nds32/diff.d 2017-09-21 13:54:00.659231783 +0530 +@@ -7,9 +7,9 @@ + + Disassembly of section .data: + 00008000 <WORD> (7e 00 00 00|00 00 00 7e).* +-00008004 <HALF> (7e 00 7e fe|00 7e 7e fe).* +-00008006 <BYTE> 7e fe 00 fe.* +-00008007 <ULEB128> fe 00.* ++00008004 <HALF> (7e 00|00 7e).* ++00008006 <BYTE> 7e.* ++00008007 <ULEB128> fe.* + ... + 00008009 <ULEB128_2> fe 00.* + .* +Index: git/ld/ChangeLog +=================================================================== +--- git.orig/ld/ChangeLog 2017-09-21 13:53:59.611223454 +0530 ++++ git/ld/ChangeLog 2017-09-21 14:01:12.294643335 +0530 +@@ -1,3 +1,8 @@ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21580 ++ * testsuite/ld-nds32/diff.d: Adjust expected output. ++ + 2016-12-05 Nick Clifton <nickc@redhat.com> + + PR ld/20906 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch new file mode 100644 index 0000000000..ee663b816e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch 
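Review bot: The comment on the new `if (j + bpc <= stop_offset * opb)` guard in disassemble_bytes does not say what happens to a group that fails it. Such a group now prints only the separator space, which is why the expected output in ld-nds32/diff.d gets shorter. I would spell that out so the next reader does not take the blank column for a formatting bug: `/* PR 21580: Check for a buffer ending early; a group that would run past stop_offset is left blank instead of being read out of bounds.  */`. The loop and its enclosing function extend beyond the hunk.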
@@ -0,0 +1,40 @@ +commit 62b76e4b6e0b4cb5b3e0053d1de4097b32577049 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 13:08:47 2017 +0100 + + Fix address violation parsing a corrupt ieee binary. + + PR binutils/21581 + (ieee_archive_p): Use a static buffer to avoid compiler bugs. + +Upstream-Status: Backport + +CVE: CVE-2017-9747 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ieee.c +=================================================================== +--- git.orig/bfd/ieee.c 2017-09-21 14:37:12.152903139 +0530 ++++ git/bfd/ieee.c 2017-09-21 14:37:12.208903477 +0530 +@@ -1353,7 +1353,7 @@ + { + char *library; + unsigned int i; +- unsigned char buffer[512]; ++ static unsigned char buffer[512]; + file_ptr buffer_offset = 0; + ieee_ar_data_type *save = abfd->tdata.ieee_ar_data; + ieee_ar_data_type *ieee; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 14:37:12.152903139 +0530 ++++ git/bfd/ChangeLog 2017-09-21 14:45:57.020150977 +0530 +@@ -78,6 +78,8 @@ + PR binutils/21582 + * ieee.c (ieee_object_p): Use a static buffer to avoid compiler + bugs. ++ PR binutils/21581 ++ (ieee_archive_p): Likewise. + + 2017-04-29 Alan Modra <amodra@gmail.com> + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch new file mode 100644 index 0000000000..ea1f0dd62b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch 
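Review bot: Making `buffer` static in ieee_archive_p gives it a single shared instance whose contents persist from one call to the next, so the function is no longer reentrant. The same applies to `static unsigned char buffer[300];` in ieee_object_p, added by CVE-2017-9748.patch. If the original fault was a read of bytes the parser never filled (the body is outside the hunk, so this is inferred), static storage only replaces uninitialised stack contents with zeroes or data left from a previously parsed file. At minimum the declaration deserves a comment such as `/* Static only as a workaround for PR 21581: not reentrant, contents persist across calls.  */`. A bounds check against the number of bytes actually read would address the cause more directly.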
@@ -0,0 +1,45 @@ +commit 63634bb4a107877dd08b6282e28e11cfd1a1649e +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 12:44:23 2017 +0100 + + Avoid a possible compiler bug by using a static buffer instead of a stack local buffer. + + PR binutils/21582 + * ieee.c (ieee_object_p): Use a static buffer to avoid compiler + bugs. + +Upstream-Status: Backport + +CVE: CVE-2017-9748 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/ieee.c +=================================================================== +--- git.orig/bfd/ieee.c 2017-09-21 13:53:50.891154141 +0530 ++++ git/bfd/ieee.c 2017-09-21 13:54:00.715232229 +0530 +@@ -1871,7 +1871,7 @@ + char *processor; + unsigned int part; + ieee_data_type *ieee; +- unsigned char buffer[300]; ++ static unsigned char buffer[300]; + ieee_data_type *save = IEEE_DATA (abfd); + bfd_size_type amt; + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 13:54:00.483230385 +0530 ++++ git/bfd/ChangeLog 2017-09-21 13:57:44.885008549 +0530 +@@ -73,6 +73,12 @@ + (evax_bfd_print_egsd): Check for an overlarge record length. + (evax_bfd_print_etir): Likewise. + ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21582 ++ * ieee.c (ieee_object_p): Use a static buffer to avoid compiler ++ bugs. ++ + 2017-04-29 Alan Modra <amodra@gmail.com> + + PR 21432 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch new file mode 100644 index 0000000000..a033d3dce6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch 
@@ -0,0 +1,75 @@ +commit 08c7881b814c546efc3996fd1decdf0877f7a779 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 11:52:02 2017 +0100 + + Prevent invalid array accesses when disassembling a corrupt bfin binary. + + PR binutils/21586 + * bfin-dis.c (gregs): Clip index to prevent overflow. + (regs): Likewise. + (regs_lo): Likewise. + (regs_hi): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-9749 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/opcodes/bfin-dis.c +=================================================================== +--- git.orig/opcodes/bfin-dis.c 2017-09-21 13:53:52.667168259 +0530 ++++ git/opcodes/bfin-dis.c 2017-09-21 13:54:00.603231339 +0530 +@@ -350,7 +350,7 @@ + REG_P0, REG_P1, REG_P2, REG_P3, REG_P4, REG_P5, REG_SP, REG_FP, + }; + +-#define gregs(x, i) REGNAME (decode_gregs[((i) << 3) | (x)]) ++#define gregs(x, i) REGNAME (decode_gregs[(((i) << 3) | (x)) & 15]) + + /* [dregs pregs (iregs mregs) (bregs lregs)]. */ + static const enum machine_registers decode_regs[] = +@@ -361,7 +361,7 @@ + REG_B0, REG_B1, REG_B2, REG_B3, REG_L0, REG_L1, REG_L2, REG_L3, + }; + +-#define regs(x, i) REGNAME (decode_regs[((i) << 3) | (x)]) ++#define regs(x, i) REGNAME (decode_regs[(((i) << 3) | (x)) & 31]) + + /* [dregs pregs (iregs mregs) (bregs lregs) Low Half]. */ + static const enum machine_registers decode_regs_lo[] = +@@ -372,7 +372,7 @@ + REG_BL0, REG_BL1, REG_BL2, REG_BL3, REG_LL0, REG_LL1, REG_LL2, REG_LL3, + }; + +-#define regs_lo(x, i) REGNAME (decode_regs_lo[((i) << 3) | (x)]) ++#define regs_lo(x, i) REGNAME (decode_regs_lo[(((i) << 3) | (x)) & 31]) + + /* [dregs pregs (iregs mregs) (bregs lregs) High Half]. 
*/ + static const enum machine_registers decode_regs_hi[] = +@@ -383,7 +383,7 @@ + REG_BH0, REG_BH1, REG_BH2, REG_BH3, REG_LH0, REG_LH1, REG_LH2, REG_LH3, + }; + +-#define regs_hi(x, i) REGNAME (decode_regs_hi[((i) << 3) | (x)]) ++#define regs_hi(x, i) REGNAME (decode_regs_hi[(((i) << 3) | (x)) & 31]) + + static const enum machine_registers decode_statbits[] = + { +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog 2017-09-21 13:54:00.543230862 +0530 ++++ git/opcodes/ChangeLog 2017-09-21 14:06:03.772928105 +0530 +@@ -1,5 +1,13 @@ + 2017-06-15 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21586 ++ * bfin-dis.c (gregs): Clip index to prevent overflow. ++ (regs): Likewise. ++ (regs_lo): Likewise. ++ (regs_hi): Likewise. ++ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21588 + * rl78-decode.opc (OP_BUF_LEN): Define. + (GETBYTE): Check for the index exceeding OP_BUF_LEN. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch new file mode 100644 index 0000000000..3ea1725315 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch 
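Review bot: The masks `& 15` and `& 31` added to gregs, regs, regs_lo and regs_hi are literals that are not tied to the sizes of the tables they index, so a later change to a table can silently reintroduce the out-of-bounds read. The tables are only partly visible in the hunk, so the current sizes are taken on trust. Deriving the bound from the array keeps the two in step, for example `#define gregs(x, i) REGNAME (decode_gregs[(((i) << 3) | (x)) % (sizeof decode_gregs / sizeof decode_gregs[0])])`. Masking also maps an invalid encoding onto a valid register name, so a corrupt instruction disassembles as a plausible one; a comment on the macros should say so.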
@@ -0,0 +1,262 @@ +commit db5fa770268baf8cc82cf9b141d69799fd485fe2 +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jun 14 13:35:06 2017 +0100 + + Fix address violation problems when disassembling a corrupt RX binary. + + PR binutils/21587 + * rx-decode.opc: Include libiberty.h + (GET_SCALE): New macro - validates access to SCALE array. + (GET_PSCALE): New macro - validates access to PSCALE array. + (DIs, SIs, S2Is, rx_disp): Use new macros. + * rx-decode.c: Regenerate. + +Upstream-Status: Backport + +CVE: CVE-2017-9750 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/opcodes/rx-decode.c +=================================================================== +--- git.orig/opcodes/rx-decode.c 2017-09-21 14:41:57.478649861 +0530 ++++ git/opcodes/rx-decode.c 2017-09-21 14:41:57.458649736 +0530 +@@ -27,6 +27,7 @@ + #include <string.h> + #include "ansidecl.h" + #include "opcode/rx.h" ++#include "libiberty.h" + + #define RX_OPCODE_BIG_ENDIAN 0 + +@@ -45,7 +46,7 @@ + #define LSIZE 2 + + /* These are for when the upper bits are "don't care" or "undefined". */ +-static int bwl[] = ++static int bwl[4] = + { + RX_Byte, + RX_Word, +@@ -53,7 +54,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int sbwl[] = ++static int sbwl[4] = + { + RX_SByte, + RX_SWord, +@@ -61,7 +62,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int ubw[] = ++static int ubw[4] = + { + RX_UByte, + RX_UWord, +@@ -69,7 +70,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int memex[] = ++static int memex[4] = + { + RX_SByte, + RX_SWord, +@@ -89,6 +90,9 @@ + /* This is for the prefix size enum. */ + static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; + ++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) ++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? 
PSCALE[(_indx)] : 0) ++ + static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, + 16, 17, 0, 0, 0, 0, 0, 0 }; + +@@ -107,7 +111,7 @@ + #define DC(c) OP (0, RX_Operand_Immediate, 0, c) + #define DR(r) OP (0, RX_Operand_Register, r, 0) + #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) +-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); + #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) + +@@ -115,7 +119,7 @@ + #define SR(r) OP (1, RX_Operand_Register, r, 0) + #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) + #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) +-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); + #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); + #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; +@@ -124,7 +128,7 @@ + #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) + #define S2R(r) OP (2, RX_Operand_Register, r, 0) + #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) +-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); + #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? 
RX_UByte : RX_Long, ld); P(t, 2); + #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; +@@ -211,7 +215,7 @@ + } + + static void +-rx_disp (int n, int type, int reg, int size, LocalData * ld) ++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) + { + int disp; + +@@ -228,7 +232,7 @@ + case 1: + ld->rx->op[n].type = RX_Operand_Indirect; + disp = GETBYTE (); +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + case 2: + ld->rx->op[n].type = RX_Operand_Indirect; +@@ -238,7 +242,7 @@ + #else + disp = disp + GETBYTE () * 256; + #endif +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + default: + abort (); +Index: git/opcodes/rx-decode.opc +=================================================================== +--- git.orig/opcodes/rx-decode.opc 2017-09-21 14:41:57.478649861 +0530 ++++ git/opcodes/rx-decode.opc 2017-09-21 14:41:57.458649736 +0530 +@@ -26,6 +26,7 @@ + #include <string.h> + #include "ansidecl.h" + #include "opcode/rx.h" ++#include "libiberty.h" + + #define RX_OPCODE_BIG_ENDIAN 0 + +@@ -44,7 +45,7 @@ + #define LSIZE 2 + + /* These are for when the upper bits are "don't care" or "undefined". */ +-static int bwl[] = ++static int bwl[4] = + { + RX_Byte, + RX_Word, +@@ -52,7 +53,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int sbwl[] = ++static int sbwl[4] = + { + RX_SByte, + RX_SWord, +@@ -60,7 +61,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int ubw[] = ++static int ubw[4] = + { + RX_UByte, + RX_UWord, +@@ -68,7 +69,7 @@ + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int memex[] = ++static int memex[4] = + { + RX_SByte, + RX_SWord, +@@ -88,6 +89,9 @@ + /* This is for the prefix size enum. 
*/ + static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; + ++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) ++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0) ++ + static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, + 16, 17, 0, 0, 0, 0, 0, 0 }; + +@@ -106,7 +110,7 @@ + #define DC(c) OP (0, RX_Operand_Immediate, 0, c) + #define DR(r) OP (0, RX_Operand_Register, r, 0) + #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) +-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); + #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) + +@@ -114,7 +118,7 @@ + #define SR(r) OP (1, RX_Operand_Register, r, 0) + #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) + #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) +-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); + #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); + #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; +@@ -123,7 +127,7 @@ + #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) + #define S2R(r) OP (2, RX_Operand_Register, r, 0) + #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) +-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); + #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? 
RX_UByte : RX_Long, ld); P(t, 2); + #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; +@@ -210,7 +214,7 @@ + } + + static void +-rx_disp (int n, int type, int reg, int size, LocalData * ld) ++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) + { + int disp; + +@@ -227,7 +231,7 @@ + case 1: + ld->rx->op[n].type = RX_Operand_Indirect; + disp = GETBYTE (); +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + case 2: + ld->rx->op[n].type = RX_Operand_Indirect; +@@ -237,7 +241,7 @@ + #else + disp = disp + GETBYTE () * 256; + #endif +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + default: + abort (); +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog 2017-09-21 14:40:17.000000000 +0530 ++++ git/opcodes/ChangeLog 2017-09-21 14:44:07.503461009 +0530 +@@ -15,6 +15,15 @@ + array. + * rl78-decode.c: Regenerate. + ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21587 ++ * rx-decode.opc: Include libiberty.h ++ (GET_SCALE): New macro - validates access to SCALE array. ++ (GET_PSCALE): New macro - validates access to PSCALE array. ++ (DIs, SIs, S2Is, rx_disp): Use new macros. ++ * rx-decode.c: Regenerate. ++ + 2016-08-03 Tristan Gingold <gingold@adacore.com> + + * configure: Regenerate. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch new file mode 100644 index 0000000000..0d525e8ac1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch 
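Review bot: GET_SCALE and GET_PSCALE return 0 for an out-of-range index, so a corrupt size field yields an addend of 0 and the operand is shown as an ordinary zero displacement with no sign that the encoding was invalid. Both macros also expand `_indx` twice. The current callers pass plain variables, but an argument with side effects such as a GETBYTE() call would be evaluated twice. I would document both properties next to the definitions in rx-decode.opc and the regenerated rx-decode.c: `/* Out-of-range indices yield a scale of 0.  The argument is evaluated twice; pass side-effect-free expressions only.  */`. The direct `bwl[s]`, `memex[m]` and `flagmap[r]` accesses are unchanged and still depend on the callers' field widths, which are not visible here.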
@@ -0,0 +1,3738 @@ +commit 63323b5b23bd83fa7b04ea00dff593c933e9b0e3 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 12:37:01 2017 +0100 + + Fix address violation when disassembling a corrupt RL78 binary. + + PR binutils/21588 + * rl78-decode.opc (OP_BUF_LEN): Define. + (GETBYTE): Check for the index exceeding OP_BUF_LEN. + (rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf + array. + * rl78-decode.c: Regenerate. + +Upstream-Status: Backport + +CVE: CVE-2017-9751 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/opcodes/rl78-decode.c +=================================================================== +--- git.orig/opcodes/rl78-decode.c 2017-09-21 13:14:42.256835775 +0530 ++++ git/opcodes/rl78-decode.c 2017-09-21 13:14:49.444888350 +0530 +@@ -51,7 +51,9 @@ + #define W() rl78->size = RL78_Word + + #define AU ATTRIBUTE_UNUSED +-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr)) ++ ++#define OP_BUF_LEN 20 ++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? 
ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0) + #define B ((unsigned long) GETBYTE()) + + #define SYNTAX(x) rl78->syntax = x +@@ -169,7 +171,7 @@ + RL78_Dis_Isa isa) + { + LocalData lds, * ld = &lds; +- unsigned char op_buf[20] = {0}; ++ unsigned char op_buf[OP_BUF_LEN] = {0}; + unsigned char *op = op_buf; + int op0, op1; + +@@ -201,7 +203,7 @@ + op[0]); + } + SYNTAX("nop"); +-#line 911 "rl78-decode.opc" ++#line 913 "rl78-decode.opc" + ID(nop); + + /*----------------------------------------------------------------------*/ +@@ -214,7 +216,7 @@ + case 0x07: + { + /** 0000 0rw1 addw %0, %1 */ +-#line 274 "rl78-decode.opc" ++#line 276 "rl78-decode.opc" + int rw AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -224,7 +226,7 @@ + printf (" rw = 0x%x\n", rw); + } + SYNTAX("addw %0, %1"); +-#line 274 "rl78-decode.opc" ++#line 276 "rl78-decode.opc" + ID(add); W(); DR(AX); SRW(rw); Fzac; + + } +@@ -239,7 +241,7 @@ + op[0]); + } + SYNTAX("addw %0, %e!1"); +-#line 265 "rl78-decode.opc" ++#line 267 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -254,7 +256,7 @@ + op[0]); + } + SYNTAX("addw %0, #%1"); +-#line 271 "rl78-decode.opc" ++#line 273 "rl78-decode.opc" + ID(add); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -269,7 +271,7 @@ + op[0]); + } + SYNTAX("addw %0, %1"); +-#line 277 "rl78-decode.opc" ++#line 279 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(None, SADDR); Fzac; + + } +@@ -284,7 +286,7 @@ + op[0]); + } + SYNTAX("xch a, x"); +-#line 1234 "rl78-decode.opc" ++#line 1236 "rl78-decode.opc" + ID(xch); DR(A); SR(X); + + /*----------------------------------------------------------------------*/ +@@ -301,7 +303,7 @@ + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 678 "rl78-decode.opc" ++#line 680 "rl78-decode.opc" + ID(mov); DR(A); SM(B, IMMU(2)); + + } +@@ -316,7 +318,7 @@ + op[0]); + } + SYNTAX("add %0, #%1"); +-#line 228 "rl78-decode.opc" ++#line 230 "rl78-decode.opc" + ID(add); DM(None, SADDR); SC(IMMU(1)); Fzac; + + 
/*----------------------------------------------------------------------*/ +@@ -333,7 +335,7 @@ + op[0]); + } + SYNTAX("add %0, %1"); +-#line 222 "rl78-decode.opc" ++#line 224 "rl78-decode.opc" + ID(add); DR(A); SM(None, SADDR); Fzac; + + } +@@ -348,7 +350,7 @@ + op[0]); + } + SYNTAX("add %0, #%1"); +-#line 216 "rl78-decode.opc" ++#line 218 "rl78-decode.opc" + ID(add); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -363,7 +365,7 @@ + op[0]); + } + SYNTAX("add %0, %e1"); +-#line 204 "rl78-decode.opc" ++#line 206 "rl78-decode.opc" + ID(add); DR(A); SM(HL, 0); Fzac; + + } +@@ -378,7 +380,7 @@ + op[0]); + } + SYNTAX("add %0, %ea1"); +-#line 210 "rl78-decode.opc" ++#line 212 "rl78-decode.opc" + ID(add); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -393,7 +395,7 @@ + op[0]); + } + SYNTAX("add %0, %e!1"); +-#line 201 "rl78-decode.opc" ++#line 203 "rl78-decode.opc" + ID(add); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -408,7 +410,7 @@ + op[0]); + } + SYNTAX("addw %0, #%1"); +-#line 280 "rl78-decode.opc" ++#line 282 "rl78-decode.opc" + ID(add); W(); DR(SP); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -425,7 +427,7 @@ + op[0]); + } + SYNTAX("es:"); +-#line 193 "rl78-decode.opc" ++#line 195 "rl78-decode.opc" + DE(); SE(); + op ++; + pc ++; +@@ -440,7 +442,7 @@ + case 0x16: + { + /** 0001 0ra0 movw %0, %1 */ +-#line 859 "rl78-decode.opc" ++#line 861 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -450,7 +452,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 859 "rl78-decode.opc" ++#line 861 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SR(AX); + + } +@@ -460,7 +462,7 @@ + case 0x17: + { + /** 0001 0ra1 movw %0, %1 */ +-#line 856 "rl78-decode.opc" ++#line 858 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -470,7 +472,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 856 "rl78-decode.opc" ++#line 858 "rl78-decode.opc" + ID(mov); W(); DR(AX); 
SRW(ra); + + } +@@ -485,7 +487,7 @@ + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 729 "rl78-decode.opc" ++#line 731 "rl78-decode.opc" + ID(mov); DM(B, IMMU(2)); SR(A); + + } +@@ -500,7 +502,7 @@ + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 726 "rl78-decode.opc" ++#line 728 "rl78-decode.opc" + ID(mov); DM(B, IMMU(2)); SC(IMMU(1)); + + } +@@ -515,7 +517,7 @@ + op[0]); + } + SYNTAX("addc %0, #%1"); +-#line 260 "rl78-decode.opc" ++#line 262 "rl78-decode.opc" + ID(addc); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -532,7 +534,7 @@ + op[0]); + } + SYNTAX("addc %0, %1"); +-#line 257 "rl78-decode.opc" ++#line 259 "rl78-decode.opc" + ID(addc); DR(A); SM(None, SADDR); Fzac; + + } +@@ -547,7 +549,7 @@ + op[0]); + } + SYNTAX("addc %0, #%1"); +-#line 248 "rl78-decode.opc" ++#line 250 "rl78-decode.opc" + ID(addc); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -562,7 +564,7 @@ + op[0]); + } + SYNTAX("addc %0, %e1"); +-#line 236 "rl78-decode.opc" ++#line 238 "rl78-decode.opc" + ID(addc); DR(A); SM(HL, 0); Fzac; + + } +@@ -577,7 +579,7 @@ + op[0]); + } + SYNTAX("addc %0, %ea1"); +-#line 245 "rl78-decode.opc" ++#line 247 "rl78-decode.opc" + ID(addc); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -592,7 +594,7 @@ + op[0]); + } + SYNTAX("addc %0, %e!1"); +-#line 233 "rl78-decode.opc" ++#line 235 "rl78-decode.opc" + ID(addc); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -607,7 +609,7 @@ + op[0]); + } + SYNTAX("subw %0, #%1"); +-#line 1198 "rl78-decode.opc" ++#line 1200 "rl78-decode.opc" + ID(sub); W(); DR(SP); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -620,7 +622,7 @@ + case 0x27: + { + /** 0010 0rw1 subw %0, %1 */ +-#line 1192 "rl78-decode.opc" ++#line 1194 "rl78-decode.opc" + int rw AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -630,7 +632,7 @@ + printf (" rw = 0x%x\n", rw); + } + SYNTAX("subw %0, %1"); +-#line 1192 "rl78-decode.opc" ++#line 1194 "rl78-decode.opc" 
+ ID(sub); W(); DR(AX); SRW(rw); Fzac; + + } +@@ -645,7 +647,7 @@ + op[0]); + } + SYNTAX("subw %0, %e!1"); +-#line 1183 "rl78-decode.opc" ++#line 1185 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -660,7 +662,7 @@ + op[0]); + } + SYNTAX("subw %0, #%1"); +-#line 1189 "rl78-decode.opc" ++#line 1191 "rl78-decode.opc" + ID(sub); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -675,7 +677,7 @@ + op[0]); + } + SYNTAX("subw %0, %1"); +-#line 1195 "rl78-decode.opc" ++#line 1197 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(None, SADDR); Fzac; + + } +@@ -690,7 +692,7 @@ + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 741 "rl78-decode.opc" ++#line 743 "rl78-decode.opc" + ID(mov); DM(C, IMMU(2)); SR(A); + + } +@@ -705,7 +707,7 @@ + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 684 "rl78-decode.opc" ++#line 686 "rl78-decode.opc" + ID(mov); DR(A); SM(C, IMMU(2)); + + } +@@ -720,7 +722,7 @@ + op[0]); + } + SYNTAX("sub %0, #%1"); +-#line 1146 "rl78-decode.opc" ++#line 1148 "rl78-decode.opc" + ID(sub); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -737,7 +739,7 @@ + op[0]); + } + SYNTAX("sub %0, %1"); +-#line 1140 "rl78-decode.opc" ++#line 1142 "rl78-decode.opc" + ID(sub); DR(A); SM(None, SADDR); Fzac; + + } +@@ -752,7 +754,7 @@ + op[0]); + } + SYNTAX("sub %0, #%1"); +-#line 1134 "rl78-decode.opc" ++#line 1136 "rl78-decode.opc" + ID(sub); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -767,7 +769,7 @@ + op[0]); + } + SYNTAX("sub %0, %e1"); +-#line 1122 "rl78-decode.opc" ++#line 1124 "rl78-decode.opc" + ID(sub); DR(A); SM(HL, 0); Fzac; + + } +@@ -782,7 +784,7 @@ + op[0]); + } + SYNTAX("sub %0, %ea1"); +-#line 1128 "rl78-decode.opc" ++#line 1130 "rl78-decode.opc" + ID(sub); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -797,7 +799,7 @@ + op[0]); + } + SYNTAX("sub %0, %e!1"); +-#line 1119 "rl78-decode.opc" ++#line 1121 "rl78-decode.opc" + ID(sub); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -808,7 +810,7 @@ + 
case 0x36: + { + /** 0011 0rg0 movw %0, #%1 */ +-#line 853 "rl78-decode.opc" ++#line 855 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -818,7 +820,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("movw %0, #%1"); +-#line 853 "rl78-decode.opc" ++#line 855 "rl78-decode.opc" + ID(mov); W(); DRW(rg); SC(IMMU(2)); + + } +@@ -830,7 +832,7 @@ + case 0x00: + { + /** 0011 0001 0bit 0000 btclr %s1, $%a0 */ +-#line 416 "rl78-decode.opc" ++#line 418 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -840,7 +842,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %s1, $%a0"); +-#line 416 "rl78-decode.opc" ++#line 418 "rl78-decode.opc" + ID(branch_cond_clear); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + /*----------------------------------------------------------------------*/ +@@ -850,7 +852,7 @@ + case 0x01: + { + /** 0011 0001 0bit 0001 btclr %1, $%a0 */ +-#line 410 "rl78-decode.opc" ++#line 412 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -860,7 +862,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %1, $%a0"); +-#line 410 "rl78-decode.opc" ++#line 412 "rl78-decode.opc" + ID(branch_cond_clear); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T); + + } +@@ -868,7 +870,7 @@ + case 0x02: + { + /** 0011 0001 0bit 0010 bt %s1, $%a0 */ +-#line 402 "rl78-decode.opc" ++#line 404 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -878,7 +880,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %s1, $%a0"); +-#line 402 "rl78-decode.opc" ++#line 404 "rl78-decode.opc" + ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + /*----------------------------------------------------------------------*/ +@@ -888,7 +890,7 @@ + case 0x03: + { + /** 0011 0001 0bit 0011 bt %1, $%a0 */ +-#line 396 "rl78-decode.opc" ++#line 398 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -898,7 +900,7 @@ + printf (" bit = 0x%x\n", bit); + } + 
SYNTAX("bt %1, $%a0"); +-#line 396 "rl78-decode.opc" ++#line 398 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T); + + } +@@ -906,7 +908,7 @@ + case 0x04: + { + /** 0011 0001 0bit 0100 bf %s1, $%a0 */ +-#line 363 "rl78-decode.opc" ++#line 365 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -916,7 +918,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %s1, $%a0"); +-#line 363 "rl78-decode.opc" ++#line 365 "rl78-decode.opc" + ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(F); + + /*----------------------------------------------------------------------*/ +@@ -926,7 +928,7 @@ + case 0x05: + { + /** 0011 0001 0bit 0101 bf %1, $%a0 */ +-#line 357 "rl78-decode.opc" ++#line 359 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -936,7 +938,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %1, $%a0"); +-#line 357 "rl78-decode.opc" ++#line 359 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(F); + + } +@@ -944,7 +946,7 @@ + case 0x07: + { + /** 0011 0001 0cnt 0111 shl %0, %1 */ +-#line 1075 "rl78-decode.opc" ++#line 1077 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -954,7 +956,7 @@ + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1075 "rl78-decode.opc" ++#line 1077 "rl78-decode.opc" + ID(shl); DR(C); SC(cnt); + + } +@@ -962,7 +964,7 @@ + case 0x08: + { + /** 0011 0001 0cnt 1000 shl %0, %1 */ +-#line 1072 "rl78-decode.opc" ++#line 1074 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -972,7 +974,7 @@ + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1072 "rl78-decode.opc" ++#line 1074 "rl78-decode.opc" + ID(shl); DR(B); SC(cnt); + + } +@@ -980,7 +982,7 @@ + case 0x09: + { + /** 0011 0001 0cnt 1001 shl %0, %1 */ +-#line 1069 "rl78-decode.opc" ++#line 1071 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -990,7 +992,7 @@ + 
printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1069 "rl78-decode.opc" ++#line 1071 "rl78-decode.opc" + ID(shl); DR(A); SC(cnt); + + } +@@ -998,7 +1000,7 @@ + case 0x0a: + { + /** 0011 0001 0cnt 1010 shr %0, %1 */ +-#line 1086 "rl78-decode.opc" ++#line 1088 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1008,7 +1010,7 @@ + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shr %0, %1"); +-#line 1086 "rl78-decode.opc" ++#line 1088 "rl78-decode.opc" + ID(shr); DR(A); SC(cnt); + + } +@@ -1016,7 +1018,7 @@ + case 0x0b: + { + /** 0011 0001 0cnt 1011 sar %0, %1 */ +-#line 1033 "rl78-decode.opc" ++#line 1035 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1026,7 +1028,7 @@ + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("sar %0, %1"); +-#line 1033 "rl78-decode.opc" ++#line 1035 "rl78-decode.opc" + ID(sar); DR(A); SC(cnt); + + } +@@ -1035,7 +1037,7 @@ + case 0x8c: + { + /** 0011 0001 wcnt 1100 shlw %0, %1 */ +-#line 1081 "rl78-decode.opc" ++#line 1083 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1045,7 +1047,7 @@ + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("shlw %0, %1"); +-#line 1081 "rl78-decode.opc" ++#line 1083 "rl78-decode.opc" + ID(shl); W(); DR(BC); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1056,7 +1058,7 @@ + case 0x8d: + { + /** 0011 0001 wcnt 1101 shlw %0, %1 */ +-#line 1078 "rl78-decode.opc" ++#line 1080 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1066,7 +1068,7 @@ + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("shlw %0, %1"); +-#line 1078 "rl78-decode.opc" ++#line 1080 "rl78-decode.opc" + ID(shl); W(); DR(AX); SC(wcnt); + + } +@@ -1075,7 +1077,7 @@ + case 0x8e: + { + /** 0011 0001 wcnt 1110 shrw %0, %1 */ +-#line 1089 "rl78-decode.opc" ++#line 1091 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1085,7 +1087,7 @@ + printf (" wcnt = 0x%x\n", 
wcnt); + } + SYNTAX("shrw %0, %1"); +-#line 1089 "rl78-decode.opc" ++#line 1091 "rl78-decode.opc" + ID(shr); W(); DR(AX); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1096,7 +1098,7 @@ + case 0x8f: + { + /** 0011 0001 wcnt 1111 sarw %0, %1 */ +-#line 1036 "rl78-decode.opc" ++#line 1038 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1106,7 +1108,7 @@ + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("sarw %0, %1"); +-#line 1036 "rl78-decode.opc" ++#line 1038 "rl78-decode.opc" + ID(sar); W(); DR(AX); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1116,7 +1118,7 @@ + case 0x80: + { + /** 0011 0001 1bit 0000 btclr %s1, $%a0 */ +-#line 413 "rl78-decode.opc" ++#line 415 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1126,7 +1128,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %s1, $%a0"); +-#line 413 "rl78-decode.opc" ++#line 415 "rl78-decode.opc" + ID(branch_cond_clear); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + } +@@ -1134,7 +1136,7 @@ + case 0x81: + { + /** 0011 0001 1bit 0001 btclr %e1, $%a0 */ +-#line 407 "rl78-decode.opc" ++#line 409 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1144,7 +1146,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %e1, $%a0"); +-#line 407 "rl78-decode.opc" ++#line 409 "rl78-decode.opc" + ID(branch_cond_clear); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T); + + } +@@ -1152,7 +1154,7 @@ + case 0x82: + { + /** 0011 0001 1bit 0010 bt %s1, $%a0 */ +-#line 399 "rl78-decode.opc" ++#line 401 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1162,7 +1164,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %s1, $%a0"); +-#line 399 "rl78-decode.opc" ++#line 401 "rl78-decode.opc" + ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + } +@@ -1170,7 +1172,7 @@ + case 0x83: + { + /** 0011 0001 
1bit 0011 bt %e1, $%a0 */ +-#line 393 "rl78-decode.opc" ++#line 395 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1180,7 +1182,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %e1, $%a0"); +-#line 393 "rl78-decode.opc" ++#line 395 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T); + + } +@@ -1188,7 +1190,7 @@ + case 0x84: + { + /** 0011 0001 1bit 0100 bf %s1, $%a0 */ +-#line 360 "rl78-decode.opc" ++#line 362 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1198,7 +1200,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %s1, $%a0"); +-#line 360 "rl78-decode.opc" ++#line 362 "rl78-decode.opc" + ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(F); + + } +@@ -1206,7 +1208,7 @@ + case 0x85: + { + /** 0011 0001 1bit 0101 bf %e1, $%a0 */ +-#line 354 "rl78-decode.opc" ++#line 356 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1216,7 +1218,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %e1, $%a0"); +-#line 354 "rl78-decode.opc" ++#line 356 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(F); + + } +@@ -1229,7 +1231,7 @@ + case 0x37: + { + /** 0011 0ra1 xchw %0, %1 */ +-#line 1239 "rl78-decode.opc" ++#line 1241 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -1239,7 +1241,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("xchw %0, %1"); +-#line 1239 "rl78-decode.opc" ++#line 1241 "rl78-decode.opc" + ID(xch); W(); DR(AX); SRW(ra); + + /*----------------------------------------------------------------------*/ +@@ -1256,7 +1258,7 @@ + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 738 "rl78-decode.opc" ++#line 740 "rl78-decode.opc" + ID(mov); DM(C, IMMU(2)); SC(IMMU(1)); + + } +@@ -1271,7 +1273,7 @@ + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 732 "rl78-decode.opc" ++#line 734 "rl78-decode.opc" + ID(mov); DM(BC, IMMU(2)); SC(IMMU(1)); + + } +@@ -1286,7 +1288,7 @@ + op[0]); 
+ } + SYNTAX("subc %0, #%1"); +-#line 1178 "rl78-decode.opc" ++#line 1180 "rl78-decode.opc" + ID(subc); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1303,7 +1305,7 @@ + op[0]); + } + SYNTAX("subc %0, %1"); +-#line 1175 "rl78-decode.opc" ++#line 1177 "rl78-decode.opc" + ID(subc); DR(A); SM(None, SADDR); Fzac; + + } +@@ -1318,7 +1320,7 @@ + op[0]); + } + SYNTAX("subc %0, #%1"); +-#line 1166 "rl78-decode.opc" ++#line 1168 "rl78-decode.opc" + ID(subc); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -1333,7 +1335,7 @@ + op[0]); + } + SYNTAX("subc %0, %e1"); +-#line 1154 "rl78-decode.opc" ++#line 1156 "rl78-decode.opc" + ID(subc); DR(A); SM(HL, 0); Fzac; + + } +@@ -1348,7 +1350,7 @@ + op[0]); + } + SYNTAX("subc %0, %ea1"); +-#line 1163 "rl78-decode.opc" ++#line 1165 "rl78-decode.opc" + ID(subc); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -1363,7 +1365,7 @@ + op[0]); + } + SYNTAX("subc %0, %e!1"); +-#line 1151 "rl78-decode.opc" ++#line 1153 "rl78-decode.opc" + ID(subc); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -1378,7 +1380,7 @@ + op[0]); + } + SYNTAX("cmp %e!0, #%1"); +-#line 480 "rl78-decode.opc" ++#line 482 "rl78-decode.opc" + ID(cmp); DM(None, IMMU(2)); SC(IMMU(1)); Fzac; + + } +@@ -1393,7 +1395,7 @@ + op[0]); + } + SYNTAX("mov %0, #%1"); +-#line 717 "rl78-decode.opc" ++#line 719 "rl78-decode.opc" + ID(mov); DR(ES); SC(IMMU(1)); + + } +@@ -1408,7 +1410,7 @@ + op[0]); + } + SYNTAX("cmpw %0, %e!1"); +-#line 531 "rl78-decode.opc" ++#line 533 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -1418,7 +1420,7 @@ + case 0x47: + { + /** 0100 0ra1 cmpw %0, %1 */ +-#line 540 "rl78-decode.opc" ++#line 542 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -1428,7 +1430,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("cmpw %0, %1"); +-#line 540 "rl78-decode.opc" ++#line 542 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SRW(ra); Fzac; + + } +@@ -1443,7 +1445,7 @@ + op[0]); 
+ } + SYNTAX("cmpw %0, #%1"); +-#line 537 "rl78-decode.opc" ++#line 539 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -1458,7 +1460,7 @@ + op[0]); + } + SYNTAX("cmpw %0, %1"); +-#line 543 "rl78-decode.opc" ++#line 545 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(None, SADDR); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1475,7 +1477,7 @@ + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 735 "rl78-decode.opc" ++#line 737 "rl78-decode.opc" + ID(mov); DM(BC, IMMU(2)); SR(A); + + } +@@ -1490,7 +1492,7 @@ + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 681 "rl78-decode.opc" ++#line 683 "rl78-decode.opc" + ID(mov); DR(A); SM(BC, IMMU(2)); + + } +@@ -1505,7 +1507,7 @@ + op[0]); + } + SYNTAX("cmp %0, #%1"); +-#line 483 "rl78-decode.opc" ++#line 485 "rl78-decode.opc" + ID(cmp); DM(None, SADDR); SC(IMMU(1)); Fzac; + + } +@@ -1520,7 +1522,7 @@ + op[0]); + } + SYNTAX("cmp %0, %1"); +-#line 510 "rl78-decode.opc" ++#line 512 "rl78-decode.opc" + ID(cmp); DR(A); SM(None, SADDR); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1537,7 +1539,7 @@ + op[0]); + } + SYNTAX("cmp %0, #%1"); +-#line 501 "rl78-decode.opc" ++#line 503 "rl78-decode.opc" + ID(cmp); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -1552,7 +1554,7 @@ + op[0]); + } + SYNTAX("cmp %0, %e1"); +-#line 489 "rl78-decode.opc" ++#line 491 "rl78-decode.opc" + ID(cmp); DR(A); SM(HL, 0); Fzac; + + } +@@ -1567,7 +1569,7 @@ + op[0]); + } + SYNTAX("cmp %0, %ea1"); +-#line 498 "rl78-decode.opc" ++#line 500 "rl78-decode.opc" + ID(cmp); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -1582,7 +1584,7 @@ + op[0]); + } + SYNTAX("cmp %0, %e!1"); +-#line 486 "rl78-decode.opc" ++#line 488 "rl78-decode.opc" + ID(cmp); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -1597,7 +1599,7 @@ + case 0x57: + { + /** 0101 0reg mov %0, #%1 */ +-#line 669 "rl78-decode.opc" ++#line 671 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -1607,7 +1609,7 @@ 
+ printf (" reg = 0x%x\n", reg); + } + SYNTAX("mov %0, #%1"); +-#line 669 "rl78-decode.opc" ++#line 671 "rl78-decode.opc" + ID(mov); DRB(reg); SC(IMMU(1)); + + } +@@ -1622,7 +1624,7 @@ + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 871 "rl78-decode.opc" ++#line 873 "rl78-decode.opc" + ID(mov); W(); DM(B, IMMU(2)); SR(AX); + + } +@@ -1637,7 +1639,7 @@ + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 862 "rl78-decode.opc" ++#line 864 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(B, IMMU(2)); + + } +@@ -1652,7 +1654,7 @@ + op[0]); + } + SYNTAX("and %0, #%1"); +-#line 312 "rl78-decode.opc" ++#line 314 "rl78-decode.opc" + ID(and); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -1669,7 +1671,7 @@ + op[0]); + } + SYNTAX("and %0, %1"); +-#line 309 "rl78-decode.opc" ++#line 311 "rl78-decode.opc" + ID(and); DR(A); SM(None, SADDR); Fz; + + } +@@ -1684,7 +1686,7 @@ + op[0]); + } + SYNTAX("and %0, #%1"); +-#line 300 "rl78-decode.opc" ++#line 302 "rl78-decode.opc" + ID(and); DR(A); SC(IMMU(1)); Fz; + + } +@@ -1699,7 +1701,7 @@ + op[0]); + } + SYNTAX("and %0, %e1"); +-#line 288 "rl78-decode.opc" ++#line 290 "rl78-decode.opc" + ID(and); DR(A); SM(HL, 0); Fz; + + } +@@ -1714,7 +1716,7 @@ + op[0]); + } + SYNTAX("and %0, %ea1"); +-#line 294 "rl78-decode.opc" ++#line 296 "rl78-decode.opc" + ID(and); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -1729,7 +1731,7 @@ + op[0]); + } + SYNTAX("and %0, %e!1"); +-#line 285 "rl78-decode.opc" ++#line 287 "rl78-decode.opc" + ID(and); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -1743,7 +1745,7 @@ + case 0x67: + { + /** 0110 0rba mov %0, %1 */ +-#line 672 "rl78-decode.opc" ++#line 674 "rl78-decode.opc" + int rba AU = op[0] & 0x07; + if (trace) + { +@@ -1753,7 +1755,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("mov %0, %1"); +-#line 672 "rl78-decode.opc" ++#line 674 "rl78-decode.opc" + ID(mov); DR(A); SRB(rba); + + } +@@ -1772,7 +1774,7 @@ + case 0x07: + { + /** 0110 0001 0000 0reg add 
%0, %1 */ +-#line 225 "rl78-decode.opc" ++#line 227 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1782,7 +1784,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("add %0, %1"); +-#line 225 "rl78-decode.opc" ++#line 227 "rl78-decode.opc" + ID(add); DRB(reg); SR(A); Fzac; + + } +@@ -1796,7 +1798,7 @@ + case 0x0f: + { + /** 0110 0001 0000 1rba add %0, %1 */ +-#line 219 "rl78-decode.opc" ++#line 221 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1806,7 +1808,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("add %0, %1"); +-#line 219 "rl78-decode.opc" ++#line 221 "rl78-decode.opc" + ID(add); DR(A); SRB(rba); Fzac; + + } +@@ -1821,7 +1823,7 @@ + op[0], op[1]); + } + SYNTAX("addw %0, %ea1"); +-#line 268 "rl78-decode.opc" ++#line 270 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -1836,7 +1838,7 @@ + case 0x17: + { + /** 0110 0001 0001 0reg addc %0, %1 */ +-#line 254 "rl78-decode.opc" ++#line 256 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1846,7 +1848,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("addc %0, %1"); +-#line 254 "rl78-decode.opc" ++#line 256 "rl78-decode.opc" + ID(addc); DRB(reg); SR(A); Fzac; + + } +@@ -1860,7 +1862,7 @@ + case 0x1f: + { + /** 0110 0001 0001 1rba addc %0, %1 */ +-#line 251 "rl78-decode.opc" ++#line 253 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1870,7 +1872,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("addc %0, %1"); +-#line 251 "rl78-decode.opc" ++#line 253 "rl78-decode.opc" + ID(addc); DR(A); SRB(rba); Fzac; + + } +@@ -1885,7 +1887,7 @@ + case 0x27: + { + /** 0110 0001 0010 0reg sub %0, %1 */ +-#line 1143 "rl78-decode.opc" ++#line 1145 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1895,7 +1897,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("sub %0, %1"); +-#line 1143 "rl78-decode.opc" ++#line 1145 "rl78-decode.opc" + ID(sub); DRB(reg); SR(A); Fzac; + + } +@@ -1909,7 +1911,7 @@ + 
case 0x2f: + { + /** 0110 0001 0010 1rba sub %0, %1 */ +-#line 1137 "rl78-decode.opc" ++#line 1139 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1919,7 +1921,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("sub %0, %1"); +-#line 1137 "rl78-decode.opc" ++#line 1139 "rl78-decode.opc" + ID(sub); DR(A); SRB(rba); Fzac; + + } +@@ -1934,7 +1936,7 @@ + op[0], op[1]); + } + SYNTAX("subw %0, %ea1"); +-#line 1186 "rl78-decode.opc" ++#line 1188 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -1949,7 +1951,7 @@ + case 0x37: + { + /** 0110 0001 0011 0reg subc %0, %1 */ +-#line 1172 "rl78-decode.opc" ++#line 1174 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1959,7 +1961,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("subc %0, %1"); +-#line 1172 "rl78-decode.opc" ++#line 1174 "rl78-decode.opc" + ID(subc); DRB(reg); SR(A); Fzac; + + } +@@ -1973,7 +1975,7 @@ + case 0x3f: + { + /** 0110 0001 0011 1rba subc %0, %1 */ +-#line 1169 "rl78-decode.opc" ++#line 1171 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1983,7 +1985,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("subc %0, %1"); +-#line 1169 "rl78-decode.opc" ++#line 1171 "rl78-decode.opc" + ID(subc); DR(A); SRB(rba); Fzac; + + } +@@ -1998,7 +2000,7 @@ + case 0x47: + { + /** 0110 0001 0100 0reg cmp %0, %1 */ +-#line 507 "rl78-decode.opc" ++#line 509 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2008,7 +2010,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("cmp %0, %1"); +-#line 507 "rl78-decode.opc" ++#line 509 "rl78-decode.opc" + ID(cmp); DRB(reg); SR(A); Fzac; + + } +@@ -2022,7 +2024,7 @@ + case 0x4f: + { + /** 0110 0001 0100 1rba cmp %0, %1 */ +-#line 504 "rl78-decode.opc" ++#line 506 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2032,7 +2034,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("cmp %0, %1"); +-#line 504 "rl78-decode.opc" ++#line 506 "rl78-decode.opc" + ID(cmp); 
DR(A); SRB(rba); Fzac; + + } +@@ -2047,7 +2049,7 @@ + op[0], op[1]); + } + SYNTAX("cmpw %0, %ea1"); +-#line 534 "rl78-decode.opc" ++#line 536 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -2062,7 +2064,7 @@ + case 0x57: + { + /** 0110 0001 0101 0reg and %0, %1 */ +-#line 306 "rl78-decode.opc" ++#line 308 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2072,7 +2074,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("and %0, %1"); +-#line 306 "rl78-decode.opc" ++#line 308 "rl78-decode.opc" + ID(and); DRB(reg); SR(A); Fz; + + } +@@ -2086,7 +2088,7 @@ + case 0x5f: + { + /** 0110 0001 0101 1rba and %0, %1 */ +-#line 303 "rl78-decode.opc" ++#line 305 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2096,7 +2098,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("and %0, %1"); +-#line 303 "rl78-decode.opc" ++#line 305 "rl78-decode.opc" + ID(and); DR(A); SRB(rba); Fz; + + } +@@ -2111,7 +2113,7 @@ + op[0], op[1]); + } + SYNTAX("inc %ea0"); +-#line 584 "rl78-decode.opc" ++#line 586 "rl78-decode.opc" + ID(add); DM(HL, IMMU(1)); SC(1); Fza; + + } +@@ -2126,7 +2128,7 @@ + case 0x67: + { + /** 0110 0001 0110 0reg or %0, %1 */ +-#line 961 "rl78-decode.opc" ++#line 963 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2136,7 +2138,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("or %0, %1"); +-#line 961 "rl78-decode.opc" ++#line 963 "rl78-decode.opc" + ID(or); DRB(reg); SR(A); Fz; + + } +@@ -2150,7 +2152,7 @@ + case 0x6f: + { + /** 0110 0001 0110 1rba or %0, %1 */ +-#line 958 "rl78-decode.opc" ++#line 960 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2160,7 +2162,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("or %0, %1"); +-#line 958 "rl78-decode.opc" ++#line 960 "rl78-decode.opc" + ID(or); DR(A); SRB(rba); Fz; + + } +@@ -2175,7 +2177,7 @@ + op[0], op[1]); + } + SYNTAX("dec %ea0"); +-#line 551 "rl78-decode.opc" ++#line 553 "rl78-decode.opc" + ID(sub); DM(HL, 
IMMU(1)); SC(1); Fza; + + } +@@ -2190,7 +2192,7 @@ + case 0x77: + { + /** 0110 0001 0111 0reg xor %0, %1 */ +-#line 1265 "rl78-decode.opc" ++#line 1267 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2200,7 +2202,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("xor %0, %1"); +-#line 1265 "rl78-decode.opc" ++#line 1267 "rl78-decode.opc" + ID(xor); DRB(reg); SR(A); Fz; + + } +@@ -2214,7 +2216,7 @@ + case 0x7f: + { + /** 0110 0001 0111 1rba xor %0, %1 */ +-#line 1262 "rl78-decode.opc" ++#line 1264 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2224,7 +2226,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("xor %0, %1"); +-#line 1262 "rl78-decode.opc" ++#line 1264 "rl78-decode.opc" + ID(xor); DR(A); SRB(rba); Fz; + + } +@@ -2239,7 +2241,7 @@ + op[0], op[1]); + } + SYNTAX("incw %ea0"); +-#line 598 "rl78-decode.opc" ++#line 600 "rl78-decode.opc" + ID(add); W(); DM(HL, IMMU(1)); SC(1); + + } +@@ -2255,7 +2257,7 @@ + op[0], op[1]); + } + SYNTAX("add %0, %e1"); +-#line 207 "rl78-decode.opc" ++#line 209 "rl78-decode.opc" + ID(add); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2270,7 +2272,7 @@ + op[0], op[1]); + } + SYNTAX("add %0, %e1"); +-#line 213 "rl78-decode.opc" ++#line 215 "rl78-decode.opc" + ID(add); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2309,9 +2311,9 @@ + case 0xf7: + { + /** 0110 0001 1nnn 01mm callt [%x0] */ +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + int nnn AU = (op[1] >> 4) & 0x07; +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + int mm AU = op[1] & 0x03; + if (trace) + { +@@ -2322,7 +2324,7 @@ + printf (" mm = 0x%x\n", mm); + } + SYNTAX("callt [%x0]"); +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + ID(call); DM(None, 0x80 + mm*16 + nnn*2); + + /*----------------------------------------------------------------------*/ +@@ -2338,7 +2340,7 @@ + case 0x8f: + { + /** 0110 0001 1000 1reg xch %0, %1 */ +-#line 1224 "rl78-decode.opc" ++#line 1226 "rl78-decode.opc" + int reg AU = 
op[1] & 0x07; + if (trace) + { +@@ -2348,7 +2350,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("xch %0, %1"); +-#line 1224 "rl78-decode.opc" ++#line 1226 "rl78-decode.opc" + /* Note: DECW uses reg == X, so this must follow DECW */ + ID(xch); DR(A); SRB(reg); + +@@ -2364,7 +2366,7 @@ + op[0], op[1]); + } + SYNTAX("decw %ea0"); +-#line 565 "rl78-decode.opc" ++#line 567 "rl78-decode.opc" + ID(sub); W(); DM(HL, IMMU(1)); SC(1); + + } +@@ -2379,7 +2381,7 @@ + op[0], op[1]); + } + SYNTAX("addc %0, %e1"); +-#line 239 "rl78-decode.opc" ++#line 241 "rl78-decode.opc" + ID(addc); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2394,7 +2396,7 @@ + op[0], op[1]); + } + SYNTAX("addc %0, %e1"); +-#line 242 "rl78-decode.opc" ++#line 244 "rl78-decode.opc" + ID(addc); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2410,7 +2412,7 @@ + op[0], op[1]); + } + SYNTAX("sub %0, %e1"); +-#line 1125 "rl78-decode.opc" ++#line 1127 "rl78-decode.opc" + ID(sub); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2425,7 +2427,7 @@ + op[0], op[1]); + } + SYNTAX("sub %0, %e1"); +-#line 1131 "rl78-decode.opc" ++#line 1133 "rl78-decode.opc" + ID(sub); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2440,7 +2442,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %1"); +-#line 1228 "rl78-decode.opc" ++#line 1230 "rl78-decode.opc" + ID(xch); DR(A); SM(None, SADDR); + + } +@@ -2455,7 +2457,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1221 "rl78-decode.opc" ++#line 1223 "rl78-decode.opc" + ID(xch); DR(A); SM2(HL, C, 0); + + } +@@ -2470,7 +2472,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %e!1"); +-#line 1203 "rl78-decode.opc" ++#line 1205 "rl78-decode.opc" + ID(xch); DR(A); SM(None, IMMU(2)); + + } +@@ -2485,7 +2487,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %s1"); +-#line 1231 "rl78-decode.opc" ++#line 1233 "rl78-decode.opc" + ID(xch); DR(A); SM(None, SFR); + + } +@@ -2500,7 +2502,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1212 "rl78-decode.opc" ++#line 1214 "rl78-decode.opc" + ID(xch); DR(A); SM(HL, 0); + + } +@@ 
-2515,7 +2517,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %ea1"); +-#line 1218 "rl78-decode.opc" ++#line 1220 "rl78-decode.opc" + ID(xch); DR(A); SM(HL, IMMU(1)); + + } +@@ -2530,7 +2532,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1206 "rl78-decode.opc" ++#line 1208 "rl78-decode.opc" + ID(xch); DR(A); SM(DE, 0); + + } +@@ -2545,7 +2547,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %ea1"); +-#line 1209 "rl78-decode.opc" ++#line 1211 "rl78-decode.opc" + ID(xch); DR(A); SM(DE, IMMU(1)); + + } +@@ -2560,7 +2562,7 @@ + op[0], op[1]); + } + SYNTAX("subc %0, %e1"); +-#line 1157 "rl78-decode.opc" ++#line 1159 "rl78-decode.opc" + ID(subc); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2575,7 +2577,7 @@ + op[0], op[1]); + } + SYNTAX("subc %0, %e1"); +-#line 1160 "rl78-decode.opc" ++#line 1162 "rl78-decode.opc" + ID(subc); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2590,7 +2592,7 @@ + op[0], op[1]); + } + SYNTAX("mov %0, %1"); +-#line 723 "rl78-decode.opc" ++#line 725 "rl78-decode.opc" + ID(mov); DR(ES); SM(None, SADDR); + + } +@@ -2605,7 +2607,7 @@ + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1215 "rl78-decode.opc" ++#line 1217 "rl78-decode.opc" + ID(xch); DR(A); SM2(HL, B, 0); + + } +@@ -2620,7 +2622,7 @@ + op[0], op[1]); + } + SYNTAX("cmp %0, %e1"); +-#line 492 "rl78-decode.opc" ++#line 494 "rl78-decode.opc" + ID(cmp); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2635,7 +2637,7 @@ + op[0], op[1]); + } + SYNTAX("cmp %0, %e1"); +-#line 495 "rl78-decode.opc" ++#line 497 "rl78-decode.opc" + ID(cmp); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2650,7 +2652,7 @@ + op[0], op[1]); + } + SYNTAX("bh $%a0"); +-#line 340 "rl78-decode.opc" ++#line 342 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(H); + + } +@@ -2665,7 +2667,7 @@ + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1094 "rl78-decode.opc" ++#line 1096 "rl78-decode.opc" + ID(skip); COND(C); + + } +@@ -2680,7 +2682,7 @@ + op[0], op[1]); + } + SYNTAX("mov %0, %e1"); +-#line 660 "rl78-decode.opc" ++#line 
662 "rl78-decode.opc" + ID(mov); DR(A); SM2(HL, B, 0); + + } +@@ -2691,7 +2693,7 @@ + case 0xfa: + { + /** 0110 0001 11rg 1010 call %0 */ +-#line 430 "rl78-decode.opc" ++#line 432 "rl78-decode.opc" + int rg AU = (op[1] >> 4) & 0x03; + if (trace) + { +@@ -2701,7 +2703,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("call %0"); +-#line 430 "rl78-decode.opc" ++#line 432 "rl78-decode.opc" + ID(call); DRW(rg); + + } +@@ -2716,7 +2718,7 @@ + op[0], op[1]); + } + SYNTAX("br ax"); +-#line 380 "rl78-decode.opc" ++#line 382 "rl78-decode.opc" + ID(branch); DR(AX); + + /*----------------------------------------------------------------------*/ +@@ -2733,7 +2735,7 @@ + op[0], op[1]); + } + SYNTAX("brk"); +-#line 388 "rl78-decode.opc" ++#line 390 "rl78-decode.opc" + ID(break); + + /*----------------------------------------------------------------------*/ +@@ -2750,7 +2752,7 @@ + op[0], op[1]); + } + SYNTAX("pop %s0"); +-#line 989 "rl78-decode.opc" ++#line 991 "rl78-decode.opc" + ID(mov); W(); DR(PSW); SPOP(); + + /*----------------------------------------------------------------------*/ +@@ -2767,7 +2769,7 @@ + op[0], op[1]); + } + SYNTAX("movs %ea0, %1"); +-#line 811 "rl78-decode.opc" ++#line 813 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SR(X); Fzc; + + /*----------------------------------------------------------------------*/ +@@ -2780,7 +2782,7 @@ + case 0xff: + { + /** 0110 0001 11rb 1111 sel rb%1 */ +-#line 1041 "rl78-decode.opc" ++#line 1043 "rl78-decode.opc" + int rb AU = (op[1] >> 4) & 0x03; + if (trace) + { +@@ -2790,7 +2792,7 @@ + printf (" rb = 0x%x\n", rb); + } + SYNTAX("sel rb%1"); +-#line 1041 "rl78-decode.opc" ++#line 1043 "rl78-decode.opc" + ID(sel); SC(rb); + + /*----------------------------------------------------------------------*/ +@@ -2807,7 +2809,7 @@ + op[0], op[1]); + } + SYNTAX("and %0, %e1"); +-#line 291 "rl78-decode.opc" ++#line 293 "rl78-decode.opc" + ID(and); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -2822,7 +2824,7 @@ + op[0], op[1]); + } + 
SYNTAX("and %0, %e1"); +-#line 297 "rl78-decode.opc" ++#line 299 "rl78-decode.opc" + ID(and); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -2837,7 +2839,7 @@ + op[0], op[1]); + } + SYNTAX("bnh $%a0"); +-#line 343 "rl78-decode.opc" ++#line 345 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(NH); + + } +@@ -2852,7 +2854,7 @@ + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1100 "rl78-decode.opc" ++#line 1102 "rl78-decode.opc" + ID(skip); COND(NC); + + } +@@ -2867,7 +2869,7 @@ + op[0], op[1]); + } + SYNTAX("mov %e0, %1"); +-#line 627 "rl78-decode.opc" ++#line 629 "rl78-decode.opc" + ID(mov); DM2(HL, B, 0); SR(A); + + } +@@ -2882,7 +2884,7 @@ + op[0], op[1]); + } + SYNTAX("ror %0, %1"); +-#line 1022 "rl78-decode.opc" ++#line 1024 "rl78-decode.opc" + ID(ror); DR(A); SC(1); + + } +@@ -2897,7 +2899,7 @@ + op[0], op[1]); + } + SYNTAX("rolc %0, %1"); +-#line 1016 "rl78-decode.opc" ++#line 1018 "rl78-decode.opc" + ID(rolc); DR(A); SC(1); + + } +@@ -2912,7 +2914,7 @@ + op[0], op[1]); + } + SYNTAX("push %s1"); +-#line 997 "rl78-decode.opc" ++#line 999 "rl78-decode.opc" + ID(mov); W(); DPUSH(); SR(PSW); + + /*----------------------------------------------------------------------*/ +@@ -2929,7 +2931,7 @@ + op[0], op[1]); + } + SYNTAX("cmps %0, %ea1"); +-#line 526 "rl78-decode.opc" ++#line 528 "rl78-decode.opc" + ID(cmp); DR(X); SM(HL, IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -2946,7 +2948,7 @@ + op[0], op[1]); + } + SYNTAX("or %0, %e1"); +-#line 946 "rl78-decode.opc" ++#line 948 "rl78-decode.opc" + ID(or); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -2961,7 +2963,7 @@ + op[0], op[1]); + } + SYNTAX("or %0, %e1"); +-#line 952 "rl78-decode.opc" ++#line 954 "rl78-decode.opc" + ID(or); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -2976,7 +2978,7 @@ + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1097 "rl78-decode.opc" ++#line 1099 "rl78-decode.opc" + ID(skip); COND(H); + + } +@@ -2991,7 +2993,7 @@ + op[0], op[1]); + } + 
SYNTAX("sk%c1"); +-#line 1109 "rl78-decode.opc" ++#line 1111 "rl78-decode.opc" + ID(skip); COND(Z); + + /*----------------------------------------------------------------------*/ +@@ -3008,7 +3010,7 @@ + op[0], op[1]); + } + SYNTAX("mov %0, %e1"); +-#line 663 "rl78-decode.opc" ++#line 665 "rl78-decode.opc" + ID(mov); DR(A); SM2(HL, C, 0); + + } +@@ -3023,7 +3025,7 @@ + op[0], op[1]); + } + SYNTAX("rol %0, %1"); +-#line 1013 "rl78-decode.opc" ++#line 1015 "rl78-decode.opc" + ID(rol); DR(A); SC(1); + + } +@@ -3038,7 +3040,7 @@ + op[0], op[1]); + } + SYNTAX("retb"); +-#line 1008 "rl78-decode.opc" ++#line 1010 "rl78-decode.opc" + ID(reti); + + /*----------------------------------------------------------------------*/ +@@ -3055,7 +3057,7 @@ + op[0], op[1]); + } + SYNTAX("halt"); +-#line 576 "rl78-decode.opc" ++#line 578 "rl78-decode.opc" + ID(halt); + + /*----------------------------------------------------------------------*/ +@@ -3066,7 +3068,7 @@ + case 0xfe: + { + /** 0110 0001 111r 1110 rolwc %0, %1 */ +-#line 1019 "rl78-decode.opc" ++#line 1021 "rl78-decode.opc" + int r AU = (op[1] >> 4) & 0x01; + if (trace) + { +@@ -3076,7 +3078,7 @@ + printf (" r = 0x%x\n", r); + } + SYNTAX("rolwc %0, %1"); +-#line 1019 "rl78-decode.opc" ++#line 1021 "rl78-decode.opc" + ID(rolc); W(); DRW(r); SC(1); + + } +@@ -3091,7 +3093,7 @@ + op[0], op[1]); + } + SYNTAX("xor %0, %e1"); +-#line 1250 "rl78-decode.opc" ++#line 1252 "rl78-decode.opc" + ID(xor); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -3106,7 +3108,7 @@ + op[0], op[1]); + } + SYNTAX("xor %0, %e1"); +-#line 1256 "rl78-decode.opc" ++#line 1258 "rl78-decode.opc" + ID(xor); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -3121,7 +3123,7 @@ + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1103 "rl78-decode.opc" ++#line 1105 "rl78-decode.opc" + ID(skip); COND(NH); + + } +@@ -3136,7 +3138,7 @@ + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1106 "rl78-decode.opc" ++#line 1108 "rl78-decode.opc" + ID(skip); COND(NZ); + + } +@@ -3151,7 +3153,7 @@ + op[0], 
op[1]); + } + SYNTAX("mov %e0, %1"); +-#line 636 "rl78-decode.opc" ++#line 638 "rl78-decode.opc" + ID(mov); DM2(HL, C, 0); SR(A); + + } +@@ -3166,7 +3168,7 @@ + op[0], op[1]); + } + SYNTAX("rorc %0, %1"); +-#line 1025 "rl78-decode.opc" ++#line 1027 "rl78-decode.opc" + ID(rorc); DR(A); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -3186,7 +3188,7 @@ + op[0], op[1]); + } + SYNTAX("reti"); +-#line 1005 "rl78-decode.opc" ++#line 1007 "rl78-decode.opc" + ID(reti); + + } +@@ -3201,7 +3203,7 @@ + op[0], op[1]); + } + SYNTAX("stop"); +-#line 1114 "rl78-decode.opc" ++#line 1116 "rl78-decode.opc" + ID(stop); + + /*----------------------------------------------------------------------*/ +@@ -3221,7 +3223,7 @@ + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 874 "rl78-decode.opc" ++#line 876 "rl78-decode.opc" + ID(mov); W(); DM(C, IMMU(2)); SR(AX); + + } +@@ -3236,7 +3238,7 @@ + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 865 "rl78-decode.opc" ++#line 867 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(C, IMMU(2)); + + } +@@ -3251,7 +3253,7 @@ + op[0]); + } + SYNTAX("or %0, #%1"); +-#line 967 "rl78-decode.opc" ++#line 969 "rl78-decode.opc" + ID(or); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -3268,7 +3270,7 @@ + op[0]); + } + SYNTAX("or %0, %1"); +-#line 964 "rl78-decode.opc" ++#line 966 "rl78-decode.opc" + ID(or); DR(A); SM(None, SADDR); Fz; + + } +@@ -3283,7 +3285,7 @@ + op[0]); + } + SYNTAX("or %0, #%1"); +-#line 955 "rl78-decode.opc" ++#line 957 "rl78-decode.opc" + ID(or); DR(A); SC(IMMU(1)); Fz; + + } +@@ -3298,7 +3300,7 @@ + op[0]); + } + SYNTAX("or %0, %e1"); +-#line 943 "rl78-decode.opc" ++#line 945 "rl78-decode.opc" + ID(or); DR(A); SM(HL, 0); Fz; + + } +@@ -3313,7 +3315,7 @@ + op[0]); + } + SYNTAX("or %0, %ea1"); +-#line 949 "rl78-decode.opc" ++#line 951 "rl78-decode.opc" + ID(or); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -3328,7 +3330,7 @@ + op[0]); + } + 
SYNTAX("or %0, %e!1"); +-#line 940 "rl78-decode.opc" ++#line 942 "rl78-decode.opc" + ID(or); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -3342,7 +3344,7 @@ + case 0x77: + { + /** 0111 0rba mov %0, %1 */ +-#line 696 "rl78-decode.opc" ++#line 698 "rl78-decode.opc" + int rba AU = op[0] & 0x07; + if (trace) + { +@@ -3352,7 +3354,7 @@ + printf (" rba = 0x%x\n", rba); + } + SYNTAX("mov %0, %1"); +-#line 696 "rl78-decode.opc" ++#line 698 "rl78-decode.opc" + ID(mov); DRB(rba); SR(A); + + } +@@ -3371,7 +3373,7 @@ + case 0x70: + { + /** 0111 0001 0bit 0000 set1 %e!0 */ +-#line 1046 "rl78-decode.opc" ++#line 1048 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3381,7 +3383,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %e!0"); +-#line 1046 "rl78-decode.opc" ++#line 1048 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); DB(bit); SC(1); + + } +@@ -3396,7 +3398,7 @@ + case 0x71: + { + /** 0111 0001 0bit 0001 mov1 %0, cy */ +-#line 803 "rl78-decode.opc" ++#line 805 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3406,7 +3408,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %0, cy"); +-#line 803 "rl78-decode.opc" ++#line 805 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SCY(); + + } +@@ -3421,7 +3423,7 @@ + case 0x72: + { + /** 0111 0001 0bit 0010 set1 %0 */ +-#line 1064 "rl78-decode.opc" ++#line 1066 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3431,7 +3433,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %0"); +-#line 1064 "rl78-decode.opc" ++#line 1066 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -3448,7 +3450,7 @@ + case 0x73: + { + /** 0111 0001 0bit 0011 clr1 %0 */ +-#line 456 "rl78-decode.opc" ++#line 458 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3458,7 +3460,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %0"); +-#line 
456 "rl78-decode.opc" ++#line 458 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -3475,7 +3477,7 @@ + case 0x74: + { + /** 0111 0001 0bit 0100 mov1 cy, %1 */ +-#line 797 "rl78-decode.opc" ++#line 799 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3485,7 +3487,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %1"); +-#line 797 "rl78-decode.opc" ++#line 799 "rl78-decode.opc" + ID(mov); DCY(); SM(None, SADDR); SB(bit); + + } +@@ -3500,7 +3502,7 @@ + case 0x75: + { + /** 0111 0001 0bit 0101 and1 cy, %s1 */ +-#line 326 "rl78-decode.opc" ++#line 328 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3510,7 +3512,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %s1"); +-#line 326 "rl78-decode.opc" ++#line 328 "rl78-decode.opc" + ID(and); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3530,7 +3532,7 @@ + case 0x76: + { + /** 0111 0001 0bit 0110 or1 cy, %s1 */ +-#line 981 "rl78-decode.opc" ++#line 983 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3540,7 +3542,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %s1"); +-#line 981 "rl78-decode.opc" ++#line 983 "rl78-decode.opc" + ID(or); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3557,7 +3559,7 @@ + case 0x77: + { + /** 0111 0001 0bit 0111 xor1 cy, %s1 */ +-#line 1285 "rl78-decode.opc" ++#line 1287 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3567,7 +3569,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %s1"); +-#line 1285 "rl78-decode.opc" ++#line 1287 "rl78-decode.opc" + ID(xor); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3584,7 +3586,7 @@ + case 0x78: + { + 
/** 0111 0001 0bit 1000 clr1 %e!0 */ +-#line 438 "rl78-decode.opc" ++#line 440 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3594,7 +3596,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %e!0"); +-#line 438 "rl78-decode.opc" ++#line 440 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); DB(bit); SC(0); + + } +@@ -3609,7 +3611,7 @@ + case 0x79: + { + /** 0111 0001 0bit 1001 mov1 %s0, cy */ +-#line 806 "rl78-decode.opc" ++#line 808 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3619,7 +3621,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %s0, cy"); +-#line 806 "rl78-decode.opc" ++#line 808 "rl78-decode.opc" + ID(mov); DM(None, SFR); DB(bit); SCY(); + + /*----------------------------------------------------------------------*/ +@@ -3636,7 +3638,7 @@ + case 0x7a: + { + /** 0111 0001 0bit 1010 set1 %s0 */ +-#line 1058 "rl78-decode.opc" ++#line 1060 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3646,7 +3648,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %s0"); +-#line 1058 "rl78-decode.opc" ++#line 1060 "rl78-decode.opc" + op0 = SFR; + ID(mov); DM(None, op0); DB(bit); SC(1); + if (op0 == RL78_SFR_PSW && bit == 7) +@@ -3664,7 +3666,7 @@ + case 0x7b: + { + /** 0111 0001 0bit 1011 clr1 %s0 */ +-#line 450 "rl78-decode.opc" ++#line 452 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3674,7 +3676,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %s0"); +-#line 450 "rl78-decode.opc" ++#line 452 "rl78-decode.opc" + op0 = SFR; + ID(mov); DM(None, op0); DB(bit); SC(0); + if (op0 == RL78_SFR_PSW && bit == 7) +@@ -3692,7 +3694,7 @@ + case 0x7c: + { + /** 0111 0001 0bit 1100 mov1 cy, %s1 */ +-#line 800 "rl78-decode.opc" ++#line 802 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3702,7 +3704,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %s1"); +-#line 800 "rl78-decode.opc" ++#line 802 
"rl78-decode.opc" + ID(mov); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3717,7 +3719,7 @@ + case 0x7d: + { + /** 0111 0001 0bit 1101 and1 cy, %s1 */ +-#line 323 "rl78-decode.opc" ++#line 325 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3727,7 +3729,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %s1"); +-#line 323 "rl78-decode.opc" ++#line 325 "rl78-decode.opc" + ID(and); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3742,7 +3744,7 @@ + case 0x7e: + { + /** 0111 0001 0bit 1110 or1 cy, %s1 */ +-#line 978 "rl78-decode.opc" ++#line 980 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3752,7 +3754,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %s1"); +-#line 978 "rl78-decode.opc" ++#line 980 "rl78-decode.opc" + ID(or); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3767,7 +3769,7 @@ + case 0x7f: + { + /** 0111 0001 0bit 1111 xor1 cy, %s1 */ +-#line 1282 "rl78-decode.opc" ++#line 1284 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3777,7 +3779,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %s1"); +-#line 1282 "rl78-decode.opc" ++#line 1284 "rl78-decode.opc" + ID(xor); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3792,7 +3794,7 @@ + op[0], op[1]); + } + SYNTAX("set1 cy"); +-#line 1055 "rl78-decode.opc" ++#line 1057 "rl78-decode.opc" + ID(mov); DCY(); SC(1); + + } +@@ -3807,7 +3809,7 @@ + case 0xf1: + { + /** 0111 0001 1bit 0001 mov1 %e0, cy */ +-#line 785 "rl78-decode.opc" ++#line 787 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3817,7 +3819,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %e0, cy"); +-#line 785 "rl78-decode.opc" ++#line 787 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SCY(); + + } +@@ -3832,7 +3834,7 @@ + case 0xf2: + { + /** 0111 0001 1bit 0010 set1 %e0 */ +-#line 1049 "rl78-decode.opc" ++#line 1051 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3842,7 +3844,7 @@ + 
printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %e0"); +-#line 1049 "rl78-decode.opc" ++#line 1051 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SC(1); + + } +@@ -3857,7 +3859,7 @@ + case 0xf3: + { + /** 0111 0001 1bit 0011 clr1 %e0 */ +-#line 441 "rl78-decode.opc" ++#line 443 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3867,7 +3869,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %e0"); +-#line 441 "rl78-decode.opc" ++#line 443 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SC(0); + + } +@@ -3882,7 +3884,7 @@ + case 0xf4: + { + /** 0111 0001 1bit 0100 mov1 cy, %e1 */ +-#line 791 "rl78-decode.opc" ++#line 793 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3892,7 +3894,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %e1"); +-#line 791 "rl78-decode.opc" ++#line 793 "rl78-decode.opc" + ID(mov); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3907,7 +3909,7 @@ + case 0xf5: + { + /** 0111 0001 1bit 0101 and1 cy, %e1 */ +-#line 317 "rl78-decode.opc" ++#line 319 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3917,7 +3919,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %e1"); +-#line 317 "rl78-decode.opc" ++#line 319 "rl78-decode.opc" + ID(and); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3932,7 +3934,7 @@ + case 0xf6: + { + /** 0111 0001 1bit 0110 or1 cy, %e1 */ +-#line 972 "rl78-decode.opc" ++#line 974 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3942,7 +3944,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %e1"); +-#line 972 "rl78-decode.opc" ++#line 974 "rl78-decode.opc" + ID(or); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3957,7 +3959,7 @@ + case 0xf7: + { + /** 0111 0001 1bit 0111 xor1 cy, %e1 */ +-#line 1276 "rl78-decode.opc" ++#line 1278 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3967,7 +3969,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %e1"); +-#line 1276 
"rl78-decode.opc" ++#line 1278 "rl78-decode.opc" + ID(xor); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3982,7 +3984,7 @@ + op[0], op[1]); + } + SYNTAX("clr1 cy"); +-#line 447 "rl78-decode.opc" ++#line 449 "rl78-decode.opc" + ID(mov); DCY(); SC(0); + + } +@@ -3997,7 +3999,7 @@ + case 0xf9: + { + /** 0111 0001 1bit 1001 mov1 %e0, cy */ +-#line 788 "rl78-decode.opc" ++#line 790 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4007,7 +4009,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %e0, cy"); +-#line 788 "rl78-decode.opc" ++#line 790 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SCY(); + + } +@@ -4022,7 +4024,7 @@ + case 0xfa: + { + /** 0111 0001 1bit 1010 set1 %0 */ +-#line 1052 "rl78-decode.opc" ++#line 1054 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4032,7 +4034,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %0"); +-#line 1052 "rl78-decode.opc" ++#line 1054 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SC(1); + + } +@@ -4047,7 +4049,7 @@ + case 0xfb: + { + /** 0111 0001 1bit 1011 clr1 %0 */ +-#line 444 "rl78-decode.opc" ++#line 446 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4057,7 +4059,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %0"); +-#line 444 "rl78-decode.opc" ++#line 446 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SC(0); + + } +@@ -4072,7 +4074,7 @@ + case 0xfc: + { + /** 0111 0001 1bit 1100 mov1 cy, %e1 */ +-#line 794 "rl78-decode.opc" ++#line 796 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4082,7 +4084,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %e1"); +-#line 794 "rl78-decode.opc" ++#line 796 "rl78-decode.opc" + ID(mov); DCY(); SR(A); SB(bit); + + } +@@ -4097,7 +4099,7 @@ + case 0xfd: + { + /** 0111 0001 1bit 1101 and1 cy, %1 */ +-#line 320 "rl78-decode.opc" ++#line 322 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4107,7 +4109,7 @@ + printf (" bit = 
0x%x\n", bit); + } + SYNTAX("and1 cy, %1"); +-#line 320 "rl78-decode.opc" ++#line 322 "rl78-decode.opc" + ID(and); DCY(); SR(A); SB(bit); + + } +@@ -4122,7 +4124,7 @@ + case 0xfe: + { + /** 0111 0001 1bit 1110 or1 cy, %1 */ +-#line 975 "rl78-decode.opc" ++#line 977 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4132,7 +4134,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %1"); +-#line 975 "rl78-decode.opc" ++#line 977 "rl78-decode.opc" + ID(or); DCY(); SR(A); SB(bit); + + } +@@ -4147,7 +4149,7 @@ + case 0xff: + { + /** 0111 0001 1bit 1111 xor1 cy, %1 */ +-#line 1279 "rl78-decode.opc" ++#line 1281 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4157,7 +4159,7 @@ + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %1"); +-#line 1279 "rl78-decode.opc" ++#line 1281 "rl78-decode.opc" + ID(xor); DCY(); SR(A); SB(bit); + + } +@@ -4172,7 +4174,7 @@ + op[0], op[1]); + } + SYNTAX("not1 cy"); +-#line 916 "rl78-decode.opc" ++#line 918 "rl78-decode.opc" + ID(xor); DCY(); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4192,7 +4194,7 @@ + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 877 "rl78-decode.opc" ++#line 879 "rl78-decode.opc" + ID(mov); W(); DM(BC, IMMU(2)); SR(AX); + + } +@@ -4207,7 +4209,7 @@ + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 868 "rl78-decode.opc" ++#line 870 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(BC, IMMU(2)); + + } +@@ -4222,7 +4224,7 @@ + op[0]); + } + SYNTAX("xor %0, #%1"); +-#line 1271 "rl78-decode.opc" ++#line 1273 "rl78-decode.opc" + ID(xor); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -4239,7 +4241,7 @@ + op[0]); + } + SYNTAX("xor %0, %1"); +-#line 1268 "rl78-decode.opc" ++#line 1270 "rl78-decode.opc" + ID(xor); DR(A); SM(None, SADDR); Fz; + + } +@@ -4254,7 +4256,7 @@ + op[0]); + } + SYNTAX("xor %0, #%1"); +-#line 1259 "rl78-decode.opc" ++#line 1261 
"rl78-decode.opc" + ID(xor); DR(A); SC(IMMU(1)); Fz; + + } +@@ -4269,7 +4271,7 @@ + op[0]); + } + SYNTAX("xor %0, %e1"); +-#line 1247 "rl78-decode.opc" ++#line 1249 "rl78-decode.opc" + ID(xor); DR(A); SM(HL, 0); Fz; + + } +@@ -4284,7 +4286,7 @@ + op[0]); + } + SYNTAX("xor %0, %ea1"); +-#line 1253 "rl78-decode.opc" ++#line 1255 "rl78-decode.opc" + ID(xor); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -4299,7 +4301,7 @@ + op[0]); + } + SYNTAX("xor %0, %e!1"); +-#line 1244 "rl78-decode.opc" ++#line 1246 "rl78-decode.opc" + ID(xor); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -4314,7 +4316,7 @@ + case 0x87: + { + /** 1000 0reg inc %0 */ +-#line 587 "rl78-decode.opc" ++#line 589 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -4324,7 +4326,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("inc %0"); +-#line 587 "rl78-decode.opc" ++#line 589 "rl78-decode.opc" + ID(add); DRB(reg); SC(1); Fza; + + } +@@ -4339,7 +4341,7 @@ + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 666 "rl78-decode.opc" ++#line 668 "rl78-decode.opc" + ID(mov); DR(A); SM(SP, IMMU(1)); + + } +@@ -4354,7 +4356,7 @@ + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 648 "rl78-decode.opc" ++#line 650 "rl78-decode.opc" + ID(mov); DR(A); SM(DE, 0); + + } +@@ -4369,7 +4371,7 @@ + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 651 "rl78-decode.opc" ++#line 653 "rl78-decode.opc" + ID(mov); DR(A); SM(DE, IMMU(1)); + + } +@@ -4384,7 +4386,7 @@ + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 654 "rl78-decode.opc" ++#line 656 "rl78-decode.opc" + ID(mov); DR(A); SM(HL, 0); + + } +@@ -4399,7 +4401,7 @@ + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 657 "rl78-decode.opc" ++#line 659 "rl78-decode.opc" + ID(mov); DR(A); SM(HL, IMMU(1)); + + } +@@ -4414,7 +4416,7 @@ + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 690 "rl78-decode.opc" ++#line 692 "rl78-decode.opc" + ID(mov); DR(A); SM(None, SADDR); + + } +@@ -4429,7 +4431,7 @@ + op[0]); + } + SYNTAX("mov %0, %s1"); +-#line 687 "rl78-decode.opc" ++#line 689 
"rl78-decode.opc" + ID(mov); DR(A); SM(None, SFR); + + } +@@ -4444,7 +4446,7 @@ + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 645 "rl78-decode.opc" ++#line 647 "rl78-decode.opc" + ID(mov); DR(A); SM(None, IMMU(2)); + + } +@@ -4459,7 +4461,7 @@ + case 0x97: + { + /** 1001 0reg dec %0 */ +-#line 554 "rl78-decode.opc" ++#line 556 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -4469,7 +4471,7 @@ + printf (" reg = 0x%x\n", reg); + } + SYNTAX("dec %0"); +-#line 554 "rl78-decode.opc" ++#line 556 "rl78-decode.opc" + ID(sub); DRB(reg); SC(1); Fza; + + } +@@ -4484,7 +4486,7 @@ + op[0]); + } + SYNTAX("mov %a0, %1"); +-#line 642 "rl78-decode.opc" ++#line 644 "rl78-decode.opc" + ID(mov); DM(SP, IMMU(1)); SR(A); + + } +@@ -4499,7 +4501,7 @@ + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 615 "rl78-decode.opc" ++#line 617 "rl78-decode.opc" + ID(mov); DM(DE, 0); SR(A); + + } +@@ -4514,7 +4516,7 @@ + op[0]); + } + SYNTAX("mov %ea0, %1"); +-#line 621 "rl78-decode.opc" ++#line 623 "rl78-decode.opc" + ID(mov); DM(DE, IMMU(1)); SR(A); + + } +@@ -4529,7 +4531,7 @@ + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 624 "rl78-decode.opc" ++#line 626 "rl78-decode.opc" + ID(mov); DM(HL, 0); SR(A); + + } +@@ -4544,7 +4546,7 @@ + op[0]); + } + SYNTAX("mov %ea0, %1"); +-#line 633 "rl78-decode.opc" ++#line 635 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SR(A); + + } +@@ -4559,7 +4561,7 @@ + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 747 "rl78-decode.opc" ++#line 749 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SR(A); + + } +@@ -4574,7 +4576,7 @@ + op[0]); + } + SYNTAX("mov %s0, %1"); +-#line 780 "rl78-decode.opc" ++#line 782 "rl78-decode.opc" + ID(mov); DM(None, SFR); SR(A); + + /*----------------------------------------------------------------------*/ +@@ -4591,7 +4593,7 @@ + op[0]); + } + SYNTAX("mov %e!0, %1"); +-#line 612 "rl78-decode.opc" ++#line 614 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SR(A); + + } +@@ -4606,7 +4608,7 @@ + op[0]); + } + SYNTAX("inc %e!0"); 
+-#line 581 "rl78-decode.opc" ++#line 583 "rl78-decode.opc" + ID(add); DM(None, IMMU(2)); SC(1); Fza; + + } +@@ -4617,7 +4619,7 @@ + case 0xa7: + { + /** 1010 0rg1 incw %0 */ +-#line 601 "rl78-decode.opc" ++#line 603 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -4627,7 +4629,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("incw %0"); +-#line 601 "rl78-decode.opc" ++#line 603 "rl78-decode.opc" + ID(add); W(); DRW(rg); SC(1); + + } +@@ -4642,7 +4644,7 @@ + op[0]); + } + SYNTAX("incw %e!0"); +-#line 595 "rl78-decode.opc" ++#line 597 "rl78-decode.opc" + ID(add); W(); DM(None, IMMU(2)); SC(1); + + } +@@ -4657,7 +4659,7 @@ + op[0]); + } + SYNTAX("inc %0"); +-#line 590 "rl78-decode.opc" ++#line 592 "rl78-decode.opc" + ID(add); DM(None, SADDR); SC(1); Fza; + + /*----------------------------------------------------------------------*/ +@@ -4674,7 +4676,7 @@ + op[0]); + } + SYNTAX("incw %0"); +-#line 604 "rl78-decode.opc" ++#line 606 "rl78-decode.opc" + ID(add); W(); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4691,7 +4693,7 @@ + op[0]); + } + SYNTAX("movw %0, %a1"); +-#line 850 "rl78-decode.opc" ++#line 852 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(SP, IMMU(1)); + + } +@@ -4706,7 +4708,7 @@ + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 838 "rl78-decode.opc" ++#line 840 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(DE, 0); + + } +@@ -4721,7 +4723,7 @@ + op[0]); + } + SYNTAX("movw %0, %ea1"); +-#line 841 "rl78-decode.opc" ++#line 843 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(DE, IMMU(1)); + + } +@@ -4736,7 +4738,7 @@ + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 844 "rl78-decode.opc" ++#line 846 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(HL, 0); + + } +@@ -4751,7 +4753,7 @@ + op[0]); + } + SYNTAX("movw %0, %ea1"); +-#line 847 "rl78-decode.opc" ++#line 849 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(HL, IMMU(1)); + + } +@@ -4766,7 +4768,7 @@ + op[0]); + } + SYNTAX("movw 
%0, %1"); +-#line 880 "rl78-decode.opc" ++#line 882 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, SADDR); + + } +@@ -4781,7 +4783,7 @@ + op[0]); + } + SYNTAX("movw %0, %s1"); +-#line 883 "rl78-decode.opc" ++#line 885 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, SFR); + + } +@@ -4796,7 +4798,7 @@ + op[0]); + } + SYNTAX("movw %0, %e!1"); +-#line 834 "rl78-decode.opc" ++#line 836 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, IMMU(2)); + + +@@ -4812,7 +4814,7 @@ + op[0]); + } + SYNTAX("dec %e!0"); +-#line 548 "rl78-decode.opc" ++#line 550 "rl78-decode.opc" + ID(sub); DM(None, IMMU(2)); SC(1); Fza; + + } +@@ -4823,7 +4825,7 @@ + case 0xb7: + { + /** 1011 0rg1 decw %0 */ +-#line 568 "rl78-decode.opc" ++#line 570 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -4833,7 +4835,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("decw %0"); +-#line 568 "rl78-decode.opc" ++#line 570 "rl78-decode.opc" + ID(sub); W(); DRW(rg); SC(1); + + } +@@ -4848,7 +4850,7 @@ + op[0]); + } + SYNTAX("decw %e!0"); +-#line 562 "rl78-decode.opc" ++#line 564 "rl78-decode.opc" + ID(sub); W(); DM(None, IMMU(2)); SC(1); + + } +@@ -4863,7 +4865,7 @@ + op[0]); + } + SYNTAX("dec %0"); +-#line 557 "rl78-decode.opc" ++#line 559 "rl78-decode.opc" + ID(sub); DM(None, SADDR); SC(1); Fza; + + /*----------------------------------------------------------------------*/ +@@ -4880,7 +4882,7 @@ + op[0]); + } + SYNTAX("decw %0"); +-#line 571 "rl78-decode.opc" ++#line 573 "rl78-decode.opc" + ID(sub); W(); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4897,7 +4899,7 @@ + op[0]); + } + SYNTAX("movw %a0, %1"); +-#line 831 "rl78-decode.opc" ++#line 833 "rl78-decode.opc" + ID(mov); W(); DM(SP, IMMU(1)); SR(AX); + + } +@@ -4912,7 +4914,7 @@ + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 819 "rl78-decode.opc" ++#line 821 "rl78-decode.opc" + ID(mov); W(); DM(DE, 0); SR(AX); + + } +@@ -4927,7 +4929,7 @@ + op[0]); + } + 
SYNTAX("movw %ea0, %1"); +-#line 822 "rl78-decode.opc" ++#line 824 "rl78-decode.opc" + ID(mov); W(); DM(DE, IMMU(1)); SR(AX); + + } +@@ -4942,7 +4944,7 @@ + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 825 "rl78-decode.opc" ++#line 827 "rl78-decode.opc" + ID(mov); W(); DM(HL, 0); SR(AX); + + } +@@ -4957,7 +4959,7 @@ + op[0]); + } + SYNTAX("movw %ea0, %1"); +-#line 828 "rl78-decode.opc" ++#line 830 "rl78-decode.opc" + ID(mov); W(); DM(HL, IMMU(1)); SR(AX); + + } +@@ -4972,7 +4974,7 @@ + op[0]); + } + SYNTAX("movw %0, %1"); +-#line 895 "rl78-decode.opc" ++#line 897 "rl78-decode.opc" + ID(mov); W(); DM(None, SADDR); SR(AX); + + } +@@ -4987,7 +4989,7 @@ + op[0]); + } + SYNTAX("movw %s0, %1"); +-#line 901 "rl78-decode.opc" ++#line 903 "rl78-decode.opc" + ID(mov); W(); DM(None, SFR); SR(AX); + + /*----------------------------------------------------------------------*/ +@@ -5004,7 +5006,7 @@ + op[0]); + } + SYNTAX("movw %e!0, %1"); +-#line 816 "rl78-decode.opc" ++#line 818 "rl78-decode.opc" + ID(mov); W(); DM(None, IMMU(2)); SR(AX); + + } +@@ -5015,7 +5017,7 @@ + case 0xc6: + { + /** 1100 0rg0 pop %0 */ +-#line 986 "rl78-decode.opc" ++#line 988 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -5025,7 +5027,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("pop %0"); +-#line 986 "rl78-decode.opc" ++#line 988 "rl78-decode.opc" + ID(mov); W(); DRW(rg); SPOP(); + + } +@@ -5036,7 +5038,7 @@ + case 0xc7: + { + /** 1100 0rg1 push %1 */ +-#line 994 "rl78-decode.opc" ++#line 996 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -5046,7 +5048,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("push %1"); +-#line 994 "rl78-decode.opc" ++#line 996 "rl78-decode.opc" + ID(mov); W(); DPUSH(); SRW(rg); + + } +@@ -5061,7 +5063,7 @@ + op[0]); + } + SYNTAX("mov %a0, #%1"); +-#line 639 "rl78-decode.opc" ++#line 641 "rl78-decode.opc" + ID(mov); DM(SP, IMMU(1)); SC(IMMU(1)); + + } +@@ -5076,7 +5078,7 @@ + op[0]); + } + SYNTAX("movw %0, #%1"); 
+-#line 892 "rl78-decode.opc" ++#line 894 "rl78-decode.opc" + ID(mov); W(); DM(None, SADDR); SC(IMMU(2)); + + } +@@ -5091,7 +5093,7 @@ + op[0]); + } + SYNTAX("mov %ea0, #%1"); +-#line 618 "rl78-decode.opc" ++#line 620 "rl78-decode.opc" + ID(mov); DM(DE, IMMU(1)); SC(IMMU(1)); + + } +@@ -5106,7 +5108,7 @@ + op[0]); + } + SYNTAX("movw %s0, #%1"); +-#line 898 "rl78-decode.opc" ++#line 900 "rl78-decode.opc" + ID(mov); W(); DM(None, SFR); SC(IMMU(2)); + + } +@@ -5121,7 +5123,7 @@ + op[0]); + } + SYNTAX("mov %ea0, #%1"); +-#line 630 "rl78-decode.opc" ++#line 632 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SC(IMMU(1)); + + } +@@ -5136,7 +5138,7 @@ + op[0]); + } + SYNTAX("mov %0, #%1"); +-#line 744 "rl78-decode.opc" ++#line 746 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(IMMU(1)); + + } +@@ -5151,7 +5153,7 @@ + op[0]); + } + SYNTAX("mov %s0, #%1"); +-#line 750 "rl78-decode.opc" ++#line 752 "rl78-decode.opc" + op0 = SFR; + op1 = IMMU(1); + ID(mov); DM(None, op0); SC(op1); +@@ -5193,7 +5195,7 @@ + op[0]); + } + SYNTAX("mov %e!0, #%1"); +-#line 609 "rl78-decode.opc" ++#line 611 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(IMMU(1)); + + } +@@ -5204,7 +5206,7 @@ + case 0xd3: + { + /** 1101 00rg cmp0 %0 */ +-#line 518 "rl78-decode.opc" ++#line 520 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5214,7 +5216,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("cmp0 %0"); +-#line 518 "rl78-decode.opc" ++#line 520 "rl78-decode.opc" + ID(cmp); DRB(rg); SC(0); Fzac; + + } +@@ -5229,7 +5231,7 @@ + op[0]); + } + SYNTAX("cmp0 %0"); +-#line 521 "rl78-decode.opc" ++#line 523 "rl78-decode.opc" + ID(cmp); DM(None, SADDR); SC(0); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -5246,7 +5248,7 @@ + op[0]); + } + SYNTAX("cmp0 %e!0"); +-#line 515 "rl78-decode.opc" ++#line 517 "rl78-decode.opc" + ID(cmp); DM(None, IMMU(2)); SC(0); Fzac; + + } +@@ -5261,7 +5263,7 @@ + op[0]); + } + SYNTAX("mulu x"); +-#line 906 
"rl78-decode.opc" ++#line 908 "rl78-decode.opc" + ID(mulu); + + /*----------------------------------------------------------------------*/ +@@ -5278,7 +5280,7 @@ + op[0]); + } + SYNTAX("ret"); +-#line 1002 "rl78-decode.opc" ++#line 1004 "rl78-decode.opc" + ID(ret); + + } +@@ -5293,7 +5295,7 @@ + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 711 "rl78-decode.opc" ++#line 713 "rl78-decode.opc" + ID(mov); DR(X); SM(None, SADDR); + + } +@@ -5308,7 +5310,7 @@ + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 708 "rl78-decode.opc" ++#line 710 "rl78-decode.opc" + ID(mov); DR(X); SM(None, IMMU(2)); + + } +@@ -5318,7 +5320,7 @@ + case 0xfa: + { + /** 11ra 1010 movw %0, %1 */ +-#line 889 "rl78-decode.opc" ++#line 891 "rl78-decode.opc" + int ra AU = (op[0] >> 4) & 0x03; + if (trace) + { +@@ -5328,7 +5330,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 889 "rl78-decode.opc" ++#line 891 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SM(None, SADDR); + + } +@@ -5338,7 +5340,7 @@ + case 0xfb: + { + /** 11ra 1011 movw %0, %es!1 */ +-#line 886 "rl78-decode.opc" ++#line 888 "rl78-decode.opc" + int ra AU = (op[0] >> 4) & 0x03; + if (trace) + { +@@ -5348,7 +5350,7 @@ + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %es!1"); +-#line 886 "rl78-decode.opc" ++#line 888 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SM(None, IMMU(2)); + + } +@@ -5363,7 +5365,7 @@ + op[0]); + } + SYNTAX("bc $%a0"); +-#line 334 "rl78-decode.opc" ++#line 336 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(C); + + } +@@ -5378,7 +5380,7 @@ + op[0]); + } + SYNTAX("bz $%a0"); +-#line 346 "rl78-decode.opc" ++#line 348 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(Z); + + } +@@ -5393,7 +5395,7 @@ + op[0]); + } + SYNTAX("bnc $%a0"); +-#line 337 "rl78-decode.opc" ++#line 339 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NC); + + } +@@ -5408,7 +5410,7 @@ + op[0]); + } + SYNTAX("bnz $%a0"); +-#line 349 "rl78-decode.opc" ++#line 351 
"rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NZ); + + /*----------------------------------------------------------------------*/ +@@ -5421,7 +5423,7 @@ + case 0xe3: + { + /** 1110 00rg oneb %0 */ +-#line 924 "rl78-decode.opc" ++#line 926 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5431,7 +5433,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("oneb %0"); +-#line 924 "rl78-decode.opc" ++#line 926 "rl78-decode.opc" + ID(mov); DRB(rg); SC(1); + + } +@@ -5446,7 +5448,7 @@ + op[0]); + } + SYNTAX("oneb %0"); +-#line 927 "rl78-decode.opc" ++#line 929 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -5463,7 +5465,7 @@ + op[0]); + } + SYNTAX("oneb %e!0"); +-#line 921 "rl78-decode.opc" ++#line 923 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(1); + + } +@@ -5478,7 +5480,7 @@ + op[0]); + } + SYNTAX("onew %0"); +-#line 932 "rl78-decode.opc" ++#line 934 "rl78-decode.opc" + ID(mov); DR(AX); SC(1); + + } +@@ -5493,7 +5495,7 @@ + op[0]); + } + SYNTAX("onew %0"); +-#line 935 "rl78-decode.opc" ++#line 937 "rl78-decode.opc" + ID(mov); DR(BC); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -5510,7 +5512,7 @@ + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 699 "rl78-decode.opc" ++#line 701 "rl78-decode.opc" + ID(mov); DR(B); SM(None, SADDR); + + } +@@ -5525,7 +5527,7 @@ + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 693 "rl78-decode.opc" ++#line 695 "rl78-decode.opc" + ID(mov); DR(B); SM(None, IMMU(2)); + + } +@@ -5540,7 +5542,7 @@ + op[0]); + } + SYNTAX("br !%!a0"); +-#line 368 "rl78-decode.opc" ++#line 370 "rl78-decode.opc" + ID(branch); DC(IMMU(3)); + + } +@@ -5555,7 +5557,7 @@ + op[0]); + } + SYNTAX("br %!a0"); +-#line 371 "rl78-decode.opc" ++#line 373 "rl78-decode.opc" + ID(branch); DC(IMMU(2)); + + } +@@ -5570,7 +5572,7 @@ + op[0]); + } + SYNTAX("br $%!a0"); +-#line 374 "rl78-decode.opc" ++#line 376 
"rl78-decode.opc" + ID(branch); DC(pc+IMMS(2)+3); + + } +@@ -5585,7 +5587,7 @@ + op[0]); + } + SYNTAX("br $%a0"); +-#line 377 "rl78-decode.opc" ++#line 379 "rl78-decode.opc" + ID(branch); DC(pc+IMMS(1)+2); + + } +@@ -5596,7 +5598,7 @@ + case 0xf3: + { + /** 1111 00rg clrb %0 */ +-#line 464 "rl78-decode.opc" ++#line 466 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5606,7 +5608,7 @@ + printf (" rg = 0x%x\n", rg); + } + SYNTAX("clrb %0"); +-#line 464 "rl78-decode.opc" ++#line 466 "rl78-decode.opc" + ID(mov); DRB(rg); SC(0); + + } +@@ -5621,7 +5623,7 @@ + op[0]); + } + SYNTAX("clrb %0"); +-#line 467 "rl78-decode.opc" ++#line 469 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -5638,7 +5640,7 @@ + op[0]); + } + SYNTAX("clrb %e!0"); +-#line 461 "rl78-decode.opc" ++#line 463 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(0); + + } +@@ -5653,7 +5655,7 @@ + op[0]); + } + SYNTAX("clrw %0"); +-#line 472 "rl78-decode.opc" ++#line 474 "rl78-decode.opc" + ID(mov); DR(AX); SC(0); + + } +@@ -5668,7 +5670,7 @@ + op[0]); + } + SYNTAX("clrw %0"); +-#line 475 "rl78-decode.opc" ++#line 477 "rl78-decode.opc" + ID(mov); DR(BC); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -5685,7 +5687,7 @@ + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 705 "rl78-decode.opc" ++#line 707 "rl78-decode.opc" + ID(mov); DR(C); SM(None, SADDR); + + } +@@ -5700,7 +5702,7 @@ + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 702 "rl78-decode.opc" ++#line 704 "rl78-decode.opc" + ID(mov); DR(C); SM(None, IMMU(2)); + + } +@@ -5715,7 +5717,7 @@ + op[0]); + } + SYNTAX("call !%!a0"); +-#line 421 "rl78-decode.opc" ++#line 423 "rl78-decode.opc" + ID(call); DC(IMMU(3)); + + } +@@ -5730,7 +5732,7 @@ + op[0]); + } + SYNTAX("call %!a0"); +-#line 424 "rl78-decode.opc" ++#line 426 "rl78-decode.opc" + ID(call); DC(IMMU(2)); + + } +@@ -5745,7 +5747,7 @@ + op[0]); + } + 
SYNTAX("call $%!a0"); +-#line 427 "rl78-decode.opc" ++#line 429 "rl78-decode.opc" + ID(call); DC(pc+IMMS(2)+3); + + } +@@ -5760,13 +5762,13 @@ + op[0]); + } + SYNTAX("brk1"); +-#line 385 "rl78-decode.opc" ++#line 387 "rl78-decode.opc" + ID(break); + + } + break; + } +-#line 1290 "rl78-decode.opc" ++#line 1292 "rl78-decode.opc" + + return rl78->n_bytes; + } +Index: git/opcodes/rl78-decode.opc +=================================================================== +--- git.orig/opcodes/rl78-decode.opc 2017-09-21 13:14:42.256835775 +0530 ++++ git/opcodes/rl78-decode.opc 2017-09-21 13:14:49.444888350 +0530 +@@ -50,7 +50,9 @@ + #define W() rl78->size = RL78_Word + + #define AU ATTRIBUTE_UNUSED +-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr)) ++ ++#define OP_BUF_LEN 20 ++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0) + #define B ((unsigned long) GETBYTE()) + + #define SYNTAX(x) rl78->syntax = x +@@ -168,7 +170,7 @@ + RL78_Dis_Isa isa) + { + LocalData lds, * ld = &lds; +- unsigned char op_buf[20] = {0}; ++ unsigned char op_buf[OP_BUF_LEN] = {0}; + unsigned char *op = op_buf; + int op0, op1; + +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog 2017-09-21 13:14:41.676831533 +0530 ++++ git/opcodes/ChangeLog 2017-09-21 13:16:51.065779064 +0530 +@@ -1,3 +1,12 @@ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21588 ++ * rl78-decode.opc (OP_BUF_LEN): Define. ++ (GETBYTE): Check for the index exceeding OP_BUF_LEN. ++ (rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf ++ array. ++ * rl78-decode.c: Regenerate. ++ + 2016-08-03 Tristan Gingold <gingold@adacore.com> + + * configure: Regenerate. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch new file mode 100644 index 0000000000..fce5b14b20 
--- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch 
@@ -0,0 +1,204 @@ +commit c53d2e6d744da000aaafe0237bced090aab62818 +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jun 14 11:27:15 2017 +0100 + + Fix potential address violations when processing a corrupt Alpha VMA binary. + + PR binutils/21589 + * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the + maximum value for the ascic pointer. Check that name processing + does not read beyond this value. + (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the + end of etir record. + +Upstream-Status: Backport + +CVE: CVE-2017-9752 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/vms-alpha.c +=================================================================== +--- git.orig/bfd/vms-alpha.c 2017-09-21 15:00:19.117805347 +0530 ++++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530 +@@ -1507,7 +1507,7 @@ + /* Write multiple bytes to section image. */ + + static bfd_boolean +-image_write (bfd *abfd, unsigned char *ptr, int size) ++image_write (bfd *abfd, unsigned char *ptr, unsigned int size) + { + #if VMS_DEBUG + _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size, +@@ -1654,14 +1654,16 @@ + #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L) + + static void +-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic, ++_bfd_vms_get_value (bfd *abfd, ++ const unsigned char *ascic, ++ const unsigned char *max_ascic, + struct bfd_link_info *info, + bfd_vma *vma, + struct alpha_vms_link_hash_entry **hp) + { + char name[257]; +- int len; +- int i; ++ unsigned int len; ++ unsigned int i; + struct alpha_vms_link_hash_entry *h; + + /* Not linking. Do not try to resolve the symbol. 
*/ +@@ -1673,6 +1675,14 @@ + } + + len = *ascic; ++ if (ascic + len >= max_ascic) ++ { ++ _bfd_error_handler (_("Corrupt vms value")); ++ *vma = 0; ++ *hp = NULL; ++ return; ++ } ++ + for (i = 0; i < len; i++) + name[i] = ascic[i + 1]; + name[i] = 0; +@@ -1797,6 +1807,15 @@ + _bfd_hexdump (8, ptr, cmd_length - 4, 0); + #endif + ++ /* PR 21589: Check for a corrupt ETIR record. */ ++ if (cmd_length < 4) ++ { ++ corrupt_etir: ++ _bfd_error_handler (_("Corrupt ETIR record encountered")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + switch (cmd) + { + /* Stack global +@@ -1804,7 +1823,7 @@ + + stack 32 bit value of symbol (high bits set to 0). */ + case ETIR__C_STA_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h)); + break; + +@@ -1813,6 +1832,8 @@ + + stack 32 bit value, sign extend to 64 bit. */ + case ETIR__C_STA_LW: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE); + break; + +@@ -1821,6 +1842,8 @@ + + stack 64 bit value of symbol. */ + case ETIR__C_STA_QW: ++ if (ptr + 8 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE); + break; + +@@ -1834,6 +1857,8 @@ + { + int psect; + ++ if (ptr + 12 >= maxptr) ++ goto corrupt_etir; + psect = bfd_getl32 (ptr); + if ((unsigned int) psect >= PRIV (section_count)) + { +@@ -1923,6 +1948,8 @@ + { + int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + _bfd_vms_pop (abfd, &op1, &rel1); + if (rel1 != RELC_NONE) +@@ -1935,7 +1962,7 @@ + /* Store global: write symbol value + arg: cs global symbol name. 
*/ + case ETIR__C_STO_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -1957,7 +1984,7 @@ + /* Store code address: write address of entry point + arg: cs global symbol name (procedure). */ + case ETIR__C_STO_CA: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->flags & EGSY__V_NORM) +@@ -2002,8 +2029,10 @@ + da data. */ + case ETIR__C_STO_IMM: + { +- int size; ++ unsigned int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + image_write (abfd, ptr + 4, size); + } +@@ -2016,7 +2045,7 @@ + store global longword: store 32bit value of symbol + arg: cs symbol name. */ + case ETIR__C_STO_GBL_LW: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + #if 0 + abort (); + #endif +@@ -2069,7 +2098,7 @@ + da signature. */ + + case ETIR__C_STC_LP_PSB: +- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -2165,6 +2194,8 @@ + /* Augment relocation base: increment image location counter by offset + arg: lw offset value. */ + case ETIR__C_CTL_AUGRB: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + op1 = bfd_getl32 (ptr); + image_inc_ptr (abfd, op1); + break; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 15:04:44.000000000 +0530 ++++ git/bfd/ChangeLog 2017-09-21 15:07:58.268949291 +0530 +@@ -81,6 +81,15 @@ + PR binutils/21581 + (ieee_archive_p): Likewise. + ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21589 ++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the ++ maximum value for the ascic pointer. 
Check that name processing ++ does not read beyond this value. ++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the ++ end of etir record. ++ + 2017-04-29 Alan Modra <amodra@gmail.com> + + PR 21432 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch new file mode 100644 index 0000000000..fe1f9a100d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch 
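Review bot: In the `ETIR__C_STO_IMM` case of vms-alpha.c the added check only proves that the 4-byte length field lies inside the record. The `size` read from it is then passed to `image_write (abfd, ptr + 4, size)` without being compared to `maxptr`, so a corrupt record can still ask for a copy that runs past the end of the ETIR data; image_write's body is outside the hunk, so whether it bounds the source itself cannot be seen here. A check such as `if (size > (unsigned int) (maxptr - (ptr + 4))) goto corrupt_etir;` directly after the `bfd_getl32` would close that gap. The same ordering problem appears in `_bfd_vms_get_value`, where `len = *ascic` is read before `ascic` is compared with `max_ascic`. The `ETIR__C_STC_LP_PSB` case also passes `ptr + 4` with no prior check that it is below `maxptr`.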
@@ -0,0 +1,76 @@ +commit 04f963fd489cae724a60140e13984415c205f4ac +Author: Nick Clifton <nickc@redhat.com> +Date: Wed Jun 14 10:35:16 2017 +0100 + + Fix seg-faults in objdump when disassembling a corrupt versados binary. + + PR binutils/21591 + * versados.c (versados_mkobject): Zero the allocated tdata structure. + (process_otr): Check for an invalid offset in the otr structure. + +Upstream-Status: Backport + +CVE: CVE-2017-9753 and CVE-2017-9754 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/versados.c +=================================================================== +--- git.orig/bfd/versados.c 2017-09-21 15:08:34.445197987 +0530 ++++ git/bfd/versados.c 2017-09-21 15:08:34.429197878 +0530 +@@ -149,7 +149,7 @@ + if (abfd->tdata.versados_data == NULL) + { + bfd_size_type amt = sizeof (tdata_type); +- tdata_type *tdata = bfd_alloc (abfd, amt); ++ tdata_type *tdata = bfd_zalloc (abfd, amt); + + if (tdata == NULL) + return FALSE; +@@ -344,13 +344,13 @@ + }; + + static int +-get_offset (int len, unsigned char *ptr) ++get_offset (unsigned int len, unsigned char *ptr) + { + int val = 0; + + if (len) + { +- int i; ++ unsigned int i; + + val = *ptr++; + if (val & 0x80) +@@ -393,9 +393,13 @@ + int flag = *srcp++; + int esdids = (flag >> 5) & 0x7; + int sizeinwords = ((flag >> 3) & 1) ? 2 : 1; +- int offsetlen = flag & 0x7; ++ unsigned int offsetlen = flag & 0x7; + int j; + ++ /* PR 21591: Check for invalid lengths. */ ++ if (srcp + esdids + offsetlen >= endp) ++ return; ++ + if (esdids == 0) + { + /* A zero esdid means the new pc is the offset given. */ +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 15:08:34.445197987 +0530 ++++ git/bfd/ChangeLog 2017-09-21 15:08:34.429197878 +0530 +@@ -90,6 +90,12 @@ + (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the + end of etir record. 
+ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21591 ++ * versados.c (versados_mkobject): Zero the allocated tdata structure. ++ (process_otr): Check for an invalid offset in the otr structure. ++ + 2017-04-29 Alan Modra <amodra@gmail.com> + + PR 21432 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch new file mode 100644 index 0000000000..3ad32189b1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch 
@@ -0,0 +1,60 @@ +commit 0d96e4df4812c3bad77c229dfef47a9bc115ac12 +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Thu Jun 15 06:40:17 2017 -0700 + + i386-dis: Check valid bnd register + + Since there are only 4 bnd registers, return "(bad)" for register + number > 3. + + PR binutils/21594 + * i386-dis.c (OP_E_register): Check valid bnd register. + (OP_G): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-9755 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/opcodes/i386-dis.c +=================================================================== +--- git.orig/opcodes/i386-dis.c 2017-09-21 15:38:46.907182525 +0530 ++++ git/opcodes/i386-dis.c 2017-09-21 15:38:54.703174976 +0530 +@@ -15211,6 +15211,11 @@ + names = address_mode == mode_64bit ? names64 : names32; + break; + case bnd_mode: ++ if (reg > 0x3) ++ { ++ oappend ("(bad)"); ++ return; ++ } + names = names_bnd; + break; + case indir_v_mode: +@@ -15751,6 +15756,11 @@ + oappend (names64[modrm.reg + add]); + break; + case bnd_mode: ++ if (modrm.reg > 0x3) ++ { ++ oappend ("(bad)"); ++ return; ++ } + oappend (names_bnd[modrm.reg]); + break; + case v_mode: +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog 2017-09-21 15:38:54.531175122 +0530 ++++ git/opcodes/ChangeLog 2017-09-21 15:45:32.264491166 +0530 +@@ -1,3 +1,9 @@ ++2017-06-15 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21594 ++ * i386-dis.c (OP_E_register): Check valid bnd register. ++ (OP_G): Likewise. ++ + 2017-06-15 Nick Clifton <nickc@redhat.com> + + PR binutils/21586 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch new file mode 100644 index 0000000000..69e1607d8b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch 
@@ -0,0 +1,101 @@ +commit 8cac017d35ef374e65acc98818a17cf8a652cbd0 +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Thu Jun 15 08:21:48 2017 -0700 + + i386-dis: Add 2 tests with invalid bnd register + + PR binutils/21594 + * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd + register. + * testsuite/gas/i386/x86-64-mpx.s: Likewise. + * testsuite/gas/i386/mpx.d: Updated. + * testsuite/gas/i386/x86-64-mpx.d: Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-9755 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/gas/testsuite/gas/i386/mpx.d +=================================================================== +--- git.orig/gas/testsuite/gas/i386/mpx.d 2017-09-21 15:45:57.640640603 +0530 ++++ git/gas/testsuite/gas/i386/mpx.d 2017-09-21 15:45:57.616640460 +0530 +@@ -130,4 +130,8 @@ + + [a-f0-9]+ <foo>: + [ ]*[a-f0-9]+: f2 c3 bnd ret ++ ++[a-f0-9]+ <bad>: ++[ ]*[a-f0-9]+: 0f 1a 30 bndldx \(%eax\),\(bad\) ++[ ]*[a-f0-9]+: 66 0f 1a c4 bndmov \(bad\),%bnd0 + #pass +Index: git/gas/testsuite/gas/i386/mpx.s +=================================================================== +--- git.orig/gas/testsuite/gas/i386/mpx.s 2017-09-21 15:45:57.640640603 +0530 ++++ git/gas/testsuite/gas/i386/mpx.s 2017-09-21 15:45:57.616640460 +0530 +@@ -157,3 +157,15 @@ + bnd ret + + foo: bnd ret ++ ++bad: ++ # bndldx (%eax),(bad) ++ .byte 0x0f ++ .byte 0x1a ++ .byte 0x30 ++ ++ # bndmov (bad),%bnd0 ++ .byte 0x66 ++ .byte 0x0f ++ .byte 0x1a ++ .byte 0xc4 +Index: git/gas/testsuite/gas/i386/x86-64-mpx.d +=================================================================== +--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.d 2017-09-21 15:45:57.640640603 +0530 ++++ git/gas/testsuite/gas/i386/x86-64-mpx.d 2017-09-21 15:45:57.616640460 +0530 +@@ -182,4 +182,8 @@ + + [a-f0-9]+ <foo>: + [ ]*[a-f0-9]+: f2 c3 bnd retq ++ ++[a-f0-9]+ <bad>: ++[ ]*[a-f0-9]+: 0f 1a 30 bndldx \(%rax\),\(bad\) ++[ ]*[a-f0-9]+: 66 0f 1a c4 bndmov \(bad\),%bnd0 + #pass +Index: 
git/gas/testsuite/gas/i386/x86-64-mpx.s +=================================================================== +--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.s 2017-09-21 15:45:57.640640603 +0530 ++++ git/gas/testsuite/gas/i386/x86-64-mpx.s 2017-09-21 15:45:57.616640460 +0530 +@@ -209,3 +209,15 @@ + bnd ret + + foo: bnd ret ++ ++bad: ++ # bndldx (%eax),(bad) ++ .byte 0x0f ++ .byte 0x1a ++ .byte 0x30 ++ ++ # bndmov (bad),%bnd0 ++ .byte 0x66 ++ .byte 0x0f ++ .byte 0x1a ++ .byte 0xc4 +Index: git/gas/ChangeLog +=================================================================== +--- git.orig/gas/ChangeLog 2017-09-21 15:38:53.143176323 +0530 ++++ git/gas/ChangeLog 2017-09-21 15:48:07.134368927 +0530 +@@ -1,3 +1,12 @@ ++2017-06-15 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21594 ++ * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd ++ register. ++ * testsuite/gas/i386/x86-64-mpx.s: Likewise. ++ * testsuite/gas/i386/mpx.d: Updated. ++ * testsuite/gas/i386/x86-64-mpx.d: Likewise. ++ + 2016-12-01 Nick Clifton <nickc@redhat.com> + + PR gas/20898 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch new file mode 100644 index 0000000000..e40a26eb3c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch 
@@ -0,0 +1,43 @@ +commit cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 +Author: Nick Clifton <nickc@redhat.com> +Date: Thu Jun 15 13:26:54 2017 +0100 + + Prevent address violation problem when disassembling corrupt aarch64 binary. + + PR binutils/21595 + * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of + range value. + +Upstream-Status: Backport + +CVE: CVE-2017-9756 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/opcodes/aarch64-dis.c +=================================================================== +--- git.orig/opcodes/aarch64-dis.c 2017-09-21 15:48:27.154646380 +0530 ++++ git/opcodes/aarch64-dis.c 2017-09-21 15:48:27.134646104 +0530 +@@ -381,6 +381,9 @@ + info->reglist.first_regno = extract_field (FLD_Rt, code, 0); + /* opcode */ + value = extract_field (FLD_opcode, code, 0); ++ /* PR 21595: Check for a bogus value. */ ++ if (value >= ARRAY_SIZE (data)) ++ return 0; + if (expected_num != data[value].num_elements || data[value].is_reserved) + return 0; + info->reglist.num_regs = data[value].num_regs; +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog 2017-09-21 15:45:32.264491166 +0530 ++++ git/opcodes/ChangeLog 2017-09-21 15:49:53.751803571 +0530 +@@ -1,3 +1,9 @@ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21595 ++ * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of ++ range value. ++ + 2017-06-15 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/21594 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch new file mode 100644 index 0000000000..26515721e3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch 
@@ -0,0 +1,58 @@ +commit 04e15b4a9462cb1ae819e878a6009829aab8020b +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Jun 26 15:46:34 2017 +0100 + + Fix address violation parsing a corrupt texhex format file. + + PR binutils/21670 + * tekhex.c (getvalue): Check for the source pointer exceeding the + end pointer before the first byte is read. + +Upstream-Status: Backport + +CVE: CVE-2017-9954 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/tekhex.c +=================================================================== +--- git.orig/bfd/tekhex.c 2017-09-21 16:19:42.570877476 +0530 ++++ git/bfd/tekhex.c 2017-09-21 16:20:06.878964516 +0530 +@@ -273,6 +273,9 @@ + bfd_vma value = 0; + unsigned int len; + ++ if (src >= endp) ++ return FALSE; ++ + if (!ISHEX (*src)) + return FALSE; + +@@ -514,9 +517,10 @@ + /* To the front of the file. */ + if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0) + return FALSE; ++ + while (! is_eof) + { +- char src[MAXCHUNK]; ++ static char src[MAXCHUNK]; + char type; + + /* Find first '%'. */ +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 16:20:06.822964309 +0530 ++++ git/bfd/ChangeLog 2017-09-21 16:22:29.383577439 +0530 +@@ -55,6 +55,12 @@ + correct magic bytes at the start, set the error to wrong format + and clear the format selector before returning NULL. + ++2017-06-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21670 ++ * tekhex.c (getvalue): Check for the source pointer exceeding the ++ end pointer before the first byte is read. ++ + 2017-06-21 Nick Clifton <nickc@redhat.com> + + PR binutils/21637 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch new file mode 100644 index 0000000000..6cd86c2a30 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch 
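Review bot: The second tekhex.c hunk changes `char src[MAXCHUNK];` to `static char src[MAXCHUNK];` inside the `while (! is_eof)` loop, a change the ChangeLog entry does not mention and which is separate from the `getvalue` bounds check. A static buffer makes the function non-reentrant and lets bytes from an earlier record, or an earlier file, stay in `src` when a later record is shorter. If the intent is to avoid reading indeterminate stack bytes (an assumption, since the reason is not stated), `char src[MAXCHUNK] = { 0 };` or a check on the length actually read would say so directly. Otherwise the declaration needs a comment giving the reason for `static`. The enclosing function starts and ends outside the hunk.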
@@ -0,0 +1,93 @@ +commit cfd14a500e0485374596234de4db10e88ebc7618 +Author: Nick Clifton <nickc@redhat.com> +Date: Mon Jun 26 15:25:08 2017 +0100 + + Fix address violations when atempting to parse fuzzed binaries. + + PR binutils/21665 + * compress.c (bfd_get_full_section_contents): Check for and reject + a section whoes size is greater than the size of the entire file. + * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not + contain a notes section. + + binutils* objdump.c (disassemble_section): Skip any section that is bigger + than the entire file. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530 ++++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530 +@@ -239,6 +239,12 @@ + *ptr = NULL; + return TRUE; + } ++ else if (bfd_get_file_size (abfd) > 0 ++ && sz > (bfd_size_type) bfd_get_file_size (abfd)) ++ { ++ *ptr = NULL; ++ return FALSE; ++ } + + switch (sec->compress_status) + { +Index: git/bfd/elf32-v850.c +=================================================================== +--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530 ++++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530 +@@ -2448,7 +2448,9 @@ + BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont)); + + if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL) +- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont)); ++ /* If the output is being stripped then it is possible for ++ the notes section to disappear. In this case do nothing. */ ++ return; + + /* Copy/overwrite notes from the input to the output. 
*/ + memcpy (ocont, icont, bfd_section_size (obfd, onotes)); +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530 ++++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530 +@@ -1973,7 +1973,7 @@ + return; + + datasize = bfd_get_section_size (section); +- if (datasize == 0) ++ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd)) + return; + + if (start_address == (bfd_vma) -1 +@@ -2839,7 +2839,7 @@ + static void + dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED) + { +- bfd_byte *data = 0; ++ bfd_byte *data = NULL; + bfd_size_type datasize; + bfd_vma addr_offset; + bfd_vma start_offset; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530 ++++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530 +@@ -11,6 +11,14 @@ + of end pointer. + (evax_bfd_print_emh): Check for invalid string lengths. + ++2017-06-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21665 ++ * compress.c (bfd_get_full_section_contents): Check for and reject ++ a section whoes size is greater than the size of the entire file. ++ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not ++ contain a notes section. ++ + 2017-07-24 Nick Clifton <nickc@redhat.com> + + PR 21813 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch new file mode 100644 index 0000000000..6e1824bbab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch 
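Review bot: The objdump.c check `datasize >= (bfd_size_type) bfd_get_file_size (abfd)` in the `disassemble_section` hunk has no guard for a file size of zero, unlike the compress.c hunk in this same patch, which tests `bfd_get_file_size (abfd) > 0` first. If bfd_get_file_size returns 0 when the size cannot be determined (presumably; its definition is not shown), every section is silently skipped, and a compressed section whose decompressed size exceeds the file is skipped as well. Suggested form: `if (datasize == 0 || (bfd_get_file_size (abfd) > 0 && datasize >= (bfd_size_type) bfd_get_file_size (abfd)))`, ideally with a diagnostic rather than a bare `return`. In elf32-v850.c the new early `return` leaves `icont` unreleased if it was allocated by the `bfd_malloc_and_get_section` call just above; the rest of that function is outside the hunk, so this should be confirmed there.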
@@ -0,0 +1,112 @@ +commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Mon Jun 26 09:24:49 2017 -0700 + + Check file size before getting section contents + + Don't check the section size in bfd_get_full_section_contents since + the size of a decompressed section may be larger than the file size. + Instead, check file size in _bfd_generic_get_section_contents. + + PR binutils/21665 + * compress.c (bfd_get_full_section_contents): Don't check the + file size here. + * libbfd.c (_bfd_generic_get_section_contents): Check for and + reject a section whoes size + offset is greater than the size + of the entire file. + (_bfd_generic_get_section_contents_in_window): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530 ++++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530 +@@ -780,6 +780,7 @@ + bfd_size_type count) + { + bfd_size_type sz; ++ file_ptr filesz; + if (count == 0) + return TRUE; + +@@ -801,8 +802,15 @@ + sz = section->rawsize; + else + sz = section->size; ++ filesz = bfd_get_file_size (abfd); ++ if (filesz < 0) ++ { ++ /* This should never happen. */ ++ abort (); ++ } + if (offset + count < count +- || offset + count > sz) ++ || offset + count > sz ++ || (section->filepos + offset + sz) > (bfd_size_type) filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -825,6 +833,7 @@ + { + #ifdef USE_MMAP + bfd_size_type sz; ++ file_ptr filesz; + + if (count == 0) + return TRUE; +@@ -857,7 +866,13 @@ + sz = section->rawsize; + else + sz = section->size; ++ filesz = bfd_get_file_size (abfd); ++ { ++ /* This should never happen. */ ++ abort (); ++ } + if (offset + count > sz ++ || (section->filepos + offset + sz) > (bfd_size_type) filesz + || ! 
bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530 ++++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530 +@@ -239,12 +239,6 @@ + *ptr = NULL; + return TRUE; + } +- else if (bfd_get_file_size (abfd) > 0 +- && sz > (bfd_size_type) bfd_get_file_size (abfd)) +- { +- *ptr = NULL; +- return FALSE; +- } + + switch (sec->compress_status) + { +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530 ++++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530 +@@ -11,6 +11,16 @@ + of end pointer. + (evax_bfd_print_emh): Check for invalid string lengths. + ++2017-06-26 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21665 ++ * compress.c (bfd_get_full_section_contents): Don't check the ++ file size here. ++ * libbfd.c (_bfd_generic_get_section_contents): Check for and ++ reject a section whoes size + offset is greater than the size ++ of the entire file. ++ (_bfd_generic_get_section_contents_in_window): Likewise. ++ + 2017-06-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch new file mode 100644 index 0000000000..c8741b13ca --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch 
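Review bot: The bound in `_bfd_generic_get_section_contents_in_window` still opens with `offset + count > sz` and has no wrap test, whereas the non-window function keeps `offset + count < count` in front of it. A sum that wraps would compare as small and could pass both the `sz` test and the new file-size test, so the same first clause belongs here: `if (offset + count < count || offset + count > sz`. As written in this patch, the braces after `filesz = bfd_get_file_size (abfd);` in the window function have no `if`, so `abort ()` is reached on every call under USE_MMAP until CVE-2017-9955_3.patch is applied; the two patches must stay together in the series. Both function bodies begin outside the hunks shown.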
@@ -0,0 +1,44 @@ +commit 1f473e3d0ad285195934e6a077c7ed32afe66437 +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Mon Jun 26 15:47:16 2017 -0700 + + Add a missing line to _bfd_generic_get_section_contents_in_window + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents_in_window): Add + a missing line. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c 2017-09-21 17:57:11.424955516 +0530 ++++ git/bfd/libbfd.c 2017-09-21 17:58:57.000000000 +0530 +@@ -867,6 +867,7 @@ + else + sz = section->size; + filesz = bfd_get_file_size (abfd); ++ if (filesz < 0) + { + /* This should never happen. */ + abort (); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 17:57:11.424955516 +0530 ++++ git/bfd/ChangeLog 2017-09-21 18:01:32.258884464 +0530 +@@ -14,6 +14,12 @@ + 2017-06-26 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents_in_window): Add ++ a missing line. ++ ++2017-06-26 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21665 + * compress.c (bfd_get_full_section_contents): Don't check the + file size here. + * libbfd.c (_bfd_generic_get_section_contents): Check for and diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch new file mode 100644 index 0000000000..d6b6a14254 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch 
@@ -0,0 +1,50 @@ +commit ab27f80c5dceaa23c4ba7f62c0d5d22a5d5dd7a1 +Author: Pedro Alves <palves@redhat.com> +Date: Tue Jun 27 00:21:25 2017 +0100 + + Fix GDB regressions caused by previous bfd_get_section_contents changes + + Ref: https://sourceware.org/ml/binutils/2017-06/msg00343.html + + bfd/ChangeLog: + 2017-06-26 Pedro Alves <palves@redhat.com> + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Add "count", not + "sz". + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c 2017-09-21 18:01:58.079078554 +0530 ++++ git/bfd/libbfd.c 2017-09-21 18:01:58.063078433 +0530 +@@ -810,7 +810,7 @@ + } + if (offset + count < count + || offset + count > sz +- || (section->filepos + offset + sz) > (bfd_size_type) filesz) ++ || (section->filepos + offset + count) > (bfd_size_type) filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 18:01:32.258884464 +0530 ++++ git/bfd/ChangeLog 2017-09-21 18:03:42.955872017 +0530 +@@ -11,6 +11,12 @@ + of end pointer. + (evax_bfd_print_emh): Check for invalid string lengths. + ++2017-06-26 Pedro Alves <palves@redhat.com> ++ ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Add "count", not ++ "sz". ++ + 2017-06-26 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch new file mode 100644 index 0000000000..3634421923 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch 
@@ -0,0 +1,89 @@ +commit 7211ae501eb0de1044983f2dfb00091a58fbd66c +Author: Alan Modra <amodra@gmail.com> +Date: Tue Jun 27 09:45:04 2017 +0930 + + More fixes for bfd_get_section_contents change + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Delete abort. + Use unsigned file pointer type, and remove cast. + * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise. + Add "count", not "sz". + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c 2017-09-21 18:04:47.316362760 +0530 ++++ git/bfd/libbfd.c 2017-09-21 18:04:47.300362638 +0530 +@@ -780,7 +780,7 @@ + bfd_size_type count) + { + bfd_size_type sz; +- file_ptr filesz; ++ ufile_ptr filesz; + if (count == 0) + return TRUE; + +@@ -803,14 +803,9 @@ + else + sz = section->size; + filesz = bfd_get_file_size (abfd); +- if (filesz < 0) +- { +- /* This should never happen. */ +- abort (); +- } + if (offset + count < count + || offset + count > sz +- || (section->filepos + offset + count) > (bfd_size_type) filesz) ++ || section->filepos + offset + count > filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -833,7 +828,7 @@ + { + #ifdef USE_MMAP + bfd_size_type sz; +- file_ptr filesz; ++ ufile_ptr filesz; + + if (count == 0) + return TRUE; +@@ -867,13 +862,8 @@ + else + sz = section->size; + filesz = bfd_get_file_size (abfd); +- if (filesz < 0) +- { +- /* This should never happen. */ +- abort (); +- } + if (offset + count > sz +- || (section->filepos + offset + sz) > (bfd_size_type) filesz ++ || section->filepos + offset + count > filesz + || ! 
bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 18:03:42.955872017 +0530 ++++ git/bfd/ChangeLog 2017-09-21 18:06:39.973228125 +0530 +@@ -11,6 +11,14 @@ + of end pointer. + (evax_bfd_print_emh): Check for invalid string lengths. + ++2017-06-27 Alan Modra <amodra@gmail.com> ++ ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Delete abort. ++ Use unsigned file pointer type, and remove cast. ++ * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise. ++ Add "count", not "sz". ++ + 2017-06-26 Pedro Alves <palves@redhat.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch new file mode 100644 index 0000000000..55feb79c17 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch 
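Review bot: With `abort ()` removed and `filesz` now a `ufile_ptr`, neither function handles `bfd_get_file_size` failing to report a usable size. CVE-2017-9955_9.patch declares it as returning the signed `file_ptr`, so a negative result would convert to a huge bound and switch the file-size test off, while a zero result makes `section->filepos + offset + count > filesz` reject every non-empty read; what the function returns for a BFD of unknown size is not shown on this page. The compress.c test in CVE-2017-9955_1.patch was guarded with `bfd_get_file_size (abfd) > 0`. An explicit guard here, or a comment such as `/* filesz == 0 means the size is unknown. */` stating which outcome is intended, would make the contract reviewable.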
@@ -0,0 +1,55 @@ +commit ea9aafc41a764e4e2dbb88a7b031e886b481b99a +Author: Alan Modra <amodra@gmail.com> +Date: Tue Jun 27 14:43:49 2017 +0930 + + Warning fix + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Warning fix. + (_bfd_generic_get_section_contents_in_window): Likewise. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c 2017-09-21 18:07:34.777651818 +0530 ++++ git/bfd/libbfd.c 2017-09-21 18:07:34.761651695 +0530 +@@ -805,7 +805,7 @@ + filesz = bfd_get_file_size (abfd); + if (offset + count < count + || offset + count > sz +- || section->filepos + offset + count > filesz) ++ || (ufile_ptr) section->filepos + offset + count > filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -863,7 +863,7 @@ + sz = section->size; + filesz = bfd_get_file_size (abfd); + if (offset + count > sz +- || section->filepos + offset + count > filesz ++ || (ufile_ptr) section->filepos + offset + count > filesz + || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 18:06:39.973228125 +0530 ++++ git/bfd/ChangeLog 2017-09-21 18:09:41.798640031 +0530 +@@ -19,6 +19,12 @@ + * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise. + Add "count", not "sz". + ++2017-06-27 Alan Modra <amodra@gmail.com> ++ ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Warning fix. ++ (_bfd_generic_get_section_contents_in_window): Likewise. ++ + 2017-06-26 Pedro Alves <palves@redhat.com> + + PR binutils/21665 
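Review bot: The sum `(ufile_ptr) section->filepos + offset + count` in both comparisons is computed in unsigned arithmetic and can itself wrap, since nothing in these hunks bounds `filepos`, which presumably comes from the section header of the file being parsed. A wrapped sum compares as small and passes `> filesz`. Comparing by subtraction avoids that: `|| (ufile_ptr) section->filepos > filesz` followed by `|| offset + count > filesz - (ufile_ptr) section->filepos`. The cast added here only silences the signed/unsigned warning; a negative `filepos` becomes a very large value, which is one way the wrap could arise.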
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
new file mode 100644
index 0000000000..0950561e10
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
@@ -0,0 +1,79 @@ +commit 60a02042bacf8d25814430080adda61ed086bca6 +Author: Nick Clifton <nickc@redhat.com> +Date: Fri Jun 30 11:03:37 2017 +0100 + + Fix failures in MMIX linker tests introduced by fix for PR 21665. + + PR binutils/21665 + * objdump.c (disassemble_section): Move check for an overlarge + section to just before the allocation of memory. Do not check + section size against file size, but instead use an arbitrary 2Gb + limit. Issue a warning message if the section is too big. + +Upstream-Status: CVE-2017-9955 + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-21 18:10:55.499217078 +0530 ++++ git/binutils/objdump.c 2017-09-21 18:10:55.483216953 +0530 +@@ -1973,7 +1973,7 @@ + return; + + datasize = bfd_get_section_size (section); +- if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd)) ++ if (datasize == 0) + return; + + if (start_address == (bfd_vma) -1 +@@ -2037,6 +2037,29 @@ + } + rel_ppend = rel_pp + rel_count; + ++ /* PR 21665: Check for overlarge datasizes. ++ Note - we used to check for "datasize > bfd_get_file_size (abfd)" but ++ this fails when using compressed sections or compressed file formats ++ (eg MMO, tekhex). ++ ++ The call to xmalloc below will fail if too much memory is requested, ++ which will catch the problem in the normal use case. But if a memory ++ checker is in use, eg valgrind or sanitize, then an exception will ++ be still generated, so we try to catch the problem first. ++ ++ Unfortunately there is no simple way to determine how much memory can ++ be allocated by calling xmalloc. So instead we use a simple, arbitrary ++ limit of 2Gb. Hopefully this should be enough for most users. If ++ someone does start trying to disassemble sections larger then 2Gb in ++ size they will doubtless complain and we can increase the limit. 
*/ ++#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */ ++ if (datasize > MAX_XMALLOC) ++ { ++ non_fatal (_("Reading section %s failed because it is too big (%#lx)"), ++ section->name, (unsigned long) datasize); ++ return; ++ } ++ + data = (bfd_byte *) xmalloc (datasize); + + bfd_get_section_contents (abfd, section, data, 0, datasize); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog 2017-09-21 17:57:10.448948416 +0530 ++++ git/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530 +@@ -4,6 +4,14 @@ + * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty + string whilst concatenating symbol names. + ++2017-06-30 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21665 ++ * objdump.c (disassemble_section): Move check for an overlarge ++ section to just before the allocation of memory. Do not check ++ section size against file size, but instead use an arbitrary 2Gb ++ limit. Issue a warning message if the section is too big. ++ + 2017-05-02 Nick Clifton <nickc@redhat.com> + + PR 21440 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch new file mode 100644 index 0000000000..8035ab38cb --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch 
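Review bot: The header of this patch carries `Upstream-Status: CVE-2017-9955`, while the other patches on this page use `Upstream-Status: Backport`. That field records where the change came from, and the CVE id already has its own `CVE:` line, so it should read `Upstream-Status: Backport` here as well. In the code, `MAX_XMALLOC` is defined in the middle of `disassemble_section`, and the message prints `datasize` through `(unsigned long)` with `%#lx`, which would truncate wherever `bfd_size_type` is wider than `long`. CVE-2017-9955_8.patch removes the block again, so the code points matter mainly if the series is ever trimmed.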
@@ -0,0 +1,170 @@ +commit bae7501e87ab614115d9d3213b4dd18d96e604db +Author: Alan Modra <amodra@gmail.com> +Date: Sat Jul 1 21:58:10 2017 +0930 + + Use bfd_malloc_and_get_section + + It's nicer than xmalloc followed by bfd_get_section_contents, since + xmalloc exits on failure and needs a check that its size_t arg doesn't + lose high bits when converted from bfd_size_type. + + PR binutils/21665 + * objdump.c (strtab): Make var a bfd_byte*. + (disassemble_section): Don't limit malloc size. Instead, use + bfd_malloc_and_get_section. + (read_section_stabs): Use bfd_malloc_and_get_section. Return + bfd_byte*. + (find_stabs_section): Remove now unnecessary cast. + * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free + contents on error return. + * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/binutils/nlmconv.c +=================================================================== +--- git.orig/binutils/nlmconv.c 2017-09-21 18:14:15.792797232 +0530 ++++ git/binutils/nlmconv.c 2017-09-21 18:14:15.776797105 +0530 +@@ -1224,7 +1224,7 @@ + const char *inname; + asection *outsec; + bfd_size_type size; +- void *contents; ++ bfd_byte *contents; + long reloc_size; + bfd_byte buf[4]; + bfd_size_type add; +@@ -1240,9 +1240,7 @@ + contents = NULL; + else + { +- contents = xmalloc (size); +- if (! 
bfd_get_section_contents (inbfd, insec, contents, +- (file_ptr) 0, size)) ++ if (!bfd_malloc_and_get_section (inbfd, insec, &contents)) + bfd_fatal (bfd_get_filename (inbfd)); + } + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-21 18:14:15.792797232 +0530 ++++ git/binutils/objdump.c 2017-09-21 18:23:30.420895459 +0530 +@@ -180,7 +180,7 @@ + static bfd_byte *stabs; + static bfd_size_type stab_size; + +-static char *strtab; ++static bfd_byte *strtab; + static bfd_size_type stabstr_size; + + static bfd_boolean is_relocatable = FALSE; +@@ -2037,33 +2037,13 @@ + } + rel_ppend = rel_pp + rel_count; + +- /* PR 21665: Check for overlarge datasizes. +- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but +- this fails when using compressed sections or compressed file formats +- (eg MMO, tekhex). +- +- The call to xmalloc below will fail if too much memory is requested, +- which will catch the problem in the normal use case. But if a memory +- checker is in use, eg valgrind or sanitize, then an exception will +- be still generated, so we try to catch the problem first. +- +- Unfortunately there is no simple way to determine how much memory can +- be allocated by calling xmalloc. So instead we use a simple, arbitrary +- limit of 2Gb. Hopefully this should be enough for most users. If +- someone does start trying to disassemble sections larger then 2Gb in +- size they will doubtless complain and we can increase the limit. 
*/ +-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */ +- if (datasize > MAX_XMALLOC) ++ if (!bfd_malloc_and_get_section (abfd, section, &data)) + { +- non_fatal (_("Reading section %s failed because it is too big (%#lx)"), +- section->name, (unsigned long) datasize); ++ non_fatal (_("Reading section %s failed because: %s"), ++ section->name, bfd_errmsg (bfd_get_error ())); + return; + } + +- data = (bfd_byte *) xmalloc (datasize); +- +- bfd_get_section_contents (abfd, section, data, 0, datasize); +- + paux->sec = section; + pinfo->buffer = data; + pinfo->buffer_vma = section->vma; +@@ -2579,12 +2559,11 @@ + /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to + it. Return NULL on failure. */ + +-static char * ++static bfd_byte * + read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr) + { + asection *stabsect; +- bfd_size_type size; +- char *contents; ++ bfd_byte *contents; + + stabsect = bfd_get_section_by_name (abfd, sect_name); + if (stabsect == NULL) +@@ -2593,10 +2572,7 @@ + return FALSE; + } + +- size = bfd_section_size (abfd, stabsect); +- contents = (char *) xmalloc (size); +- +- if (! 
bfd_get_section_contents (abfd, stabsect, contents, 0, size)) ++ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents)) + { + non_fatal (_("reading %s section of %s failed: %s"), + sect_name, bfd_get_filename (abfd), +@@ -2606,7 +2582,7 @@ + return NULL; + } + +- *size_ptr = size; ++ *size_ptr = bfd_section_size (abfd, stabsect); + + return contents; + } +@@ -2733,8 +2709,7 @@ + + if (strtab) + { +- stabs = (bfd_byte *) read_section_stabs (abfd, section->name, +- &stab_size); ++ stabs = read_section_stabs (abfd, section->name, &stab_size); + if (stabs) + print_section_stabs (abfd, section->name, &sought->string_offset); + } +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530 ++++ git/binutils/ChangeLog 2017-09-21 18:25:00.195937741 +0530 +@@ -4,6 +4,19 @@ + * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty + string whilst concatenating symbol names. + ++2017-07-01 Alan Modra <amodra@gmail.com> ++ ++ PR binutils/21665 ++ * objdump.c (strtab): Make var a bfd_byte*. ++ (disassemble_section): Don't limit malloc size. Instead, use ++ bfd_malloc_and_get_section. ++ (read_section_stabs): Use bfd_malloc_and_get_section. Return ++ bfd_byte*. ++ (find_stabs_section): Remove now unnecessary cast. ++ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free ++ contents on error return. ++ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. ++ + 2017-06-30 Nick Clifton <nickc@redhat.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch new file mode 100644 index 0000000000..2f50337dab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch 
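Review bot: The commit message and the ChangeLog entry list `objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free contents on error return`, but the patch has sections only for nlmconv.c, objdump.c and the ChangeLog, so that part of the upstream change is not applied here. If it was dropped on purpose, for example because it does not apply to this binutils version, the patch header should say so; otherwise copy_object keeps the allocation pattern it had before, which is not visible on this page. In `read_section_stabs`, `*size_ptr = bfd_section_size (abfd, stabsect);` is now computed separately from the buffer that `bfd_malloc_and_get_section` allocates. It is worth confirming that both use the same size, since callers presumably read `contents` up to `*size_ptr`.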
@@ -0,0 +1,360 @@ +commit 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d +Author: H.J. Lu <hjl.tools@gmail.com> +Date: Tue May 30 06:34:05 2017 -0700 + + Add bfd_get_file_size to get archive element size + + We can't use stat() to get archive element size. Add bfd_get_file_size + to get size for both normal files and archive elements. + + bfd/ + + PR binutils/21519 + * bfdio.c (bfd_get_file_size): New function. + * bfd-in2.h: Regenerated. + + binutils/ + + PR binutils/21519 + * objdump.c (dump_relocs_in_section): Replace get_file_size + with bfd_get_file_size to get archive element size. + * testsuite/binutils-all/objdump.exp (test_objdump_f): New + proc. + (test_objdump_h): Likewise. + (test_objdump_t): Likewise. + (test_objdump_r): Likewise. + (test_objdump_s): Likewise. + Add objdump tests on archive. + +Upstream-Status: Backport + +CVE: CVE-2017-9955 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h 2017-09-21 20:09:13.475032861 +0530 ++++ git/bfd/bfd-in2.h 2017-09-21 20:09:16.375051269 +0530 +@@ -1208,6 +1208,8 @@ + + file_ptr bfd_get_size (bfd *abfd); + ++file_ptr bfd_get_file_size (bfd *abfd); ++ + void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len, + int prot, int flags, file_ptr offset, + void **map_addr, bfd_size_type *map_len); +Index: git/bfd/bfdio.c +=================================================================== +--- git.orig/bfd/bfdio.c 2017-09-21 20:08:55.774919453 +0530 ++++ git/bfd/bfdio.c 2017-09-21 20:09:16.375051269 +0530 +@@ -434,6 +434,29 @@ + return buf.st_size; + } + ++/* ++FUNCTION ++ bfd_get_file_size ++ ++SYNOPSIS ++ file_ptr bfd_get_file_size (bfd *abfd); ++ ++DESCRIPTION ++ Return the file size (as read from file system) for the file ++ associated with BFD @var{abfd}. It supports both normal files ++ and archive elements. 
++ ++*/ ++ ++file_ptr ++bfd_get_file_size (bfd *abfd) ++{ ++ if (abfd->my_archive != NULL ++ && !bfd_is_thin_archive (abfd->my_archive)) ++ return arelt_size (abfd); ++ ++ return bfd_get_size (abfd); ++} + + /* + FUNCTION +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c 2017-09-21 20:09:16.319050914 +0530 ++++ git/binutils/objdump.c 2017-09-21 20:09:16.375051269 +0530 +@@ -3240,7 +3240,7 @@ + } + + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 +- && relsize > get_file_size (bfd_get_filename (abfd))) ++ && relsize > bfd_get_file_size (abfd)) + { + printf (" (too many: 0x%x)\n", section->reloc_count); + bfd_set_error (bfd_error_file_truncated); +Index: git/binutils/testsuite/binutils-all/objdump.exp +=================================================================== +--- git.orig/binutils/testsuite/binutils-all/objdump.exp 2017-09-21 20:08:55.982920797 +0530 ++++ git/binutils/testsuite/binutils-all/objdump.exp 2017-09-21 20:09:16.375051269 +0530 +@@ -64,96 +64,168 @@ + if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest.o]} then { + return + } ++if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest2.o]} then { ++ return ++} + if [is_remote host] { + set testfile [remote_download host tmpdir/bintest.o] ++ set testfile2 [remote_download host tmpdir/bintest2.o] + } else { + set testfile tmpdir/bintest.o ++ set testfile2 tmpdir/bintest2.o ++} ++ ++if { ![istarget "alpha-*-*"] || [is_elf_format] } then { ++ remote_file host file delete tmpdir/bintest.a ++ set got [binutils_run $AR "rc tmpdir/bintest.a $testfile2"] ++ if ![string match "" $got] then { ++ fail "bintest.a" ++ remote_file host delete tmpdir/bintest.a ++ } else { ++ if [is_remote host] { ++ set testarchive [remote_download host tmpdir/bintest.a] ++ } else { ++ set testarchive tmpdir/bintest.a ++ } ++ } ++ remote_file host delete tmpdir/bintest2.o + } + + # Test objdump -f + 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"] ++proc test_objdump_f { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS ++ global cpus_regex + +-set want "$testfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"] + +-if ![regexp $want $got] then { +- fail "objdump -f" +-} else { +- pass "objdump -f" ++ set want "$dumpfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS" ++ ++ if ![regexp $want $got] then { ++ fail "objdump -f ($testfile, $dumpfile)" ++ } else { ++ pass "objdump -f ($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_f $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_f $testarchive bintest2.o + } + + # Test objdump -h + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"] ++proc test_objdump_h { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ \]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"] + +-if ![regexp $want $got all text_name text_size data_name data_size] then { +- fail "objdump -h" +-} else { +- verbose "text name is $text_name size is $text_size" +- verbose "data name is $data_name size is $data_size" +- set ets 8 +- set eds 4 +- # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1 +- if [istarget *c4x*-*-*] then { +- set ets 2 +- set eds 1 +- } +- # c54x section sizes are in bytes, not octets; adjust accordingly +- if [istarget *c54x*-*-*] then { +- set ets 4 +- set eds 2 +- } +- if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then { +- send_log "sizes too small\n" +- fail "objdump -h" ++ set want "$dumpfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ 
\]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)" ++ ++ if ![regexp $want $got all text_name text_size data_name data_size] then { ++ fail "objdump -h ($testfile, $dumpfile)" + } else { +- pass "objdump -h" ++ verbose "text name is $text_name size is $text_size" ++ verbose "data name is $data_name size is $data_size" ++ set ets 8 ++ set eds 4 ++ # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1 ++ if [istarget *c4x*-*-*] then { ++ set ets 2 ++ set eds 1 ++ } ++ # c54x section sizes are in bytes, not octets; adjust accordingly ++ if [istarget *c54x*-*-*] then { ++ set ets 4 ++ set eds 2 ++ } ++ if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then { ++ send_log "sizes too small\n" ++ fail "objdump -h ($testfile, $dumpfile)" ++ } else { ++ pass "objdump -h ($testfile, $dumpfile)" ++ } + } + } + ++test_objdump_h $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_h $testarchive bintest2.o ++} ++ + # Test objdump -t + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"] ++proc test_objdump_t { testfile} { ++ global OBJDUMP ++ global OBJDUMPFLAGS ++ ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"] ++ ++ if [info exists vars] then { unset vars } ++ while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} { ++ set vars($symbol) 1 ++ set got $rest ++ } + +-if [info exists vars] then { unset vars } +-while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} { +- set vars($symbol) 1 +- set got $rest ++ if {![info exists vars(text_symbol)] \ ++ || ![info exists vars(data_symbol)] \ ++ || ![info exists vars(common_symbol)] \ ++ || ![info exists vars(external_symbol)]} then { ++ fail "objdump -t ($testfile)" ++ } else { ++ pass "objdump -t ($testfile)" ++ } + } + +-if {![info exists vars(text_symbol)] \ +- || ![info exists vars(data_symbol)] \ +- || ![info exists vars(common_symbol)] \ +- || ![info exists 
vars(external_symbol)]} then { +- fail "objdump -t" +-} else { +- pass "objdump -t" ++test_objdump_t $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_t $testarchive + } + + # Test objdump -r + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"] ++proc test_objdump_r { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"] + +-if [regexp $want $got] then { +- pass "objdump -r" +-} else { +- fail "objdump -r" ++ set want "$dumpfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol" ++ ++ if [regexp $want $got] then { ++ pass "objdump -r ($testfile, $dumpfile)" ++ } else { ++ fail "objdump -r ($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_r $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_r $testarchive bintest2.o + } + + # Test objdump -s + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"] ++proc test_objdump_s { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"] + +-if [regexp $want $got] then { +- pass "objdump -s" +-} else { +- fail "objdump -s" ++ set want "$dumpfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)" ++ ++ if [regexp $want $got] then { ++ pass "objdump -s ($testfile, $dumpfile)" ++ } else { ++ fail "objdump -s 
($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_s $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_s $testarchive bintest2.o + } + + # Test objdump -s on a file that contains a compressed .debug section +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 20:09:16.207050204 +0530 ++++ git/bfd/ChangeLog 2017-09-21 20:13:41.504562787 +0530 +@@ -158,6 +158,12 @@ + (bfd_perform_relocation, bfd_install_relocation): Use it. + (_bfd_final_link_relocate): Likewise. + ++2017-05-30 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21519 ++ * bfdio.c (bfd_get_file_size): New function. ++ * bfd-in2.h: Regenerated. ++ + 2017-04-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21434 +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog 2017-09-21 20:09:16.319050914 +0530 ++++ git/binutils/ChangeLog 2017-09-21 20:12:42.624252645 +0530 +@@ -25,6 +25,19 @@ + section size against file size, but instead use an arbitrary 2Gb + limit. Issue a warning message if the section is too big. + ++2017-05-30 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21519 ++ * objdump.c (dump_relocs_in_section): Replace get_file_size ++ with bfd_get_file_size to get archive element size. ++ * testsuite/binutils-all/objdump.exp (test_objdump_f): New ++ proc. ++ (test_objdump_h): Likewise. ++ (test_objdump_t): Likewise. ++ (test_objdump_r): Likewise. ++ (test_objdump_s): Likewise. ++ Add objdump tests on archive. ++ + 2017-05-02 Nick Clifton <nickc@redhat.com> + + PR 21440 |
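Review bot: For an archive member `bfd_get_file_size` returns `arelt_size (abfd)`, which is not a file-system size even though the new DESCRIPTION says "as read from file system". `arelt_size` is defined outside this hunk, but if it is the length parsed from the member header, then the upper bound used by the PR 21665 checks in libbfd.c is itself taken from the input being validated. Limiting the result to what the containing archive can hold, or at least correcting the DESCRIPTION to say the member size comes from the archive header, would make that bound dependable. The function is also declared `file_ptr` while CVE-2017-9955_5.patch stores its result in a `ufile_ptr`. As far as this page shows, this patch is numbered last yet defines the function that CVE-2017-9955_1.patch through _8 already call, so the series only builds when applied in full.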