diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
42 files changed, 5862 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch new file mode 100644 index 0000000000..bbd267a959 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14930.patch @@ -0,0 +1,53 @@ +From a26a013f22a19e2c16729e64f40ef8a7dfcc086e Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 17:10:14 +0930 +Subject: [PATCH] PR22191, memory leak in dwarf2.c + +table->sequences is a linked list before it is replaced by a bfd_alloc +array in sort_line_sequences. + + PR 22191 + * dwarf2.c (decode_line_info): Properly free line sequences on error. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14930 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 8 ++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2473,8 +2473,12 @@ decode_line_info (struct comp_unit *unit + return table; + + fail: +- if (table->sequences != NULL) +- free (table->sequences); ++ while (table->sequences != NULL) ++ { ++ struct line_sequence* seq = table->sequences; ++ table->sequences = table->sequences->prev_sequence; ++ free (seq); ++ } + if (table->files != NULL) + free (table->files); + if (table->dirs != NULL) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22191 ++ * dwarf2.c (decode_line_info): Properly free line sequences on error. ++ + 2017-11-28 Nick Clifton <nickc@redhat.com> + + PR 22507 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch new file mode 100644 index 0000000000..a436031dc2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14932.patch @@ -0,0 +1,46 @@ +From e338894dc2e603683bed2172e8e9f25b29051005 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 26 Sep 2017 09:32:18 +0930 +Subject: [PATCH] PR22204, Lack of DW_LNE_end_sequence causes "infinite" loop + + PR 22204 + * dwarf2.c (decode_line_info): Ensure line_ptr stays within + bounds in inner loop. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14932 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2269,7 +2269,7 @@ decode_line_info (struct comp_unit *unit + bfd_vma high_pc = 0; + + /* Decode the table. */ +- while (! end_sequence) ++ while (!end_sequence && line_ptr < line_end) + { + op_code = read_1_byte (abfd, line_ptr, line_end); + line_ptr += 1; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-09-26 Alan Modra <amodra@gmail.com> ++ ++ PR 22204 ++ * dwarf2.c (decode_line_info): Ensure line_ptr stays within ++ bounds in inner loop. ++ + 2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22191 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch new file mode 100644 index 0000000000..9df8138401 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch @@ -0,0 +1,58 @@ +From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 26 Sep 2017 14:37:47 +0100 +Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF + directory or file name table. + + PR 22210 + * dwarf2.c (read_formatted_entries): Fail early if we know that + the loop parsing data entries will overflow the end of the + section. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14933 #1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf2.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-26 Nick Clifton <nickc@redhat.com> ++ ++ PR 22210 ++ * dwarf2.c (read_formatted_entries): Fail early if we know that ++ the loop parsing data entries will overflow the end of the ++ section. ++ + 2017-09-26 Alan Modra <amodra@gmail.com> + + PR 22204 +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit + + data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end); + buf += bytes_read; ++ ++ /* PR 22210. Paranoia check. Don't bother running the loop ++ if we know that we are going to run out of buffer. */ ++ if (data_count > (bfd_vma) (buf_end - buf)) ++ { ++ _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."), ++ data_count); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + for (datai = 0; datai < data_count; datai++) + { + bfd_byte *format = format_header_data; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch new file mode 100644 index 0000000000..607d92f3d4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch @@ -0,0 +1,102 @@ +From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 26 Sep 2017 23:20:06 +0930 +Subject: [PATCH] Tidy reading data in read_formatted_entries + +Using read_attribute_value accomplishes two things: It checks for +unexpected formats, and ensures the buffer pointer always increments. + + PR 22210 + * dwarf2.c (read_formatted_entries): Use read_attribute_value to + read data. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14933 #2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 37 +++++++------------------------------ + 2 files changed, 13 insertions(+), 30 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-09-26 Alan Modra <amodra@gmail.com> ++ ++ PR 22210 ++ * dwarf2.c (read_formatted_entries): Use read_attribute_value to ++ read data. ++ + 2017-09-26 Nick Clifton <nickc@redhat.com> + + PR 22210 +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit + char *string_trash; + char **stringp = &string_trash; + unsigned int uint_trash, *uintp = &uint_trash; ++ struct attribute attr; + + content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read, + FALSE, buf_end); +@@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit + form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE, + buf_end); + format += bytes_read; ++ ++ buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end); ++ if (buf == NULL) ++ return FALSE; + switch (form) + { + case DW_FORM_string: +- *stringp = read_string (abfd, buf, buf_end, &bytes_read); +- buf += bytes_read; +- break; +- + case DW_FORM_line_strp: +- *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read); +- buf += bytes_read; ++ *stringp = attr.u.str; + break; + + case DW_FORM_data1: +- *uintp = read_1_byte (abfd, buf, buf_end); +- buf += 1; +- break; +- + case DW_FORM_data2: +- *uintp = read_2_bytes (abfd, buf, buf_end); +- buf += 2; +- break; +- + case DW_FORM_data4: +- *uintp = read_4_bytes (abfd, buf, buf_end); +- buf += 4; +- break; +- + case DW_FORM_data8: +- *uintp = read_8_bytes (abfd, buf, buf_end); +- buf += 8; +- break; +- + case DW_FORM_udata: +- *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, +- buf_end); +- buf += bytes_read; +- break; +- +- case DW_FORM_block: +- /* It is valid only for DW_LNCT_timestamp which is ignored by +- current GDB. */ ++ *uintp = attr.u.val; + break; + } + } diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch new file mode 100644 index 0000000000..57733f08cf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch @@ -0,0 +1,63 @@ +From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 27 Sep 2017 10:42:51 +0100 +Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when + encountering a CU structure with a small negative size. + + PR 22219 + * dwarf.c (process_debug_info): Add a check for a negative + cu_length field. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14934 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/dwarf.c | 11 ++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c ++++ git/binutils/dwarf.c +@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section + int level, last_level, saved_level; + dwarf_vma cu_offset; + unsigned int offset_size; +- int initial_length_size; ++ unsigned int initial_length_size; + dwarf_vma signature_high = 0; + dwarf_vma signature_low = 0; + dwarf_vma type_offset = 0; +@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section + num_units = unit; + break; + } ++ else if (compunit.cu_length + initial_length_size < initial_length_size) ++ { ++ warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"), ++ dwarf_vmatoa ("x", cu_offset), ++ dwarf_vmatoa ("x", compunit.cu_length)); ++ num_units = unit; ++ break; ++ } ++ + tags = hdrptr; + start += compunit.cu_length + initial_length_size; + +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-09-27 Nick Clifton <nickc@redhat.com> ++ ++ PR 22219 ++ * dwarf.c (process_debug_info): Add a check for a negative ++ cu_length field. ++ + 2017-11-01 Alan Modra <amodra@gmail.com> + + Apply from master diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch new file mode 100644 index 0000000000..e62c73c06d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch @@ -0,0 +1,64 @@ +From bd61e135492ecf624880e6b78e5fcde3c9716df6 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:34:57 +0930 +Subject: [PATCH] PR22166, SHT_GNU_verneed memory allocation + +The sanity check covers the previous minimim size, plus that the size +is at least enough for sh_info verneed entries. + +Also, since we write all verneed fields or exit with an error, there +isn't any need to zero the memory allocated for verneed entries. + + PR 22166 + * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on + SHT_GNU_verneed section for sanity. Don't zalloc memory for + verref. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14938 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/elf.c | 5 +++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -8198,7 +8198,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd + + hdr = &elf_tdata (abfd)->dynverref_hdr; + +- if (hdr->sh_info == 0 || hdr->sh_size < sizeof (Elf_External_Verneed)) ++ if (hdr->sh_info == 0 ++ || hdr->sh_info > hdr->sh_size / sizeof (Elf_External_Verneed)) + { + error_return_bad_verref: + _bfd_error_handler +@@ -8219,7 +8220,7 @@ error_return_verref: + goto error_return_verref; + + elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) +- bfd_zalloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed)); ++ bfd_alloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed)); + + if (elf_tdata (abfd)->verref == NULL) + goto error_return_verref; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22166 ++ * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on ++ SHT_GNU_verneed section for sanity. Don't zalloc memory for ++ verref. ++ + 2017-09-26 Alan Modra <amodra@gmail.com> + + PR 22210 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch new file mode 100644 index 0000000000..d1e4c3e609 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14939.patch @@ -0,0 +1,56 @@ +From 515f23e63c0074ab531bc954f84ca40c6281a724 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:36:16 +0930 +Subject: [PATCH] PR22169, heap-based buffer overflow in read_1_byte + +The .debug_line header length field doesn't include the length field +itself, ie. it's the size of the rest of .debug_line. + + PR 22169 + * dwarf2.c (decode_line_info): Correct .debug_line unit_length check. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14939 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 7 ++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2084,12 +2084,13 @@ decode_line_info (struct comp_unit *unit + offset_size = 8; + } + +- if (unit->line_offset + lh.total_length > stash->dwarf_line_size) ++ if (lh.total_length > (size_t) (line_end - line_ptr)) + { + _bfd_error_handler + /* xgettext: c-format */ +- (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"), +- lh.total_length, stash->dwarf_line_size - unit->line_offset); ++ (_("Dwarf Error: Line info data is bigger (%#Lx)" ++ " than the space remaining in the section (%#lx)"), ++ lh.total_length, (unsigned long) (line_end - line_ptr)); + bfd_set_error (bfd_error_bad_value); + return NULL; + } +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,9 @@ + 2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22169 ++ * dwarf2.c (decode_line_info): Correct .debug_line unit_length check. ++ ++2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22166 + * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch new file mode 100644 index 0000000000..49b0bdc546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14940.patch @@ -0,0 +1,47 @@ +From 0d76029f92182c3682d8be2c833d45bc9a2068fe Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:35:33 +0930 +Subject: [PATCH] PR22167, NULL pointer dereference in scan_unit_for_symbols + + PR 22167 + * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14940 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -3202,7 +3202,8 @@ scan_unit_for_symbols (struct comp_unit + case DW_FORM_block2: + case DW_FORM_block4: + case DW_FORM_exprloc: +- if (*attr.u.blk->data == DW_OP_addr) ++ if (attr.u.blk->data != NULL ++ && *attr.u.blk->data == DW_OP_addr) + { + var->stack = 0; + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,5 +1,10 @@ + 2017-09-24 Alan Modra <amodra@gmail.com> + ++ PR 22167 ++ * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL. ++ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ + PR 22169 + * dwarf2.c (decode_line_info): Correct .debug_line unit_length check. + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch new file mode 100644 index 0000000000..caca7b107e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15021.patch @@ -0,0 +1,48 @@ +From 52b36c51e5bf6d7600fdc6ba115b170b0e78e31d Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 21:36:18 +0930 +Subject: [PATCH] PR22197, buffer overflow in bfd_get_debug_link_info_1 + + PR 22197 + * opncls.c (bfd_get_debug_link_info_1): Properly check that crc is + within section bounds. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15021 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/opncls.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/opncls.c +=================================================================== +--- git.orig/bfd/opncls.c ++++ git/bfd/opncls.c +@@ -1200,7 +1200,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + /* PR 17597: avoid reading off the end of the buffer. */ + crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; + crc_offset = (crc_offset + 3) & ~3; +- if (crc_offset >= bfd_get_section_size (sect)) ++ if (crc_offset + 4 > bfd_get_section_size (sect)) + return NULL; + + *crc32 = bfd_get_32 (abfd, contents + crc_offset); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,5 +1,11 @@ + 2017-09-24 Alan Modra <amodra@gmail.com> + ++ PR 22197 ++ * opncls.c (bfd_get_debug_link_info_1): Properly check that crc is ++ within section bounds. ++ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ + PR 22167 + * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL. + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch new file mode 100644 index 0000000000..c9acfa7853 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15022.patch @@ -0,0 +1,61 @@ +From 11855d8a1f11b102a702ab76e95b22082cccf2f8 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 25 Sep 2017 19:46:34 +0930 +Subject: [PATCH] PR22201, DW_AT_name with out of bounds reference + +DW_AT_name ought to always have a string value. + + PR 22201 + * dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it + has string form. + (parse_comp_unit): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15022 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf2.c | 6 ++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -3177,7 +3177,8 @@ scan_unit_for_symbols (struct comp_unit + switch (attr.name) + { + case DW_AT_name: +- var->name = attr.u.str; ++ if (is_str_attr (attr.form)) ++ var->name = attr.u.str; + break; + + case DW_AT_decl_file: +@@ -3429,7 +3430,8 @@ parse_comp_unit (struct dwarf2_debug *st + break; + + case DW_AT_name: +- unit->name = attr.u.str; ++ if (is_str_attr (attr.form)) ++ unit->name = attr.u.str; + break; + + case DW_AT_low_pc: +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-25 Alan Modra <amodra@gmail.com> ++ ++ PR 22201 ++ * dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it ++ has string form. ++ (parse_comp_unit): Likewise. ++ + 2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22197 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch new file mode 100644 index 0000000000..9439b7b55f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15023.patch @@ -0,0 +1,52 @@ +From c361faae8d964db951b7100cada4dcdc983df1bf Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 25 Sep 2017 19:03:46 +0930 +Subject: [PATCH] PR22200, DWARF5 .debug_line sanity check + +The format_count entry can't be zero unless the count is also zero. + + PR 22200 + * dwarf2.c (read_formatted_entries): Error on format_count zero. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15023 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 7 +++++++ + 2 files changed, 12 insertions(+) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1934,6 +1934,13 @@ read_formatted_entries (struct comp_unit + data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end); + buf += bytes_read; + ++ if (format_count == 0 && data_count != 0) ++ { ++ _bfd_error_handler (_("Dwarf Error: Zero format count.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + /* PR 22210. Paranoia check. Don't bother running the loop + if we know that we are going to run out of buffer. */ + if (data_count > (bfd_vma) (buf_end - buf)) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,9 @@ + 2017-09-25 Alan Modra <amodra@gmail.com> ++ ++ PR 22200 ++ * dwarf2.c (read_formatted_entries): Error on format_count zero. ++ ++2017-09-25 Alan Modra <amodra@gmail.com> + + PR 22201 + * dwarf2.c (scan_unit_for_symbols): Ignore DW_AT_name unless it diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch new file mode 100644 index 0000000000..53b072ebaf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch @@ -0,0 +1,227 @@ +From 52a93b95ec0771c97e26f0bb28630a271a667bd2 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:37:16 +0930 +Subject: [PATCH] PR22187, infinite loop in find_abstract_instance_name + +This patch prevents the simple case of infinite recursion in +find_abstract_instance_name by ensuring that the attributes being +processed are not the same as the previous call. + +The patch also does a little cleanup, and leaves in place some changes +to the nested_funcs array that I made when I wrongly thought looping +might occur in scan_unit_for_symbols. + + PR 22187 + * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and + pname param. Return status. Make name const. Don't abort, + return an error. Formatting. Exit if current info_ptr matches + orig_info_ptr. Update callers. + (scan_unit_for_symbols): Start at nesting_level of zero. Make + nested_funcs an array of structs for extensibility. Formatting. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15024 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 10 ++++++++ + bfd/dwarf2.c | 76 +++++++++++++++++++++++++++++++++++++++-------------------- + 2 files changed, 61 insertions(+), 25 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2823,9 +2823,11 @@ lookup_symbol_in_variable_table (struct + return FALSE; + } + +-static char * ++static bfd_boolean + find_abstract_instance_name (struct comp_unit *unit, ++ bfd_byte *orig_info_ptr, + struct attribute *attr_ptr, ++ const char **pname, + bfd_boolean *is_linkage) + { + bfd *abfd = unit->abfd; +@@ -2835,7 +2837,7 @@ find_abstract_instance_name (struct comp + struct abbrev_info *abbrev; + bfd_uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; +- char *name = NULL; ++ const char *name = NULL; + + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ +@@ -2844,7 +2846,12 @@ find_abstract_instance_name (struct comp + /* We only support DW_FORM_ref_addr within the same file, so + any relocations should be resolved already. */ + if (!die_ref) +- abort (); ++ { ++ _bfd_error_handler ++ (_("Dwarf Error: Abstract instance DIE ref zero.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } + + info_ptr = unit->sec_info_ptr + die_ref; + info_ptr_end = unit->end_ptr; +@@ -2879,9 +2886,10 @@ find_abstract_instance_name (struct comp + _bfd_error_handler + (_("Dwarf Error: Unable to read alt ref %u."), die_ref); + bfd_set_error (bfd_error_bad_value); +- return NULL; ++ return FALSE; + } +- info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size; ++ info_ptr_end = (unit->stash->alt_dwarf_info_buffer ++ + unit->stash->alt_dwarf_info_size); + + /* FIXME: Do we need to locate the correct CU, in a similar + fashion to the code in the DW_FORM_ref_addr case above ? */ +@@ -2904,6 +2912,7 @@ find_abstract_instance_name (struct comp + _bfd_error_handler + (_("Dwarf Error: Could not find abbrev number %u."), abbrev_number); + bfd_set_error (bfd_error_bad_value); ++ return FALSE; + } + else + { +@@ -2913,6 +2922,15 @@ find_abstract_instance_name (struct comp + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; ++ /* It doesn't ever make sense for DW_AT_specification to ++ refer to the same DIE. Stop simple recursion. */ ++ if (info_ptr == orig_info_ptr) ++ { ++ _bfd_error_handler ++ (_("Dwarf Error: Abstract instance recursion detected.")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } + switch (attr.name) + { + case DW_AT_name: +@@ -2926,7 +2944,9 @@ find_abstract_instance_name (struct comp + } + break; + case DW_AT_specification: +- name = find_abstract_instance_name (unit, &attr, is_linkage); ++ if (!find_abstract_instance_name (unit, info_ptr, &attr, ++ pname, is_linkage)) ++ return FALSE; + break; + case DW_AT_linkage_name: + case DW_AT_MIPS_linkage_name: +@@ -2944,7 +2964,8 @@ find_abstract_instance_name (struct comp + } + } + } +- return name; ++ *pname = name; ++ return TRUE; + } + + static bfd_boolean +@@ -3005,20 +3026,22 @@ scan_unit_for_symbols (struct comp_unit + bfd *abfd = unit->abfd; + bfd_byte *info_ptr = unit->first_child_die_ptr; + bfd_byte *info_ptr_end = unit->stash->info_ptr_end; +- int nesting_level = 1; +- struct funcinfo **nested_funcs; ++ int nesting_level = 0; ++ struct nest_funcinfo { ++ struct funcinfo *func; ++ } *nested_funcs; + int nested_funcs_size; + + /* Maintain a stack of in-scope functions and inlined functions, which we + can use to set the caller_func field. */ + nested_funcs_size = 32; +- nested_funcs = (struct funcinfo **) +- bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *)); ++ nested_funcs = (struct nest_funcinfo *) ++ bfd_malloc (nested_funcs_size * sizeof (*nested_funcs)); + if (nested_funcs == NULL) + return FALSE; +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + +- while (nesting_level) ++ while (nesting_level >= 0) + { + unsigned int abbrev_number, bytes_read, i; + struct abbrev_info *abbrev; +@@ -3076,13 +3099,13 @@ scan_unit_for_symbols (struct comp_unit + BFD_ASSERT (!unit->cached); + + if (func->tag == DW_TAG_inlined_subroutine) +- for (i = nesting_level - 1; i >= 1; i--) +- if (nested_funcs[i]) ++ for (i = nesting_level; i-- != 0; ) ++ if (nested_funcs[i].func) + { +- func->caller_func = nested_funcs[i]; ++ func->caller_func = nested_funcs[i].func; + break; + } +- nested_funcs[nesting_level] = func; ++ nested_funcs[nesting_level].func = func; + } + else + { +@@ -3102,12 +3125,13 @@ scan_unit_for_symbols (struct comp_unit + } + + /* No inline function in scope at this nesting level. */ +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + } + + for (i = 0; i < abbrev->num_attrs; ++i) + { +- info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end); ++ info_ptr = read_attribute (&attr, &abbrev->attrs[i], ++ unit, info_ptr, info_ptr_end); + if (info_ptr == NULL) + goto fail; + +@@ -3126,8 +3150,10 @@ scan_unit_for_symbols (struct comp_unit + + case DW_AT_abstract_origin: + case DW_AT_specification: +- func->name = find_abstract_instance_name (unit, &attr, +- &func->is_linkage); ++ if (!find_abstract_instance_name (unit, info_ptr, &attr, ++ &func->name, ++ &func->is_linkage)) ++ goto fail; + break; + + case DW_AT_name: +@@ -3254,17 +3280,17 @@ scan_unit_for_symbols (struct comp_unit + + if (nesting_level >= nested_funcs_size) + { +- struct funcinfo **tmp; ++ struct nest_funcinfo *tmp; + + nested_funcs_size *= 2; +- tmp = (struct funcinfo **) ++ tmp = (struct nest_funcinfo *) + bfd_realloc (nested_funcs, +- nested_funcs_size * sizeof (struct funcinfo *)); ++ nested_funcs_size * sizeof (*nested_funcs)); + if (tmp == NULL) + goto fail; + nested_funcs = tmp; + } +- nested_funcs[nesting_level] = 0; ++ nested_funcs[nesting_level].func = 0; + } + } + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch new file mode 100644 index 0000000000..ce5315976a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15025.patch @@ -0,0 +1,47 @@ +From d8010d3e75ec7194a4703774090b27486b742d48 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 24 Sep 2017 14:36:48 +0930 +Subject: [PATCH] PR22186, divide-by-zero in decode_line_info + + PR 22186 + * dwarf2.c (decode_line_info): Fail on lh.line_range of zero + rather than dividing by zero. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15025 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 2 ++ + 2 files changed, 8 insertions(+) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -2432,6 +2432,8 @@ decode_line_info (struct comp_unit *unit + case DW_LNS_set_basic_block: + break; + case DW_LNS_const_add_pc: ++ if (lh.line_range == 0) ++ goto line_fail; + if (lh.maximum_ops_per_insn == 1) + address += (lh.minimum_instruction_length + * ((255 - lh.opcode_base) / lh.line_range)); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-24 Alan Modra <amodra@gmail.com> ++ ++ PR 22186 ++ * dwarf2.c (decode_line_info): Fail on lh.line_range of zero ++ rather than dividing by zero. ++ ++ + 2017-09-25 Alan Modra <amodra@gmail.com> + + PR 22200 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch new file mode 100644 index 0000000000..2ef3f53737 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15225.patch @@ -0,0 +1,48 @@ +From b55ec8b676ed05d93ee49d6c79ae0403616c4fb0 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 9 Oct 2017 13:21:44 +1030 +Subject: [PATCH] PR22212, memory leak in nm + + PR 22212 + * dwarf2.c (_bfd_dwarf2_cleanup_debug_info): Free + funcinfo_hash_table and varinfo_hash_table. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15225 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 4 ++++ + 2 files changed, 10 insertions(+) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -4932,6 +4932,10 @@ _bfd_dwarf2_cleanup_debug_info (bfd *abf + } + } + ++ if (stash->funcinfo_hash_table) ++ bfd_hash_table_free (&stash->funcinfo_hash_table->base); ++ if (stash->varinfo_hash_table) ++ bfd_hash_table_free (&stash->varinfo_hash_table->base); + if (stash->dwarf_abbrev_buffer) + free (stash->dwarf_abbrev_buffer); + if (stash->dwarf_line_buffer) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-10-09 Alan Modra <amodra@gmail.com> ++ ++ PR 22212 ++ * dwarf2.c (_bfd_dwarf2_cleanup_debug_info): Free ++ funcinfo_hash_table and varinfo_hash_table. ++ + 2017-09-24 Alan Modra <amodra@gmail.com> + + PR 22186 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch new file mode 100644 index 0000000000..bccad763f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch @@ -0,0 +1,113 @@ +From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 26 Sep 2017 09:38:26 +0930 +Subject: [PATCH] PR22205, .debug_line file table NULL filename + +The PR22200 fuzzer testcase found one way to put NULLs into .debug_line +file tables. PR22205 finds another. This patch gives up on trying to +prevent NULL files in the file table and instead just copes with them. +Arguably, this is better than giving up and showing no info from +.debug_line. I've also fixed a case where the fairly recent DWARF5 +support in handling broken DWARG could result in uninitialized memory +reads, and made a small tidy. + + PR 22205 + * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename. + (read_formatted_entries): Init "fe". + (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15939 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf2.c | 35 +++++++++++++---------------------- + 2 files changed, 20 insertions(+), 22 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table + } + + filename = table->files[file - 1].name; ++ if (filename == NULL) ++ return strdup ("<unknown>"); + + if (!IS_ABSOLUTE_PATH (filename)) + { +@@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit + bfd_byte *format = format_header_data; + struct fileinfo fe; + ++ memset (&fe, 0, sizeof fe); + for (formati = 0; formati < format_count; formati++) + { + bfd_vma content_type, form; +@@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit + unsigned int discriminator = 0; + int is_stmt = lh.default_is_stmt; + int end_sequence = 0; ++ unsigned int dir, xtime, size; + /* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some + compilers generate address sequences that are wildly out of + order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler +@@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit + case DW_LNE_define_file: + cur_file = read_string (abfd, line_ptr, line_end, &bytes_read); + line_ptr += bytes_read; +- if ((table->num_files % FILE_ALLOC_CHUNK) == 0) +- { +- struct fileinfo *tmp; +- +- amt = table->num_files + FILE_ALLOC_CHUNK; +- amt *= sizeof (struct fileinfo); +- tmp = (struct fileinfo *) bfd_realloc (table->files, amt); +- if (tmp == NULL) +- goto line_fail; +- table->files = tmp; +- } +- table->files[table->num_files].name = cur_file; +- table->files[table->num_files].dir = +- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, +- FALSE, line_end); ++ dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, ++ FALSE, line_end); + line_ptr += bytes_read; +- table->files[table->num_files].time = +- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, +- FALSE, line_end); ++ xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, ++ FALSE, line_end); + line_ptr += bytes_read; +- table->files[table->num_files].size = +- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, +- FALSE, line_end); ++ size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, ++ FALSE, line_end); + line_ptr += bytes_read; +- table->num_files++; ++ if (!line_info_add_file_name (table, cur_file, dir, ++ xtime, size)) ++ goto line_fail; + break; + case DW_LNE_set_discriminator: + discriminator = +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-26 Alan Modra <amodra@gmail.com> ++ ++ PR 22205 ++ * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename. ++ (read_formatted_entries): Init "fe". ++ (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name. ++ + 2017-10-09 Alan Modra <amodra@gmail.com> + + PR 22212 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch new file mode 100644 index 0000000000..dab8380e33 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch @@ -0,0 +1,84 @@ +From d91f0b20e561e326ee91a09a76206257bde8438b Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 28 Oct 2017 21:31:16 +1030 +Subject: [PATCH] PR22361 readelf buffer overflow on fuzzed archive header + + PR 22361 + * readelf.c (process_archive_index_and_symbols): Ensure ar_size + field is zero terminated for strtoul. + (setup_archive, get_archive_member_name): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15996 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 7 +++++++ + binutils/elfcomm.c | 11 +++++++++++ + 2 files changed, 18 insertions(+) + +Index: git/binutils/elfcomm.c +=================================================================== +--- git.orig/binutils/elfcomm.c ++++ git/binutils/elfcomm.c +@@ -466,8 +466,12 @@ process_archive_index_and_symbols (struc + { + size_t got; + unsigned long size; ++ char fmag_save; + ++ fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + size = strtoul (arch->arhdr.ar_size, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + /* PR 17531: file: 912bd7de. */ + if ((signed long) size < 0) + { +@@ -655,7 +659,10 @@ setup_archive (struct archive_info *arch + if (const_strneq (arch->arhdr.ar_name, "// ")) + { + /* This is the archive string table holding long member names. */ ++ char fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + arch->longnames_size = strtoul (arch->arhdr.ar_size, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + /* PR 17531: file: 01068045. */ + if (arch->longnames_size < 8) + { +@@ -758,6 +765,7 @@ get_archive_member_name (struct archive_ + char *endp; + char *member_file_name; + char *member_name; ++ char fmag_save; + + if (arch->longnames == NULL || arch->longnames_size == 0) + { +@@ -766,9 +774,12 @@ get_archive_member_name (struct archive_ + } + + arch->nested_member_origin = 0; ++ fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + k = j = strtoul (arch->arhdr.ar_name + 1, &endp, 10); + if (arch->is_thin_archive && endp != NULL && * endp == ':') + arch->nested_member_origin = strtoul (endp + 1, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + + if (j > arch->longnames_size) + { +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-10-28 Alan Modra <amodra@gmail.com> ++ ++ PR 22361 ++ * readelf.c (process_archive_index_and_symbols): Ensure ar_size ++ field is zero terminated for strtoul. ++ (setup_archive, get_archive_member_name): Likewise. ++ + 2017-09-26 Alan Modra <amodra@gmail.com> + + PR 22205 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch new file mode 100644 index 0000000000..bb24ba8834 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16826.patch @@ -0,0 +1,53 @@ +From a67d66eb97e7613a38ffe6622d837303b3ecd31d Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 1 Nov 2017 15:21:46 +0000 +Subject: [PATCH] Prevent illegal memory accesses when attempting to read + excessively large COFF line number tables. + + PR 22376 + * coffcode.h (coff_slurp_line_table): Check for an excessively + large line number count. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16826 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/coffcode.h | 8 ++++++++ + 2 files changed, 14 insertions(+) + +Index: git/bfd/coffcode.h +=================================================================== +--- git.orig/bfd/coffcode.h ++++ git/bfd/coffcode.h +@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asecti + + BFD_ASSERT (asect->lineno == NULL); + ++ if (asect->lineno_count > asect->size) ++ { ++ _bfd_error_handler ++ (_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"), ++ abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size); ++ return FALSE; ++ } ++ + amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent); + lineno_cache = (alent *) bfd_alloc (abfd, amt); + if (lineno_cache == NULL) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-01 Nick Clifton <nickc@redhat.com> ++ ++ PR 22376 ++ * coffcode.h (coff_slurp_line_table): Check for an excessively ++ large line number count. ++ + 2017-10-28 Alan Modra <amodra@gmail.com> + + PR 22361 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch new file mode 100644 index 0000000000..dbc577c8e0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch @@ -0,0 +1,95 @@ +From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 17 Oct 2017 16:43:47 +1030 +Subject: [PATCH] PR22306, Invalid free() in slurp_symtab() + + PR 22306 + * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, + and error for any other size that doesn't cover the header word. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16827 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/aoutx.h | 45 ++++++++++++++++++++++++++++++--------------- + 2 files changed, 36 insertions(+), 15 deletions(-) + +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h ++++ git/bfd/aoutx.h +@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd) + || bfd_bread ((void *) string_chars, amt, abfd) != amt) + return FALSE; + stringsize = GET_WORD (abfd, string_chars); ++ if (stringsize == 0) ++ stringsize = 1; ++ else if (stringsize < BYTES_IN_WORD ++ || (size_t) stringsize != stringsize) ++ { ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } + + #ifdef USE_MMAP +- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize, +- &obj_aout_string_window (abfd), TRUE)) +- return FALSE; +- strings = (char *) obj_aout_string_window (abfd).data; +-#else +- strings = (char *) bfd_malloc (stringsize + 1); +- if (strings == NULL) +- return FALSE; +- +- /* Skip space for the string count in the buffer for convenience +- when using indexes. */ +- amt = stringsize - BYTES_IN_WORD; +- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt) ++ if (stringsize >= BYTES_IN_WORD) + { +- free (strings); +- return FALSE; ++ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize, ++ &obj_aout_string_window (abfd), TRUE)) ++ return FALSE; ++ strings = (char *) obj_aout_string_window (abfd).data; + } ++ else + #endif ++ { ++ strings = (char *) bfd_malloc (stringsize); ++ if (strings == NULL) ++ return FALSE; + ++ if (stringsize >= BYTES_IN_WORD) ++ { ++ /* Keep the string count in the buffer for convenience ++ when indexing with e_strx. */ ++ amt = stringsize - BYTES_IN_WORD; ++ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt) ++ { ++ free (strings); ++ return FALSE; ++ } ++ } ++ } + /* Ensure that a zero index yields an empty string. */ + strings[0] = '\0'; + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-10-17 Alan Modra <amodra@gmail.com> ++ ++ PR 22306 ++ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, ++ and error for any other size that doesn't cover the header word. ++ + 2017-11-01 Nick Clifton <nickc@redhat.com> + + PR 22376 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch new file mode 100644 index 0000000000..310908f86d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch @@ -0,0 +1,79 @@ +From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 5 Oct 2017 17:32:18 +1030 +Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames + +Pointer comparisons have traps for the unwary. After adding a large +unknown value to "start", the test "start < end" depends on where +"start" is originally in memory. + + PR 22239 + * dwarf.c (read_cie): Don't compare "start" and "end" pointers + after adding a possibly wild length to "start", compare the length + to the difference of the pointers instead. Remove now redundant + "negative" length test. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16828 patch1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 8 ++++++++ + binutils/dwarf.c | 15 ++++----------- + 2 files changed, 12 insertions(+), 11 deletions(-) + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c ++++ git/binutils/dwarf.c +@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned + { + READ_ULEB (augmentation_data_len); + augmentation_data = start; +- start += augmentation_data_len; + /* PR 17512: file: 11042-2589-0.004. */ +- if (start > end) ++ if (augmentation_data_len > (size_t) (end - start)) + { + warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"), +- augmentation_data_len, (long)((end - start) + augmentation_data_len)); ++ augmentation_data_len, (unsigned long) (end - start)); + return end; + } ++ start += augmentation_data_len; + } + + if (augmentation_data_len) +@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned + q = augmentation_data; + qend = q + augmentation_data_len; + +- /* PR 17531: file: 015adfaa. */ +- if (qend < q) +- { +- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len); +- augmentation_data_len = 0; +- } +- +- while (p < end && q < augmentation_data + augmentation_data_len) ++ while (p < end && q < qend) + { + if (*p == 'L') + q++; +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,11 @@ ++2017-10-05 Alan Modra <amodra@gmail.com> ++ ++ PR 22239 ++ * dwarf.c (read_cie): Don't compare "start" and "end" pointers ++ after adding a possibly wild length to "start", compare the length ++ to the difference of the pointers instead. Remove now redundant ++ "negative" length test. ++ + 2017-09-27 Nick Clifton <nickc@redhat.com> + + PR 22219 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch new file mode 100644 index 0000000000..5073d31ce0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch @@ -0,0 +1,149 @@ +From bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 3 Nov 2017 13:57:15 +0000 +Subject: [PATCH] Fix integer overflow problems when reading an ELF binary with + corrupt augmentation data. + + PR 22386 + * dwarf.c (read_cie): Use bfd_size_type for + augmentation_data_len. + (display_augmentation_data): New function. + (display_debug_frames): Use it. + Check for integer overflow when testing augmentation_data_len. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16828 patch2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 10 +++++++++ + binutils/dwarf.c | 65 +++++++++++++++++++++++++++++++++--------------------- + 2 files changed, 50 insertions(+), 25 deletions(-) + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c ++++ git/binutils/dwarf.c +@@ -6577,13 +6577,13 @@ frame_display_row (Frame_Chunk *fc, int + static unsigned char * + read_cie (unsigned char *start, unsigned char *end, + Frame_Chunk **p_cie, int *p_version, +- unsigned long *p_aug_len, unsigned char **p_aug) ++ bfd_size_type *p_aug_len, unsigned char **p_aug) + { + int version; + Frame_Chunk *fc; + unsigned int length_return; + unsigned char *augmentation_data = NULL; +- unsigned long augmentation_data_len = 0; ++ bfd_size_type augmentation_data_len = 0; + + * p_cie = NULL; + /* PR 17512: file: 001-228113-0.004. */ +@@ -6653,10 +6653,11 @@ read_cie (unsigned char *start, unsigned + READ_ULEB (augmentation_data_len); + augmentation_data = start; + /* PR 17512: file: 11042-2589-0.004. */ +- if (augmentation_data_len > (size_t) (end - start)) ++ if (augmentation_data_len > (bfd_size_type) (end - start)) + { +- warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"), +- augmentation_data_len, (unsigned long) (end - start)); ++ warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"), ++ dwarf_vmatoa ("x", augmentation_data_len), ++ (unsigned long) (end - start)); + return end; + } + start += augmentation_data_len; +@@ -6701,6 +6702,31 @@ read_cie (unsigned char *start, unsigned + return start; + } + ++/* Prints out the contents on the augmentation data array. ++ If do_wide is not enabled, then formats the output to fit into 80 columns. */ ++ ++static void ++display_augmentation_data (const unsigned char * data, const bfd_size_type len) ++{ ++ bfd_size_type i; ++ ++ i = printf (_(" Augmentation data: ")); ++ ++ if (do_wide || len < ((80 - i) / 3)) ++ for (i = 0; i < len; ++i) ++ printf (" %02x", data[i]); ++ else ++ { ++ for (i = 0; i < len; ++i) ++ { ++ if (i % (80 / 3) == 0) ++ putchar ('\n'); ++ printf (" %02x", data[i]); ++ } ++ } ++ putchar ('\n'); ++} ++ + static int + display_debug_frames (struct dwarf_section *section, + void *file ATTRIBUTE_UNUSED) +@@ -6729,7 +6755,7 @@ display_debug_frames (struct dwarf_secti + Frame_Chunk *cie; + int need_col_headers = 1; + unsigned char *augmentation_data = NULL; +- unsigned long augmentation_data_len = 0; ++ bfd_size_type augmentation_data_len = 0; + unsigned int encoded_ptr_size = saved_eh_addr_size; + unsigned int offset_size; + unsigned int initial_length_size; +@@ -6823,16 +6849,8 @@ display_debug_frames (struct dwarf_secti + printf (" Return address column: %d\n", fc->ra); + + if (augmentation_data_len) +- { +- unsigned long i; ++ display_augmentation_data (augmentation_data, augmentation_data_len); + +- printf (" Augmentation data: "); +- for (i = 0; i < augmentation_data_len; ++i) +- /* FIXME: If do_wide is FALSE, then we should +- add carriage returns at 80 columns... */ +- printf (" %02x", augmentation_data[i]); +- putchar ('\n'); +- } + putchar ('\n'); + } + } +@@ -6988,11 +7006,13 @@ display_debug_frames (struct dwarf_secti + READ_ULEB (augmentation_data_len); + augmentation_data = start; + start += augmentation_data_len; +- /* PR 17512: file: 722-8446-0.004. */ +- if (start >= end || ((signed long) augmentation_data_len) < 0) ++ /* PR 17512 file: 722-8446-0.004 and PR 22386. */ ++ if (start >= end ++ || ((bfd_signed_vma) augmentation_data_len) < 0 ++ || augmentation_data > start) + { +- warn (_("Corrupt augmentation data length: %lx\n"), +- augmentation_data_len); ++ warn (_("Corrupt augmentation data length: 0x%s\n"), ++ dwarf_vmatoa ("x", augmentation_data_len)); + start = end; + augmentation_data = NULL; + augmentation_data_len = 0; +@@ -7014,12 +7034,7 @@ display_debug_frames (struct dwarf_secti + + if (! do_debug_frames_interp && augmentation_data_len) + { +- unsigned long i; +- +- printf (" Augmentation data: "); +- for (i = 0; i < augmentation_data_len; ++i) +- printf (" %02x", augmentation_data[i]); +- putchar ('\n'); ++ display_augmentation_data (augmentation_data, augmentation_data_len); + putchar ('\n'); + } + } diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch new file mode 100644 index 0000000000..f9410e2728 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch @@ -0,0 +1,82 @@ +From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 17 Oct 2017 21:57:29 +1030 +Subject: [PATCH] PR22307, Heap out of bounds read in + _bfd_elf_parse_gnu_properties + +When adding an unbounded increment to a pointer, you can't just check +against the end of the buffer but also must check that overflow +doesn't result in "negative" pointer movement. Pointer comparisons +are signed. Better, check the increment against the space left using +an unsigned comparison. + + PR 22307 + * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz + against size left rather than comparing pointers. Reorganise loop. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16829 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf-properties.c | 18 +++++++++--------- + 2 files changed, 15 insertions(+), 9 deletions(-) + +Index: git/bfd/elf-properties.c +=================================================================== +--- git.orig/bfd/elf-properties.c ++++ git/bfd/elf-properties.c +@@ -93,15 +93,20 @@ bad_size: + return FALSE; + } + +- while (1) ++ while (ptr != ptr_end) + { +- unsigned int type = bfd_h_get_32 (abfd, ptr); +- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4); ++ unsigned int type; ++ unsigned int datasz; + elf_property *prop; + ++ if ((size_t) (ptr_end - ptr) < 8) ++ goto bad_size; ++ ++ type = bfd_h_get_32 (abfd, ptr); ++ datasz = bfd_h_get_32 (abfd, ptr + 4); + ptr += 8; + +- if ((ptr + datasz) > ptr_end) ++ if (datasz > (size_t) (ptr_end - ptr)) + { + _bfd_error_handler + (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"), +@@ -182,11 +187,6 @@ bad_size: + + next: + ptr += (datasz + (align_size - 1)) & ~ (align_size - 1); +- if (ptr == ptr_end) +- break; +- +- if (ptr > (ptr_end - 8)) +- goto bad_size; + } + + return TRUE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,10 @@ + 2017-10-17 Alan Modra <amodra@gmail.com> ++ ++ PR 22307 ++ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz ++ against size left rather than comparing pointers. Reorganise loop. ++ ++2017-10-17 Alan Modra <amodra@gmail.com> + + PR 22306 + * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch new file mode 100644 index 0000000000..1382c8e3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch @@ -0,0 +1,91 @@ +From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001 +From: Mingi Cho <mgcho.minic@gmail.com> +Date: Thu, 2 Nov 2017 17:01:08 +0000 +Subject: [PATCH] Work around integer overflows when readelf is checking for + corrupt ELF notes when run on a 32-bit host. + + PR 22384 + * readelf.c (print_gnu_property_note): Improve overflow checks so + that they will work on a 32-bit host. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16830 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 33 +++++++++++++++++---------------- + 2 files changed, 23 insertions(+), 16 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No + return; + } + +- while (1) ++ while (ptr < ptr_end) + { + unsigned int j; +- unsigned int type = byte_get (ptr, 4); +- unsigned int datasz = byte_get (ptr + 4, 4); ++ unsigned int type; ++ unsigned int datasz; ++ ++ if ((size_t) (ptr_end - ptr) < 8) ++ { ++ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); ++ break; ++ } ++ ++ type = byte_get (ptr, 4); ++ datasz = byte_get (ptr + 4, 4); + + ptr += 8; + +- if ((ptr + datasz) > ptr_end) ++ if (datasz > (size_t) (ptr_end - ptr)) + { + printf (_("<corrupt type (%#x) datasz: %#x>\n"), + type, datasz); +@@ -16520,19 +16529,11 @@ next: + ptr += ((datasz + (size - 1)) & ~ (size - 1)); + if (ptr == ptr_end) + break; +- else +- { +- if (do_wide) +- printf (", "); +- else +- printf ("\n\t"); +- } + +- if (ptr > (ptr_end - 8)) +- { +- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); +- break; +- } ++ if (do_wide) ++ printf (", "); ++ else ++ printf ("\n\t"); + } + + printf ("\n"); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-02 Mingi Cho <mgcho.minic@gmail.com> ++ ++ PR 22384 ++ * readelf.c (print_gnu_property_note): Improve overflow checks so ++ that they will work on a 32-bit host. ++ + 2017-10-05 Alan Modra <amodra@gmail.com> + + PR 22239 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch new file mode 100644 index 0000000000..7acd5e0f2f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch @@ -0,0 +1,77 @@ +From 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 3 Nov 2017 11:55:21 +0000 +Subject: [PATCH] Fix excessive memory allocation attempts and possible integer + overfloaws when attempting to read a COFF binary with a corrupt symbol count. + + PR 22385 + * coffgen.c (_bfd_coff_get_external_symbols): Check for an + overlarge raw syment count. + (coff_get_normalized_symtab): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16831 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/coffgen.c | 17 +++++++++++++++-- + 2 files changed, 23 insertions(+), 2 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2017-11-03 Mingi Cho <mgcho.minic@gmail.com> ++ Nick Clifton <nickc@redhat.com> ++ ++ PR 22385 ++ * coffgen.c (_bfd_coff_get_external_symbols): Check for an ++ overlarge raw syment count. ++ (coff_get_normalized_symtab): Likewise. ++ + 2017-10-17 Alan Modra <amodra@gmail.com> + + PR 22307 +Index: git/bfd/coffgen.c +=================================================================== +--- git.orig/bfd/coffgen.c ++++ git/bfd/coffgen.c +@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf + size = obj_raw_syment_count (abfd) * symesz; + if (size == 0) + return TRUE; ++ /* Check for integer overflow and for unreasonable symbol counts. */ ++ if (size < obj_raw_syment_count (abfd) ++ || (bfd_get_file_size (abfd) > 0 ++ && size > bfd_get_file_size (abfd))) ++ ++ { ++ _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"), ++ abfd, obj_raw_syment_count (abfd)); ++ return FALSE; ++ } + + syms = bfd_malloc (size); + if (syms == NULL) + { + /* PR 21013: Provide an error message when the alloc fails. */ +- _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"), +- abfd, size); ++ _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"), ++ abfd, obj_raw_syment_count (abfd), symesz); + return FALSE; + } + +@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd) + return NULL; + + size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type); ++ /* Check for integer overflow. */ ++ if (size < obj_raw_syment_count (abfd)) ++ return NULL; + internal = (combined_entry_type *) bfd_zalloc (abfd, size); + if (internal == NULL && size != 0) + return NULL; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch new file mode 100644 index 0000000000..9044bccf95 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch @@ -0,0 +1,61 @@ +From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 31 Oct 2017 14:29:40 +0000 +Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary + with a corrupt data dictionary. + + PR 22373 + * peicode.h (pe_bfd_read_buildid): Check for invalid size and data + offset values. + +Upstrem-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16832 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/peicode.h | 9 ++++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + +Index: git/bfd/peicode.h +=================================================================== +--- git.orig/bfd/peicode.h ++++ git/bfd/peicode.h +@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd) + bfd_byte *data = 0; + bfd_size_type dataoff; + unsigned int i; +- + bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress; + bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size; + +@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd) + + dataoff = addr - section->vma; + +- /* PR 20605: Make sure that the data is really there. */ +- if (dataoff + size > section->size) ++ /* PR 20605 and 22373: Make sure that the data is really there. ++ Note - since we are dealing with unsigned quantities we have ++ to be careful to check for potential overflows. */ ++ if (dataoff > section->size ++ || size > section->size ++ || dataoff + size > section->size) + { + _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."), + abfd); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-10-31 Nick Clifton <nickc@redhat.com> ++ ++ PR 22373 ++ * peicode.h (pe_bfd_read_buildid): Check for invalid size and data ++ offset values. ++ + 2017-11-03 Mingi Cho <mgcho.minic@gmail.com> + Nick Clifton <nickc@redhat.com> + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch new file mode 100644 index 0000000000..611a276def --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17080.patch @@ -0,0 +1,78 @@ +From 80a0437873045cc08753fcac4af154e2931a99fd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 16 Nov 2017 14:53:32 +0000 +Subject: [PATCH] Prevent illegal memory accesses when parsing incorrecctly + formated core notes. + + PR 22421 + * elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough. + (elfcore_grok_openbsd_procinfo): Likewise. + (elfcore_grok_nto_status): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-17080 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/elf.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -9862,6 +9862,7 @@ elfcore_grok_freebsd_psinfo (bfd *abfd, + /* Check for version 1 in pr_version. */ + if (bfd_h_get_32 (abfd, (bfd_byte *) note->descdata) != 1) + return FALSE; ++ + offset = 4; + + /* Skip over pr_psinfosz. */ +@@ -10030,6 +10031,9 @@ elfcore_netbsd_get_lwpid (Elf_Internal_N + static bfd_boolean + elfcore_grok_netbsd_procinfo (bfd *abfd, Elf_Internal_Note *note) + { ++ if (note->descsz <= 0x7c + 31) ++ return FALSE; ++ + /* Signal number at offset 0x08. */ + elf_tdata (abfd)->core->signal + = bfd_h_get_32 (abfd, (bfd_byte *) note->descdata + 0x08); +@@ -10114,6 +10118,9 @@ elfcore_grok_netbsd_note (bfd *abfd, Elf + static bfd_boolean + elfcore_grok_openbsd_procinfo (bfd *abfd, Elf_Internal_Note *note) + { ++ if (note->descsz <= 0x48 + 31) ++ return FALSE; ++ + /* Signal number at offset 0x08. */ + elf_tdata (abfd)->core->signal + = bfd_h_get_32 (abfd, (bfd_byte *) note->descdata + 0x08); +@@ -10185,6 +10192,9 @@ elfcore_grok_nto_status (bfd *abfd, Elf_ + short sig; + unsigned flags; + ++ if (note->descsz < 16) ++ return FALSE; ++ + /* nto_procfs_status 'pid' field is at offset 0. */ + elf_tdata (abfd)->core->pid = bfd_get_32 (abfd, (bfd_byte *) ddata); + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-11-16 Nick Clifton <nickc@redhat.com> ++ ++ PR 22421 ++ * elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough. ++ (elfcore_grok_openbsd_procinfo): Likewise. ++ (elfcore_grok_nto_status): Likewise. ++ + 2017-10-31 Nick Clifton <nickc@redhat.com> + + PR 22373 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch new file mode 100644 index 0000000000..4b675f7b72 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17121.patch @@ -0,0 +1,366 @@ +From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 28 Nov 2017 13:20:31 +0000 +Subject: [PATCH] Fix a memory access violation when attempting to parse a + corrupt COFF binary with a relocation that points beyond the end of the + section to be relocated. + + PR 22506 + * reloc.c (reloc_offset_in_range): Rename to + bfd_reloc_offset_in_range and export. + (bfd_perform_relocation): Rename function invocation. + (bfd_install_relocation): Likewise. + (bfd_final_link_relocate): Likewise. + * bfd-in2.h: Regenerate. + * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range. + * coff-i386.c (coff_i386_reloc): Likewise. + * coff-i860.c (coff_i860_reloc): Likewise. + * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise. + * coff-m88k.c (m88k_special_reloc): Likewise. + * coff-mips.c (mips_reflo_reloc): Likewise. + * coff-x86_64.c (coff_amd64_reloc): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-17121 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 17 +++++++++++++++ + bfd/bfd-in2.h | 6 +++++ + bfd/coff-arm.c | 65 ++++++++++++++++++++++++++++++------------------------- + bfd/coff-i386.c | 5 +++++ + bfd/coff-i860.c | 5 +++++ + bfd/coff-m68k.c | 5 +++++ + bfd/coff-m88k.c | 9 +++++++- + bfd/coff-mips.c | 6 +++++ + bfd/coff-x86_64.c | 16 +++++--------- + bfd/reloc.c | 40 +++++++++++++++++++++++++++++----- + 10 files changed, 126 insertions(+), 48 deletions(-) + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h ++++ git/bfd/bfd-in2.h +@@ -2661,6 +2661,12 @@ bfd_reloc_status_type bfd_check_overflow + unsigned int addrsize, + bfd_vma relocation); + ++bfd_boolean bfd_reloc_offset_in_range ++ (reloc_howto_type *howto, ++ bfd *abfd, ++ asection *section, ++ bfd_size_type offset); ++ + bfd_reloc_status_type bfd_perform_relocation + (bfd *abfd, + arelent *reloc_entry, +Index: git/bfd/coff-arm.c +=================================================================== +--- git.orig/bfd/coff-arm.c ++++ git/bfd/coff-arm.c +@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd, + x = ((x & ~howto->dst_mask) \ + | (((x & howto->src_mask) + diff) & howto->dst_mask)) + +- if (diff != 0) +- { +- reloc_howto_type *howto = reloc_entry->howto; +- unsigned char *addr = (unsigned char *) data + reloc_entry->address; ++ if (diff != 0) ++ { ++ reloc_howto_type *howto = reloc_entry->howto; ++ unsigned char *addr = (unsigned char *) data + reloc_entry->address; ++ ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ ++ switch (howto->size) ++ { ++ case 0: ++ { ++ char x = bfd_get_8 (abfd, addr); ++ DOIT (x); ++ bfd_put_8 (abfd, x, addr); ++ } ++ break; + +- switch (howto->size) ++ case 1: + { +- case 0: +- { +- char x = bfd_get_8 (abfd, addr); +- DOIT (x); +- bfd_put_8 (abfd, x, addr); +- } +- break; +- +- case 1: +- { +- short x = bfd_get_16 (abfd, addr); +- DOIT (x); +- bfd_put_16 (abfd, (bfd_vma) x, addr); +- } +- break; +- +- case 2: +- { +- long x = bfd_get_32 (abfd, addr); +- DOIT (x); +- bfd_put_32 (abfd, (bfd_vma) x, addr); +- } +- break; ++ short x = bfd_get_16 (abfd, addr); ++ DOIT (x); ++ bfd_put_16 (abfd, (bfd_vma) x, addr); ++ } ++ break; + +- default: +- abort (); ++ case 2: ++ { ++ long x = bfd_get_32 (abfd, addr); ++ DOIT (x); ++ bfd_put_32 (abfd, (bfd_vma) x, addr); + } +- } ++ break; ++ ++ default: ++ abort (); ++ } ++ } + + /* Now let bfd_perform_relocation finish everything up. */ + return bfd_reloc_continue; +Index: git/bfd/coff-i386.c +=================================================================== +--- git.orig/bfd/coff-i386.c ++++ git/bfd/coff-i386.c +@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd, + reloc_howto_type *howto = reloc_entry->howto; + unsigned char *addr = (unsigned char *) data + reloc_entry->address; + ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ + switch (howto->size) + { + case 0: +Index: git/bfd/coff-i860.c +=================================================================== +--- git.orig/bfd/coff-i860.c ++++ git/bfd/coff-i860.c +@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd, + reloc_howto_type *howto = reloc_entry->howto; + unsigned char *addr = (unsigned char *) data + reloc_entry->address; + ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ + switch (howto->size) + { + case 0: +Index: git/bfd/coff-m68k.c +=================================================================== +--- git.orig/bfd/coff-m68k.c ++++ git/bfd/coff-m68k.c +@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd * + reloc_howto_type *howto = reloc_entry->howto; + unsigned char *addr = (unsigned char *) data + reloc_entry->address; + ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ + switch (howto->size) + { + case 0: +Index: git/bfd/coff-m88k.c +=================================================================== +--- git.orig/bfd/coff-m88k.c ++++ git/bfd/coff-m88k.c +@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd, + { + bfd_vma output_base = 0; + bfd_vma addr = reloc_entry->address; +- bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr); ++ bfd_vma x; + asection *reloc_target_output_section; + long relocation = 0; + ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ ++ x = bfd_get_16 (abfd, (bfd_byte *) data + addr); ++ + /* Work out which section the relocation is targeted at and the + initial relocation command value. */ + +Index: git/bfd/coff-mips.c +=================================================================== +--- git.orig/bfd/coff-mips.c ++++ git/bfd/coff-mips.c +@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UN + unsigned long vallo; + struct mips_hi *next; + ++ if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd, ++ input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; ++ + /* Do the REFHI relocation. Note that we actually don't + need to know anything about the REFLO itself, except + where to find the low 16 bits of the addend needed by the +Index: git/bfd/coff-x86_64.c +=================================================================== +--- git.orig/bfd/coff-x86_64.c ++++ git/bfd/coff-x86_64.c +@@ -143,16 +143,10 @@ coff_amd64_reloc (bfd *abfd, + reloc_howto_type *howto = reloc_entry->howto; + unsigned char *addr = (unsigned char *) data + reloc_entry->address; + +- /* FIXME: We do not have an end address for data, so we cannot +- accurately range check any addresses computed against it. +- cf: PR binutils/17512: file: 1085-1761-0.004. +- For now we do the best that we can. */ +- if (addr < (unsigned char *) data +- || addr > ((unsigned char *) data) + input_section->size) +- { +- bfd_set_error (bfd_error_bad_value); +- return bfd_reloc_notsupported; +- } ++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, ++ reloc_entry->address ++ * bfd_octets_per_byte (abfd))) ++ return bfd_reloc_outofrange; + + switch (howto->size) + { +Index: git/bfd/reloc.c +=================================================================== +--- git.orig/bfd/reloc.c ++++ git/bfd/reloc.c +@@ -538,12 +538,31 @@ bfd_check_overflow (enum complain_overfl + return flag; + } + ++/* ++FUNCTION ++ bfd_reloc_offset_in_range ++ ++SYNOPSIS ++ bfd_boolean bfd_reloc_offset_in_range ++ (reloc_howto_type *howto, ++ bfd *abfd, ++ asection *section, ++ bfd_size_type offset); ++ ++DESCRIPTION ++ Returns TRUE if the reloc described by @var{HOWTO} can be ++ applied at @var{OFFSET} octets in @var{SECTION}. ++ ++*/ ++ + /* HOWTO describes a relocation, at offset OCTET. Return whether the + relocation field is within SECTION of ABFD. */ + +-static bfd_boolean +-reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd, +- asection *section, bfd_size_type octet) ++bfd_boolean ++bfd_reloc_offset_in_range (reloc_howto_type *howto, ++ bfd *abfd, ++ asection *section, ++ bfd_size_type octet) + { + bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section); + bfd_size_type reloc_size = bfd_get_reloc_size (howto); +@@ -617,6 +636,11 @@ bfd_perform_relocation (bfd *abfd, + if (howto && howto->special_function) + { + bfd_reloc_status_type cont; ++ ++ /* Note - we do not call bfd_reloc_offset_in_range here as the ++ reloc_entry->address field might actually be valid for the ++ backend concerned. It is up to the special_function itself ++ to call bfd_reloc_offset_in_range if needed. */ + cont = howto->special_function (abfd, reloc_entry, symbol, data, + input_section, output_bfd, + error_message); +@@ -637,7 +661,7 @@ bfd_perform_relocation (bfd *abfd, + + /* Is the address of the relocation really within the section? */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (!reloc_offset_in_range (howto, abfd, input_section, octets)) ++ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1003,6 +1027,10 @@ bfd_install_relocation (bfd *abfd, + { + bfd_reloc_status_type cont; + ++ /* Note - we do not call bfd_reloc_offset_in_range here as the ++ reloc_entry->address field might actually be valid for the ++ backend concerned. It is up to the special_function itself ++ to call bfd_reloc_offset_in_range if needed. */ + /* XXX - The special_function calls haven't been fixed up to deal + with creating new relocations and section contents. */ + cont = howto->special_function (abfd, reloc_entry, symbol, +@@ -1025,7 +1053,7 @@ bfd_install_relocation (bfd *abfd, + + /* Is the address of the relocation really within the section? */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (!reloc_offset_in_range (howto, abfd, input_section, octets)) ++ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1363,7 +1391,7 @@ _bfd_final_link_relocate (reloc_howto_ty + bfd_size_type octets = address * bfd_octets_per_byte (input_bfd); + + /* Sanity check the address. */ +- if (!reloc_offset_in_range (howto, input_bfd, input_section, octets)) ++ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* This function assumes that we are dealing with a basic relocation +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,20 @@ ++2017-11-28 Nick Clifton <nickc@redhat.com> ++ ++ PR 22506 ++ * reloc.c (reloc_offset_in_range): Rename to ++ bfd_reloc_offset_in_range and export. ++ (bfd_perform_relocation): Rename function invocation. ++ (bfd_install_relocation): Likewise. ++ (bfd_final_link_relocate): Likewise. ++ * bfd-in2.h: Regenerate. ++ * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range. ++ * coff-i386.c (coff_i386_reloc): Likewise. ++ * coff-i860.c (coff_i860_reloc): Likewise. ++ * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise. ++ * coff-m88k.c (m88k_special_reloc): Likewise. ++ * coff-mips.c (mips_reflo_reloc): Likewise. ++ * coff-x86_64.c (coff_amd64_reloc): Likewise. ++ + 2017-11-16 Nick Clifton <nickc@redhat.com> + + PR 22421 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch new file mode 100644 index 0000000000..5ae749bcca --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch @@ -0,0 +1,58 @@ +From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 29 Nov 2017 12:40:43 +0000 +Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of + memory when parsing relocs in a corrupt file. + + PR 22508 + * objdump.c (dump_relocs_in_section): Also check the section's + relocation count to make sure that it is reasonable before + attempting to allocate space for the relocs. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-17122 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 7 +++++++ + binutils/objdump.c | 11 ++++++++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -3381,7 +3381,16 @@ dump_relocs_in_section (bfd *abfd, + } + + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 +- && (ufile_ptr) relsize > bfd_get_file_size (abfd)) ++ && (((ufile_ptr) relsize > bfd_get_file_size (abfd)) ++ /* Also check the section's reloc count since if this is negative ++ (or very large) the computation in bfd_get_reloc_upper_bound ++ may have resulted in returning a small, positive integer. ++ See PR 22508 for a reproducer. ++ ++ Note - we check against file size rather than section size as ++ it is possible for there to be more relocs that apply to a ++ section than there are bytes in that section. */ ++ || (section->reloc_count > bfd_get_file_size (abfd)))) + { + printf (" (too many: 0x%x)\n", section->reloc_count); + bfd_set_error (bfd_error_file_truncated); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,10 @@ ++2017-11-29 Nick Clifton <nickc@redhat.com> ++ ++ PR 22508 ++ * objdump.c (dump_relocs_in_section): Also check the section's ++ relocation count to make sure that it is reasonable before ++ attempting to allocate space for the relocs. ++ + 2017-11-02 Mingi Cho <mgcho.minic@gmail.com> + + PR 22384 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17123.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17123.patch new file mode 100644 index 0000000000..08412108da --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17123.patch @@ -0,0 +1,33 @@ +From 4581a1c7d304ce14e714b27522ebf3d0188d6543 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 29 Nov 2017 17:12:12 +0000 +Subject: [PATCH] Check for a NULL symbol pointer when reading relocs from a + COFF based file. + + PR 22509 + * coffcode.h (coff_slurp_reloc_table): Check for a NULL symbol + pointer when processing relocs. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-17123 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/coffcode.h | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/coffcode.h +=================================================================== +--- git.orig/bfd/coffcode.h ++++ git/bfd/coffcode.h +@@ -5326,7 +5326,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ + #else + cache_ptr->address = dst.r_vaddr; + +- if (dst.r_symndx != -1) ++ if (dst.r_symndx != -1 && symbols != NULL) + { + if (dst.r_symndx < 0 || dst.r_symndx >= obj_conv_table_size (abfd)) + { diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17124.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17124.patch new file mode 100644 index 0000000000..16f0768d95 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17124.patch @@ -0,0 +1,47 @@ +From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 28 Nov 2017 18:00:29 +0000 +Subject: [PATCH] Prevent a memory exhaustion problem when trying to read in + strings from a COFF binary with a corrupt string table size. + + PR 22507 + * coffgen.c (_bfd_coff_read_string_table): Check for an excessive + size of the external string table. + +Upstream-Status: Backport +Affects binutls <= 2.29.1 +CVE: CVE-2017-17124 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/coffgen.c | 4 ++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +Index: git/bfd/coffgen.c +=================================================================== +--- git.orig/bfd/coffgen.c ++++ git/bfd/coffgen.c +@@ -1709,7 +1709,7 @@ _bfd_coff_read_string_table (bfd *abfd) + #endif + } + +- if (strsize < STRING_SIZE_SIZE) ++ if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd)) + { + _bfd_error_handler + /* xgettext: c-format */ +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-28 Nick Clifton <nickc@redhat.com> ++ ++ PR 22507 ++ * coffgen.c (_bfd_coff_read_string_table): Check for an excessive ++ size of the external string table. ++ + 2018-03-28 Eric Botcazou <ebotcazou@adacore.com> + + PR ld/22972 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch new file mode 100644 index 0000000000..30dc6d5727 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17125.patch @@ -0,0 +1,129 @@ +From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 18 Nov 2017 23:18:22 +1030 +Subject: [PATCH] PR22443, Global buffer overflow in + _bfd_elf_get_symbol_version_string + +Symbols like *ABS* defined in bfd/section.c:global_syms are not +elf_symbol_type. They can appear on relocs and perhaps other places +in an ELF bfd, so a number of places in nm.c and objdump.c are wrong +to cast an asymbol based on the bfd being ELF. I think we lose +nothing by excluding all section symbols, not just the global_syms. + + PR 22443 + * nm.c (sort_symbols_by_size): Don't attempt to access + section symbol internal_elf_sym. + (print_symbol): Likewise. Don't call bfd_get_symbol_version_string + for section symbols. + * objdump.c (compare_symbols): Don't attempt to access + section symbol internal_elf_sym. + (objdump_print_symname): Don't call bfd_get_symbol_version_string + for section symbols. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-17125 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 12 ++++++++++++ + binutils/nm.c | 17 ++++++++++------- + binutils/objdump.c | 6 +++--- + 3 files changed, 25 insertions(+), 10 deletions(-) + +Index: git/binutils/nm.c +=================================================================== +--- git.orig/binutils/nm.c ++++ git/binutils/nm.c +@@ -765,7 +765,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boo + asection *sec; + bfd_vma sz; + asymbol *temp; +- int synthetic = (sym->flags & BSF_SYNTHETIC); + + if (from + size < fromend) + { +@@ -782,10 +781,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boo + sec = bfd_get_section (sym); + + /* Synthetic symbols don't have a full type set of data available, thus +- we can't rely on that information for the symbol size. */ +- if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour) ++ we can't rely on that information for the symbol size. Ditto for ++ bfd/section.c:global_syms like *ABS*. */ ++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 ++ && bfd_get_flavour (abfd) == bfd_target_elf_flavour) + sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size; +- else if (!synthetic && bfd_is_com_section (sec)) ++ else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 ++ && bfd_is_com_section (sec)) + sz = sym->value; + else + { +@@ -874,8 +876,9 @@ print_symbol (bfd * abfd, + + info.sinfo = &syminfo; + info.ssize = ssize; +- /* Synthetic symbols do not have a full symbol type set of data available. */ +- if ((sym->flags & BSF_SYNTHETIC) != 0) ++ /* Synthetic symbols do not have a full symbol type set of data available. ++ Nor do bfd/section.c:global_syms like *ABS*. */ ++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0) + { + info.elfinfo = NULL; + info.coffinfo = NULL; +@@ -893,7 +896,7 @@ print_symbol (bfd * abfd, + const char * version_string = NULL; + bfd_boolean hidden = FALSE; + +- if ((sym->flags & BSF_SYNTHETIC) == 0) ++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) + version_string = bfd_get_symbol_version_string (abfd, sym, &hidden); + + if (bfd_is_und_section (bfd_get_section (sym))) +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const v + bfd_vma asz, bsz; + + asz = 0; +- if ((a->flags & BSF_SYNTHETIC) == 0) ++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) + asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; + bsz = 0; +- if ((b->flags & BSF_SYNTHETIC) == 0) ++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) + bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; + if (asz != bsz) + return asz > bsz ? -1 : 1; +@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct + name = alloc; + } + +- if ((sym->flags & BSF_SYNTHETIC) == 0) ++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) + version_string = bfd_get_symbol_version_string (abfd, sym, &hidden); + + if (bfd_is_und_section (bfd_get_section (sym))) +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,15 @@ ++2017-11-18 Alan Modra <amodra@gmail.com> ++ ++ PR 22443 ++ * nm.c (sort_symbols_by_size): Don't attempt to access ++ section symbol internal_elf_sym. ++ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string ++ for section symbols. ++ * objdump.c (compare_symbols): Don't attempt to access ++ section symbol internal_elf_sym. ++ (objdump_print_symname): Don't call bfd_get_symbol_version_string ++ for section symbols. ++ + 2017-11-29 Nick Clifton <nickc@redhat.com> + + PR 22508 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch new file mode 100644 index 0000000000..caaaf2317e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch @@ -0,0 +1,58 @@ +From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 17 Apr 2018 12:35:55 +0100 +Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF + information. + + PR 23064 + * dwarf.c (process_cu_tu_index): Test for a potential buffer + overrun before copying signature pointer. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-10372 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/dwarf.c | 13 ++++++++++++- + 2 files changed, 18 insertions(+), 1 deletion(-) + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c ++++ git/binutils/dwarf.c +@@ -8526,7 +8526,18 @@ process_cu_tu_index (struct dwarf_sectio + } + + if (!do_display) +- memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); ++ { ++ size_t num_copy = sizeof (uint64_t); ++ ++ /* PR 23064: Beware of buffer overflow. */ ++ if (ph + num_copy < limit) ++ memcpy (&this_set[row - 1].signature, ph, num_copy); ++ else ++ { ++ warn (_("Signature (%p) extends beyond end of space in section\n"), ph); ++ return 0; ++ } ++ } + + prow = poffsets + (row - 1) * ncols * 4; + /* PR 17531: file: b8ce60a8. */ +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2018-04-17 Nick Clifton <nickc@redhat.com> ++ ++ PR 23064 ++ * dwarf.c (process_cu_tu_index): Test for a potential buffer ++ overrun before copying signature pointer. ++ + 2017-11-18 Alan Modra <amodra@gmail.com> + + PR 22443 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch new file mode 100644 index 0000000000..963d767f84 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch @@ -0,0 +1,45 @@ +From 6327533b1fd29fa86f6bf34e61c332c010e3c689 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 17 Apr 2018 14:30:07 +0100 +Subject: [PATCH] Add a check for a NULL table pointer before attempting to + compute a DWARF filename. + + PR 23065 + * dwarf2.c (concat_filename): Check for a NULL table pointer. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-10373 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/dwarf2.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1587,7 +1587,7 @@ concat_filename (struct line_info_table + { + char *filename; + +- if (file - 1 >= table->num_files) ++ if (table == NULL || file - 1 >= table->num_files) + { + /* FILE == 0 means unknown. */ + if (file) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2018-04-17 Nick Clifton <nickc@redhat.com> ++ ++ PR 23065 ++ * dwarf2.c (concat_filename): Check for a NULL table pointer. ++ + 2017-11-28 Nick Clifton <nickc@redhat.com> + + PR 22506 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch new file mode 100644 index 0000000000..27e86285a2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch @@ -0,0 +1,2443 @@ +From aa4a8c2a2a67545e90c877162c53cc9de42dc8b4 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 24 Apr 2018 16:31:27 +0100 +Subject: [PATCH] Fix an illegal memory access when copying a PE format file + with corrupt debug information. + + PR 23110 + * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for + a negative PE_DEBUG_DATA size before iterating over the debug data. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-10534 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 + + bfd/peXXigen.c | 9 + + bfd/po/bfd.pot | 5631 ++++++++++++++++++++++++++------------------------------ + 3 files changed, 2662 insertions(+), 2984 deletions(-) + +Index: git/bfd/peXXigen.c +=================================================================== +--- git.orig/bfd/peXXigen.c ++++ git/bfd/peXXigen.c +@@ -2991,6 +2991,15 @@ _bfd_XX_bfd_copy_private_bfd_data_common + bfd_get_section_size (section) - (addr - section->vma)); + return FALSE; + } ++ /* PR 23110. */ ++ else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler ++ (_("%pB: Data Directory size (%#lx) is negative"), ++ obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size); ++ return FALSE; ++ } + + for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size + / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++) +Index: git/bfd/po/bfd.pot +=================================================================== +--- git.orig/bfd/po/bfd.pot ++++ git/bfd/po/bfd.pot +@@ -6119,1961 +6119,1932 @@ msgstr "" + #. Rotate. + #. Redefine symbol to current location. + #. Define a literal. +-#: vms-alpha.c:2115 vms-alpha.c:2146 vms-alpha.c:2237 vms-alpha.c:2395 ++#: vms-alpha.c:2116 vms-alpha.c:2147 vms-alpha.c:2238 vms-alpha.c:2396 + #, c-format + msgid "%s: not supported" + msgstr "" + +-#: vms-alpha.c:2121 ++#: vms-alpha.c:2122 + #, c-format + msgid "%s: not implemented" + msgstr "" + +-#: vms-alpha.c:2379 ++#: vms-alpha.c:2380 + #, c-format + msgid "invalid use of %s with contexts" + msgstr "" + +-#: vms-alpha.c:2413 ++#: vms-alpha.c:2414 + #, c-format + msgid "reserved cmd %d" + msgstr "" + +-#: vms-alpha.c:2497 +-msgid "Corrupt EEOM record - size is too small" ++#: vms-alpha.c:2498 ++msgid "corrupt EEOM record - size is too small" + msgstr "" + +-#: vms-alpha.c:2506 +-msgid "Object module NOT error-free !\n" ++#: vms-alpha.c:2507 ++msgid "object module not error-free !" + msgstr "" + +-#: vms-alpha.c:3830 ++#: vms-alpha.c:3831 + #, c-format +-msgid "SEC_RELOC with no relocs in section %A" ++msgid "SEC_RELOC with no relocs in section %pA" + msgstr "" + +-#: vms-alpha.c:3882 vms-alpha.c:4095 ++#: vms-alpha.c:3883 vms-alpha.c:4096 + #, c-format +-msgid "Size error in section %A" ++msgid "size error in section %pA" + msgstr "" + +-#: vms-alpha.c:4041 +-msgid "Spurious ALPHA_R_BSR reloc" ++#: vms-alpha.c:4042 ++msgid "spurious ALPHA_R_BSR reloc" + msgstr "" + +-#: vms-alpha.c:4082 ++#: vms-alpha.c:4083 + #, c-format +-msgid "Unhandled relocation %s" ++msgid "unhandled relocation %s" + msgstr "" + +-#: vms-alpha.c:4375 ++#: vms-alpha.c:4376 + #, c-format + msgid "unknown source command %d" + msgstr "" + +-#: vms-alpha.c:4436 +-msgid "DST__K_SET_LINUM_INCR not implemented" +-msgstr "" +- +-#: vms-alpha.c:4442 +-msgid "DST__K_SET_LINUM_INCR_W not implemented" +-msgstr "" +- +-#: vms-alpha.c:4448 +-msgid "DST__K_RESET_LINUM_INCR not implemented" +-msgstr "" +- +-#: vms-alpha.c:4454 +-msgid "DST__K_BEG_STMT_MODE not implemented" +-msgstr "" +- +-#: vms-alpha.c:4460 +-msgid "DST__K_END_STMT_MODE not implemented" +-msgstr "" +- +-#: vms-alpha.c:4487 +-msgid "DST__K_SET_PC not implemented" +-msgstr "" +- +-#: vms-alpha.c:4493 +-msgid "DST__K_SET_PC_W not implemented" +-msgstr "" +- +-#: vms-alpha.c:4499 +-msgid "DST__K_SET_PC_L not implemented" +-msgstr "" +- +-#: vms-alpha.c:4505 +-msgid "DST__K_SET_STMTNUM not implemented" ++#: vms-alpha.c:4437 vms-alpha.c:4443 vms-alpha.c:4449 vms-alpha.c:4455 ++#: vms-alpha.c:4461 vms-alpha.c:4488 vms-alpha.c:4494 vms-alpha.c:4500 ++#: vms-alpha.c:4506 ++#, c-format ++msgid "%s not implemented" + msgstr "" + +-#: vms-alpha.c:4548 ++#: vms-alpha.c:4549 + #, c-format + msgid "unknown line command %d" + msgstr "" + +-#: vms-alpha.c:5008 vms-alpha.c:5026 vms-alpha.c:5041 vms-alpha.c:5057 +-#: vms-alpha.c:5070 vms-alpha.c:5082 vms-alpha.c:5095 ++#: vms-alpha.c:5009 vms-alpha.c:5027 vms-alpha.c:5042 vms-alpha.c:5058 ++#: vms-alpha.c:5071 vms-alpha.c:5083 vms-alpha.c:5096 + #, c-format +-msgid "Unknown reloc %s + %s" ++msgid "unknown reloc %s + %s" + msgstr "" + +-#: vms-alpha.c:5150 ++#: vms-alpha.c:5151 + #, c-format +-msgid "Unknown reloc %s" ++msgid "unknown reloc %s" + msgstr "" + +-#: vms-alpha.c:5163 +-msgid "Invalid section index in ETIR" ++#: vms-alpha.c:5164 ++msgid "invalid section index in ETIR" + msgstr "" + +-#: vms-alpha.c:5172 +-msgid "Relocation for non-REL psect" ++#: vms-alpha.c:5173 ++msgid "relocation for non-REL psect" + msgstr "" + +-#: vms-alpha.c:5219 ++#: vms-alpha.c:5220 + #, c-format +-msgid "Unknown symbol in command %s" ++msgid "unknown symbol in command %s" + msgstr "" + +-#: vms-alpha.c:5629 ++#: vms-alpha.c:5630 + #, c-format + msgid "reloc (%d) is *UNKNOWN*" + msgstr "" + +-#: vms-alpha.c:5745 ++#: vms-alpha.c:5746 + #, c-format + msgid " EMH %u (len=%u): " + msgstr "" + +-#: vms-alpha.c:5750 ++#: vms-alpha.c:5751 + #, c-format + msgid " Error: The length is less than the length of an EMH record\n" + msgstr "" + +-#: vms-alpha.c:5767 ++#: vms-alpha.c:5768 + #, c-format + msgid "" + " Error: The record length is less than the size of an EMH_MHD record\n" + msgstr "" + +-#: vms-alpha.c:5770 ++#: vms-alpha.c:5771 + #, c-format + msgid "Module header\n" + msgstr "" + +-#: vms-alpha.c:5771 ++#: vms-alpha.c:5772 + #, c-format + msgid " structure level: %u\n" + msgstr "" + +-#: vms-alpha.c:5772 ++#: vms-alpha.c:5773 + #, c-format + msgid " max record size: %u\n" + msgstr "" + +-#: vms-alpha.c:5778 ++#: vms-alpha.c:5779 + #, c-format + msgid " Error: The module name is missing\n" + msgstr "" + +-#: vms-alpha.c:5784 ++#: vms-alpha.c:5785 + #, c-format + msgid " Error: The module name is too long\n" + msgstr "" + +-#: vms-alpha.c:5787 ++#: vms-alpha.c:5788 + #, c-format + msgid " module name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:5791 ++#: vms-alpha.c:5792 + #, c-format + msgid " Error: The module version is missing\n" + msgstr "" + +-#: vms-alpha.c:5797 ++#: vms-alpha.c:5798 + #, c-format + msgid " Error: The module version is too long\n" + msgstr "" + +-#: vms-alpha.c:5800 ++#: vms-alpha.c:5801 + #, c-format + msgid " module version : %.*s\n" + msgstr "" + +-#: vms-alpha.c:5803 ++#: vms-alpha.c:5804 + #, c-format + msgid " Error: The compile date is truncated\n" + msgstr "" + +-#: vms-alpha.c:5805 ++#: vms-alpha.c:5806 + #, c-format + msgid " compile date : %.17s\n" + msgstr "" + +-#: vms-alpha.c:5810 ++#: vms-alpha.c:5811 + #, c-format + msgid "Language Processor Name\n" + msgstr "" + +-#: vms-alpha.c:5811 ++#: vms-alpha.c:5812 + #, c-format + msgid " language name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:5815 ++#: vms-alpha.c:5816 + #, c-format + msgid "Source Files Header\n" + msgstr "" + +-#: vms-alpha.c:5816 ++#: vms-alpha.c:5817 + #, c-format + msgid " file: %.*s\n" + msgstr "" + +-#: vms-alpha.c:5820 ++#: vms-alpha.c:5821 + #, c-format + msgid "Title Text Header\n" + msgstr "" + +-#: vms-alpha.c:5821 ++#: vms-alpha.c:5822 + #, c-format + msgid " title: %.*s\n" + msgstr "" + +-#: vms-alpha.c:5825 ++#: vms-alpha.c:5826 + #, c-format + msgid "Copyright Header\n" + msgstr "" + +-#: vms-alpha.c:5826 ++#: vms-alpha.c:5827 + #, c-format + msgid " copyright: %.*s\n" + msgstr "" + +-#: vms-alpha.c:5830 ++#: vms-alpha.c:5831 + #, c-format + msgid "unhandled emh subtype %u\n" + msgstr "" + +-#: vms-alpha.c:5840 ++#: vms-alpha.c:5841 + #, c-format + msgid " EEOM (len=%u):\n" + msgstr "" + +-#: vms-alpha.c:5845 ++#: vms-alpha.c:5846 + #, c-format + msgid " Error: The length is less than the length of an EEOM record\n" + msgstr "" + +-#: vms-alpha.c:5849 ++#: vms-alpha.c:5850 + #, c-format + msgid " number of cond linkage pairs: %u\n" + msgstr "" + +-#: vms-alpha.c:5851 ++#: vms-alpha.c:5852 + #, c-format + msgid " completion code: %u\n" + msgstr "" + +-#: vms-alpha.c:5855 ++#: vms-alpha.c:5856 + #, c-format + msgid " transfer addr flags: 0x%02x\n" + msgstr "" + +-#: vms-alpha.c:5856 ++#: vms-alpha.c:5857 + #, c-format + msgid " transfer addr psect: %u\n" + msgstr "" + +-#: vms-alpha.c:5858 ++#: vms-alpha.c:5859 + #, c-format + msgid " transfer address : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:5867 ++#: vms-alpha.c:5868 + msgid " WEAK" + msgstr "" + +-#: vms-alpha.c:5869 ++#: vms-alpha.c:5870 + msgid " DEF" + msgstr "" + +-#: vms-alpha.c:5871 ++#: vms-alpha.c:5872 + msgid " UNI" + msgstr "" + +-#: vms-alpha.c:5873 vms-alpha.c:5894 ++#: vms-alpha.c:5874 vms-alpha.c:5895 + msgid " REL" + msgstr "" + +-#: vms-alpha.c:5875 ++#: vms-alpha.c:5876 + msgid " COMM" + msgstr "" + +-#: vms-alpha.c:5877 ++#: vms-alpha.c:5878 + msgid " VECEP" + msgstr "" + +-#: vms-alpha.c:5879 ++#: vms-alpha.c:5880 + msgid " NORM" + msgstr "" + +-#: vms-alpha.c:5881 ++#: vms-alpha.c:5882 + msgid " QVAL" + msgstr "" + +-#: vms-alpha.c:5888 ++#: vms-alpha.c:5889 + msgid " PIC" + msgstr "" + +-#: vms-alpha.c:5890 ++#: vms-alpha.c:5891 + msgid " LIB" + msgstr "" + +-#: vms-alpha.c:5892 ++#: vms-alpha.c:5893 + msgid " OVR" + msgstr "" + +-#: vms-alpha.c:5896 ++#: vms-alpha.c:5897 + msgid " GBL" + msgstr "" + +-#: vms-alpha.c:5898 ++#: vms-alpha.c:5899 + msgid " SHR" + msgstr "" + +-#: vms-alpha.c:5900 ++#: vms-alpha.c:5901 + msgid " EXE" + msgstr "" + +-#: vms-alpha.c:5902 ++#: vms-alpha.c:5903 + msgid " RD" + msgstr "" + +-#: vms-alpha.c:5904 ++#: vms-alpha.c:5905 + msgid " WRT" + msgstr "" + +-#: vms-alpha.c:5906 ++#: vms-alpha.c:5907 + msgid " VEC" + msgstr "" + +-#: vms-alpha.c:5908 ++#: vms-alpha.c:5909 + msgid " NOMOD" + msgstr "" + +-#: vms-alpha.c:5910 ++#: vms-alpha.c:5911 + msgid " COM" + msgstr "" + +-#: vms-alpha.c:5912 ++#: vms-alpha.c:5913 + msgid " 64B" + msgstr "" + +-#: vms-alpha.c:5921 ++#: vms-alpha.c:5922 + #, c-format + msgid " EGSD (len=%u):\n" + msgstr "" + +-#: vms-alpha.c:5934 ++#: vms-alpha.c:5935 + #, c-format + msgid " EGSD entry %2u (type: %u, len: %u): " + msgstr "" + +-#: vms-alpha.c:5940 vms-alpha.c:6191 ++#: vms-alpha.c:5941 vms-alpha.c:6192 + #, c-format + msgid " Error: length larger than remaining space in record\n" + msgstr "" + +-#: vms-alpha.c:5952 ++#: vms-alpha.c:5953 + #, c-format + msgid "PSC - Program section definition\n" + msgstr "" + +-#: vms-alpha.c:5953 vms-alpha.c:5970 ++#: vms-alpha.c:5954 vms-alpha.c:5971 + #, c-format + msgid " alignment : 2**%u\n" + msgstr "" + +-#: vms-alpha.c:5954 vms-alpha.c:5971 ++#: vms-alpha.c:5955 vms-alpha.c:5972 + #, c-format + msgid " flags : 0x%04x" + msgstr "" + +-#: vms-alpha.c:5958 ++#: vms-alpha.c:5959 + #, c-format + msgid " alloc (len): %u (0x%08x)\n" + msgstr "" + +-#: vms-alpha.c:5959 vms-alpha.c:6016 vms-alpha.c:6065 ++#: vms-alpha.c:5960 vms-alpha.c:6017 vms-alpha.c:6066 + #, c-format + msgid " name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:5969 ++#: vms-alpha.c:5970 + #, c-format + msgid "SPSC - Shared Image Program section def\n" + msgstr "" + +-#: vms-alpha.c:5975 ++#: vms-alpha.c:5976 + #, c-format + msgid " alloc (len) : %u (0x%08x)\n" + msgstr "" + +-#: vms-alpha.c:5976 ++#: vms-alpha.c:5977 + #, c-format + msgid " image offset : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:5978 ++#: vms-alpha.c:5979 + #, c-format + msgid " symvec offset : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:5980 ++#: vms-alpha.c:5981 + #, c-format + msgid " name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:5993 ++#: vms-alpha.c:5994 + #, c-format + msgid "SYM - Global symbol definition\n" + msgstr "" + +-#: vms-alpha.c:5994 vms-alpha.c:6054 vms-alpha.c:6075 vms-alpha.c:6094 ++#: vms-alpha.c:5995 vms-alpha.c:6055 vms-alpha.c:6076 vms-alpha.c:6095 + #, c-format + msgid " flags: 0x%04x" + msgstr "" + +-#: vms-alpha.c:5997 ++#: vms-alpha.c:5998 + #, c-format + msgid " psect offset: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6001 ++#: vms-alpha.c:6002 + #, c-format + msgid " code address: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6003 ++#: vms-alpha.c:6004 + #, c-format + msgid " psect index for entry point : %u\n" + msgstr "" + +-#: vms-alpha.c:6006 vms-alpha.c:6082 vms-alpha.c:6101 ++#: vms-alpha.c:6007 vms-alpha.c:6083 vms-alpha.c:6102 + #, c-format + msgid " psect index : %u\n" + msgstr "" + +-#: vms-alpha.c:6008 vms-alpha.c:6084 vms-alpha.c:6103 ++#: vms-alpha.c:6009 vms-alpha.c:6085 vms-alpha.c:6104 + #, c-format + msgid " name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:6015 ++#: vms-alpha.c:6016 + #, c-format + msgid "SYM - Global symbol reference\n" + msgstr "" + +-#: vms-alpha.c:6027 ++#: vms-alpha.c:6028 + #, c-format + msgid "IDC - Ident Consistency check\n" + msgstr "" + +-#: vms-alpha.c:6028 ++#: vms-alpha.c:6029 + #, c-format + msgid " flags : 0x%08x" + msgstr "" + +-#: vms-alpha.c:6032 ++#: vms-alpha.c:6033 + #, c-format + msgid " id match : %x\n" + msgstr "" + +-#: vms-alpha.c:6034 ++#: vms-alpha.c:6035 + #, c-format + msgid " error severity: %x\n" + msgstr "" + +-#: vms-alpha.c:6037 ++#: vms-alpha.c:6038 + #, c-format + msgid " entity name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:6039 ++#: vms-alpha.c:6040 + #, c-format + msgid " object name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:6042 ++#: vms-alpha.c:6043 + #, c-format + msgid " binary ident : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6045 ++#: vms-alpha.c:6046 + #, c-format + msgid " ascii ident : %.*s\n" + msgstr "" + +-#: vms-alpha.c:6053 ++#: vms-alpha.c:6054 + #, c-format + msgid "SYMG - Universal symbol definition\n" + msgstr "" + +-#: vms-alpha.c:6057 ++#: vms-alpha.c:6058 + #, c-format + msgid " symbol vector offset: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6059 ++#: vms-alpha.c:6060 + #, c-format + msgid " entry point: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6061 ++#: vms-alpha.c:6062 + #, c-format + msgid " proc descr : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6063 ++#: vms-alpha.c:6064 + #, c-format + msgid " psect index: %u\n" + msgstr "" + +-#: vms-alpha.c:6074 ++#: vms-alpha.c:6075 + #, c-format + msgid "SYMV - Vectored symbol definition\n" + msgstr "" + +-#: vms-alpha.c:6078 ++#: vms-alpha.c:6079 + #, c-format + msgid " vector : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6080 vms-alpha.c:6099 ++#: vms-alpha.c:6081 vms-alpha.c:6100 + #, c-format + msgid " psect offset: %u\n" + msgstr "" + +-#: vms-alpha.c:6093 ++#: vms-alpha.c:6094 + #, c-format + msgid "SYMM - Global symbol definition with version\n" + msgstr "" + +-#: vms-alpha.c:6097 ++#: vms-alpha.c:6098 + #, c-format + msgid " version mask: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6108 ++#: vms-alpha.c:6109 + #, c-format + msgid "unhandled egsd entry type %u\n" + msgstr "" + +-#: vms-alpha.c:6143 ++#: vms-alpha.c:6144 + #, c-format + msgid " linkage index: %u, replacement insn: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6147 ++#: vms-alpha.c:6148 + #, c-format + msgid " psect idx 1: %u, offset 1: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6152 ++#: vms-alpha.c:6153 + #, c-format + msgid " psect idx 2: %u, offset 2: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6158 ++#: vms-alpha.c:6159 + #, c-format + msgid " psect idx 3: %u, offset 3: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6163 ++#: vms-alpha.c:6164 + #, c-format + msgid " global name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:6174 ++#: vms-alpha.c:6175 + #, c-format + msgid " %s (len=%u+%u):\n" + msgstr "" + +-#: vms-alpha.c:6196 ++#: vms-alpha.c:6197 + #, c-format + msgid " (type: %3u, size: 4+%3u): " + msgstr "" + +-#: vms-alpha.c:6200 ++#: vms-alpha.c:6201 + #, c-format + msgid "STA_GBL (stack global) %.*s\n" + msgstr "" + +-#: vms-alpha.c:6204 ++#: vms-alpha.c:6205 + #, c-format + msgid "STA_LW (stack longword) 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6208 ++#: vms-alpha.c:6209 + #, c-format + msgid "STA_QW (stack quadword) 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6213 ++#: vms-alpha.c:6214 + #, c-format + msgid "STA_PQ (stack psect base + offset)\n" + msgstr "" + +-#: vms-alpha.c:6215 ++#: vms-alpha.c:6216 + #, c-format + msgid " psect: %u, offset: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6221 ++#: vms-alpha.c:6222 + #, c-format + msgid "STA_LI (stack literal)\n" + msgstr "" + +-#: vms-alpha.c:6224 ++#: vms-alpha.c:6225 + #, c-format + msgid "STA_MOD (stack module)\n" + msgstr "" + +-#: vms-alpha.c:6227 ++#: vms-alpha.c:6228 + #, c-format + msgid "STA_CKARG (compare procedure argument)\n" + msgstr "" + +-#: vms-alpha.c:6231 ++#: vms-alpha.c:6232 + #, c-format + msgid "STO_B (store byte)\n" + msgstr "" + +-#: vms-alpha.c:6234 ++#: vms-alpha.c:6235 + #, c-format + msgid "STO_W (store word)\n" + msgstr "" + +-#: vms-alpha.c:6237 ++#: vms-alpha.c:6238 + #, c-format + msgid "STO_LW (store longword)\n" + msgstr "" + +-#: vms-alpha.c:6240 ++#: vms-alpha.c:6241 + #, c-format + msgid "STO_QW (store quadword)\n" + msgstr "" + +-#: vms-alpha.c:6246 ++#: vms-alpha.c:6247 + #, c-format + msgid "STO_IMMR (store immediate repeat) %u bytes\n" + msgstr "" + +-#: vms-alpha.c:6253 ++#: vms-alpha.c:6254 + #, c-format + msgid "STO_GBL (store global) %.*s\n" + msgstr "" + +-#: vms-alpha.c:6257 ++#: vms-alpha.c:6258 + #, c-format + msgid "STO_CA (store code address) %.*s\n" + msgstr "" + +-#: vms-alpha.c:6261 ++#: vms-alpha.c:6262 + #, c-format + msgid "STO_RB (store relative branch)\n" + msgstr "" + +-#: vms-alpha.c:6264 ++#: vms-alpha.c:6265 + #, c-format + msgid "STO_AB (store absolute branch)\n" + msgstr "" + +-#: vms-alpha.c:6267 ++#: vms-alpha.c:6268 + #, c-format + msgid "STO_OFF (store offset to psect)\n" + msgstr "" + +-#: vms-alpha.c:6273 ++#: vms-alpha.c:6274 + #, c-format + msgid "STO_IMM (store immediate) %u bytes\n" + msgstr "" + +-#: vms-alpha.c:6280 ++#: vms-alpha.c:6281 + #, c-format + msgid "STO_GBL_LW (store global longword) %.*s\n" + msgstr "" + +-#: vms-alpha.c:6284 ++#: vms-alpha.c:6285 + #, c-format + msgid "STO_OFF (store LP with procedure signature)\n" + msgstr "" + +-#: vms-alpha.c:6287 ++#: vms-alpha.c:6288 + #, c-format + msgid "STO_BR_GBL (store branch global) *todo*\n" + msgstr "" + +-#: vms-alpha.c:6290 ++#: vms-alpha.c:6291 + #, c-format + msgid "STO_BR_PS (store branch psect + offset) *todo*\n" + msgstr "" + +-#: vms-alpha.c:6294 ++#: vms-alpha.c:6295 + #, c-format + msgid "OPR_NOP (no-operation)\n" + msgstr "" + +-#: vms-alpha.c:6297 ++#: vms-alpha.c:6298 + #, c-format + msgid "OPR_ADD (add)\n" + msgstr "" + +-#: vms-alpha.c:6300 ++#: vms-alpha.c:6301 + #, c-format + msgid "OPR_SUB (subtract)\n" + msgstr "" + +-#: vms-alpha.c:6303 ++#: vms-alpha.c:6304 + #, c-format + msgid "OPR_MUL (multiply)\n" + msgstr "" + +-#: vms-alpha.c:6306 ++#: vms-alpha.c:6307 + #, c-format + msgid "OPR_DIV (divide)\n" + msgstr "" + +-#: vms-alpha.c:6309 ++#: vms-alpha.c:6310 + #, c-format + msgid "OPR_AND (logical and)\n" + msgstr "" + +-#: vms-alpha.c:6312 ++#: vms-alpha.c:6313 + #, c-format + msgid "OPR_IOR (logical inclusive or)\n" + msgstr "" + +-#: vms-alpha.c:6315 ++#: vms-alpha.c:6316 + #, c-format + msgid "OPR_EOR (logical exclusive or)\n" + msgstr "" + +-#: vms-alpha.c:6318 ++#: vms-alpha.c:6319 + #, c-format + msgid "OPR_NEG (negate)\n" + msgstr "" + +-#: vms-alpha.c:6321 ++#: vms-alpha.c:6322 + #, c-format + msgid "OPR_COM (complement)\n" + msgstr "" + +-#: vms-alpha.c:6324 ++#: vms-alpha.c:6325 + #, c-format + msgid "OPR_INSV (insert field)\n" + msgstr "" + +-#: vms-alpha.c:6327 ++#: vms-alpha.c:6328 + #, c-format + msgid "OPR_ASH (arithmetic shift)\n" + msgstr "" + +-#: vms-alpha.c:6330 ++#: vms-alpha.c:6331 + #, c-format + msgid "OPR_USH (unsigned shift)\n" + msgstr "" + +-#: vms-alpha.c:6333 ++#: vms-alpha.c:6334 + #, c-format + msgid "OPR_ROT (rotate)\n" + msgstr "" + +-#: vms-alpha.c:6336 ++#: vms-alpha.c:6337 + #, c-format + msgid "OPR_SEL (select)\n" + msgstr "" + +-#: vms-alpha.c:6339 ++#: vms-alpha.c:6340 + #, c-format + msgid "OPR_REDEF (redefine symbol to curr location)\n" + msgstr "" + +-#: vms-alpha.c:6342 ++#: vms-alpha.c:6343 + #, c-format + msgid "OPR_REDEF (define a literal)\n" + msgstr "" + +-#: vms-alpha.c:6346 ++#: vms-alpha.c:6347 + #, c-format + msgid "STC_LP (store cond linkage pair)\n" + msgstr "" + +-#: vms-alpha.c:6350 ++#: vms-alpha.c:6351 + #, c-format + msgid "STC_LP_PSB (store cond linkage pair + signature)\n" + msgstr "" + +-#: vms-alpha.c:6352 ++#: vms-alpha.c:6353 + #, c-format + msgid " linkage index: %u, procedure: %.*s\n" + msgstr "" + +-#: vms-alpha.c:6355 ++#: vms-alpha.c:6356 + #, c-format + msgid " signature: %.*s\n" + msgstr "" + +-#: vms-alpha.c:6358 ++#: vms-alpha.c:6359 + #, c-format + msgid "STC_GBL (store cond global)\n" + msgstr "" + +-#: vms-alpha.c:6360 ++#: vms-alpha.c:6361 + #, c-format + msgid " linkage index: %u, global: %.*s\n" + msgstr "" + +-#: vms-alpha.c:6364 ++#: vms-alpha.c:6365 + #, c-format + msgid "STC_GCA (store cond code address)\n" + msgstr "" + +-#: vms-alpha.c:6366 ++#: vms-alpha.c:6367 + #, c-format + msgid " linkage index: %u, procedure name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:6370 ++#: vms-alpha.c:6371 + #, c-format + msgid "STC_PS (store cond psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6373 ++#: vms-alpha.c:6374 + #, c-format + msgid " linkage index: %u, psect: %u, offset: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:6380 ++#: vms-alpha.c:6381 + #, c-format + msgid "STC_NOP_GBL (store cond NOP at global addr)\n" + msgstr "" + +-#: vms-alpha.c:6384 ++#: vms-alpha.c:6385 + #, c-format + msgid "STC_NOP_PS (store cond NOP at psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6388 ++#: vms-alpha.c:6389 + #, c-format + msgid "STC_BSR_GBL (store cond BSR at global addr)\n" + msgstr "" + +-#: vms-alpha.c:6392 ++#: vms-alpha.c:6393 + #, c-format + msgid "STC_BSR_PS (store cond BSR at psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6396 ++#: vms-alpha.c:6397 + #, c-format + msgid "STC_LDA_GBL (store cond LDA at global addr)\n" + msgstr "" + +-#: vms-alpha.c:6400 ++#: vms-alpha.c:6401 + #, c-format + msgid "STC_LDA_PS (store cond LDA at psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6404 ++#: vms-alpha.c:6405 + #, c-format + msgid "STC_BOH_GBL (store cond BOH at global addr)\n" + msgstr "" + +-#: vms-alpha.c:6408 ++#: vms-alpha.c:6409 + #, c-format + msgid "STC_BOH_PS (store cond BOH at psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6413 ++#: vms-alpha.c:6414 + #, c-format + msgid "STC_NBH_GBL (store cond or hint at global addr)\n" + msgstr "" + +-#: vms-alpha.c:6417 ++#: vms-alpha.c:6418 + #, c-format + msgid "STC_NBH_PS (store cond or hint at psect + offset)\n" + msgstr "" + +-#: vms-alpha.c:6421 ++#: vms-alpha.c:6422 + #, c-format + msgid "CTL_SETRB (set relocation base)\n" + msgstr "" + +-#: vms-alpha.c:6427 ++#: vms-alpha.c:6428 + #, c-format + msgid "CTL_AUGRB (augment relocation base) %u\n" + msgstr "" + +-#: vms-alpha.c:6431 ++#: vms-alpha.c:6432 + #, c-format + msgid "CTL_DFLOC (define location)\n" + msgstr "" + +-#: vms-alpha.c:6434 ++#: vms-alpha.c:6435 + #, c-format + msgid "CTL_STLOC (set location)\n" + msgstr "" + +-#: vms-alpha.c:6437 ++#: vms-alpha.c:6438 + #, c-format + msgid "CTL_STKDL (stack defined location)\n" + msgstr "" + +-#: vms-alpha.c:6440 vms-alpha.c:6864 vms-alpha.c:6990 ++#: vms-alpha.c:6441 vms-alpha.c:6865 vms-alpha.c:6991 + #, c-format + msgid "*unhandled*\n" + msgstr "" + +-#: vms-alpha.c:6470 vms-alpha.c:6509 ++#: vms-alpha.c:6471 vms-alpha.c:6510 + #, c-format + msgid "cannot read GST record length\n" + msgstr "" + + #. Ill-formed. +-#: vms-alpha.c:6491 ++#: vms-alpha.c:6492 + #, c-format + msgid "cannot find EMH in first GST record\n" + msgstr "" + +-#: vms-alpha.c:6517 ++#: vms-alpha.c:6518 + #, c-format + msgid "cannot read GST record header\n" + msgstr "" + +-#: vms-alpha.c:6530 ++#: vms-alpha.c:6531 + #, c-format + msgid " corrupted GST\n" + msgstr "" + +-#: vms-alpha.c:6538 ++#: vms-alpha.c:6539 + #, c-format + msgid "cannot read GST record\n" + msgstr "" + +-#: vms-alpha.c:6567 ++#: vms-alpha.c:6568 + #, c-format + msgid " unhandled EOBJ record type %u\n" + msgstr "" + +-#: vms-alpha.c:6591 ++#: vms-alpha.c:6592 + #, c-format + msgid " bitcount: %u, base addr: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6605 ++#: vms-alpha.c:6606 + #, c-format + msgid " bitmap: 0x%08x (count: %u):\n" + msgstr "" + +-#: vms-alpha.c:6612 ++#: vms-alpha.c:6613 + #, c-format + msgid " %08x" + msgstr "" + +-#: vms-alpha.c:6638 ++#: vms-alpha.c:6639 + #, c-format + msgid " image %u (%u entries)\n" + msgstr "" + +-#: vms-alpha.c:6644 ++#: vms-alpha.c:6645 + #, c-format + msgid " offset: 0x%08x, val: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6666 ++#: vms-alpha.c:6667 + #, c-format + msgid " image %u (%u entries), offsets:\n" + msgstr "" + +-#: vms-alpha.c:6673 ++#: vms-alpha.c:6674 + #, c-format + msgid " 0x%08x" + msgstr "" + + #. 64 bits. +-#: vms-alpha.c:6795 ++#: vms-alpha.c:6796 + #, c-format + msgid "64 bits *unhandled*\n" + msgstr "" + +-#: vms-alpha.c:6800 ++#: vms-alpha.c:6801 + #, c-format + msgid "class: %u, dtype: %u, length: %u, pointer: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6811 ++#: vms-alpha.c:6812 + #, c-format + msgid "non-contiguous array of %s\n" + msgstr "" + +-#: vms-alpha.c:6816 ++#: vms-alpha.c:6817 + #, c-format + msgid "dimct: %u, aflags: 0x%02x, digits: %u, scale: %u\n" + msgstr "" + +-#: vms-alpha.c:6821 ++#: vms-alpha.c:6822 + #, c-format + msgid "arsize: %u, a0: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6825 ++#: vms-alpha.c:6826 + #, c-format + msgid "Strides:\n" + msgstr "" + +-#: vms-alpha.c:6835 ++#: vms-alpha.c:6836 + #, c-format + msgid "Bounds:\n" + msgstr "" + +-#: vms-alpha.c:6841 ++#: vms-alpha.c:6842 + #, c-format + msgid "[%u]: Lower: %u, upper: %u\n" + msgstr "" + +-#: vms-alpha.c:6853 ++#: vms-alpha.c:6854 + #, c-format + msgid "unaligned bit-string of %s\n" + msgstr "" + +-#: vms-alpha.c:6858 ++#: vms-alpha.c:6859 + #, c-format + msgid "base: %u, pos: %u\n" + msgstr "" + +-#: vms-alpha.c:6879 ++#: vms-alpha.c:6880 + #, c-format + msgid "vflags: 0x%02x, value: 0x%08x " + msgstr "" + +-#: vms-alpha.c:6885 ++#: vms-alpha.c:6886 + #, c-format + msgid "(no value)\n" + msgstr "" + +-#: vms-alpha.c:6888 ++#: vms-alpha.c:6889 + #, c-format + msgid "(not active)\n" + msgstr "" + +-#: vms-alpha.c:6891 ++#: vms-alpha.c:6892 + #, c-format + msgid "(not allocated)\n" + msgstr "" + +-#: vms-alpha.c:6894 ++#: vms-alpha.c:6895 + #, c-format + msgid "(descriptor)\n" + msgstr "" + +-#: vms-alpha.c:6898 ++#: vms-alpha.c:6899 + #, c-format + msgid "(trailing value)\n" + msgstr "" + +-#: vms-alpha.c:6901 ++#: vms-alpha.c:6902 + #, c-format + msgid "(value spec follows)\n" + msgstr "" + +-#: vms-alpha.c:6904 ++#: vms-alpha.c:6905 + #, c-format + msgid "(at bit offset %u)\n" + msgstr "" + +-#: vms-alpha.c:6908 ++#: vms-alpha.c:6909 + #, c-format + msgid "(reg: %u, disp: %u, indir: %u, kind: " + msgstr "" + +-#: vms-alpha.c:6915 ++#: vms-alpha.c:6916 + msgid "literal" + msgstr "" + +-#: vms-alpha.c:6918 ++#: vms-alpha.c:6919 + msgid "address" + msgstr "" + +-#: vms-alpha.c:6921 ++#: vms-alpha.c:6922 + msgid "desc" + msgstr "" + +-#: vms-alpha.c:6924 ++#: vms-alpha.c:6925 + msgid "reg" + msgstr "" + +-#: vms-alpha.c:6941 ++#: vms-alpha.c:6942 + #, c-format + msgid "len: %2u, kind: %2u " + msgstr "" + +-#: vms-alpha.c:6947 ++#: vms-alpha.c:6948 + #, c-format + msgid "atomic, type=0x%02x %s\n" + msgstr "" + +-#: vms-alpha.c:6951 ++#: vms-alpha.c:6952 + #, c-format + msgid "indirect, defined at 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:6955 ++#: vms-alpha.c:6956 + #, c-format + msgid "typed pointer\n" + msgstr "" + +-#: vms-alpha.c:6959 ++#: vms-alpha.c:6960 + #, c-format + msgid "pointer\n" + msgstr "" + +-#: vms-alpha.c:6967 ++#: vms-alpha.c:6968 + #, c-format + msgid "array, dim: %u, bitmap: " + msgstr "" + +-#: vms-alpha.c:6974 ++#: vms-alpha.c:6975 + #, c-format + msgid "array descriptor:\n" + msgstr "" + +-#: vms-alpha.c:6981 ++#: vms-alpha.c:6982 + #, c-format + msgid "type spec for element:\n" + msgstr "" + +-#: vms-alpha.c:6983 ++#: vms-alpha.c:6984 + #, c-format + msgid "type spec for subscript %u:\n" + msgstr "" + +-#: vms-alpha.c:7001 ++#: vms-alpha.c:7002 + #, c-format + msgid "Debug symbol table:\n" + msgstr "" + +-#: vms-alpha.c:7012 ++#: vms-alpha.c:7013 + #, c-format + msgid "cannot read DST header\n" + msgstr "" + +-#: vms-alpha.c:7018 ++#: vms-alpha.c:7019 + #, c-format + msgid " type: %3u, len: %3u (at 0x%08x): " + msgstr "" + +-#: vms-alpha.c:7032 ++#: vms-alpha.c:7033 + #, c-format + msgid "cannot read DST symbol\n" + msgstr "" + +-#: vms-alpha.c:7075 ++#: vms-alpha.c:7076 + #, c-format + msgid "standard data: %s\n" + msgstr "" + +-#: vms-alpha.c:7078 vms-alpha.c:7166 ++#: vms-alpha.c:7079 vms-alpha.c:7167 + #, c-format + msgid " name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7085 ++#: vms-alpha.c:7086 + #, c-format + msgid "modbeg\n" + msgstr "" + +-#: vms-alpha.c:7087 ++#: vms-alpha.c:7088 + #, c-format + msgid " flags: %d, language: %u, major: %u, minor: %u\n" + msgstr "" + +-#: vms-alpha.c:7093 vms-alpha.c:7367 ++#: vms-alpha.c:7094 vms-alpha.c:7368 + #, c-format + msgid " module name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7096 ++#: vms-alpha.c:7097 + #, c-format + msgid " compiler : %.*s\n" + msgstr "" + +-#: vms-alpha.c:7101 ++#: vms-alpha.c:7102 + #, c-format + msgid "modend\n" + msgstr "" + +-#: vms-alpha.c:7108 ++#: vms-alpha.c:7109 + msgid "rtnbeg\n" + msgstr "" + +-#: vms-alpha.c:7110 ++#: vms-alpha.c:7111 + #, c-format + msgid " flags: %u, address: 0x%08x, pd-address: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7115 ++#: vms-alpha.c:7116 + #, c-format + msgid " routine name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7123 ++#: vms-alpha.c:7124 + #, c-format + msgid "rtnend: size 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7131 ++#: vms-alpha.c:7132 + #, c-format + msgid "prolog: bkpt address 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7140 ++#: vms-alpha.c:7141 + #, c-format + msgid "epilog: flags: %u, count: %u\n" + msgstr "" + +-#: vms-alpha.c:7150 ++#: vms-alpha.c:7151 + #, c-format + msgid "blkbeg: address: 0x%08x, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7159 ++#: vms-alpha.c:7160 + #, c-format + msgid "blkend: size: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7165 ++#: vms-alpha.c:7166 + #, c-format + msgid "typspec (len: %u)\n" + msgstr "" + +-#: vms-alpha.c:7172 ++#: vms-alpha.c:7173 + #, c-format + msgid "septyp, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7181 ++#: vms-alpha.c:7182 + #, c-format + msgid "recbeg: name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7183 ++#: vms-alpha.c:7184 + #, c-format + msgid " len: %u bits\n" + msgstr "" + +-#: vms-alpha.c:7188 ++#: vms-alpha.c:7189 + #, c-format + msgid "recend\n" + msgstr "" + +-#: vms-alpha.c:7192 ++#: vms-alpha.c:7193 + #, c-format + msgid "enumbeg, len: %u, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7196 ++#: vms-alpha.c:7197 + #, c-format + msgid "enumelt, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7200 ++#: vms-alpha.c:7201 + #, c-format + msgid "enumend\n" + msgstr "" + +-#: vms-alpha.c:7205 ++#: vms-alpha.c:7206 + #, c-format + msgid "label, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7207 ++#: vms-alpha.c:7208 + #, c-format + msgid " address: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7217 ++#: vms-alpha.c:7218 + #, c-format + msgid "discontiguous range (nbr: %u)\n" + msgstr "" + +-#: vms-alpha.c:7220 ++#: vms-alpha.c:7221 + #, c-format + msgid " address: 0x%08x, size: %u\n" + msgstr "" + +-#: vms-alpha.c:7230 ++#: vms-alpha.c:7231 + #, c-format + msgid "line num (len: %u)\n" + msgstr "" + +-#: vms-alpha.c:7247 ++#: vms-alpha.c:7248 + #, c-format + msgid "delta_pc_w %u\n" + msgstr "" + +-#: vms-alpha.c:7254 ++#: vms-alpha.c:7255 + #, c-format + msgid "incr_linum(b): +%u\n" + msgstr "" + +-#: vms-alpha.c:7260 ++#: vms-alpha.c:7261 + #, c-format + msgid "incr_linum_w: +%u\n" + msgstr "" + +-#: vms-alpha.c:7266 ++#: vms-alpha.c:7267 + #, c-format + msgid "incr_linum_l: +%u\n" + msgstr "" + +-#: vms-alpha.c:7272 ++#: vms-alpha.c:7273 + #, c-format + msgid "set_line_num(w) %u\n" + msgstr "" + +-#: vms-alpha.c:7277 ++#: vms-alpha.c:7278 + #, c-format + msgid "set_line_num_b %u\n" + msgstr "" + +-#: vms-alpha.c:7282 ++#: vms-alpha.c:7283 + #, c-format + msgid "set_line_num_l %u\n" + msgstr "" + +-#: vms-alpha.c:7287 ++#: vms-alpha.c:7288 + #, c-format + msgid "set_abs_pc: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7291 ++#: vms-alpha.c:7292 + #, c-format + msgid "delta_pc_l: +0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7296 ++#: vms-alpha.c:7297 + #, c-format + msgid "term(b): 0x%02x" + msgstr "" + +-#: vms-alpha.c:7298 ++#: vms-alpha.c:7299 + #, c-format + msgid " pc: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7303 ++#: vms-alpha.c:7304 + #, c-format + msgid "term_w: 0x%04x" + msgstr "" + +-#: vms-alpha.c:7305 ++#: vms-alpha.c:7306 + #, c-format + msgid " pc: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7311 ++#: vms-alpha.c:7312 + #, c-format + msgid "delta pc +%-4d" + msgstr "" + +-#: vms-alpha.c:7315 ++#: vms-alpha.c:7316 + #, c-format + msgid " pc: 0x%08x line: %5u\n" + msgstr "" + +-#: vms-alpha.c:7320 ++#: vms-alpha.c:7321 + #, c-format + msgid " *unhandled* cmd %u\n" + msgstr "" + +-#: vms-alpha.c:7335 ++#: vms-alpha.c:7336 + #, c-format + msgid "source (len: %u)\n" + msgstr "" + +-#: vms-alpha.c:7350 ++#: vms-alpha.c:7351 + #, c-format + msgid " declfile: len: %u, flags: %u, fileid: %u\n" + msgstr "" + +-#: vms-alpha.c:7355 ++#: vms-alpha.c:7356 + #, c-format + msgid " rms: cdt: 0x%08x %08x, ebk: 0x%08x, ffb: 0x%04x, rfo: %u\n" + msgstr "" + +-#: vms-alpha.c:7364 ++#: vms-alpha.c:7365 + #, c-format + msgid " filename : %.*s\n" + msgstr "" + +-#: vms-alpha.c:7373 ++#: vms-alpha.c:7374 + #, c-format + msgid " setfile %u\n" + msgstr "" + +-#: vms-alpha.c:7378 vms-alpha.c:7383 ++#: vms-alpha.c:7379 vms-alpha.c:7384 + #, c-format + msgid " setrec %u\n" + msgstr "" + +-#: vms-alpha.c:7388 vms-alpha.c:7393 ++#: vms-alpha.c:7389 vms-alpha.c:7394 + #, c-format + msgid " setlnum %u\n" + msgstr "" + +-#: vms-alpha.c:7398 vms-alpha.c:7403 ++#: vms-alpha.c:7399 vms-alpha.c:7404 + #, c-format + msgid " deflines %u\n" + msgstr "" + +-#: vms-alpha.c:7407 ++#: vms-alpha.c:7408 + #, c-format + msgid " formfeed\n" + msgstr "" + +-#: vms-alpha.c:7411 ++#: vms-alpha.c:7412 + #, c-format + msgid " *unhandled* cmd %u\n" + msgstr "" + +-#: vms-alpha.c:7423 ++#: vms-alpha.c:7424 + #, c-format + msgid "*unhandled* dst type %u\n" + msgstr "" + +-#: vms-alpha.c:7455 ++#: vms-alpha.c:7456 + #, c-format + msgid "cannot read EIHD\n" + msgstr "" + +-#: vms-alpha.c:7459 ++#: vms-alpha.c:7460 + #, c-format + msgid "EIHD: (size: %u, nbr blocks: %u)\n" + msgstr "" + +-#: vms-alpha.c:7463 ++#: vms-alpha.c:7464 + #, c-format + msgid " majorid: %u, minorid: %u\n" + msgstr "" + +-#: vms-alpha.c:7471 ++#: vms-alpha.c:7472 + msgid "executable" + msgstr "" + +-#: vms-alpha.c:7474 ++#: vms-alpha.c:7475 + msgid "linkable image" + msgstr "" + +-#: vms-alpha.c:7481 ++#: vms-alpha.c:7482 + #, c-format + msgid " image type: %u (%s)" + msgstr "" + +-#: vms-alpha.c:7487 ++#: vms-alpha.c:7488 + msgid "native" + msgstr "" + +-#: vms-alpha.c:7490 ++#: vms-alpha.c:7491 + msgid "CLI" + msgstr "" + +-#: vms-alpha.c:7497 ++#: vms-alpha.c:7498 + #, c-format + msgid ", subtype: %u (%s)\n" + msgstr "" + +-#: vms-alpha.c:7504 ++#: vms-alpha.c:7505 + #, c-format + msgid " offsets: isd: %u, activ: %u, symdbg: %u, imgid: %u, patch: %u\n" + msgstr "" + +-#: vms-alpha.c:7508 ++#: vms-alpha.c:7509 + #, c-format + msgid " fixup info rva: " + msgstr "" + +-#: vms-alpha.c:7510 ++#: vms-alpha.c:7511 + #, c-format + msgid ", symbol vector rva: " + msgstr "" + +-#: vms-alpha.c:7513 ++#: vms-alpha.c:7514 + #, c-format + msgid "" + "\n" + " version array off: %u\n" + msgstr "" + +-#: vms-alpha.c:7518 ++#: vms-alpha.c:7519 + #, c-format + msgid " img I/O count: %u, nbr channels: %u, req pri: %08x%08x\n" + msgstr "" + +-#: vms-alpha.c:7524 ++#: vms-alpha.c:7525 + #, c-format + msgid " linker flags: %08x:" + msgstr "" + +-#: vms-alpha.c:7555 ++#: vms-alpha.c:7556 + #, c-format + msgid " ident: 0x%08x, sysver: 0x%08x, match ctrl: %u, symvect_size: %u\n" + msgstr "" + +-#: vms-alpha.c:7561 ++#: vms-alpha.c:7562 + #, c-format + msgid " BPAGE: %u" + msgstr "" + +-#: vms-alpha.c:7568 ++#: vms-alpha.c:7569 + #, c-format + msgid ", ext fixup offset: %u, no_opt psect off: %u" + msgstr "" + +-#: vms-alpha.c:7571 ++#: vms-alpha.c:7572 + #, c-format + msgid ", alias: %u\n" + msgstr "" + +-#: vms-alpha.c:7579 ++#: vms-alpha.c:7580 + #, c-format + msgid "system version array information:\n" + msgstr "" + +-#: vms-alpha.c:7583 ++#: vms-alpha.c:7584 + #, c-format + msgid "cannot read EIHVN header\n" + msgstr "" + +-#: vms-alpha.c:7593 ++#: vms-alpha.c:7594 + #, c-format + msgid "cannot read EIHVN version\n" + msgstr "" + +-#: vms-alpha.c:7596 ++#: vms-alpha.c:7597 + #, c-format + msgid " %02u " + msgstr "" + +-#: vms-alpha.c:7600 ++#: vms-alpha.c:7601 + msgid "BASE_IMAGE " + msgstr "" + +-#: vms-alpha.c:7603 ++#: vms-alpha.c:7604 + msgid "MEMORY_MANAGEMENT" + msgstr "" + +-#: vms-alpha.c:7606 ++#: vms-alpha.c:7607 + msgid "IO " + msgstr "" + +-#: vms-alpha.c:7609 ++#: vms-alpha.c:7610 + msgid "FILES_VOLUMES " + msgstr "" + +-#: vms-alpha.c:7612 ++#: vms-alpha.c:7613 + msgid "PROCESS_SCHED " + msgstr "" + +-#: vms-alpha.c:7615 ++#: vms-alpha.c:7616 + msgid "SYSGEN " + msgstr "" + +-#: vms-alpha.c:7618 ++#: vms-alpha.c:7619 + msgid "CLUSTERS_LOCKMGR " + msgstr "" + +-#: vms-alpha.c:7621 ++#: vms-alpha.c:7622 + msgid "LOGICAL_NAMES " + msgstr "" + +-#: vms-alpha.c:7624 ++#: vms-alpha.c:7625 + msgid "SECURITY " + msgstr "" + +-#: vms-alpha.c:7627 ++#: vms-alpha.c:7628 + msgid "IMAGE_ACTIVATOR " + msgstr "" + +-#: vms-alpha.c:7630 ++#: vms-alpha.c:7631 + msgid "NETWORKS " + msgstr "" + +-#: vms-alpha.c:7633 ++#: vms-alpha.c:7634 + msgid "COUNTERS " + msgstr "" + +-#: vms-alpha.c:7636 ++#: vms-alpha.c:7637 + msgid "STABLE " + msgstr "" + +-#: vms-alpha.c:7639 ++#: vms-alpha.c:7640 + msgid "MISC " + msgstr "" + +-#: vms-alpha.c:7642 ++#: vms-alpha.c:7643 + msgid "CPU " + msgstr "" + +-#: vms-alpha.c:7645 ++#: vms-alpha.c:7646 + msgid "VOLATILE " + msgstr "" + +-#: vms-alpha.c:7648 ++#: vms-alpha.c:7649 + msgid "SHELL " + msgstr "" + +-#: vms-alpha.c:7651 ++#: vms-alpha.c:7652 + msgid "POSIX " + msgstr "" + +-#: vms-alpha.c:7654 ++#: vms-alpha.c:7655 + msgid "MULTI_PROCESSING " + msgstr "" + +-#: vms-alpha.c:7657 ++#: vms-alpha.c:7658 + msgid "GALAXY " + msgstr "" + +-#: vms-alpha.c:7660 ++#: vms-alpha.c:7661 + msgid "*unknown* " + msgstr "" + +-#: vms-alpha.c:7676 vms-alpha.c:7951 ++#: vms-alpha.c:7677 vms-alpha.c:7952 + #, c-format + msgid "cannot read EIHA\n" + msgstr "" + +-#: vms-alpha.c:7679 ++#: vms-alpha.c:7680 + #, c-format + msgid "Image activation: (size=%u)\n" + msgstr "" + +-#: vms-alpha.c:7682 ++#: vms-alpha.c:7683 + #, c-format + msgid " First address : 0x%08x 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7686 ++#: vms-alpha.c:7687 + #, c-format + msgid " Second address: 0x%08x 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7690 ++#: vms-alpha.c:7691 + #, c-format + msgid " Third address : 0x%08x 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7694 ++#: vms-alpha.c:7695 + #, c-format + msgid " Fourth address: 0x%08x 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7698 ++#: vms-alpha.c:7699 + #, c-format + msgid " Shared image : 0x%08x 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7709 ++#: vms-alpha.c:7710 + #, c-format + msgid "cannot read EIHI\n" + msgstr "" + +-#: vms-alpha.c:7713 ++#: vms-alpha.c:7714 + #, c-format + msgid "Image identification: (major: %u, minor: %u)\n" + msgstr "" + +-#: vms-alpha.c:7716 ++#: vms-alpha.c:7717 + #, c-format + msgid " image name : %.*s\n" + msgstr "" + +-#: vms-alpha.c:7718 ++#: vms-alpha.c:7719 + #, c-format + msgid " link time : %s\n" + msgstr "" + +-#: vms-alpha.c:7720 ++#: vms-alpha.c:7721 + #, c-format + msgid " image ident : %.*s\n" + msgstr "" + +-#: vms-alpha.c:7722 ++#: vms-alpha.c:7723 + #, c-format + msgid " linker ident : %.*s\n" + msgstr "" + +-#: vms-alpha.c:7724 ++#: vms-alpha.c:7725 + #, c-format + msgid " image build ident: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7734 ++#: vms-alpha.c:7735 + #, c-format + msgid "cannot read EIHS\n" + msgstr "" + +-#: vms-alpha.c:7738 ++#: vms-alpha.c:7739 + #, c-format + msgid "Image symbol & debug table: (major: %u, minor: %u)\n" + msgstr "" + +-#: vms-alpha.c:7744 ++#: vms-alpha.c:7745 + #, c-format + msgid " debug symbol table : vbn: %u, size: %u (0x%x)\n" + msgstr "" + +-#: vms-alpha.c:7749 ++#: vms-alpha.c:7750 + #, c-format + msgid " global symbol table: vbn: %u, records: %u\n" + msgstr "" + +-#: vms-alpha.c:7754 ++#: vms-alpha.c:7755 + #, c-format + msgid " debug module table : vbn: %u, size: %u\n" + msgstr "" + +-#: vms-alpha.c:7767 ++#: vms-alpha.c:7768 + #, c-format + msgid "cannot read EISD\n" + msgstr "" + +-#: vms-alpha.c:7778 ++#: vms-alpha.c:7779 + #, c-format + msgid "" + "Image section descriptor: (major: %u, minor: %u, size: %u, offset: %u)\n" + msgstr "" + +-#: vms-alpha.c:7786 ++#: vms-alpha.c:7787 + #, c-format + msgid " section: base: 0x%08x%08x size: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7791 ++#: vms-alpha.c:7792 + #, c-format + msgid " flags: 0x%04x" + msgstr "" + +-#: vms-alpha.c:7829 ++#: vms-alpha.c:7830 + #, c-format + msgid " vbn: %u, pfc: %u, matchctl: %u type: %u (" + msgstr "" + +-#: vms-alpha.c:7835 ++#: vms-alpha.c:7836 + msgid "NORMAL" + msgstr "" + +-#: vms-alpha.c:7838 ++#: vms-alpha.c:7839 + msgid "SHRFXD" + msgstr "" + +-#: vms-alpha.c:7841 ++#: vms-alpha.c:7842 + msgid "PRVFXD" + msgstr "" + +-#: vms-alpha.c:7844 ++#: vms-alpha.c:7845 + msgid "SHRPIC" + msgstr "" + +-#: vms-alpha.c:7847 ++#: vms-alpha.c:7848 + msgid "PRVPIC" + msgstr "" + +-#: vms-alpha.c:7850 ++#: vms-alpha.c:7851 + msgid "USRSTACK" + msgstr "" + +-#: vms-alpha.c:7856 ++#: vms-alpha.c:7857 + msgid ")\n" + msgstr "" + +-#: vms-alpha.c:7859 ++#: vms-alpha.c:7860 + #, c-format + msgid " ident: 0x%08x, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:7869 ++#: vms-alpha.c:7870 + #, c-format + msgid "cannot read DMT\n" + msgstr "" + +-#: vms-alpha.c:7873 ++#: vms-alpha.c:7874 + #, c-format + msgid "Debug module table:\n" + msgstr "" + +-#: vms-alpha.c:7882 ++#: vms-alpha.c:7883 + #, c-format + msgid "cannot read DMT header\n" + msgstr "" + +-#: vms-alpha.c:7888 ++#: vms-alpha.c:7889 + #, c-format + msgid " module offset: 0x%08x, size: 0x%08x, (%u psects)\n" + msgstr "" + +-#: vms-alpha.c:7898 ++#: vms-alpha.c:7899 + #, c-format + msgid "cannot read DMT psect\n" + msgstr "" + +-#: vms-alpha.c:7902 ++#: vms-alpha.c:7903 + #, c-format + msgid " psect start: 0x%08x, length: %u\n" + msgstr "" + +-#: vms-alpha.c:7915 ++#: vms-alpha.c:7916 + #, c-format + msgid "cannot read DST\n" + msgstr "" + +-#: vms-alpha.c:7925 ++#: vms-alpha.c:7926 + #, c-format + msgid "cannot read GST\n" + msgstr "" + +-#: vms-alpha.c:7929 ++#: vms-alpha.c:7930 + #, c-format + msgid "Global symbol table:\n" + msgstr "" + +-#: vms-alpha.c:7958 ++#: vms-alpha.c:7959 + #, c-format + msgid "Image activator fixup: (major: %u, minor: %u)\n" + msgstr "" + +-#: vms-alpha.c:7962 ++#: vms-alpha.c:7963 + #, c-format + msgid " iaflink : 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:7966 ++#: vms-alpha.c:7967 + #, c-format + msgid " fixuplnk: 0x%08x %08x\n" + msgstr "" + +-#: vms-alpha.c:7969 ++#: vms-alpha.c:7970 + #, c-format + msgid " size : %u\n" + msgstr "" + +-#: vms-alpha.c:7971 ++#: vms-alpha.c:7972 + #, c-format + msgid " flags: 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:7976 ++#: vms-alpha.c:7977 + #, c-format + msgid " qrelfixoff: %5u, lrelfixoff: %5u\n" + msgstr "" + +-#: vms-alpha.c:7981 ++#: vms-alpha.c:7982 + #, c-format + msgid " qdotadroff: %5u, ldotadroff: %5u\n" + msgstr "" + +-#: vms-alpha.c:7986 ++#: vms-alpha.c:7987 + #, c-format + msgid " codeadroff: %5u, lpfixoff : %5u\n" + msgstr "" + +-#: vms-alpha.c:7989 ++#: vms-alpha.c:7990 + #, c-format + msgid " chgprtoff : %5u\n" + msgstr "" + +-#: vms-alpha.c:7993 ++#: vms-alpha.c:7994 + #, c-format + msgid " shlstoff : %5u, shrimgcnt : %5u\n" + msgstr "" + +-#: vms-alpha.c:7996 ++#: vms-alpha.c:7997 + #, c-format + msgid " shlextra : %5u, permctx : %5u\n" + msgstr "" + +-#: vms-alpha.c:7999 ++#: vms-alpha.c:8000 + #, c-format + msgid " base_va : 0x%08x\n" + msgstr "" + +-#: vms-alpha.c:8001 ++#: vms-alpha.c:8002 + #, c-format + msgid " lppsbfixoff: %5u\n" + msgstr "" + +-#: vms-alpha.c:8009 ++#: vms-alpha.c:8010 + #, c-format + msgid " Shareable images:\n" + msgstr "" + +-#: vms-alpha.c:8014 ++#: vms-alpha.c:8015 + #, c-format + msgid " %u: size: %u, flags: 0x%02x, name: %.*s\n" + msgstr "" + +-#: vms-alpha.c:8021 ++#: vms-alpha.c:8022 + #, c-format + msgid " quad-word relocation fixups:\n" + msgstr "" + +-#: vms-alpha.c:8026 ++#: vms-alpha.c:8027 + #, c-format + msgid " long-word relocation fixups:\n" + msgstr "" + +-#: vms-alpha.c:8031 ++#: vms-alpha.c:8032 + #, c-format + msgid " quad-word .address reference fixups:\n" + msgstr "" + +-#: vms-alpha.c:8036 ++#: vms-alpha.c:8037 + #, c-format + msgid " long-word .address reference fixups:\n" + msgstr "" + +-#: vms-alpha.c:8041 ++#: vms-alpha.c:8042 + #, c-format + msgid " Code Address Reference Fixups:\n" + msgstr "" + +-#: vms-alpha.c:8046 ++#: vms-alpha.c:8047 + #, c-format + msgid " Linkage Pairs Reference Fixups:\n" + msgstr "" + +-#: vms-alpha.c:8055 ++#: vms-alpha.c:8056 + #, c-format + msgid " Change Protection (%u entries):\n" + msgstr "" + +-#: vms-alpha.c:8061 ++#: vms-alpha.c:8062 + #, c-format + msgid " base: 0x%08x %08x, size: 0x%08x, prot: 0x%08x " + msgstr "" + + #. FIXME: we do not yet support relocatable link. It is not obvious + #. how to do it for debug infos. +-#: vms-alpha.c:8901 ++#: vms-alpha.c:8902 + msgid "%P: relocatable link is not supported\n" + msgstr "" + +-#: vms-alpha.c:8972 ++#: vms-alpha.c:8973 + #, c-format +-msgid "%P: multiple entry points: in modules %B and %B\n" ++msgid "%P: multiple entry points: in modules %pB and %pB\n" + msgstr "" + + #: vms-lib.c:1445 +@@ -8537,7 +8508,7 @@ msgstr "" + #: peigen.c:1906 peigen.c:2103 pepigen.c:1906 pepigen.c:2103 pex64igen.c:1906 + #: pex64igen.c:2103 + #, c-format +-msgid "Warning, .pdata section size (%ld) is not a multiple of %d\n" ++msgid "warning, .pdata section size (%ld) is not a multiple of %d\n" + msgstr "" + + #: peigen.c:1910 peigen.c:2107 pepigen.c:1910 pepigen.c:2107 pex64igen.c:1910 +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2018-04-24 Nick Clifton <nickc@redhat.com> ++ ++ PR 23110 ++ * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for ++ a negative PE_DEBUG_DATA size before iterating over the debug data. ++ + 2018-04-17 Nick Clifton <nickc@redhat.com> + + PR 23065 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch new file mode 100644 index 0000000000..29b834337e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch @@ -0,0 +1,63 @@ +From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 24 Apr 2018 16:57:04 +0100 +Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF + binary with corrupt section symbols. + + PR 23113 + * elf.c (ignore_section_sym): Check for the output_section pointer + being NULL before dereferencing it. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-10535 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 4 ++++ + bfd/elf.c | 9 ++++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -3994,15 +3994,22 @@ ignore_section_sym (bfd *abfd, asymbol * + { + elf_symbol_type *type_ptr; + ++ if (sym == NULL) ++ return FALSE; ++ + if ((sym->flags & BSF_SECTION_SYM) == 0) + return FALSE; + ++ if (sym->section == NULL) ++ return TRUE; ++ + type_ptr = elf_symbol_from (abfd, sym); + return ((type_ptr != NULL + && type_ptr->internal_elf_sym.st_shndx != 0 + && bfd_is_abs_section (sym->section)) + || !(sym->section->owner == abfd +- || (sym->section->output_section->owner == abfd ++ || (sym->section->output_section != NULL ++ && sym->section->output_section->owner == abfd + && sym->section->output_offset == 0) + || bfd_is_abs_section (sym->section))); + } +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,10 @@ + 2018-04-24 Nick Clifton <nickc@redhat.com> ++ ++ PR 23113 ++ * elf.c (ignore_section_sym): Check for the output_section pointer ++ being NULL before dereferencing it. ++ ++2018-04-24 Nick Clifton <nickc@redhat.com> + + PR 23110 + * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch new file mode 100644 index 0000000000..3fa852c951 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch @@ -0,0 +1,71 @@ +From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 8 May 2018 12:51:06 +0100 +Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a + fuzzed input file with corrupt string and attribute sections. + + PR 22809 + * elf.c (bfd_elf_get_str_section): Check for an excessively large + string section. + * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the + attribute section is larger than the size of the file. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-13033 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/elf-attrs.c | 9 +++++++++ + bfd/elf.c | 1 + + 3 files changed, 18 insertions(+) + +Index: git/bfd/elf-attrs.c +=================================================================== +--- git.orig/bfd/elf-attrs.c ++++ git/bfd/elf-attrs.c +@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El + /* PR 17512: file: 2844a11d. */ + if (hdr->sh_size == 0) + return; ++ if (hdr->sh_size > bfd_get_file_size (abfd)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), ++ abfd, hdr->bfd_section, (long long) hdr->sh_size); ++ bfd_set_error (bfd_error_invalid_operation); ++ return; ++ } ++ + contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); + if (!contents) + return; +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi + /* Allocate and clear an extra byte at the end, to prevent crashes + in case the string table is not terminated. */ + if (shstrtabsize + 1 <= 1 ++ || shstrtabsize > bfd_get_file_size (abfd) + || bfd_seek (abfd, offset, SEEK_SET) != 0 + || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) + shstrtab = NULL; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2018-05-08 Nick Clifton <nickc@redhat.com> ++ ++ PR 22809 ++ * elf.c (bfd_elf_get_str_section): Check for an excessively large ++ string section. ++ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the ++ attribute section is larger than the size of the file. ++ + 2018-04-24 Nick Clifton <nickc@redhat.com> + + PR 23113 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6323.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6323.patch new file mode 100644 index 0000000000..2c6b1b2427 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6323.patch @@ -0,0 +1,55 @@ +From 38e64b0ecc7f4ee64a02514b8d532782ac057fa2 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 25 Jan 2018 21:47:41 +1030 +Subject: [PATCH] PR22746, crash when running 32-bit objdump on corrupted file + +Avoid unsigned int overflow by performing bfd_size_type multiplication. + + PR 22746 + * elfcode.h (elf_object_p): Avoid integer overflow. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2018-6323 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/elfcode.h | 4 ++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +Index: git/bfd/elfcode.h +=================================================================== +--- git.orig/bfd/elfcode.h ++++ git/bfd/elfcode.h +@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd) + if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp)) + goto got_wrong_format_error; + #endif +- amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum; ++ amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum; + i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (!i_shdrp) + goto got_no_match; +@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd) + if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr)) + goto got_wrong_format_error; + #endif +- amt = i_ehdrp->e_phnum * sizeof (*i_phdr); ++ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr); + elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt); + if (elf_tdata (abfd)->phdr == NULL) + goto got_no_match; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2018-01-25 Alan Modra <amodra@gmail.com> ++ ++ PR 22746 ++ * elfcode.h (elf_object_p): Avoid integer overflow. ++ + 2018-05-08 Nick Clifton <nickc@redhat.com> + + PR 22809 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch new file mode 100644 index 0000000000..3b0e98a0a3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch @@ -0,0 +1,108 @@ +From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 6 Feb 2018 15:48:29 +0000 +Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by + chacking the size of debuglink sections. + + PR 22794 + * opncls.c (bfd_get_debug_link_info_1): Check the size of the + section before attempting to read it in. + (bfd_get_alt_debug_link_info): Likewise. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-6759 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/opncls.c | 22 +++++++++++++++++----- + 2 files changed, 24 insertions(+), 5 deletions(-) + +Index: git/bfd/opncls.c +=================================================================== +--- git.orig/bfd/opncls.c ++++ git/bfd/opncls.c +@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + bfd_byte *contents; + unsigned int crc_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (crc32_out); +@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ ++ /* PR 22794: Make sure that the section has a reasonable size. */ ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, &contents)) + { + if (contents != NULL) +@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo + + /* CRC value is stored after the filename, aligned up to 4 bytes. */ + name = (char *) contents; +- /* PR 17597: avoid reading off the end of the buffer. */ +- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; ++ /* PR 17597: Avoid reading off the end of the buffer. */ ++ crc_offset = strnlen (name, size) + 1; + crc_offset = (crc_offset + 3) & ~3; +- if (crc_offset + 4 > bfd_get_section_size (sect)) ++ if (crc_offset + 4 > size) + return NULL; + + *crc32 = bfd_get_32 (abfd, contents + crc_offset); +@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, + bfd_byte *contents; + unsigned int buildid_offset; + char *name; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + BFD_ASSERT (buildid_len); +@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, + if (sect == NULL) + return NULL; + ++ size = bfd_get_section_size (sect); ++ if (size < 8 || size >= bfd_get_size (abfd)) ++ return NULL; ++ + if (!bfd_malloc_and_get_section (abfd, sect, & contents)) + { + if (contents != NULL) +@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, + + /* BuildID value is stored after the filename. */ + name = (char *) contents; +- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; ++ buildid_offset = strnlen (name, size) + 1; + if (buildid_offset >= bfd_get_section_size (sect)) + return NULL; + +- *buildid_len = bfd_get_section_size (sect) - buildid_offset; ++ *buildid_len = size - buildid_offset; + *buildid_out = bfd_malloc (*buildid_len); + memcpy (*buildid_out, contents + buildid_offset, *buildid_len); + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2018-02-06 Nick Clifton <nickc@redhat.com> ++ ++ PR 22794 ++ * opncls.c (bfd_get_debug_link_info_1): Check the size of the ++ section before attempting to read it in. ++ (bfd_get_alt_debug_link_info): Likewise. ++ + 2018-01-25 Alan Modra <amodra@gmail.com> + + PR 22746 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch new file mode 100644 index 0000000000..7d78db7eb3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch @@ -0,0 +1,47 @@ +From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 27 Jan 2018 08:19:33 +1030 +Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object + + PR 22741 + * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in + range before converting to a symbol table pointer. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-7208 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/coffgen.c | 3 ++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +Index: git/bfd/coffgen.c +=================================================================== +--- git.orig/bfd/coffgen.c ++++ git/bfd/coffgen.c +@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd, + } + /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can + generate one, so we must be careful to ignore it. */ +- if (auxent->u.auxent.x_sym.x_tagndx.l > 0) ++ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l ++ < obj_raw_syment_count (abfd)) + { + auxent->u.auxent.x_sym.x_tagndx.p = + table_base + auxent->u.auxent.x_sym.x_tagndx.l; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2018-01-29 Alan Modra <amodra@gmail.com> ++ ++ PR 22741 ++ * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in ++ range before converting to a symbol table pointer. ++ + 2018-02-06 Nick Clifton <nickc@redhat.com> + + PR 22794 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch new file mode 100644 index 0000000000..b014080a7e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch @@ -0,0 +1,161 @@ +From 1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Mon, 25 Sep 2017 20:20:38 +0930 +Subject: [PATCH] PR22202, buffer overflow in parse_die + +There was a complete lack of sanity checking in dwarf1.c + + PR 22202 + * dwarf1.c (parse_die): Sanity check pointer against section limit + before dereferencing. + (parse_line_table): Likewise. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-7568 patch1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf1.c | 56 ++++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 45 insertions(+), 18 deletions(-) + +Index: git/bfd/dwarf1.c +=================================================================== +--- git.orig/bfd/dwarf1.c ++++ git/bfd/dwarf1.c +@@ -189,11 +189,14 @@ parse_die (bfd * abfd, + memset (aDieInfo, 0, sizeof (* aDieInfo)); + + /* First comes the length. */ +- aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr); ++ if (xptr + 4 > aDiePtrEnd) ++ return FALSE; ++ aDieInfo->length = bfd_get_32 (abfd, xptr); + xptr += 4; + if (aDieInfo->length == 0 +- || (this_die + aDieInfo->length) >= aDiePtrEnd) ++ || this_die + aDieInfo->length > aDiePtrEnd) + return FALSE; ++ aDiePtrEnd = this_die + aDieInfo->length; + if (aDieInfo->length < 6) + { + /* Just padding bytes. */ +@@ -202,18 +205,20 @@ parse_die (bfd * abfd, + } + + /* Then the tag. */ +- aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr); ++ if (xptr + 2 > aDiePtrEnd) ++ return FALSE; ++ aDieInfo->tag = bfd_get_16 (abfd, xptr); + xptr += 2; + + /* Then the attributes. */ +- while (xptr < (this_die + aDieInfo->length)) ++ while (xptr + 2 <= aDiePtrEnd) + { + unsigned short attr; + + /* Parse the attribute based on its form. This section + must handle all dwarf1 forms, but need only handle the + actual attributes that we care about. */ +- attr = bfd_get_16 (abfd, (bfd_byte *) xptr); ++ attr = bfd_get_16 (abfd, xptr); + xptr += 2; + + switch (FORM_FROM_ATTR (attr)) +@@ -223,12 +228,15 @@ parse_die (bfd * abfd, + break; + case FORM_DATA4: + case FORM_REF: +- if (attr == AT_sibling) +- aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr); +- else if (attr == AT_stmt_list) ++ if (xptr + 4 <= aDiePtrEnd) + { +- aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr); +- aDieInfo->has_stmt_list = 1; ++ if (attr == AT_sibling) ++ aDieInfo->sibling = bfd_get_32 (abfd, xptr); ++ else if (attr == AT_stmt_list) ++ { ++ aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr); ++ aDieInfo->has_stmt_list = 1; ++ } + } + xptr += 4; + break; +@@ -236,22 +244,29 @@ parse_die (bfd * abfd, + xptr += 8; + break; + case FORM_ADDR: +- if (attr == AT_low_pc) +- aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); +- else if (attr == AT_high_pc) +- aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); ++ if (xptr + 4 <= aDiePtrEnd) ++ { ++ if (attr == AT_low_pc) ++ aDieInfo->low_pc = bfd_get_32 (abfd, xptr); ++ else if (attr == AT_high_pc) ++ aDieInfo->high_pc = bfd_get_32 (abfd, xptr); ++ } + xptr += 4; + break; + case FORM_BLOCK2: +- xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr); ++ if (xptr + 2 <= aDiePtrEnd) ++ xptr += bfd_get_16 (abfd, xptr); ++ xptr += 2; + break; + case FORM_BLOCK4: +- xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr); ++ if (xptr + 4 <= aDiePtrEnd) ++ xptr += bfd_get_32 (abfd, xptr); ++ xptr += 4; + break; + case FORM_STRING: + if (attr == AT_name) + aDieInfo->name = (char *) xptr; +- xptr += strlen ((char *) xptr) + 1; ++ xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1; + break; + } + } +@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* s + } + + xptr = stash->line_section + aUnit->stmt_list_offset; +- if (xptr < stash->line_section_end) ++ if (xptr + 8 <= stash->line_section_end) + { + unsigned long eachLine; + bfd_byte *tblend; +@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* s + + for (eachLine = 0; eachLine < aUnit->line_count; eachLine++) + { ++ if (xptr + 10 > stash->line_section_end) ++ { ++ aUnit->line_count = eachLine; ++ break; ++ } + /* A line number. */ + aUnit->linenumber_table[eachLine].linenumber + = bfd_get_32 (stash->abfd, (bfd_byte *) xptr); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-25 Alan Modra <amodra@gmail.com> ++ ++ PR 22202 ++ * dwarf1.c (parse_die): Sanity check pointer against section limit ++ before dereferencing. ++ (parse_line_table): Likewise. ++ + 2018-01-29 Alan Modra <amodra@gmail.com> + + PR 22741 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch new file mode 100644 index 0000000000..b5511d7d8a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch @@ -0,0 +1,73 @@ +From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 28 Feb 2018 10:13:54 +0000 +Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1 + debug information. + + PR 22894 + * dwarf1.c (parse_die): Check the length of form blocks before + advancing the data pointer. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-7568 patch2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf1.c | 17 +++++++++++++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +Index: git/bfd/dwarf1.c +=================================================================== +--- git.orig/bfd/dwarf1.c ++++ git/bfd/dwarf1.c +@@ -213,6 +213,7 @@ parse_die (bfd * abfd, + /* Then the attributes. */ + while (xptr + 2 <= aDiePtrEnd) + { ++ unsigned int block_len; + unsigned short attr; + + /* Parse the attribute based on its form. This section +@@ -255,12 +256,24 @@ parse_die (bfd * abfd, + break; + case FORM_BLOCK2: + if (xptr + 2 <= aDiePtrEnd) +- xptr += bfd_get_16 (abfd, xptr); ++ { ++ block_len = bfd_get_16 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 2; + break; + case FORM_BLOCK4: + if (xptr + 4 <= aDiePtrEnd) +- xptr += bfd_get_32 (abfd, xptr); ++ { ++ block_len = bfd_get_32 (abfd, xptr); ++ if (xptr + block_len > aDiePtrEnd ++ || xptr + block_len < xptr) ++ return FALSE; ++ xptr += block_len; ++ } + xptr += 4; + break; + case FORM_STRING: +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2018-02-28 Nick Clifton <nickc@redhat.com> ++ ++ PR 22894 ++ * dwarf1.c (parse_die): Check the length of form blocks before ++ advancing the data pointer. ++ + 2017-09-25 Alan Modra <amodra@gmail.com> + + PR 22202 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch new file mode 100644 index 0000000000..e77118bc13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch @@ -0,0 +1,120 @@ +From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 28 Feb 2018 11:50:49 +0000 +Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF + FORM blocks. + + PR 22895 + PR 22893 + * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block + pointer. Drop unused abfd parameter. Check the size of the block + before initialising the data field. Return the end pointer if the + size is invalid. + (read_attribute_value): Adjust invocations of read_n_bytes. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-7569 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/dwarf2.c | 36 +++++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 15 deletions(-) + +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, + } + + static bfd_byte * +-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED, +- bfd_byte *buf, +- bfd_byte *end, +- unsigned int size ATTRIBUTE_UNUSED) +-{ +- if (buf + size > end) +- return NULL; +- return buf; ++read_n_bytes (bfd_byte * buf, ++ bfd_byte * end, ++ struct dwarf_block * block) ++{ ++ unsigned int size = block->size; ++ bfd_byte * block_end = buf + size; ++ ++ if (block_end > end || block_end < buf) ++ { ++ block->data = NULL; ++ block->size = 0; ++ return end; ++ } ++ else ++ { ++ block->data = buf; ++ return block_end; ++ } + } + + /* Scans a NUL terminated string starting at BUF, returning a pointer to it. +@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 2; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block4: +@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end); + info_ptr += 4; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data2: +@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute * + blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read, + FALSE, info_ptr_end); + info_ptr += bytes_read; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_block1: +@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute * + return NULL; + blk->size = read_1_byte (abfd, info_ptr, info_ptr_end); + info_ptr += 1; +- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); +- info_ptr += blk->size; ++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); + attr->u.blk = blk; + break; + case DW_FORM_data1: +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,14 @@ + 2018-02-28 Nick Clifton <nickc@redhat.com> ++ ++ PR 22895 ++ PR 22893 ++ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block ++ pointer. Drop unused abfd parameter. Check the size of the block ++ before initialising the data field. Return the end pointer if the ++ size is invalid. ++ (read_attribute_value): Adjust invocations of read_n_bytes. ++ ++2018-02-28 Nick Clifton <nickc@redhat.com> + + PR 22894 + * dwarf1.c (parse_die): Check the length of form blocks before diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch new file mode 100644 index 0000000000..14b233e2c1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch @@ -0,0 +1,51 @@ +From 116acb2c268c89c89186673a7c92620d21825b25 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 28 Feb 2018 22:09:50 +1030 +Subject: [PATCH] PR22887, null pointer dereference in + aout_32_swap_std_reloc_out + + PR 22887 + * aoutx.h (swap_std_reloc_in): Correct r_index bound check. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-7642 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/aoutx.h | 6 ++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2018-02-28 Alan Modra <amodra@gmail.com> ++ ++ PR 22887 ++ * aoutx.h (swap_std_reloc_in): Correct r_index bound check. ++ + 2018-02-28 Nick Clifton <nickc@redhat.com> + + PR 22895 +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h ++++ git/bfd/aoutx.h +@@ -2211,10 +2211,12 @@ NAME (aout, swap_ext_reloc_in) (bfd *abf + || r_type == (unsigned int) RELOC_BASE22) + r_extern = 1; + +- if (r_extern && r_index > symcount) ++ if (r_extern && r_index >= symcount) + { + /* We could arrange to return an error, but it might be useful +- to see the file even if it is bad. */ ++ to see the file even if it is bad. FIXME: Of course this ++ means that objdump -r *doesn't* see the actual reloc, and ++ objcopy silently writes a different reloc. */ + r_extern = 0; + r_index = N_ABS; + } |