[pyro][PATCH 19/26] Binutils: Security fix for CVE-2017-9750

[Armin Kuster <akuster808@gmail.com>]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-9750.patch          | 247 +++++++++++++++++++++
 2 files changed, 248 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index b88e154..c63a2e5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
      file://CVE-2017-9747.patch \
      file://CVE-2017-9748.patch \
      file://CVE-2017-9749.patch \
+     file://CVE-2017-9750.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch
new file mode 100644
index 0000000..fe8fa69
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch
@@ -0,0 +1,247 @@
+From db5fa770268baf8cc82cf9b141d69799fd485fe2 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 13:35:06 +0100
+Subject: [PATCH] Fix address violation problems when disassembling a corrupt
+ RX binary.
+
+	PR binutils/21587
+	* rx-decode.opc: Include libiberty.h
+	(GET_SCALE): New macro - validates access to SCALE array.
+	(GET_PSCALE): New macro - validates access to PSCALE array.
+	(DIs, SIs, S2Is, rx_disp): Use new macros.
+	* rx-decode.c: Regenerate.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9750
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog     |  9 +++++++++
+ opcodes/rx-decode.c   | 24 ++++++++++++++----------
+ opcodes/rx-decode.opc | 24 ++++++++++++++----------
+ 3 files changed, 37 insertions(+), 20 deletions(-)
+
+Index: git/opcodes/rx-decode.c
+===================================================================
+--- git.orig/opcodes/rx-decode.c
++++ git/opcodes/rx-decode.c
+@@ -27,6 +27,7 @@
+ #include <string.h>
+ #include "ansidecl.h"
+ #include "opcode/rx.h"
++#include "libiberty.h"
+ 
+ #define RX_OPCODE_BIG_ENDIAN 0
+ 
+@@ -45,7 +46,7 @@ static int trace = 0;
+ #define LSIZE 2
+ 
+ /* These are for when the upper bits are "don't care" or "undefined".  */
+-static int bwl[] =
++static int bwl[4] =
+ {
+   RX_Byte,
+   RX_Word,
+@@ -53,7 +54,7 @@ static int bwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int sbwl[] =
++static int sbwl[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -61,7 +62,7 @@ static int sbwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int ubw[] =
++static int ubw[4] =
+ {
+   RX_UByte,
+   RX_UWord,
+@@ -69,7 +70,7 @@ static int ubw[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int memex[] =
++static int memex[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -89,6 +90,9 @@ static int SCALE[] = { 1, 2, 4, 0 };
+ /* This is for the prefix size enum.  */
+ static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+ 
++#define GET_SCALE(_indx)  ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+ static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+ 		       16, 17, 0, 0, 0, 0, 0, 0 };
+ 
+@@ -107,7 +111,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define DC(c)       OP (0, RX_Operand_Immediate, 0, c)
+ #define DR(r)       OP (0, RX_Operand_Register,  r, 0)
+ #define DI(r,a)     OP (0, RX_Operand_Indirect,  r, a)
+-#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define DD(t,r,s)   rx_disp (0, t, r, bwl[s], ld);
+ #define DF(r)       OP (0, RX_Operand_Flag,  flagmap[r], 0)
+ 
+@@ -115,7 +119,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define SR(r)       OP (1, RX_Operand_Register,  r, 0)
+ #define SRR(r)      OP (1, RX_Operand_TwoReg,  r, 0)
+ #define SI(r,a)     OP (1, RX_Operand_Indirect,  r, a)
+-#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define SD(t,r,s)   rx_disp (1, t, r, bwl[s], ld);
+ #define SP(t,r)     rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+ #define SPm(t,r,m)  rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -124,7 +128,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define S2C(i)      OP (2, RX_Operand_Immediate, 0, i)
+ #define S2R(r)      OP (2, RX_Operand_Register,  r, 0)
+ #define S2I(r,a)    OP (2, RX_Operand_Indirect,  r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define S2D(t,r,s)  rx_disp (2, t, r, bwl[s], ld);
+ #define S2P(t,r)    rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+ #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -211,7 +215,7 @@ immediate (int sfield, int ex, LocalData
+ }
+ 
+ static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+ {
+   int disp;
+ 
+@@ -228,7 +232,7 @@ rx_disp (int n, int type, int reg, int s
+     case 1:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+       disp = GETBYTE ();
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     case 2:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -238,7 +242,7 @@ rx_disp (int n, int type, int reg, int s
+ #else
+       disp = disp + GETBYTE () * 256;
+ #endif
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     default:
+       abort ();
+Index: git/opcodes/rx-decode.opc
+===================================================================
+--- git.orig/opcodes/rx-decode.opc
++++ git/opcodes/rx-decode.opc
+@@ -26,6 +26,7 @@
+ #include <string.h>
+ #include "ansidecl.h"
+ #include "opcode/rx.h"
++#include "libiberty.h"
+ 
+ #define RX_OPCODE_BIG_ENDIAN 0
+ 
+@@ -44,7 +45,7 @@ static int trace = 0;
+ #define LSIZE 2
+ 
+ /* These are for when the upper bits are "don't care" or "undefined".  */
+-static int bwl[] =
++static int bwl[4] =
+ {
+   RX_Byte,
+   RX_Word,
+@@ -52,7 +53,7 @@ static int bwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int sbwl[] =
++static int sbwl[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -60,7 +61,7 @@ static int sbwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int ubw[] =
++static int ubw[4] =
+ {
+   RX_UByte,
+   RX_UWord,
+@@ -68,7 +69,7 @@ static int ubw[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int memex[] =
++static int memex[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -88,6 +89,9 @@ static int SCALE[] = { 1, 2, 4, 0 };
+ /* This is for the prefix size enum.  */
+ static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+ 
++#define GET_SCALE(_indx)  ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+ static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+ 		       16, 17, 0, 0, 0, 0, 0, 0 };
+ 
+@@ -106,7 +110,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define DC(c)       OP (0, RX_Operand_Immediate, 0, c)
+ #define DR(r)       OP (0, RX_Operand_Register,  r, 0)
+ #define DI(r,a)     OP (0, RX_Operand_Indirect,  r, a)
+-#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define DD(t,r,s)   rx_disp (0, t, r, bwl[s], ld);
+ #define DF(r)       OP (0, RX_Operand_Flag,  flagmap[r], 0)
+ 
+@@ -114,7 +118,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define SR(r)       OP (1, RX_Operand_Register,  r, 0)
+ #define SRR(r)      OP (1, RX_Operand_TwoReg,  r, 0)
+ #define SI(r,a)     OP (1, RX_Operand_Indirect,  r, a)
+-#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define SD(t,r,s)   rx_disp (1, t, r, bwl[s], ld);
+ #define SP(t,r)     rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+ #define SPm(t,r,m)  rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -123,7 +127,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define S2C(i)      OP (2, RX_Operand_Immediate, 0, i)
+ #define S2R(r)      OP (2, RX_Operand_Register,  r, 0)
+ #define S2I(r,a)    OP (2, RX_Operand_Indirect,  r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define S2D(t,r,s)  rx_disp (2, t, r, bwl[s], ld);
+ #define S2P(t,r)    rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+ #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -210,7 +214,7 @@ immediate (int sfield, int ex, LocalData
+ }
+ 
+ static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+ {
+   int disp;
+ 
+@@ -227,7 +231,7 @@ rx_disp (int n, int type, int reg, int s
+     case 1:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+       disp = GETBYTE ();
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     case 2:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -237,7 +241,7 @@ rx_disp (int n, int type, int reg, int s
+ #else
+       disp = disp + GETBYTE () * 256;
+ #endif
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     default:
+       abort ();
-- 
2.7.4