[ROCKO][PATCH 26/27] binutls: Security fix for CVE-2017-17122

[Armin Kuster <akuster808@gmail.com>]

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-17122.patch         | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c1d5740..577bbf0 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -62,6 +62,7 @@ SRC_URI = "\
      file://CVE-2017-16832.patch \
      file://CVE-2017-17080.patch \
      file://CVE-2017-17121.patch \
+     file://CVE-2017-17122.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
new file mode 100644
index 0000000..5ae749b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
@@ -0,0 +1,58 @@
+From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 29 Nov 2017 12:40:43 +0000
+Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of
+ memory when parsing relocs in a corrupt file.
+
+	PR 22508
+	* objdump.c (dump_relocs_in_section): Also check the section's
+	relocation count to make sure that it is reasonable before
+	attempting to allocate space for the relocs.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE:  CVE-2017-17122
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/objdump.c | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -3381,7 +3381,16 @@ dump_relocs_in_section (bfd *abfd,
+     }
+ 
+   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+-      && (ufile_ptr) relsize > bfd_get_file_size (abfd))
++      && (((ufile_ptr) relsize > bfd_get_file_size (abfd))
++	  /* Also check the section's reloc count since if this is negative
++	     (or very large) the computation in bfd_get_reloc_upper_bound
++	     may have resulted in returning a small, positive integer.
++	     See PR 22508 for a reproducer.
++
++	     Note - we check against file size rather than section size as
++	     it is possible for there to be more relocs that apply to a
++	     section than there are bytes in that section.  */
++	  || (section->reloc_count > bfd_get_file_size (abfd))))
+     {
+       printf (" (too many: 0x%x)\n", section->reloc_count);
+       bfd_set_error (bfd_error_file_truncated);
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-29  Nick Clifton  <nickc@redhat.com>
++
++       PR 22508
++       * objdump.c (dump_relocs_in_section): Also check the section's
++       relocation count to make sure that it is reasonable before
++       attempting to allocate space for the relocs.
++
+ 2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
+ 
+        PR 22384
-- 
2.7.4