new file mode 100644

@@ -0,0 +1,312 @@

+Author: nickc

+Date: Fri Dec  7 10:33:30 2018

+New Revision: 266886

+

+URL: https://gcc.gnu.org/viewcvs?rev=266886&root=gcc&view=rev

+Log:

+Add a recursion limit to libiberty's demangling code.  The limit is enabled by default, but can be disabled via a new demangling option.

+

+include * demangle.h (DMGL_NO_RECURSE_LIMIT): Define.

+        (DEMANGLE_RECURSION_LIMIT): Define

+

+        PR 87681

+        PR 87675

+        PR 87636

+        PR 87350

+        PR 87335

+libiberty * cp-demangle.h (struct d_info): Add recursion_level field.

+        * cp-demangle.c (d_function_type): Add recursion counter.

+        If the recursion limit is reached and the check is not disabled,

+        then return with a failure result.

+        (cplus_demangle_init_info): Initialise the recursion_level field.

+        (d_demangle_callback): If the recursion limit is enabled, check

+        for a mangled string that is so long that there is not enough

+        stack space for the local arrays.

+        * cplus-dem.c (struct work): Add recursion_level field.

+        (squangle_mop_up): Set the numb and numk fields to zero.

+        (work_stuff_copy_to_from): Handle the case where a btypevec or

+        ktypevec field is NULL.

+        (demangle_nested_args): Add recursion counter.  If

+        the recursion limit is not disabled and reached, return with a

+        failure result.

+

+Modified:

+    trunk/include/ChangeLog

+    trunk/include/demangle.h

+    trunk/libiberty/ChangeLog

+    trunk/libiberty/cp-demangle.c

+    trunk/libiberty/cp-demangle.h

+    trunk/libiberty/cplus-dem.c

+

+diff --git a/include/ChangeLog b/include/ChangeLog

+index 18655f0..2c4a7bd 100644

+--- a/include/ChangeLog

+@@ -1,3 +1,8 @@

++2018-12-07  Nick Clifton  <nickc@redhat.com>

++

++	* demangle.h (DMGL_NO_RECURSE_LIMIT): Define.

++	 (DEMANGLE_RECURSION_LIMIT): Define

++

+ 2018-07-14  Nick Clifton  <nickc@redhat.com>

+ 

+ 	2.31 Release point.

+diff --git a/include/demangle.h b/include/demangle.h

+index b8d57cf..9bb8a19 100644

+--- a/include/demangle.h

+@@ -68,6 +68,17 @@ extern "C" {

+ /* If none of these are set, use 'current_demangling_style' as the default. */

+ #define DMGL_STYLE_MASK (DMGL_AUTO|DMGL_GNU|DMGL_LUCID|DMGL_ARM|DMGL_HP|DMGL_EDG|DMGL_GNU_V3|DMGL_JAVA|DMGL_GNAT|DMGL_DLANG|DMGL_RUST)

+ 

++/* Disable a limit on the depth of recursion in mangled strings.

++   Note if this limit is disabled then stack exhaustion is possible when

++   demangling pathologically complicated strings.  Bug reports about stack

++   exhaustion when the option is enabled will be rejected.  */  

++#define DMGL_NO_RECURSE_LIMIT (1 << 18)	

++

++/* If DMGL_NO_RECURSE_LIMIT is not enabled, then this is the value used as

++   the maximum depth of recursion allowed.  It should be enough for any

++   real-world mangled name.  */

++#define DEMANGLE_RECURSION_LIMIT 1024

++  

+ /* Enumeration of possible demangling styles.

+ 

+    Lucid and ARM styles are still kept logically distinct, even though

+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog

+index c944f9e..e547a48 100644

+--- a/libiberty/ChangeLog

+@@ -1,3 +1,26 @@

++2018-12-07  Nick Clifton  <nickc@redhat.com>

++

++	PR 87681

++	PR 87675

++	PR 87636

++	PR 87350

++	PR 87335

++	* cp-demangle.h (struct d_info): Add recursion_level field.

++	* cp-demangle.c (d_function_type): Add recursion counter.

++	If the recursion limit is reached and the check is not disabled,

++	then return with a failure result.

++	(cplus_demangle_init_info): Initialise the recursion_level field.

++	 (d_demangle_callback): If the recursion limit is enabled, check

++	for a mangled string that is so long that there is not enough

++	stack space for the local arrays.

++	 * cplus-dem.c (struct work): Add recursion_level field.

++	(squangle_mop_up): Set the numb and numk fields to zero.

++	(work_stuff_copy_to_from): Handle the case where a btypevec or

++	ktypevec field is NULL.

++	(demangle_nested_args): Add recursion counter.  If

++	the recursion limit is not disabled and reached, return with a

++	failure result.

++

+ 2018-06-19  Simon Marchi  <simon.marchi@ericsson.com>

+ 

+ 	* configure.ac: Remove AC_PREREQ.

+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c

+index 3f2a097..c374e46 100644

+--- a/libiberty/cp-demangle.c

+@@ -2843,21 +2843,35 @@ d_ref_qualifier (struct d_info *di, struct demangle_component *sub)

+ static struct demangle_component *

+ d_function_type (struct d_info *di)

+ {

+-  struct demangle_component *ret;

++  struct demangle_component *ret = NULL;

+ 

+-  if (! d_check_char (di, 'F'))

+-    return NULL;

+-  if (d_peek_char (di) == 'Y')

++  if ((di->options & DMGL_NO_RECURSE_LIMIT) == 0)

+     {

+-      /* Function has C linkage.  We don't print this information.

+-	 FIXME: We should print it in verbose mode.  */

+-      d_advance (di, 1);

++      if (di->recursion_level > DEMANGLE_RECURSION_LIMIT)

++	/* FIXME: There ought to be a way to report

++	   that the recursion limit has been reached.  */

++	return NULL;

++

++      di->recursion_level ++;

+     }

+-  ret = d_bare_function_type (di, 1);

+-  ret = d_ref_qualifier (di, ret);

+ 

+-  if (! d_check_char (di, 'E'))

+-    return NULL;

++  if (d_check_char (di, 'F'))

++    {

++      if (d_peek_char (di) == 'Y')

++	{

++	  /* Function has C linkage.  We don't print this information.

++	     FIXME: We should print it in verbose mode.  */

++	  d_advance (di, 1);

++	}

++      ret = d_bare_function_type (di, 1);

++      ret = d_ref_qualifier (di, ret);

++      

++      if (! d_check_char (di, 'E'))

++	ret = NULL;

++    }

++

++  if ((di->options & DMGL_NO_RECURSE_LIMIT) == 0)

++    di->recursion_level --;

+   return ret;

+ }

+ 

+@@ -6188,6 +6202,7 @@ cplus_demangle_init_info (const char *mangled, int options, size_t len,

+   di->expansion = 0;

+   di->is_expression = 0;

+   di->is_conversion = 0;

++  di->recursion_level = 0;

+ }

+ 

+ /* Internal implementation for the demangler.  If MANGLED is a g++ v3 ABI

+@@ -6227,6 +6242,20 @@ d_demangle_callback (const char *mangled, int options,

+ 

+   cplus_demangle_init_info (mangled, options, strlen (mangled), &di);

+ 

++  /* PR 87675 - Check for a mangled string that is so long

++     that we do not have enough stack space to demangle it.  */

++  if (((options & DMGL_NO_RECURSE_LIMIT) == 0)

++      /* This check is a bit arbitrary, since what we really want to do is to

++	 compare the sizes of the di.comps and di.subs arrays against the

++	 amount of stack space remaining.  But there is no portable way to do

++	 this, so instead we use the recursion limit as a guide to the maximum

++	 size of the arrays.  */

++      && (unsigned long) di.num_comps > DEMANGLE_RECURSION_LIMIT)

++    {

++      /* FIXME: We need a way to indicate that a stack limit has been reached.  */

++      return 0;

++    }

++

+   {

+ #ifdef CP_DYNAMIC_ARRAYS

+     __extension__ struct demangle_component comps[di.num_comps];

+diff --git a/libiberty/cp-demangle.h b/libiberty/cp-demangle.h

+index 51b8a24..d87a830 100644

+--- a/libiberty/cp-demangle.h

+@@ -122,6 +122,9 @@ struct d_info

+   /* Non-zero if we are parsing the type operand of a conversion

+      operator, but not when in an expression.  */

+   int is_conversion;

++  /* If DMGL_NO_RECURSE_LIMIT is not active then this is set to

++     the current recursion level.  */

++  unsigned int recursion_level;

+ };

+ 

+ /* To avoid running past the ending '\0', don't:

+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c

+index 6d58bd8..8b9646f 100644

+--- a/libiberty/cplus-dem.c

+@@ -146,6 +146,7 @@ struct work_stuff

+   int *proctypevec;     /* Indices of currently processed remembered typevecs.  */

+   int proctypevec_size;

+   int nproctypes;

++  unsigned int recursion_level;

+ };

+ 

+ #define PRINT_ANSI_QUALIFIERS (work -> options & DMGL_ANSI)

+@@ -1292,12 +1293,14 @@ squangle_mop_up (struct work_stuff *work)

+       free ((char *) work -> btypevec);

+       work->btypevec = NULL;

+       work->bsize = 0;

++      work->numb = 0;

+     }

+   if (work -> ktypevec != NULL)

+     {

+       free ((char *) work -> ktypevec);

+       work->ktypevec = NULL;

+       work->ksize = 0;

++      work->numk = 0;

+     }

+ }

+ 

+@@ -1331,8 +1334,15 @@ work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)

+ 

+   for (i = 0; i < from->numk; i++)

+     {

+-      int len = strlen (from->ktypevec[i]) + 1;

++      int len;

++

++      if (from->ktypevec[i] == NULL)

++	{

++	  to->ktypevec[i] = NULL;

++	  continue;

++	}

+ 

++      len = strlen (from->ktypevec[i]) + 1;

+       to->ktypevec[i] = XNEWVEC (char, len);

+       memcpy (to->ktypevec[i], from->ktypevec[i], len);

+     }

+@@ -1342,8 +1352,15 @@ work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)

+ 

+   for (i = 0; i < from->numb; i++)

+     {

+-      int len = strlen (from->btypevec[i]) + 1;

++      int len;

++

++      if (from->btypevec[i] == NULL)

++	{

++	  to->btypevec[i] = NULL;

++	  continue;

++	}

+ 

++      len = strlen (from->btypevec[i]) + 1;

+       to->btypevec[i] = XNEWVEC (char , len);

+       memcpy (to->btypevec[i], from->btypevec[i], len);

+     }

+@@ -1401,6 +1418,7 @@ delete_non_B_K_work_stuff (struct work_stuff *work)

+ 

+       free ((char*) work->tmpl_argvec);

+       work->tmpl_argvec = NULL;

++      work->ntmpl_args = 0;

+     }

+   if (work->previous_argument)

+     {

+@@ -4477,6 +4495,7 @@ remember_Btype (struct work_stuff *work, const char *start,

+ }

+ 

+ /* Lose all the info related to B and K type codes. */

++

+ static void

+ forget_B_and_K_types (struct work_stuff *work)

+ {

+@@ -4502,6 +4521,7 @@ forget_B_and_K_types (struct work_stuff *work)

+ 	}

+     }

+ }

++

+ /* Forget the remembered types, but not the type vector itself.  */

+ 

+ static void

+@@ -4696,6 +4716,16 @@ demangle_nested_args (struct work_stuff *work, const char **mangled,

+   int result;

+   int saved_nrepeats;

+ 

++  if ((work->options & DMGL_NO_RECURSE_LIMIT) == 0)

++    {

++      if (work->recursion_level > DEMANGLE_RECURSION_LIMIT)

++	/* FIXME: There ought to be a way to report

++	   that the recursion limit has been reached.  */

++	return 0;

++

++      work->recursion_level ++;

++    }

++

+   /* The G++ name-mangling algorithm does not remember types on nested

+      argument lists, unless -fsquangling is used, and in that case the

+      type vector updated by remember_type is not used.  So, we turn

+@@ -4722,6 +4752,9 @@ demangle_nested_args (struct work_stuff *work, const char **mangled,

+   --work->forgetting_types;

+   work->nrepeats = saved_nrepeats;

+ 

++  if ((work->options & DMGL_NO_RECURSE_LIMIT) == 0)

++    --work->recursion_level;

++

+   return result;

+ }

+ 

new file mode 100644

@@ -0,0 +1,41 @@

+From ab419ddbb2cdd17ca83618990f2cacf904ce1d61 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Tue, 23 Oct 2018 18:29:24 +1030

+Subject: [PATCH] PR23804, buffer overflow in sec_merge_hash_lookup

+

+        PR 23804

+        * merge.c (_bfd_add_merge_section): Don't attempt to merge

+        sections where size is not a multiple of entsize.

+---

+ bfd/ChangeLog | 6 ++++++

+ bfd/merge.c   | 3 +++

+ 2 files changed, 9 insertions(+)

+

+diff --git a/bfd/ChangeLog b/bfd/ChangeLog

+index f05251a..d584505 100644

+--- a/bfd/ChangeLog

+@@ -1,3 +1,9 @@

++2018-10-23  Alan Modra  <amodra@gmail.com>

++

++	PR 23804

++	* merge.c (_bfd_add_merge_section): Don't attempt to merge

++	sections where size is not a multiple of entsize.

++

+ 2018-07-14  Nick Clifton  <nickc@redhat.com>

+ 

+ 	2.31 Release point.

+diff --git a/bfd/merge.c b/bfd/merge.c

+index 7904552..5e3bba0 100644

+--- a/bfd/merge.c

+@@ -376,6 +376,9 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,

+       || sec->entsize == 0)

+     return TRUE;

+ 

++  if (sec->size % sec->entsize != 0)

++    return TRUE;

++

+   if ((sec->flags & SEC_RELOC) != 0)

+     {

+       /* We aren't prepared to handle relocations in merged sections.  */

new file mode 100644

@@ -0,0 +1,64 @@

+From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Tue, 23 Oct 2018 19:02:06 +1030

+Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings

+

+        PR 23806

+        * merge.c (_bfd_add_merge_section): Don't attempt to merge

+        sections with ridiculously large alignments.

+---

+ bfd/ChangeLog |  6 ++++++

+ bfd/merge.c   | 15 +++++++++++----

+ 2 files changed, 17 insertions(+), 4 deletions(-)

+

+diff --git a/bfd/ChangeLog b/bfd/ChangeLog

+index cc04287..f13882a 100644

+--- a/bfd/ChangeLog

+@@ -1,5 +1,11 @@

+ 2018-10-23  Alan Modra  <amodra@gmail.com>

+ 

++	PR 23806

++	* merge.c (_bfd_add_merge_section): Don't attempt to merge

++	sections with ridiculously large alignments.

++

++2018-10-23  Alan Modra  <amodra@gmail.com>

++

+ 	PR 23805

+ 	* elflink.c (elf_link_input_bfd): Don't segfault on finding

+ 	STT_TLS symbols without any TLS sections.  Instead, change the

+diff --git a/bfd/merge.c b/bfd/merge.c

+index 5e3bba0..7de0c88 100644

+--- a/bfd/merge.c

+@@ -24,6 +24,7 @@

+    as used in ELF SHF_MERGE.  */

+ 

+ #include "sysdep.h"

++#include <limits.h>

+ #include "bfd.h"

+ #include "elf-bfd.h"

+ #include "libbfd.h"

+@@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,

+       return TRUE;

+     }

+ 

+-  align = sec->alignment_power;

+-  if ((sec->entsize < (unsigned) 1 << align

++#ifndef CHAR_BIT

++#define CHAR_BIT 8

++#endif

++  if (sec->alignment_power >= sizeof (align) * CHAR_BIT)

++    return TRUE;

++

++  align = 1u << sec->alignment_power;

++  if ((sec->entsize < align

+        && ((sec->entsize & (sec->entsize - 1))

+ 	   || !(sec->flags & SEC_STRINGS)))

+-      || (sec->entsize > (unsigned) 1 << align

+-	  && (sec->entsize & (((unsigned) 1 << align) - 1))))

++      || (sec->entsize > align

++	  && (sec->entsize & (align - 1))))

+     {

+       /* Sanity check.  If string character size is smaller than

+ 	 alignment, then we require character size to be a power

new file mode 100644

@@ -0,0 +1,74 @@

+From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Tue, 23 Oct 2018 18:30:22 +1030

+Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd

+

+	PR 23805

+	* elflink.c (elf_link_input_bfd): Don't segfault on finding

+	STT_TLS symbols without any TLS sections.  Instead, change the

+	symbol type to STT_NOTYPE.

+---

+ bfd/ChangeLog |  7 +++++++

+ bfd/elflink.c | 20 ++++++++++++++------

+ 2 files changed, 21 insertions(+), 6 deletions(-)

+

+diff --git a/bfd/ChangeLog b/bfd/ChangeLog

+index da423b1..1f3fc1c 100644

+--- a/bfd/ChangeLog

+@@ -1,5 +1,12 @@

+ 2018-10-23  Alan Modra  <amodra@gmail.com>

+ 

++	PR 23805

++	* elflink.c (elf_link_input_bfd): Don't segfault on finding

++	STT_TLS symbols without any TLS sections.  Instead, change the

++	symbol type to STT_NOTYPE.

++

++2018-10-23  Alan Modra  <amodra@gmail.com>

++

+ 	PR 23804

+ 	* merge.c (_bfd_add_merge_section): Don't attempt to merge

+ 	sections where size is not a multiple of entsize.

+diff --git a/bfd/elflink.c b/bfd/elflink.c

+index c3876cb..87440db 100644

+--- a/bfd/elflink.c

+@@ -10489,8 +10489,11 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)

+ 	  if (ELF_ST_TYPE (osym.st_info) == STT_TLS)

+ 	    {

+ 	      /* STT_TLS symbols are relative to PT_TLS segment base.  */

+-	      BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL);

+-	      osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;

++	      if (elf_hash_table (flinfo->info)->tls_sec != NULL)

++		osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;

++	      else

++		osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info),

++					    STT_NOTYPE);

+ 	    }

+ 	}

+ 

+@@ -11046,12 +11049,17 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)

+ 			      sym.st_value += osec->vma;

+ 			      if (ELF_ST_TYPE (sym.st_info) == STT_TLS)

+ 				{

++				  struct elf_link_hash_table *htab

++				    = elf_hash_table (flinfo->info);

++

+ 				  /* STT_TLS symbols are relative to PT_TLS

+ 				     segment base.  */

+-				  BFD_ASSERT (elf_hash_table (flinfo->info)

+-					      ->tls_sec != NULL);

+-				  sym.st_value -= (elf_hash_table (flinfo->info)

+-						   ->tls_sec->vma);

++				  if (htab->tls_sec != NULL)

++				    sym.st_value -= htab->tls_sec->vma;

++				  else

++				    sym.st_info

++				      = ELF_ST_INFO (ELF_ST_BIND (sym.st_info),

++						     STT_NOTYPE);

+ 				}

+ 			    }

+ 

+-- 

+2.9.3

+

@@ -1,7 +1,7 @@

 Summary:        Contains a linker, an assembler, and other tools

 Name:           binutils

 Version:        2.31

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2+

 URL:            http://www.gnu.org/software/binutils

 Group:          System Environment/Base

@@ -9,6 +9,10 @@ Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz

 %define sha1    binutils=e1a564cd356d2126d2e9a59e8587757634e731aa

+Patch0:         binutils-CVE-2018-17794-18700-18701-18484.patch

+Patch1:         binutils-CVE-2018-18605.patch

+Patch2:         binutils-CVE-2018-18607.patch

+Patch3:         binutils-CVE-2018-18606.patch

 %description

 The Binutils package contains a linker, an assembler,

@@ -23,6 +27,10 @@ for handling compiled objects.

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

+%patch2 -p1

+%patch3 -p1

 %build

 install -vdm 755 ../binutils-build

@@ -111,6 +119,9 @@ make %{?_smp_mflags} check

 %{_libdir}/libopcodes.so

 %changelog

+*   Wed Jan 02 2019 Ankit Jain <ankitja@vmware.com> 2.31-2

+-   Fixes for CVE-2018-17794, CVE-2018-18700, CVE-2018-18701

+-   CVE-2018-18484, CVE-2018-18605, CVE-2018-18606, CVE-2018-18607

 *   Fri Jul 27 2018 Keerthana K <keerthanak@vmware.com> 2.31-1

 -   Update to Version 2.31.

 *   Mon Jun 25 2018 Keerthana K <keerthanak@vmware.com> 2.30-5