new file mode 100644

@@ -0,0 +1,30 @@

+From a67d66eb97e7613a38ffe6622d837303b3ecd31d Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Wed, 1 Nov 2017 15:21:46 +0000

+Subject: [PATCH] Prevent illegal memory accesses when attempting to read

+ excessively large COFF line number tables.

+

+	PR 22376

+	* coffcode.h (coff_slurp_line_table): Check for an excessively

+	large line number count.

+diff --git a/bfd/coffcode.h b/bfd/coffcode.h

+index 21308de..6da0afa 100644

+--- a/bfd/coffcode.h

+@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asection *asect)

+ 

+   BFD_ASSERT (asect->lineno == NULL);

+ 

++  if (asect->lineno_count > asect->size)

++    {

++      _bfd_error_handler

++	(_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"),

++	 abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size);

++      return FALSE;

++    }

++

+   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);

+   lineno_cache = (alent *) bfd_alloc (abfd, amt);

+   if (lineno_cache == NULL)

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,73 @@

+From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Tue, 17 Oct 2017 16:43:47 +1030

+Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()

+

+	PR 22306

+	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,

+	and error for any other size that doesn't cover the header word.

+diff --git a/bfd/aoutx.h b/bfd/aoutx.h

+index 3d38fda..d096ed5 100644

+--- a/bfd/aoutx.h

+@@ -1351,27 +1351,42 @@ aout_get_external_symbols (bfd *abfd)

+ 	  || bfd_bread ((void *) string_chars, amt, abfd) != amt)

+ 	return FALSE;

+       stringsize = GET_WORD (abfd, string_chars);

++      if (stringsize == 0)

++	stringsize = 1;

++      else if (stringsize < BYTES_IN_WORD

++	       || (size_t) stringsize != stringsize)

++	{

++	  bfd_set_error (bfd_error_bad_value);

++	  return FALSE;

++	}

+ 

+ #ifdef USE_MMAP

+-      if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,

+-				 &obj_aout_string_window (abfd), TRUE))

+-	return FALSE;

+-      strings = (char *) obj_aout_string_window (abfd).data;

+-#else

+-      strings = (char *) bfd_malloc (stringsize + 1);

+-      if (strings == NULL)

+-	return FALSE;

+-

+-      /* Skip space for the string count in the buffer for convenience

+-	 when using indexes.  */

+-      amt = stringsize - BYTES_IN_WORD;

+-      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)

++      if (stringsize >= BYTES_IN_WORD)

+ 	{

+-	  free (strings);

+-	  return FALSE;

++	  if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,

++				     &obj_aout_string_window (abfd), TRUE))

++	    return FALSE;

++	  strings = (char *) obj_aout_string_window (abfd).data;

+ 	}

++      else

+ #endif

++	{

++	  strings = (char *) bfd_malloc (stringsize);

++	  if (strings == NULL)

++	    return FALSE;

+ 

++	  if (stringsize >= BYTES_IN_WORD)

++	    {

++	      /* Keep the string count in the buffer for convenience

++		 when indexing with e_strx.  */

++	      amt = stringsize - BYTES_IN_WORD;

++	      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)

++		{

++		  free (strings);

++		  return FALSE;

++		}

++	    }

++	}

+       /* Ensure that a zero index yields an empty string.  */

+       strings[0] = '\0';

+ 

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,182 @@

+diff -rup binutils-2.29.1/binutils/dwarf.c binutils-2.29.1-new/binutils/dwarf.c

+--- binutils-2.29.1/binutils/dwarf.c	2017-09-14 02:30:59.000000000 -0700

+@@ -6225,7 +6225,7 @@ typedef struct Frame_Chunk

+   int data_factor;

+   dwarf_vma pc_begin;

+   dwarf_vma pc_range;

+-  int cfa_reg;

++  unsigned int cfa_reg;

+   dwarf_vma cfa_offset;

+   unsigned int ra;

+   unsigned char fde_encoding;

+@@ -6568,13 +6568,13 @@ frame_display_row (Frame_Chunk *fc, int

+ static unsigned char *

+ read_cie (unsigned char *start, unsigned char *end,

+ 	  Frame_Chunk **p_cie, int *p_version,

+-	  unsigned long *p_aug_len, unsigned char **p_aug)

++	  bfd_size_type *p_aug_len, unsigned char **p_aug)

+ {

+   int version;

+   Frame_Chunk *fc;

+   unsigned int length_return;

+   unsigned char *augmentation_data = NULL;

+-  unsigned long augmentation_data_len = 0;

++  bfd_size_type augmentation_data_len = 0;

+ 

+   * p_cie = NULL;

+   /* PR 17512: file: 001-228113-0.004.  */

+@@ -6643,14 +6643,15 @@ read_cie (unsigned char *start, unsigned

+     {

+       READ_ULEB (augmentation_data_len);

+       augmentation_data = start;

+-      start += augmentation_data_len;

+       /* PR 17512: file: 11042-2589-0.004.  */

+-      if (start > end)

++      if (augmentation_data_len > (bfd_size_type) (end - start))

+ 	{

+-	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),

+-		augmentation_data_len, (long)((end - start) + augmentation_data_len));

++	  warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),

++		dwarf_vmatoa ("x", augmentation_data_len),

++		(unsigned long) (end - start));

+ 	  return end;

+ 	}

++      start += augmentation_data_len;

+     }

+ 

+   if (augmentation_data_len)

+@@ -6663,14 +6664,7 @@ read_cie (unsigned char *start, unsigned

+       q = augmentation_data;

+       qend = q + augmentation_data_len;

+ 

+-      /* PR 17531: file: 015adfaa.  */

+-      if (qend < q)

+-	{

+-	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);

+-	  augmentation_data_len = 0;

+-	}

+-

+-      while (p < end && q < augmentation_data + augmentation_data_len)

++      while (p < end && q < qend)

+ 	{

+ 	  if (*p == 'L')

+ 	    q++;

+@@ -6699,6 +6693,31 @@ read_cie (unsigned char *start, unsigned

+   return start;

+ }

+ 

++/* Prints out the contents on the augmentation data array.

++   If do_wide is not enabled, then formats the output to fit into 80 columns.  */

++

++static void

++display_augmentation_data (const unsigned char * data, const bfd_size_type len)

++{

++  bfd_size_type i;

++

++  i = printf (_("  Augmentation data:    "));

++

++  if (do_wide || len < ((80 - i) / 3))

++    for (i = 0; i < len; ++i)

++      printf (" %02x", data[i]);

++  else

++    {

++      for (i = 0; i < len; ++i)

++	{

++	  if (i % (80 / 3) == 0)

++	    putchar ('\n');

++	  printf (" %02x", data[i]);

++	}

++    }

++  putchar ('\n');

++}

++

+ static int

+ display_debug_frames (struct dwarf_section *section,

+ 		      void *file ATTRIBUTE_UNUSED)

+@@ -6727,7 +6746,7 @@ display_debug_frames (struct dwarf_secti

+       Frame_Chunk *cie;

+       int need_col_headers = 1;

+       unsigned char *augmentation_data = NULL;

+-      unsigned long augmentation_data_len = 0;

++      bfd_size_type augmentation_data_len = 0;

+       unsigned int encoded_ptr_size = saved_eh_addr_size;

+       unsigned int offset_size;

+       unsigned int initial_length_size;

+@@ -6821,16 +6840,8 @@ display_debug_frames (struct dwarf_secti

+ 	      printf ("  Return address column: %d\n", fc->ra);

+ 

+ 	      if (augmentation_data_len)

+-		{

+-		  unsigned long i;

++		display_augmentation_data (augmentation_data, augmentation_data_len);

+ 

+-		  printf ("  Augmentation data:    ");

+-		  for (i = 0; i < augmentation_data_len; ++i)

+-		    /* FIXME: If do_wide is FALSE, then we should

+-		       add carriage returns at 80 columns...  */

+-		    printf (" %02x", augmentation_data[i]);

+-		  putchar ('\n');

+-		}

+ 	      putchar ('\n');

+ 	    }

+ 	}

+@@ -6986,11 +6997,13 @@ display_debug_frames (struct dwarf_secti

+ 	      READ_ULEB (augmentation_data_len);

+ 	      augmentation_data = start;

+ 	      start += augmentation_data_len;

+-	      /* PR 17512: file: 722-8446-0.004.  */

+-	      if (start >= end || ((signed long) augmentation_data_len) < 0)

++	      /* PR 17512 file: 722-8446-0.004 and PR 22386.  */

++	      if (start >= end

++		  || ((bfd_signed_vma) augmentation_data_len) < 0

++		  || augmentation_data > start)

+ 		{

+-		  warn (_("Corrupt augmentation data length: %lx\n"),

+-			augmentation_data_len);

++		  warn (_("Corrupt augmentation data length: 0x%s\n"),

++			dwarf_vmatoa ("x", augmentation_data_len));

+ 		  start = end;

+ 		  augmentation_data = NULL;

+ 		  augmentation_data_len = 0;

+@@ -7012,12 +7025,7 @@ display_debug_frames (struct dwarf_secti

+ 

+ 	  if (! do_debug_frames_interp && augmentation_data_len)

+ 	    {

+-	      unsigned long i;

+-

+-	      printf ("  Augmentation data:    ");

+-	      for (i = 0; i < augmentation_data_len; ++i)

+-		printf (" %02x", augmentation_data[i]);

+-	      putchar ('\n');

++	      display_augmentation_data (augmentation_data, augmentation_data_len);

+ 	      putchar ('\n');

+ 	    }

+ 	}

+@@ -7449,7 +7457,7 @@ display_debug_frames (struct dwarf_secti

+ 	      break;

+ 

+ 	    case DW_CFA_def_cfa:

+-	      READ_SLEB (fc->cfa_reg);

++	      READ_ULEB (fc->cfa_reg);

+ 	      READ_ULEB (fc->cfa_offset);

+ 	      fc->cfa_exp = 0;

+ 	      if (! do_debug_frames_interp)

+@@ -7458,7 +7466,7 @@ display_debug_frames (struct dwarf_secti

+ 	      break;

+ 

+ 	    case DW_CFA_def_cfa_register:

+-	      READ_SLEB (fc->cfa_reg);

++	      READ_ULEB (fc->cfa_reg);

+ 	      fc->cfa_exp = 0;

+ 	      if (! do_debug_frames_interp)

+ 		printf ("  DW_CFA_def_cfa_register: %s\n",

+@@ -7577,7 +7585,7 @@ display_debug_frames (struct dwarf_secti

+ 	      break;

+ 

+ 	    case DW_CFA_def_cfa_sf:

+-	      READ_SLEB (fc->cfa_reg);

++	      READ_ULEB (fc->cfa_reg);

+ 	      READ_ULEB (fc->cfa_offset);

+ 	      fc->cfa_offset = fc->cfa_offset * fc->data_factor;

+ 	      fc->cfa_exp = 0;

new file mode 100644

@@ -0,0 +1,59 @@

+From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Tue, 17 Oct 2017 21:57:29 +1030

+Subject: [PATCH] PR22307, Heap out of bounds read in

+ _bfd_elf_parse_gnu_properties

+

+When adding an unbounded increment to a pointer, you can't just check

+against the end of the buffer but also must check that overflow

+doesn't result in "negative" pointer movement.  Pointer comparisons

+are signed.  Better, check the increment against the space left using

+an unsigned comparison.

+

+	PR 22307

+	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz

+	against size left rather than comparing pointers.  Reorganise loop.

+diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c

+index f367aa6..bfb106e 100644

+--- a/bfd/elf-properties.c

+@@ -93,15 +93,20 @@ bad_size:

+       return FALSE;

+     }

+ 

+-  while (1)

++  while (ptr != ptr_end)

+     {

+-      unsigned int type = bfd_h_get_32 (abfd, ptr);

+-      unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);

++      unsigned int type;

++      unsigned int datasz;

+       elf_property *prop;

+ 

++      if ((size_t) (ptr_end - ptr) < 8)

++	goto bad_size;

++

++      type = bfd_h_get_32 (abfd, ptr);

++      datasz = bfd_h_get_32 (abfd, ptr + 4);

+       ptr += 8;

+ 

+-      if ((ptr + datasz) > ptr_end)

++      if (datasz > (size_t) (ptr_end - ptr))

+ 	{

+ 	  _bfd_error_handler

+ 	    (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),

+@@ -183,11 +188,6 @@ bad_size:

+ 

+ next:

+       ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);

+-      if (ptr == ptr_end)

+-	break;

+-

+-      if (ptr > (ptr_end - 8))

+-	goto bad_size;

+     }

+ 

+   return TRUE;

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,69 @@

+From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001

+From: Mingi Cho <mgcho.minic@gmail.com>

+Date: Thu, 2 Nov 2017 17:01:08 +0000

+Subject: [PATCH] Work around integer overflows when readelf is checking for

+ corrupt ELF notes when run on a 32-bit host.

+

+	PR 22384

+	* readelf.c (print_gnu_property_note): Improve overflow checks so

+	that they will work on a 32-bit host.

+diff --git a/binutils/readelf.c b/binutils/readelf.c

+index 9af5d42..cfd37eb 100644

+--- a/binutils/readelf.c

+@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)

+       return;

+     }

+ 

+-  while (1)

++  while (ptr < ptr_end)

+     {

+       unsigned int j;

+-      unsigned int type = byte_get (ptr, 4);

+-      unsigned int datasz = byte_get (ptr + 4, 4);

++      unsigned int type;

++      unsigned int datasz;

++

++      if ((size_t) (ptr_end - ptr) < 8)

++	{

++	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);

++	  break;

++	}

++

++      type = byte_get (ptr, 4);

++      datasz = byte_get (ptr + 4, 4);

+ 

+       ptr += 8;

+ 

+-      if ((ptr + datasz) > ptr_end)

++      if (datasz > (size_t) (ptr_end - ptr))

+ 	{

+ 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),

+ 		  type, datasz);

+@@ -16608,19 +16617,11 @@ next:

+       ptr += ((datasz + (size - 1)) & ~ (size - 1));

+       if (ptr == ptr_end)

+ 	break;

+-      else

+-	{

+-	  if (do_wide)

+-	    printf (", ");

+-	  else

+-	    printf ("\n\t");

+-	}

+ 

+-      if (ptr > (ptr_end - 8))

+-	{

+-	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);

+-	  break;

+-	}

++      if (do_wide)

++	printf (", ");

++      else

++	printf ("\n\t");

+     }

+ 

+   printf ("\n");

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,39 @@

+diff -rup binutils-2.29.1/bfd/coffgen.c binutils-2.29.1-new/bfd/coffgen.c

+--- binutils-2.29.1/bfd/coffgen.c	2017-07-10 02:54:41.000000000 -0700

+@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf

+   size = obj_raw_syment_count (abfd) * symesz;

+   if (size == 0)

+     return TRUE;

++  /* Check for integer overflow and for unreasonable symbol counts.  */

++  if (size < obj_raw_syment_count (abfd)

++      || (bfd_get_file_size (abfd) > 0

++	  && size > bfd_get_file_size (abfd)))

++    

++    {

++      _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"),

++			  abfd, obj_raw_syment_count (abfd));

++      return FALSE;

++    }

+ 

+   syms = bfd_malloc (size);

+   if (syms == NULL)

+     {

+       /* PR 21013: Provide an error message when the alloc fails.  */

+-      _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"),

+-			  abfd, size);

++      _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"),

++			  abfd, obj_raw_syment_count (abfd), symesz);

+       return FALSE;

+     }

+ 

+@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd)

+     return NULL;

+ 

+   size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);

++  /* Check for integer overflow.  */

++  if (size < obj_raw_syment_count (abfd))

++    return NULL;

+   internal = (combined_entry_type *) bfd_zalloc (abfd, size);

+   if (internal == NULL && size != 0)

+     return NULL;

new file mode 100644

@@ -0,0 +1,39 @@

+From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 31 Oct 2017 14:29:40 +0000

+Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary

+ with a corrupt data dictionary.

+

+	PR 22373

+	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data

+	offset values.

+diff --git a/bfd/peicode.h b/bfd/peicode.h

+index 2dffb12..f3b759c 100644

+--- a/bfd/peicode.h

+@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)

+   bfd_byte *data = 0;

+   bfd_size_type dataoff;

+   unsigned int i;

+-

+   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;

+   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;

+ 

+@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)

+ 

+   dataoff = addr - section->vma;

+ 

+-  /* PR 20605: Make sure that the data is really there.  */

+-  if (dataoff + size > section->size)

++  /* PR 20605 and 22373: Make sure that the data is really there.

++     Note - since we are dealing with unsigned quantities we have

++     to be careful to check for potential overflows.  */

++  if (dataoff > section->size

++      || size > section->size

++      || dataoff + size > section->size)

+     {

+       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),

+ 			  abfd);

+-- 

+2.9.3

+

@@ -1,7 +1,7 @@

 Summary:	Contains a linker, an assembler, and other tools

 Name:		binutils

 Version:	2.29.1

-Release:	3%{?dist}

+Release:	4%{?dist}

 License:	GPLv2+

 URL:		http://www.gnu.org/software/binutils

 Group:		System Environment/Base

@@ -11,6 +11,14 @@ Source0:	http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz

 %define sha1 binutils=172244a349d07ec205c39c0321cbc354c125e78e

 Patch0:         binutils-2.29.1-CVE-2017-14729.patch

 Patch1:         binutils-2.29.1-CVE-2017-15020.patch

+Patch2:         binutils-2.29.1-CVE-2017-16826.patch

+Patch3:         binutils-2.29.1-CVE-2017-16827.patch

+Patch4:         binutils-2.29.1-CVE-2017-16828.patch

+Patch5:         binutils-2.29.1-CVE-2017-16829.patch

+Patch6:         binutils-2.29.1-CVE-2017-16830.patch

+Patch7:         binutils-2.29.1-CVE-2017-16831.patch

+Patch8:         binutils-2.29.1-CVE-2017-16832.patch

+

 %description

 The Binutils package contains a linker, an assembler,

 and other tools for handling object files.

@@ -24,6 +32,14 @@ for handling compiled objects.

 %setup -q

 %patch0 -p1

 %patch1 -p1

+%patch2 -p1

+%patch3 -p1

+%patch4 -p1

+%patch5 -p1

+%patch6 -p1

+%patch7 -p1

+%patch8 -p1

+

 %build

 install -vdm 755 ../binutils-build

 cd ../binutils-build

@@ -110,6 +126,9 @@ make %{?_smp_mflags} check

 %{_libdir}/libopcodes.so

 %changelog

+*   Mon Dec 4 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-4

+-   Fix CVEs CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829,

+-   CVE-2017-16830, CVE-2017-16831, CVE-2017-16832

 *   Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.29.1-3

 -   Aarch64 support

 -   Parallel build