Stop potential illegal memory access when disassembling an EFI binary.

Resolves: #1685727

binutils-CVE-2019-9073.patch

@@ -0,0 +1,13 @@
+--- binutils.orig/binutils/objdump.c	2019-02-25 16:12:30.394056901 +0000
++++ binutils-2.31.1/binutils/objdump.c	2019-02-25 16:13:07.224778005 +0000
+@@ -2993,7 +2993,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+-  bfd_print_private_bfd_data (abfd, stdout);
++  if (!bfd_print_private_bfd_data (abfd, stdout))
++    non_fatal (_("warning: private headers incomplete: %s"),
++              bfd_errmsg (bfd_get_error ()));
+ }
+ 
+ static void

binutils-CVE-2019-9074.patch

@@ -0,0 +1,32 @@
+--- binutils.orig/bfd/pei-x86_64.c	2019-02-25 16:12:29.798061414 +0000
++++ binutils-2.31.1/bfd/pei-x86_64.c	2019-02-25 17:09:02.783425236 +0000
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd
+   /* virt_size might be zero for objects.  */
+   if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+     {
+-      stop = (datasize / onaline) * onaline;
++      stop = datasize;
+       virt_size_is_zero = TRUE;
+     }
+   else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd
+ 		 _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ 		 pdata_section->name, (unsigned long) datasize,
+ 		 (unsigned long) stop);
+-	/* Be sure not to read passed datasize.  */
+-	stop = datasize / onaline;
++	/* Be sure not to read past datasize.  */
++	stop = datasize;
+       }
+ 
+   /* Display functions table.  */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd
+ 	      altent += imagebase;
+ 
+ 	      if (altent >= pdata_vma
+-		  && (altent + PDATA_ROW_SIZE <= pdata_vma
+-		      + pei_section_data (abfd, pdata_section)->virt_size))
++		  && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ 		{
+ 		  pex64_get_runtime_function
+ 		    (abfd, &arf, &pdata[altent - pdata_vma]);

binutils-CVE-2019-9075.patch

@@ -0,0 +1,73 @@
+diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c
+--- binutils.orig/bfd/archive64.c	2019-02-26 11:17:11.882530151 +0000
++++ binutils-2.31.1/bfd/archive64.c	2019-02-26 11:19:18.422488805 +0000
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+     return FALSE;
+   carsyms = ardata->symdefs;
+   stringbase = ((char *) ardata->symdefs) + carsym_size;
+-  stringbase[stringsize] = 0;
+-  stringend = stringbase + stringsize;
+ 
+   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+   if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+       goto release_raw_armap;
+     }
+ 
++  stringend = stringbase + stringsize;
++  *stringend = 0;
+   for (i = 0; i < nsymz; i++)
+     {
+       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+       carsyms->name = stringbase;
+-      if (stringbase < stringend)
+-	stringbase += strlen (stringbase) + 1;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       ++carsyms;
+     }
+-  *stringbase = '\0';
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);
+diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c
+--- binutils.orig/bfd/archive.c	2019-02-26 11:17:11.884530134 +0000
++++ binutils-2.31.1/bfd/archive.c	2019-02-26 11:18:33.354859687 +0000
+@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd)
+   int *raw_armap, *rawptr;
+   struct artdata *ardata = bfd_ardata (abfd);
+   char *stringbase;
++  char *stringend;
+   bfd_size_type stringsize;
+   bfd_size_type parsed_size;
+   carsym *carsyms;
+@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd)
+     }
+ 
+   /* OK, build the carsyms.  */
+-  for (i = 0; i < nsymz && stringsize > 0; i++)
++  stringend = stringbase + stringsize;
++  *stringend = 0;
++  for (i = 0; i < nsymz; i++)
+     {
+       bfd_size_type len;
+ 
+       rawptr = raw_armap + i;
+       carsyms->file_offset = swap ((bfd_byte *) rawptr);
+       carsyms->name = stringbase;
+-      /* PR 17512: file: 4a1d50c1.  */
+-      len = strnlen (stringbase, stringsize);
+-      if (len < stringsize)
+-	len ++;
+-      stringbase += len;
+-      stringsize -= len;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       carsyms++;
+     }
+-  *stringbase = 0;
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);

binutils-CVE-2019-9077.patch

@@ -0,0 +1,16 @@
+--- binutils.orig/binutils/readelf.c	2019-02-26 11:17:12.414525772 +0000
++++ binutils-2.31.1/binutils/readelf.c	2019-02-26 12:11:40.642876742 +0000
+@@ -16009,6 +16009,13 @@ process_mips_specific (Filedata * fileda
+ 	  return FALSE;
+ 	}
+ 
++      /* PR 24243  */
++      if (sect->sh_size < sizeof (* eopt))
++	{
++	  error (_("The MIPS options section is too small.\n"));
++	  return FALSE;
++	}
++
+       eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+                                                 sect->sh_size, _("options"));
+       if (eopt)

binutils-disassembling-efi-files.patch

@@ -0,0 +1,39 @@
+diff -rup binutils.orig/bfd/coffgen.c binutils-2.31.1/bfd/coffgen.c
+--- binutils.orig/bfd/coffgen.c	2019-03-06 08:49:19.500586870 +0000
++++ binutils-2.31.1/bfd/coffgen.c	2019-03-06 08:49:45.798394582 +0000
+@@ -2289,7 +2289,7 @@ coff_find_nearest_line_with_names (bfd *
+      information.  So try again, using a bias against the address sought.  */
+   if (coff_data (abfd)->dwarf2_find_line_info != NULL)
+     {
+-      bfd_signed_vma bias;
++      bfd_signed_vma bias = 0;
+ 
+       /* Create a cache of the result for the next call.  */
+       if (sec_data == NULL && section->owner == abfd)
+@@ -2301,10 +2301,11 @@ coff_find_nearest_line_with_names (bfd *
+ 
+       if (sec_data != NULL && sec_data->saved_bias)
+ 	bias = sec_data->saved_bias;
+-      else
++      else if (symbols)
+ 	{
+ 	  bias = _bfd_dwarf2_find_symbol_bias (symbols,
+ 					       & coff_data (abfd)->dwarf2_find_line_info);
++
+ 	  if (sec_data)
+ 	    {
+ 	      sec_data->saved_bias = TRUE;
+Only in binutils-2.31.1/bfd: coffgen.c.orig
+diff -rup binutils.orig/bfd/dwarf2.c binutils-2.31.1/bfd/dwarf2.c
+--- binutils.orig/bfd/dwarf2.c	2019-03-06 08:49:19.498586884 +0000
++++ binutils-2.31.1/bfd/dwarf2.c	2019-03-06 08:49:45.799394575 +0000
+@@ -4463,7 +4463,7 @@ _bfd_dwarf2_find_symbol_bias (asymbol **
+ 
+   stash = (struct dwarf2_debug *) *pinfo;
+ 
+-  if (stash == NULL)
++  if (stash == NULL || symbols == NULL)
+     return 0;
+ 
+   for (unit = stash->all_comp_units; unit; unit = unit->next_unit)
+Only in binutils-2.31.1/bfd: dwarf2.c.orig

binutils-ppc64-local-ifunc-relocs.patch

@@ -0,0 +1,12 @@
+--- binutils.orig/bfd/elf64-ppc.c	2019-02-20 10:58:09.700552616 +0000
++++ binutils-2.31.1/bfd/elf64-ppc.c	2019-02-20 10:59:15.989062349 +0000
+@@ -13530,7 +13530,8 @@ write_plt_relocs_for_local_syms (struct
+ 		}
+ 
+ 	      val = sym->st_value + ent->addend;
+-	      val += PPC64_LOCAL_ENTRY_OFFSET (sym->st_other);
++	      if (ELF_ST_TYPE (sym->st_info) != STT_GNU_IFUNC)
++		val += PPC64_LOCAL_ENTRY_OFFSET (sym->st_other);
+ 	      if (sym_sec != NULL && sym_sec->output_section != NULL)
+ 		val += sym_sec->output_offset + sym_sec->output_section->vma;
+ 

binutils.spec

@@ -75,7 +75,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.31.1
-Release: 23%{?dist}
+Release: 29%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
 
@@ -225,6 +225,30 @@ Patch26: binutils-gas-input-matches-output.patch
 # Lifetime: Fixed in 2.32
 Patch27: binutils-alignment-of-decompressed-sections.patch
 
+# Purpose:  Correct the generation of relocations for local ifuncs on PowerPC64
+# Lifetime: Fixed in 2.32
+Patch28: binutils-ppc64-local-ifunc-relocs.patch
+
+# Purpose:  Improve objdump's handling of corrupt input files.
+# Lifetime: Fixed in 2.33
+Patch29: binutils-CVE-2019-9073.patch
+
+# Purpose:  Stop illegal memory access parsing corrupt PE files.
+# Lifetime: Fixed in 2.33
+Patch30: binutils-CVE-2019-9074.patch
+
+# Purpose:  Stop illegal memory access parsing corrupt archives.
+# Lifetime: Fixed in 2.33
+Patch31: binutils-CVE-2019-9075.patch
+
+# Purpose:  Stop illegal memory access parsing a corrupt MIPS binary.
+# Lifetime: Fixed in 2.33
+Patch32: binutils-CVE-2019-9077.patch
+
+# Purpose:  Stop a seg-fault when disassembling an EFI binary.
+# Lifetime: Fixed in 2.33
+Patch33: binutils-disassembling-efi-files.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -369,6 +393,12 @@ using libelf instead of BFD.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@@ -770,6 +800,24 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Wed Mar 06 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-29
+- Stop potential illegal memory access when disassembling an EFI binary.  (#1685727)
+
+* Tue Feb 26 2019 Nick Clifton  <nickc@redhat.com> - 2.32.1-28
+- Stop potential illegal memory access when parsing a corrupt MIPS binary.  (#1680676)
+
+* Tue Feb 26 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-27
+- Stop potential illegal memory access when parsing corrupt archives.  (#1680670)
+
+* Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-26
+- Stop potential illegal memory access when parsing corrupt PE files.  (#1680682)
+
+* Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-25
+- Improve objdump's handling of corrupt input files.  (#1680663)
+
+* Wed Feb 20 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-24
+- Correct the generation of relocations for PowerPC local ifuncs.  (PR 23937)
+
 * Mon Feb 18 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-23
 - Ensure that decompressed sections have the correct alignment.  (#1678204)