Squashed 'import-layers/yocto-poky/' changes from dc8508f6099..67491b0c104
Yocto 2.2.2 (Morty)
Change-Id: Id9a452e28940d9f166957de243d9cb1d8818704e
git-subtree-dir: import-layers/yocto-poky
git-subtree-split: 67491b0c104101bb9f366d697edd23c895be4302
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc
index af1420b..0936d97 100644
--- a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -36,6 +36,15 @@
file://0014-libtool-remove-rpath.patch \
file://0015-binutils-mips-gas-pic-relax-linkonce.diff \
file://0015-Refine-.cfi_sections-check-to-only-consider-compact-.patch \
+ file://0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch \
+ file://0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch \
+ file://0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch \
+ file://CVE-2017-6965.patch \
+ file://CVE-2017-6966.patch \
+ file://CVE-2017-6969.patch \
+ file://CVE-2017-6969_2.patch \
+ file://CVE-2017-7209.patch \
+ file://CVE-2017-7210.patch \
"
S = "${WORKDIR}/git"
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch
new file mode 100644
index 0000000..d82a0b6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0001-ppc-apuinfo-for-spe-parsed-incorrectly.patch
@@ -0,0 +1,37 @@
+From 8941017bc0226b60ce306d5271df15820ce66a53 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 30 Aug 2016 20:57:32 +0930
+Subject: [PATCH] ppc apuinfo for spe parsed incorrectly
+Organization: O.S. Systems Software LTDA.
+
+apuinfo saying SPE resulted in mach = bfd_mach_ppc_vle due to a
+missing break.
+
+ PR 20531
+ * elf32-ppc.c (_bfd_elf_ppc_set_arch): Add missing "break".
+
+
+Backport from :
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=8941017b
+
+Upstream-Status: Backport
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
+---
+ bfd/elf32-ppc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
+index 95ce1dc..e42ef1c 100644
+--- a/bfd/elf32-ppc.c
++++ b/bfd/elf32-ppc.c
+@@ -2246,6 +2246,7 @@ _bfd_elf_ppc_set_arch (bfd *abfd)
+ case PPC_APUINFO_BRLOCK:
+ if (mach != bfd_mach_ppc_vle)
+ mach = bfd_mach_ppc_e500;
++ break;
+
+ case PPC_APUINFO_VLE:
+ mach = bfd_mach_ppc_vle;
+--
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch
new file mode 100644
index 0000000..33bf1e8
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0016-Fix-seg-fault-in-ARM-linker-when-trying-to-parse-a-b.patch
@@ -0,0 +1,31 @@
+From 72b09de92cc597c53b1d762882b67a17fe56846c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 23 Aug 2016 09:45:11 +0100
+Subject: [PATCH 16/16] Fix seg-fault in ARM linker when trying to parse a
+ binary file.
+
+ * elf32-arm.c (elf32_arm_count_additional_relocs): Return zero if
+ there is no arm data associated with the section.
+---
+Upstream-Status: Backport
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+ bfd/elf32-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c
+index 700bec3..3fab609 100644
+--- a/bfd/elf32-arm.c
++++ b/bfd/elf32-arm.c
+@@ -18207,7 +18207,7 @@ elf32_arm_count_additional_relocs (asection *sec)
+ {
+ struct _arm_elf_section_data *arm_data;
+ arm_data = get_arm_elf_section_data (sec);
+- return arm_data->additional_reloc_count;
++ return arm_data == NULL ? 0 : arm_data->additional_reloc_count;
+ }
+
+ /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
+--
+2.10.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch
new file mode 100644
index 0000000..f8b46be
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/0017-Fix-the-generation-of-alignment-frags-in-code-sectio.patch
@@ -0,0 +1,139 @@
+From 4a4286465b5d6c28968bc2b29ae08daca7f219a3 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 18 Nov 2016 11:42:48 -0800
+Subject: [PATCH] Fix the generation of alignment frags in code sections for AArch64.
+
+PR gas/20364
+* config/tc-aarch64.c (s_ltorg): Change the mapping state after
+aligning the frag.
+(aarch64_init): Treat rs_align frags in code sections as
+containing code, not data.
+* testsuite/gas/aarch64/pr20364.s: New test.
+* testsuite/gas/aarch64/pr20364.d: New test driver.
+
+Backporting the patch from binutils mainline
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7ea12e5c3ad54da440c08f32da09534e63e515ca
+
+Upstream-Status: Backport
+
+Signed-off-by: Manjukumar Matha <manjukumar.harthikote-matha@xilinx.com>
+---
+ gas/ChangeLog | 10 ++++++++++
+ gas/config/tc-aarch64.c | 10 +++++++---
+ gas/testsuite/gas/aarch64/pr20364.d | 13 +++++++++++++
+ gas/testsuite/gas/aarch64/pr20364.s | 28 ++++++++++++++++++++++++++++
+ 4 files changed, 58 insertions(+), 3 deletions(-)
+ create mode 100644 gas/testsuite/gas/aarch64/pr20364.d
+ create mode 100644 gas/testsuite/gas/aarch64/pr20364.s
+
+diff --git a/gas/ChangeLog b/gas/ChangeLog
+index a39895a..fad06dc 100644
+--- a/gas/ChangeLog
++++ b/gas/ChangeLog
+@@ -1,3 +1,13 @@
++2016-08-05 Nick Clifton <nickc@redhat.com>
++
++ PR gas/20364
++ * config/tc-aarch64.c (s_ltorg): Change the mapping state after
++ aligning the frag.
++ (aarch64_init): Treat rs_align frags in code sections as
++ containing code, not data.
++ * testsuite/gas/aarch64/pr20364.s: New test.
++ * testsuite/gas/aarch64/pr20364.d: New test driver.
++
+ 2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+ * configure: Regenerate.
+diff --git a/gas/config/tc-aarch64.c b/gas/config/tc-aarch64.c
+index ddc40f2..74933cb 100644
+--- a/gas/config/tc-aarch64.c
++++ b/gas/config/tc-aarch64.c
+@@ -1736,13 +1736,13 @@ s_ltorg (int ignored ATTRIBUTE_UNUSED)
+ if (pool == NULL || pool->symbol == NULL || pool->next_free_entry == 0)
+ continue;
+
+- mapping_state (MAP_DATA);
+-
+ /* Align pool as you have word accesses.
+ Only make a frag if we have to. */
+ if (!need_pass_2)
+ frag_align (align, 0, 0);
+
++ mapping_state (MAP_DATA);
++
+ record_alignment (now_seg, align);
+
+ sprintf (sym_name, "$$lit_\002%x", pool->id);
+@@ -6373,11 +6373,15 @@ aarch64_init_frag (fragS * fragP, int max_chars)
+
+ switch (fragP->fr_type)
+ {
+- case rs_align:
+ case rs_align_test:
+ case rs_fill:
+ mapping_state_2 (MAP_DATA, max_chars);
+ break;
++ case rs_align:
++ /* PR 20364: We can get alignment frags in code sections,
++ so do not just assume that we should use the MAP_DATA state. */
++ mapping_state_2 (subseg_text_p (now_seg) ? MAP_INSN : MAP_DATA, max_chars);
++ break;
+ case rs_align_code:
+ mapping_state_2 (MAP_INSN, max_chars);
+ break;
+diff --git a/gas/testsuite/gas/aarch64/pr20364.d b/gas/testsuite/gas/aarch64/pr20364.d
+new file mode 100644
+index 0000000..babcff1
+--- /dev/null
++++ b/gas/testsuite/gas/aarch64/pr20364.d
+@@ -0,0 +1,13 @@
++# Check that ".align <size>, <fill>" does not set the mapping state to DATA, causing unnecessary frag generation.
++#name: PR20364
++#objdump: -d
++
++.*: file format .*
++
++Disassembly of section \.vectors:
++
++0+000 <.*>:
++ 0: d2800000 mov x0, #0x0 // #0
++ 4: 94000000 bl 0 <plat_report_exception>
++ 8: 17fffffe b 0 <bl1_exceptions>
++
+diff --git a/gas/testsuite/gas/aarch64/pr20364.s b/gas/testsuite/gas/aarch64/pr20364.s
+new file mode 100644
+index 0000000..594ad7c
+--- /dev/null
++++ b/gas/testsuite/gas/aarch64/pr20364.s
+@@ -0,0 +1,28 @@
++ .macro vector_base label
++ .section .vectors, "ax"
++ .align 11, 0
++ \label:
++ .endm
++
++ .macro vector_entry label
++ .section .vectors, "ax"
++ .align 7, 0
++ \label:
++ .endm
++
++ .macro check_vector_size since
++ .if (. - \since) > (32 * 4)
++ .error "Vector exceeds 32 instructions"
++ .endif
++ .endm
++
++ .globl bl1_exceptions
++
++vector_base bl1_exceptions
++
++vector_entry SynchronousExceptionSP0
++ mov x0, #0x0
++ bl plat_report_exception
++ b SynchronousExceptionSP0
++ check_vector_size SynchronousExceptionSP0
++
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
new file mode 100644
index 0000000..85f7f98
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,127 @@
+From 6f898c17b1d6f6a29a05ca6de31f0fc8f52cfbfe Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 13:08:32 +0000
+Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
+ processing corrupt input files containing symbol-difference relocations.
+
+ PR binutils/21137
+ * readelf.c (target_specific_reloc_handling): Add end parameter.
+ Check for buffer overflow before writing relocated values.
+ (apply_relocations): Pass end to target_specific_reloc_handling.
+
+(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6965
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 7 +++++++
+ binutils/readelf.c | 30 +++++++++++++++++++++++++-----
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 995de87dc3..154b797a29 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -5,6 +5,13 @@
+ Check for buffer overflow before writing relocated values.
+ (apply_relocations): Pass end to target_specific_reloc_handling.
+
++2017-02-13 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21137
++ * readelf.c (target_specific_reloc_handling): Add end parameter.
++ Check for buffer overflow before writing relocated values.
++ (apply_relocations): Pass end to target_specific_reloc_handling.
++
+ 2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+ * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..220671f76f 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -11345,6 +11345,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ unsigned char * start,
++ unsigned char * end,
+ Elf_Internal_Sym * symtab)
+ {
+ unsigned int reloc_type = get_reloc_type (reloc->r_info);
+@@ -11384,13 +11385,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ handle_sym_diff:
+ if (saved_sym != NULL)
+ {
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+ value = reloc->r_addend
+ + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+ - saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ /* PR 21137 */
++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11421,13 +11428,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ case 2: /* R_MN10300_16 */
+ if (saved_sym != NULL)
+ {
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+ value = reloc->r_addend
+ + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+ - saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11462,12 +11474,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ break;
+
+ case 0x41: /* R_RL78_ABS32. */
+- byte_put (start + reloc->r_offset, value, 4);
++ if (start + reloc->r_offset + 4 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 4);
+ value = 0;
+ return TRUE;
+
+ case 0x43: /* R_RL78_ABS16. */
+- byte_put (start + reloc->r_offset, value, 2);
++ if (start + reloc->r_offset + 2 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 2);
+ value = 0;
+ return TRUE;
+
+@@ -12074,7 +12094,7 @@ apply_relocations (void * file,
+
+ reloc_type = get_reloc_type (rp->r_info);
+
+- if (target_specific_reloc_handling (rp, start, symtab))
++ if (target_specific_reloc_handling (rp, start, end, symtab))
+ continue;
+ else if (is_none_reloc (reloc_type))
+ continue;
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
new file mode 100644
index 0000000..5e364ef
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,240 @@
+From 310e2cdc0a46ef62602097f5c21c393571e76df4 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 14:03:22 +0000
+Subject: [PATCH 2/2] Fix read-after-free error in readelf when processing
+ multiple, relocated sections in an MSP430 binary.
+
+ PR binutils/21139
+ * readelf.c (target_specific_reloc_handling): Add num_syms
+ parameter. Check for symbol table overflow before accessing
+ symbol value. If reloc pointer is NULL, discard all saved state.
+ (apply_relocations): Pass num_syms to target_specific_reloc_handling.
+ Call target_specific_reloc_handling with a NULL reloc pointer
+ after processing all of the relocs.
+
+(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6966
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 10 +++++
+ binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 94 insertions(+), 25 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 154b797a29..aef0a51f19 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,5 +1,15 @@
+ 2017-02-13 Nick Clifton <nickc@redhat.com>
+
++ PR binutils/21139
++ * readelf.c (target_specific_reloc_handling): Add num_syms
++ parameter. Check for symbol table overflow before accessing
++ symbol value. If reloc pointer is NULL, discard all saved state.
++ (apply_relocations): Pass num_syms to target_specific_reloc_handling.
++ Call target_specific_reloc_handling with a NULL reloc pointer
++ after processing all of the relocs.
++
++2017-02-13 Nick Clifton <nickc@redhat.com>
++
+ PR binutils/21137
+ * readelf.c (target_specific_reloc_handling): Add end parameter.
+ Check for buffer overflow before writing relocated values.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 220671f76f..2b6cef1638 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -11340,15 +11340,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+
+ /* Check to see if the given reloc needs to be handled in a target specific
+ manner. If so then process the reloc and return TRUE otherwise return
+- FALSE. */
++ FALSE.
++
++ If called with reloc == NULL, then this is a signal that reloc processing
++ for the current section has finished, and any saved state should be
++ discarded. */
+
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ unsigned char * start,
+ unsigned char * end,
+- Elf_Internal_Sym * symtab)
++ Elf_Internal_Sym * symtab,
++ unsigned long num_syms)
+ {
+- unsigned int reloc_type = get_reloc_type (reloc->r_info);
++ unsigned int reloc_type = 0;
++ unsigned long sym_index = 0;
++
++ if (reloc)
++ {
++ reloc_type = get_reloc_type (reloc->r_info);
++ sym_index = get_reloc_symindex (reloc->r_info);
++ }
+
+ switch (elf_header.e_machine)
+ {
+@@ -11357,13 +11369,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ {
+ static Elf_Internal_Sym * saved_sym = NULL;
+
++ if (reloc == NULL)
++ {
++ saved_sym = NULL;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 10: /* R_MSP430_SYM_DIFF */
+ if (uses_msp430x_relocs ())
+ break;
+ case 21: /* R_MSP430X_SYM_DIFF */
+- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
++ /* PR 21139. */
++ if (sym_index >= num_syms)
++ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ saved_sym = symtab + sym_index;
+ return TRUE;
+
+ case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
+@@ -11388,16 +11411,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+- value = reloc->r_addend
+- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- - saved_sym->st_value);
+-
+- if (start + reloc->r_offset + reloc_size >= end)
+- /* PR 21137 */
+- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+- start + reloc->r_offset + reloc_size, end);
++ if (sym_index >= num_syms)
++ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
++ sym_index);
+ else
+- byte_put (start + reloc->r_offset, value, reloc_size);
++ {
++ value = reloc->r_addend + (symtab[sym_index].st_value
++ - saved_sym->st_value);
++
++ if (start + reloc->r_offset + reloc_size >= end)
++ /* PR 21137 */
++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
++ }
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11417,13 +11445,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ {
+ static Elf_Internal_Sym * saved_sym = NULL;
+
++ if (reloc == NULL)
++ {
++ saved_sym = NULL;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 34: /* R_MN10300_ALIGN */
+ return TRUE;
+ case 33: /* R_MN10300_SYM_DIFF */
+- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
++ if (sym_index >= num_syms)
++ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ saved_sym = symtab + sym_index;
+ return TRUE;
++
+ case 1: /* R_MN10300_32 */
+ case 2: /* R_MN10300_16 */
+ if (saved_sym != NULL)
+@@ -11431,15 +11470,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ int reloc_size = reloc_type == 1 ? 4 : 2;
+ bfd_vma value;
+
+- value = reloc->r_addend
+- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- - saved_sym->st_value);
+-
+- if (start + reloc->r_offset + reloc_size >= end)
+- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+- start + reloc->r_offset + reloc_size, end);
++ if (sym_index >= num_syms)
++ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
++ sym_index);
+ else
+- byte_put (start + reloc->r_offset, value, reloc_size);
++ {
++ value = reloc->r_addend + (symtab[sym_index].st_value
++ - saved_sym->st_value);
++
++ if (start + reloc->r_offset + reloc_size >= end)
++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
++ }
+
+ saved_sym = NULL;
+ return TRUE;
+@@ -11459,12 +11503,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+ static bfd_vma saved_sym2 = 0;
+ static bfd_vma value;
+
++ if (reloc == NULL)
++ {
++ saved_sym1 = saved_sym2 = 0;
++ return TRUE;
++ }
++
+ switch (reloc_type)
+ {
+ case 0x80: /* R_RL78_SYM. */
+ saved_sym1 = saved_sym2;
+- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
+- saved_sym2 += reloc->r_addend;
++ if (sym_index >= num_syms)
++ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
++ sym_index);
++ else
++ {
++ saved_sym2 = symtab[sym_index].st_value;
++ saved_sym2 += reloc->r_addend;
++ }
+ return TRUE;
+
+ case 0x83: /* R_RL78_OPsub. */
+@@ -12094,7 +12150,7 @@ apply_relocations (void * file,
+
+ reloc_type = get_reloc_type (rp->r_info);
+
+- if (target_specific_reloc_handling (rp, start, end, symtab))
++ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
+ continue;
+ else if (is_none_reloc (reloc_type))
+ continue;
+@@ -12190,6 +12246,9 @@ apply_relocations (void * file,
+ }
+
+ free (symtab);
++ /* Let the target specific reloc processing code know that
++ we have finished with these relocs. */
++ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
+
+ if (relocs_return)
+ {
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
new file mode 100644
index 0000000..3d036c4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
@@ -0,0 +1,56 @@
+From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:45 +0000
+Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
+
+ PR binutils/21156
+ * readelf.c (find_section_in_set): Test for invalid section
+ indicies.
+
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/readelf.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index a70bdb7a7b..dbf8eb079e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-17 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21156
++ * readelf.c (find_section_in_set): Test for invalid section
++ indicies.
++
+ 2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+ * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index d31558c3b4..7f7365dbc5 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
+ if (set != NULL)
+ {
+ while ((i = *set++) > 0)
+- if (streq (SECTION_NAME (section_headers + i), name))
+- return section_headers + i;
++ {
++ /* See PR 21156 for a reproducer. */
++ if (i >= elf_header.e_shnum)
++ continue; /* FIXME: Should we issue an error message ? */
++
++ if (streq (SECTION_NAME (section_headers + i), name))
++ return section_headers + i;
++ }
+ }
+
+ return find_section (name);
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
new file mode 100644
index 0000000..491c708
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
@@ -0,0 +1,122 @@
+From 59fcd64fe65a89fb0acaf5463840310701189375 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 20 Feb 2017 14:40:39 +0000
+Subject: Fix another memory access error in readelf when parsing a corrupt
+ binary.
+
+ PR binutils/21156
+ * dwarf.c (cu_tu_indexes_read): Move into...
+ (load_cu_tu_indexes): ... here. Change the variable into
+ tri-state. Change the function into boolean, returning
+ false if the indicies could not be loaded.
+ (find_cu_tu_set): Return NULL if the indicies could not be
+ loaded.
+
+CVE: CVE-2017-6969
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 10 ++++++++++
+ binutils/dwarf.c | 34 ++++++++++++++++++++--------------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index dbf8eb079e..55d2f8ba40 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,13 @@
++2017-02-20 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21156
++ * dwarf.c (cu_tu_indexes_read): Move into...
++ (load_cu_tu_indexes): ... here. Change the variable into
++ tri-state. Change the function into boolean, returning
++ false if the indicies could not be loaded.
++ (find_cu_tu_set): Return NULL if the indicies could not be
++ loaded.
++
+ 2017-02-17 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21156
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 282e069958..a23267feb6 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -76,7 +76,6 @@ int dwarf_check = 0;
+ as a zero-terminated list of section indexes comprising one set of debug
+ sections from a .dwo file. */
+
+-static int cu_tu_indexes_read = 0;
+ static unsigned int *shndx_pool = NULL;
+ static unsigned int shndx_pool_size = 0;
+ static unsigned int shndx_pool_used = 0;
+@@ -99,7 +98,7 @@ static int tu_count = 0;
+ static struct cu_tu_set *cu_sets = NULL;
+ static struct cu_tu_set *tu_sets = NULL;
+
+-static void load_cu_tu_indexes (void *file);
++static bfd_boolean load_cu_tu_indexes (void *);
+
+ /* Values for do_debug_lines. */
+ #define FLAG_DEBUG_LINES_RAW 1
+@@ -2713,7 +2712,7 @@ load_debug_info (void * file)
+ return num_debug_info_entries;
+
+ /* If this is a DWARF package file, load the CU and TU indexes. */
+- load_cu_tu_indexes (file);
++ (void) load_cu_tu_indexes (file);
+
+ if (load_debug_section (info, file)
+ && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
+@@ -7302,21 +7301,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
+ section sets that we can use to associate a .debug_info.dwo section
+ with its associated .debug_abbrev.dwo section in a .dwp file. */
+
+-static void
++static bfd_boolean
+ load_cu_tu_indexes (void *file)
+ {
++ static int cu_tu_indexes_read = -1; /* Tri-state variable. */
++
+ /* If we have already loaded (or tried to load) the CU and TU indexes
+ then do not bother to repeat the task. */
+- if (cu_tu_indexes_read)
+- return;
+-
+- if (load_debug_section (dwp_cu_index, file))
+- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
+-
+- if (load_debug_section (dwp_tu_index, file))
+- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
++ if (cu_tu_indexes_read == -1)
++ {
++ cu_tu_indexes_read = TRUE;
++
++ if (load_debug_section (dwp_cu_index, file))
++ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
++ cu_tu_indexes_read = FALSE;
++
++ if (load_debug_section (dwp_tu_index, file))
++ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
++ cu_tu_indexes_read = FALSE;
++ }
+
+- cu_tu_indexes_read = 1;
++ return (bfd_boolean) cu_tu_indexes_read;
+ }
+
+ /* Find the set of sections that includes section SHNDX. */
+@@ -7326,7 +7331,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
+ {
+ unsigned int i;
+
+- load_cu_tu_indexes (file);
++ if (! load_cu_tu_indexes (file))
++ return NULL;
+
+ /* Find SHNDX in the shndx pool. */
+ for (i = 0; i < shndx_pool_used; i++)
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
new file mode 100644
index 0000000..336d72c
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7209.patch
@@ -0,0 +1,63 @@
+From 6e5e9d96b5bd7dc3147db9917d6a7a20682915cc Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 15:04:37 +0000
+Subject: Fix invalid read of section contents whilst processing a corrupt
+ binary.
+
+ PR binutils/21135
+ * readelf.c (dump_section_as_bytes): Handle the case where
+ uncompress_section_contents returns false.
+
+CVE: CVE-2017-7209
+Upstream-Status: Backport[master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/readelf.c | 16 ++++++++++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 55d2f8ba40..c4d8e60eca 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-02-13 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21135
++ * readelf.c (dump_section_as_bytes): Handle the case where
++ uncompress_section_contents returns false.
++
+ 2017-02-20 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21156
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 7f7365dbc5..bc4e92fa81 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -12473,10 +12473,18 @@ dump_section_as_bytes (Elf_Internal_Shdr * section,
+ new_size -= 12;
+ }
+
+- if (uncompressed_size
+- && uncompress_section_contents (& start, uncompressed_size,
+- & new_size))
+- section_size = new_size;
++ if (uncompressed_size)
++ {
++ if (uncompress_section_contents (& start, uncompressed_size,
++ & new_size))
++ section_size = new_size;
++ else
++ {
++ error (_("Unable to decompress section %s\n"),
++ printable_section_name (section));
++ return;
++ }
++ }
+ }
+
+ if (relocate)
+--
+2.11.0
+
diff --git a/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
new file mode 100644
index 0000000..211d2bf
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
@@ -0,0 +1,71 @@
+From 80958b04c91edcd41c42807225a7ad1b2a4ce0e6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 14 Feb 2017 14:07:29 +0000
+Subject: Fix handling of corrupt STABS enum type strings.
+
+ PR binutils/21157
+ * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
+ pairs.
+ (parse_number): Exit early if passed an empty string.
+
+CVE: CVE-2017-7210
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog | 7 +++++++
+ binutils/stabs.c | 14 +++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index c4d8e60eca..2bae9ec587 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-02-14 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21157
++ * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
++ pairs.
++ (parse_number): Exit early if passed an empty string.
++
+ 2017-02-13 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21135
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index aebde7afe9..c425afe98e 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -232,6 +232,10 @@ parse_number (const char **pp, bfd_boolean *poverflow)
+
+ orig = *pp;
+
++ /* Stop early if we are passed an empty string. */
++ if (*orig == 0)
++ return (bfd_vma) 0;
++
+ errno = 0;
+ ul = strtoul (*pp, (char **) pp, 0);
+ if (ul + 1 != 0 || errno == 0)
+@@ -1975,9 +1979,17 @@ parse_stab_enum_type (void *dhandle, const char **pp)
+ bfd_signed_vma val;
+
+ p = *pp;
+- while (*p != ':')
++ while (*p != ':' && *p != 0)
+ ++p;
+
++ if (*p == 0)
++ {
++ bad_stab (orig);
++ free (names);
++ free (values);
++ return DEBUG_TYPE_NULL;
++ }
++
+ name = savestring (*pp, p - *pp);
+
+ *pp = p + 1;
+--
+2.11.0
+