From bd8d2c25f595e30a3fdcad8a2409913bb8af7c5c Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Fri, 2 Nov 2018 17:52:51 +0800 Subject: elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310 These CVE fixes come from upstream master branch and no new version released, so backport rather than upgrade. Signed-off-by: Hongxu Jia Signed-off-by: Richard Purdie --- meta/recipes-devtools/elfutils/elfutils_0.174.bb | 3 ++ ...01-arlib-Check-that-sh_entsize-isn-t-zero.patch | 36 +++++++++++++ ...Sanity-check-partial-core-file-data-reads.patch | 60 ++++++++++++++++++++++ .../0001-size-Handle-recursive-ELF-ar-files.patch | 40 +++++++++++++++ 4 files changed, 139 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch create mode 100644 meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch create mode 100644 meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch (limited to 'meta/recipes-devtools/elfutils') diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb index 88add7b4cc..c30265b539 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb @@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \ file://0001-libasm-may-link-with-libbz2-if-found.patch \ file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \ + file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \ + file://0001-size-Handle-recursive-ELF-ar-files.patch \ + file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \ file://debian/0001-hppa_backend.patch \ file://debian/0001-arm_backend.patch \ file://debian/0001-mips_backend.patch \ diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch new file mode 100644 index 0000000000..86cf7c8d50 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch @@ -0,0 +1,36 @@ +From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 18 Oct 2018 19:01:52 +0200 +Subject: [PATCH] arlib: Check that sh_entsize isn't zero. + +A bogus ELF file could have sh_entsize as zero. Don't divide by zero, +but just assume there are no symbols in the section. + +https://sourceware.org/bugzilla/show_bug.cgi?id=23786 + +Signed-off-by: Mark Wielaard + +CVE: CVE-2018-18521 +Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] +Signed-off-by: Hongxu Jia +--- + src/arlib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/arlib.c b/src/arlib.c +index 778e087..a6521e3 100644 +--- a/src/arlib.c ++++ b/src/arlib.c +@@ -252,6 +252,9 @@ arlib_add_symbols (Elf *elf, const char *arfname, const char *membername, + if (data == NULL) + continue; + ++ if (shdr->sh_entsize == 0) ++ continue; ++ + int nsyms = shdr->sh_size / shdr->sh_entsize; + for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx) + { +-- +2.7.4 + diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch new file mode 100644 index 0000000000..2c74a8d5d7 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch @@ -0,0 +1,60 @@ +From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Fri, 2 Nov 2018 14:22:31 +0800 +Subject: [PATCH] libdwfl: Sanity check partial core file data reads. + +There were two issues when reading note data from a core file. +We didn't check if the data we already had in a buffer was big +enough. And if we did get the data, we should check if we got +everything, or just a part of the data. + +https://sourceware.org/bugzilla/show_bug.cgi?id=23752 + +Signed-off-by: Mark Wielaard + +CVE: CVE-2018-18310 +Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] +Signed-off-by: Hongxu Jia +--- + libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c +index 36e5c82..8749884 100644 +--- a/libdwfl/dwfl_segment_report_module.c ++++ b/libdwfl/dwfl_segment_report_module.c +@@ -1,5 +1,5 @@ + /* Sniff out modules from ELF headers visible in memory segments. +- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. ++ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. + This file is part of elfutils. + + This file is free software; you can redistribute it and/or modify +@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + inline bool read_portion (void **data, size_t *data_size, + GElf_Addr vaddr, size_t filesz) + { +- if (vaddr - start + filesz > buffer_available ++ /* Check whether we will have to read the segment data, or if it ++ can be returned from the existing buffer. */ ++ if (filesz > buffer_available ++ || vaddr - start > buffer_available - filesz + /* If we're in string mode, then don't consider the buffer we have + sufficient unless it contains the terminator of the string. */ + || (filesz == 0 && memchr (vaddr - start + buffer, '\0', +@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + if (read_portion (&data, &data_size, vaddr, filesz)) + return; + ++ /* data_size will be zero if we got everything from the initial ++ buffer, otherwise it will be the size of the new buffer that ++ could be read. */ ++ if (data_size != 0) ++ filesz = data_size; ++ + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); + + void *notes; +-- +2.7.4 + diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch new file mode 100644 index 0000000000..6fed82692c --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch @@ -0,0 +1,40 @@ +From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 18 Oct 2018 23:15:48 +0200 +Subject: [PATCH] size: Handle recursive ELF ar files. + +eu-size didn't handle an ELF ar file that contained an ar file itself +correctly. handle_ar would recursively call itself but close the ELF +file before returning. Only close the ELF file at the top-level. + +https://sourceware.org/bugzilla/show_bug.cgi?id=23787 + +Signed-off-by: Mark Wielaard + +CVE: CVE-2018-18520 +Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] +Signed-off-by: Hongxu Jia +--- + src/size.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/size.c b/src/size.c +index 5ff3f2a..f01fd88 100644 +--- a/src/size.c ++++ b/src/size.c +@@ -374,8 +374,10 @@ handle_ar (int fd, Elf *elf, const char *prefix, const char *fname) + INTERNAL_ERROR (fname); + } + +- if (unlikely (elf_end (elf) != 0)) +- INTERNAL_ERROR (fname); ++ /* Only close ELF handle if this was a "top level" ar file. */ ++ if (prefix == NULL) ++ if (unlikely (elf_end (elf) != 0)) ++ INTERNAL_ERROR (fname); + + return result; + } +-- +2.7.4 + -- cgit 1.2.3-korg