path: root/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
blob: e55dc5a05430fdff8765bd74e314888301f57398 (plain)
From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 16 Jan 2019 12:25:57 +0100
Subject: [PATCH] CVE: CVE-2019-7664

Upstream-Status: Backport
libelf: Correct overflow check in note_xlate.

We want to make sure the note_len doesn't overflow and become shorter
than the note header. But the namesz and descsz checks got the note header
size wrong. Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).

https://sourceware.org/bugzilla/show_bug.cgi?id=24084

Signed-off-by: Mark Wielaard <mark@klomp.org>
Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
---
 libelf/ChangeLog    | 13 +++++++++++++
 libelf/note_xlate.h |  4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 68c4fbd..892e6e7 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,16 @@
+<<<<<<< HEAD
+=======
+2019-01-16  Mark Wielaard  <mark@klomp.org>
+
+	* note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
+	overflow note_len into note header.
+
+2018-11-17  Mark Wielaard  <mark@klomp.org>
+
+	* elf32_updatefile.c (updatemmap): Make sure to call convert
+	function on a properly aligned destination.
+
+>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
 2018-11-16  Mark Wielaard  <mark@klomp.org>
 
 	* libebl.h (__elf32_msize): Mark with const attribute.
diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
index 9bdc3e2..bc9950f 100644
--- a/libelf/note_xlate.h
+++ b/libelf/note_xlate.h
@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
       /* desc needs to be aligned.  */
       note_len += n->n_namesz;
       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
 	break;
 
       /* data as a whole needs to be aligned.  */
       note_len += n->n_descsz;
       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
 	break;
 
       /* Copy or skip the note data.  */
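Review bot: The second check, after `note_len += n->n_descsz;`, compares against `sizeof *n`, so it only catches a wrap that lands below the header size. If `note_len` is a 32-bit `size_t` (its declaration is outside the hunk), a large `n_descsz` can wrap the sum to a value that is at least 12 and still no more than `len`, and the note would then be treated as shorter than its own header plus name. Comparing with the value before the addition closes that gap: `size_t name_end = note_len;` ahead of the addition and `if (note_len > len || note_len < name_end)` for the test. elf_cvt_note's body starts and ends outside this hunk. The ChangeLog hunk in this patch also adds `<<<<<<< HEAD`, `=======` and `>>>>>>> e65d91d...` conflict markers along with a 2018-11-17 entry for elf32_updatefile.c, which look like an unresolved cherry-pick and should be cleaned out of the backport.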
-- 
2.7.4