From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 16 Jan 2019 15:41:31 +0100
Subject: [PATCH] CVE: CVE-2019-7665

Upstream-Status: Backport

Sign off: Shubham Agrawal <shuagr@microsoft.com>

libebl: Check NT_PLATFORM core notes contain a zero terminated string.

Most strings in core notes are fixed size. But NT_PLATFORM contains just
a variable length string. Check that it is actually zero terminated
before passing to readelf to print.

https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Signed-off-by: Mark Wielaard <mark@klomp.org>
Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
---
 libdwfl/linux-core-attach.c |  9 +++++----
 libebl/eblcorenote.c        | 39 +++++++++++++++++++--------------------
 libebl/libebl.h             |  3 ++-
 src/readelf.c               |  2 +-
 4 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
index 6c99b9e..c0f1b0d 100644
--- a/libdwfl/linux-core-attach.c
+++ b/libdwfl/linux-core-attach.c
@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
       const Ebl_Register_Location *reglocs;
       size_t nitems;
       const Ebl_Core_Item *items;
-      if (! ebl_core_note (core_arg->ebl, &nhdr, name,
+      if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
 	{
 	  /* This note may be just not recognized, skip it.  */
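Review bot: The new argument `desc` is not declared anywhere in this hunk, and the callee now reads `nhdr.n_descsz` bytes from it with memchr (see libebl/eblcorenote.c), so the safety of this call rests on the descriptor pointer and size having been bounds-checked against the note data where they are obtained, outside the hunk. If `desc` comes from the same note-parsing step that produced `name` this holds; otherwise a short comment at its declaration recording that `desc` spans `n_descsz` readable bytes would make the invariant visible. The same applies to the calls in core_set_initial_registers, dwfl_core_file_attach and readelf's handle_core_note, which this note covers as well. core_next_thread starts and ends outside the hunk.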
@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
   const Ebl_Register_Location *reglocs;
   size_t nitems;
   const Ebl_Core_Item *items;
-  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
-				     &nregloc, &reglocs, &nitems, &items);
+  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+				     &regs_offset, &nregloc, &reglocs,
+				     &nitems, &items);
   /* __libdwfl_attach_state_for_core already verified the note is there.  */
   assert (core_note_err != 0);
   assert (nhdr.n_type == NT_PRSTATUS);
@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
       const Ebl_Register_Location *reglocs;
       size_t nitems;
       const Ebl_Core_Item *items;
-      if (! ebl_core_note (ebl, &nhdr, name,
+      if (! ebl_core_note (ebl, &nhdr, name, desc,
 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
 	{
 	  /* This note may be just not recognized, skip it.  */
diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
index 783f981..7fab397 100644
--- a/libebl/eblcorenote.c
+++ b/libebl/eblcorenote.c
@@ -36,11 +36,13 @@
 #include <inttypes.h>
 #include <stdio.h>
 #include <stddef.h>
+#include <string.h>
 #include <libeblP.h>
 
 
 int
 ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+	       const char *desc,
 	       GElf_Word *regs_offset, size_t *nregloc,
 	       const Ebl_Register_Location **reglocs, size_t *nitems,
 	       const Ebl_Core_Item **items)
@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
     {
       /* The machine specific function did not know this type.  */
 
-      *regs_offset = 0;
-      *nregloc = 0;
-      *reglocs = NULL;
-      switch (nhdr->n_type)
+      /* NT_PLATFORM is kind of special since it needs a zero terminated
+         string (other notes often have a fixed size string).  */
+      static const Ebl_Core_Item platform[] =
 	{
-#define ITEMS(type, table)				\
-	  case type:					\
-	    *items = table;				\
-	    *nitems = sizeof table / sizeof table[0];	\
-	    result = 1;					\
-	    break
+	  {
+	    .name = "Platform",
+	    .type = ELF_T_BYTE, .count = 0, .format = 's'
+	  }
+	};
 
-	  static const Ebl_Core_Item platform[] =
-	    {
-	      {
-		.name = "Platform",
-		.type = ELF_T_BYTE, .count = 0, .format = 's'
-	      }
-	    };
-	  ITEMS (NT_PLATFORM, platform);
-
-#undef	ITEMS
+      if (nhdr->n_type == NT_PLATFORM
+	  && memchr (desc, '\0', nhdr->n_descsz) != NULL)
+        {
+	  *regs_offset = 0;
+	  *nregloc = 0;
+	  *reglocs = NULL;
+	  *items = platform;
+	  *nitems = 1;
+	  result = 1;
 	}
     }
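Review bot: The opening brace after the new `if (nhdr->n_type == NT_PLATFORM ...)` condition is indented with spaces while every surrounding line uses tabs, so it does not line up with its closing `}`; it should be indented with a tab like the rest of the block. The memchr line would also benefit from a why-comment, e.g. `/* A platform string with no NUL inside n_descsz bytes would be printed past the end of the note, so treat the note as unrecognized.  */`, because the comment above explains what NT_PLATFORM contains but not why a missing terminator is grounds for refusal. Note too that the old code cleared `*regs_offset`, `*nregloc` and `*reglocs` for every note type the machine-specific function did not know, whereas the new code clears them only on the NT_PLATFORM success path; callers that test the return value before touching the outputs are unaffected, but any caller that reads them regardless would now see stale values, which is worth confirming. ebl_core_note's body begins and ends outside this hunk.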
 
diff --git a/libebl/libebl.h b/libebl/libebl.h
index ca9b9fe..24922eb 100644
--- a/libebl/libebl.h
+++ b/libebl/libebl.h
@@ -319,7 +319,8 @@ typedef struct
 
 /* Describe the format of a core file note with the given header and NAME.
    NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes.  */
-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+			  const char *name, const char *desc,
 			  GElf_Word *regs_offset, size_t *nregloc,
 			  const Ebl_Register_Location **reglocs,
 			  size_t *nitems, const Ebl_Core_Item **items)
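Review bot: The comment above the prototype still documents only NAME, yet the new DESC parameter has the same raw-bytes caveat; add a sentence after the NAME one such as `DESC is not guaranteed terminated either; it is NHDR->n_descsz raw bytes of note data.` so callers know they must supply the whole descriptor and not a copied string. It would also help to state that the function returns non-zero only when the note was recognized and that the output parameters are meaningful only in that case, since that is how the callers in this patch use it. The declaration continues past the end of the hunk.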
diff --git a/src/readelf.c b/src/readelf.c
index 3a73710..71651e0 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
   size_t nitems;
   const Ebl_Core_Item *items;
 
-  if (! ebl_core_note (ebl, nhdr, name,
+  if (! ebl_core_note (ebl, nhdr, name, desc,
 		       &regs_offset, &nregloc, &reglocs, &nitems, &items))
     return;
 
-- 
2.7.4