From bcca86fca317c16a8f6c138c7df369b944e50700 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi
Date: Tue, 4 Sep 2018 19:42:46 -0700
Subject: elfutils: CVE-2018-16062

Backport the CVE patch from the upstream: https://sourceware.org/git/?p=elfutils.git;a=commit; h=29e31978ba51c1051743a503ee325b5ebc03d7e9
Signed-off-by: Zhixiong Chi
Signed-off-by: Richard Purdie
---
 meta/recipes-devtools/elfutils/elfutils_0.173.bb | 1 +
 .../elfutils/files/CVE-2018-16062.patch | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.173.bb b/meta/recipes-devtools/elfutils/elfutils_0.173.bb
index 03144dc842..2fec73dbdb 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.173.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.173.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
 file://debian/ignore_strmerge.diff \
 file://debian/0001-fix-gcc7-ftbfs.patch \
 file://debian/0001-disable_werror.patch \
+ file://CVE-2018-16062.patch \
 "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch b/meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
new file mode 100644
index 0000000000..cfeb1ca13c
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
@@ -0,0 +1,79 @@
+From 29e31978ba51c1051743a503ee325b5ebc03d7e9 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Sat, 18 Aug 2018 13:27:48 +0200
+Subject: [PATCH] libdw, readelf: Make sure there is enough data to read full
+ aranges header.
+
+dwarf_getaranges didn't check if there was enough data left to read both
+the address and segment size. readelf didn't check there was enough data
+left to read the segment size.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=23541
+
+CVE: CVE-2018-16062
+Upstream-Status: Backport
+
+Signed-off-by: Mark Wielaard
+---
+ libdw/ChangeLog | 5 +++++
+ libdw/dwarf_getaranges.c | 4 ++++
+ src/ChangeLog | 5 +++++
+ src/readelf.c | 2 ++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/libdw/ChangeLog b/libdw/ChangeLog
+index cb4f34e..472d922 100644
+--- a/libdw/ChangeLog
++++ b/libdw/ChangeLog
+@@ -1,3 +1,8 @@
++2018-08-18 Mark Wielaard
++
++ * dwarf_getaranges.c (dwarf_getaranges.c): Make sure there is enough
++ data to read the address and segment size.
++
+ 2018-06-28 Mark Wielaard
+
+ * dwarf_next_cfi.c (dwarf_next_cfi): Check whether length is zero.
+diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
+index bff9c86..de5b81b 100644
+--- a/libdw/dwarf_getaranges.c
++++ b/libdw/dwarf_getaranges.c
+@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges, size_t *naranges)
+ length_bytes, &offset, IDX_debug_info, 4))
+ goto fail;
+
++ /* Next up two bytes for address and segment size. */
++ if (readp + 2 > readendp)
++ goto invalid;
++
+ unsigned int address_size = *readp++;
+ if (unlikely (address_size != 4 && address_size != 8))
+ goto invalid;
+diff --git a/src/ChangeLog b/src/ChangeLog
+index 8c89f83..2f9f774 100644
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
++2018-08-18 Mark Wielaard
++
++ * readelf.c (print_debug_aranges_section): Make sure there is enough
++ data to read the header segment size.
++
+ 2018-06-25 Mark Wielaard
+
+ * readelf.c (print_decoded_line_section): Use dwarf_next_lines
+diff --git a/src/readelf.c b/src/readelf.c
+index 7b5707f..7b488ac 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
+ goto next_table;
+ }
+
++ if (readp + 1 > readendp)
++ goto invalid_data;
+ unsigned int segment_size = *readp++;
+ printf (gettext (" Segment size: %6" PRIu64 "\n\n"),
+ (uint64_t) segment_size);
+--
+2.9.3
--
cgit 1.2.3-korg
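Review bot: Both added bounds checks build a pointer before comparing it, `readp + 2 > readendp` in dwarf_getaranges and `readp + 1 > readendp` in print_debug_aranges_section; when fewer bytes remain than requested, that pointer lies beyond one-past-the-end of the buffer, which C leaves undefined and an optimizer may assume cannot happen. Comparing the remaining length keeps the check well-defined: `if (unlikely (readendp - readp < 2)) goto invalid;` and `if (readendp - readp < 1) goto invalid_data;`. Because this file is a verbatim backport, that change is better proposed upstream than made in the recipe-local copy, so the patch stays identical to commit 29e31978. Both functions begin and end outside the quoted hunks, so it should be confirmed there that readendp really marks the end of the .debug_aranges data, as its name suggests. The libdw ChangeLog entry also names the function as `(dwarf_getaranges.c)` where `(dwarf_getaranges)` is presumably meant.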