From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Wed, 16 Jan 2019 12:25:57 +0100
Subject: [PATCH] CVE: CVE-2019-7664
Upstream-Status: Backport
libelf: Correct overflow check in note_xlate.
We want to make sure the note_len doesn't overflow and becomes shorter than the note header. But the namesz and descsz checks got the note header size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
https://sourceware.org/bugzilla/show_bug.cgi?id=24084
Signed-off-by: Mark Wielaard
Signed-off-by: Ubuntu
---
libelf/ChangeLog | 13 +++++++++++++
libelf/note_xlate.h | 4 ++--
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 68c4fbd..892e6e7 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,16 @@
+<<<<<<< HEAD
+=======
+2019-01-16 Mark Wielaard
+
+ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
+ overflow note_len into note header.
+
+2018-11-17 Mark Wielaard
+
+ * elf32_updatefile.c (updatemmap): Make sure to call convert
+ function on a properly aligned destination.
+
+>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
 2018-11-16 Mark Wielaard
 * libebl.h (__elf32_msize): Mark with const attribute.
diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
index 9bdc3e2..bc9950f 100644
--- a/libelf/note_xlate.h
+++ b/libelf/note_xlate.h
@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
 /* desc needs to be aligned. */
 note_len += n->n_namesz;
 note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
- if (note_len > len || note_len < 8)
+ if (note_len > len || note_len < sizeof *n)
 break;
 /* data as a whole needs to be aligned. */
 note_len += n->n_descsz;
 note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
- if (note_len > len || note_len < 8)
+ if (note_len > len || note_len < sizeof *n)
 break;
 /* Copy or skip the note data. */
--
2.7.4
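Review bot: The two `note_len < sizeof *n` tests in the note_xlate.h hunk detect wraparound only after the addition and alignment have already happened, so a wrapped value is caught only when it lands below the header size. If `note_len` is a 32-bit `size_t`, `note_len += n->n_descsz` can wrap to a value that is still at least `sizeof *n` and no larger than `len`, and both tests pass; the `note_len > len` bound presumably still keeps the later copy inside the buffer, but the note is then walked with a wrong length. Checking before adding is unambiguous, for example `if (n->n_namesz > len - note_len) break;` ahead of the first addition (assuming `note_len <= len` there) and the same for `n_descsz`, with the aligned result still compared against `len`. A short comment on each test, such as `/* note_len wrapped or runs past the buffer. */`, would also record why the lower bound is the header size rather than a constant. The declarations of `n` and `note_len`, the loop condition and the copy itself are outside the hunk, so the types here are inferred.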