elfutils: CVE-2018-16062

Backport the CVE patch from the upstream: https://sourceware.org/git/?p=elfutils.git;a=commit; h=29e31978ba51c1051743a503ee325b5ebc03d7e9 (From OE-Core rev: bcca86fca317c16a8f6c138c7df369b944e50700) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-03-19 05:39:39 +01:00 · 2018-09-04 19:42:46 -07:00
parent c05304f1ea
commit a33c82de39
2 changed files with 80 additions and 0 deletions
--- a/meta/recipes-devtools/elfutils/elfutils_0.173.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.173.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
           file://debian/ignore_strmerge.diff \
           file://debian/0001-fix-gcc7-ftbfs.patch \
           file://debian/0001-disable_werror.patch \
+           file://CVE-2018-16062.patch \
           "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"

--- a/meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
+++ b/meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
@@ -0,0 +1,79 @@
+From 29e31978ba51c1051743a503ee325b5ebc03d7e9 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sat, 18 Aug 2018 13:27:48 +0200
+Subject: [PATCH] libdw, readelf: Make sure there is enough data to read full
+ aranges header.
+
+dwarf_getaranges didn't check if there was enough data left to read both
+the address and segment size. readelf didn't check there was enough data
+left to read the segment size.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=23541
+
+CVE: CVE-2018-16062
+Upstream-Status: Backport
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+---
+ libdw/ChangeLog          | 5 +++++
+ libdw/dwarf_getaranges.c | 4 ++++
+ src/ChangeLog            | 5 +++++
+ src/readelf.c            | 2 ++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/libdw/ChangeLog b/libdw/ChangeLog
+index cb4f34e..472d922 100644
+--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
+@@ -1,3 +1,8 @@
+2018-08-18  Mark Wielaard  <mark@klomp.org>
+
+	* dwarf_getaranges.c (dwarf_getaranges.c): Make sure there is enough
+	data to read the address and segment size.
+
+ 2018-06-28  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* dwarf_next_cfi.c (dwarf_next_cfi): Check whether length is zero.
+diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
+index bff9c86..de5b81b 100644
+--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
+@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges, size_t *naranges)
+ 				   length_bytes, &offset, IDX_debug_info, 4))
+ 	goto fail;
+ 
+      /* Next up two bytes for address and segment size.  */
+      if (readp + 2 > readendp)
+	goto invalid;
+
+       unsigned int address_size = *readp++;
+       if (unlikely (address_size != 4 && address_size != 8))
+ 	goto invalid;
+diff --git a/src/ChangeLog b/src/ChangeLog
+index 8c89f83..2f9f774 100644
+--- a/src/ChangeLog
+++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
+2018-08-18  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (print_debug_aranges_section): Make sure there is enough
+	data to read the header segment size.
+
+ 2018-06-25  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* readelf.c (print_decoded_line_section): Use dwarf_next_lines
+diff --git a/src/readelf.c b/src/readelf.c
+index 7b5707f..7b488ac 100644
+--- a/src/readelf.c
+++ b/src/readelf.c
+@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
+ 	  goto next_table;
+ 	}
+ 
+      if (readp + 1 > readendp)
+	goto invalid_data;
+       unsigned int segment_size = *readp++;
+       printf (gettext (" Segment size:  %6" PRIu64 "\n\n"),
+ 	      (uint64_t) segment_size);
+-- 
+2.9.3