mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-02 09:32:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
9cedaa67400513f5aecddcd5f3d9fffcd31da0a1
poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
Hongxu Jia 918c8a13b6 elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310 
These CVE fixes come from upstream master branch and no
new version released, so backport rather than upgrade.

(From OE-Core rev: bd8d2c25f595e30a3fdcad8a2409913bb8af7c5c)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-11-07 23:08:54 +00:00

61 lines
2.4 KiB
Diff
Raw Blame History

From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Fri, 2 Nov 2018 14:22:31 +0800
Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
There were two issues when reading note data from a core file.
We didn't check if the data we already had in a buffer was big
enough. And if we did get the data, we should check if we got
everything, or just a part of the data.
https://sourceware.org/bugzilla/show_bug.cgi?id=23752
Signed-off-by: Mark Wielaard <mark@klomp.org>
CVE: CVE-2018-18310
Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
libdwfl/dwfl_segment_report_module.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index 36e5c82..8749884 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -1,5 +1,5 @@
/* Sniff out modules from ELF headers visible in memory segments.
- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
+ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
This file is part of elfutils.
This file is free software; you can redistribute it and/or modify
@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
inline bool read_portion (void **data, size_t *data_size,
GElf_Addr vaddr, size_t filesz)
{
- if (vaddr - start + filesz > buffer_available
+ /* Check whether we will have to read the segment data, or if it
+ can be returned from the existing buffer. */
+ if (filesz > buffer_available
+ || vaddr - start > buffer_available - filesz
/* If we're in string mode, then don't consider the buffer we have
sufficient unless it contains the terminator of the string. */
|| (filesz == 0 && memchr (vaddr - start + buffer, '\0',
@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
if (read_portion (&data, &data_size, vaddr, filesz))
return;
+ /* data_size will be zero if we got everything from the initial
+ buffer, otherwise it will be the size of the new buffer that
+ could be read. */
+ if (data_size != 0)
+ filesz = data_size;
+
assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
void *notes;
--
2.7.4
Reference in New Issue View Git Blame Copy Permalink