diff options
author | Hongxu Jia <hongxu.jia@windriver.com> | 2018-11-02 17:52:51 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-11-07 23:08:54 +0000 |
commit | 918c8a13b67b0eece6fcdf4dad43ad032acacca5 (patch) | |
tree | c93f1c2b80a451a78d2466e3021d2f83cf179fd9 /meta/recipes-devtools/elfutils | |
parent | 4f6bb406d0834ae7e6b376fa18958c6089635ae9 (diff) | |
download | poky-918c8a13b67b0eece6fcdf4dad43ad032acacca5.tar.gz |
elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
These CVE fixes come from upstream master branch and no
new version released, so backport rather than upgrade.
(From OE-Core rev: bd8d2c25f595e30a3fdcad8a2409913bb8af7c5c)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/elfutils')
4 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb index 88add7b4cc..c30265b539 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb | |||
@@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ | |||
17 | file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \ | 17 | file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \ |
18 | file://0001-libasm-may-link-with-libbz2-if-found.patch \ | 18 | file://0001-libasm-may-link-with-libbz2-if-found.patch \ |
19 | file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \ | 19 | file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \ |
20 | file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \ | ||
21 | file://0001-size-Handle-recursive-ELF-ar-files.patch \ | ||
22 | file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \ | ||
20 | file://debian/0001-hppa_backend.patch \ | 23 | file://debian/0001-hppa_backend.patch \ |
21 | file://debian/0001-arm_backend.patch \ | 24 | file://debian/0001-arm_backend.patch \ |
22 | file://debian/0001-mips_backend.patch \ | 25 | file://debian/0001-mips_backend.patch \ |
diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch new file mode 100644 index 0000000000..86cf7c8d50 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Wielaard <mark@klomp.org> | ||
3 | Date: Thu, 18 Oct 2018 19:01:52 +0200 | ||
4 | Subject: [PATCH] arlib: Check that sh_entsize isn't zero. | ||
5 | |||
6 | A bogus ELF file could have sh_entsize as zero. Don't divide by zero, | ||
7 | but just assume there are no symbols in the section. | ||
8 | |||
9 | https://sourceware.org/bugzilla/show_bug.cgi?id=23786 | ||
10 | |||
11 | Signed-off-by: Mark Wielaard <mark@klomp.org> | ||
12 | |||
13 | CVE: CVE-2018-18521 | ||
14 | Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] | ||
15 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
16 | --- | ||
17 | src/arlib.c | 3 +++ | ||
18 | 1 file changed, 3 insertions(+) | ||
19 | |||
20 | diff --git a/src/arlib.c b/src/arlib.c | ||
21 | index 778e087..a6521e3 100644 | ||
22 | --- a/src/arlib.c | ||
23 | +++ b/src/arlib.c | ||
24 | @@ -252,6 +252,9 @@ arlib_add_symbols (Elf *elf, const char *arfname, const char *membername, | ||
25 | if (data == NULL) | ||
26 | continue; | ||
27 | |||
28 | + if (shdr->sh_entsize == 0) | ||
29 | + continue; | ||
30 | + | ||
31 | int nsyms = shdr->sh_size / shdr->sh_entsize; | ||
32 | for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx) | ||
33 | { | ||
34 | -- | ||
35 | 2.7.4 | ||
36 | |||
diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch new file mode 100644 index 0000000000..2c74a8d5d7 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001 | ||
2 | From: Hongxu Jia <hongxu.jia@windriver.com> | ||
3 | Date: Fri, 2 Nov 2018 14:22:31 +0800 | ||
4 | Subject: [PATCH] libdwfl: Sanity check partial core file data reads. | ||
5 | |||
6 | There were two issues when reading note data from a core file. | ||
7 | We didn't check if the data we already had in a buffer was big | ||
8 | enough. And if we did get the data, we should check if we got | ||
9 | everything, or just a part of the data. | ||
10 | |||
11 | https://sourceware.org/bugzilla/show_bug.cgi?id=23752 | ||
12 | |||
13 | Signed-off-by: Mark Wielaard <mark@klomp.org> | ||
14 | |||
15 | CVE: CVE-2018-18310 | ||
16 | Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] | ||
17 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
18 | --- | ||
19 | libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- | ||
20 | 1 file changed, 11 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c | ||
23 | index 36e5c82..8749884 100644 | ||
24 | --- a/libdwfl/dwfl_segment_report_module.c | ||
25 | +++ b/libdwfl/dwfl_segment_report_module.c | ||
26 | @@ -1,5 +1,5 @@ | ||
27 | /* Sniff out modules from ELF headers visible in memory segments. | ||
28 | - Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. | ||
29 | + Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. | ||
30 | This file is part of elfutils. | ||
31 | |||
32 | This file is free software; you can redistribute it and/or modify | ||
33 | @@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, | ||
34 | inline bool read_portion (void **data, size_t *data_size, | ||
35 | GElf_Addr vaddr, size_t filesz) | ||
36 | { | ||
37 | - if (vaddr - start + filesz > buffer_available | ||
38 | + /* Check whether we will have to read the segment data, or if it | ||
39 | + can be returned from the existing buffer. */ | ||
40 | + if (filesz > buffer_available | ||
41 | + || vaddr - start > buffer_available - filesz | ||
42 | /* If we're in string mode, then don't consider the buffer we have | ||
43 | sufficient unless it contains the terminator of the string. */ | ||
44 | || (filesz == 0 && memchr (vaddr - start + buffer, '\0', | ||
45 | @@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, | ||
46 | if (read_portion (&data, &data_size, vaddr, filesz)) | ||
47 | return; | ||
48 | |||
49 | + /* data_size will be zero if we got everything from the initial | ||
50 | + buffer, otherwise it will be the size of the new buffer that | ||
51 | + could be read. */ | ||
52 | + if (data_size != 0) | ||
53 | + filesz = data_size; | ||
54 | + | ||
55 | assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); | ||
56 | |||
57 | void *notes; | ||
58 | -- | ||
59 | 2.7.4 | ||
60 | |||
diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch new file mode 100644 index 0000000000..6fed82692c --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Wielaard <mark@klomp.org> | ||
3 | Date: Thu, 18 Oct 2018 23:15:48 +0200 | ||
4 | Subject: [PATCH] size: Handle recursive ELF ar files. | ||
5 | |||
6 | eu-size didn't handle an ELF ar file that contained an ar file itself | ||
7 | correctly. handle_ar would recursively call itself but close the ELF | ||
8 | file before returning. Only close the ELF file at the top-level. | ||
9 | |||
10 | https://sourceware.org/bugzilla/show_bug.cgi?id=23787 | ||
11 | |||
12 | Signed-off-by: Mark Wielaard <mark@klomp.org> | ||
13 | |||
14 | CVE: CVE-2018-18520 | ||
15 | Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] | ||
16 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
17 | --- | ||
18 | src/size.c | 6 ++++-- | ||
19 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/src/size.c b/src/size.c | ||
22 | index 5ff3f2a..f01fd88 100644 | ||
23 | --- a/src/size.c | ||
24 | +++ b/src/size.c | ||
25 | @@ -374,8 +374,10 @@ handle_ar (int fd, Elf *elf, const char *prefix, const char *fname) | ||
26 | INTERNAL_ERROR (fname); | ||
27 | } | ||
28 | |||
29 | - if (unlikely (elf_end (elf) != 0)) | ||
30 | - INTERNAL_ERROR (fname); | ||
31 | + /* Only close ELF handle if this was a "top level" ar file. */ | ||
32 | + if (prefix == NULL) | ||
33 | + if (unlikely (elf_end (elf) != 0)) | ||
34 | + INTERNAL_ERROR (fname); | ||
35 | |||
36 | return result; | ||
37 | } | ||
38 | -- | ||
39 | 2.7.4 | ||
40 | |||