summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2018-11-02 17:52:51 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-11-07 23:08:54 +0000
commit918c8a13b67b0eece6fcdf4dad43ad032acacca5 (patch)
treec93f1c2b80a451a78d2466e3021d2f83cf179fd9 /meta
parent4f6bb406d0834ae7e6b376fa18958c6089635ae9 (diff)
downloadpoky-918c8a13b67b0eece6fcdf4dad43ad032acacca5.tar.gz
elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
These CVE fixes come from upstream master branch and no new version released, so backport rather than upgrade. (From OE-Core rev: bd8d2c25f595e30a3fdcad8a2409913bb8af7c5c) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.174.bb3
-rw-r--r--meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch36
-rw-r--r--meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch60
-rw-r--r--meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch40
4 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
index 88add7b4cc..c30265b539 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
17 file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \ 17 file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \
18 file://0001-libasm-may-link-with-libbz2-if-found.patch \ 18 file://0001-libasm-may-link-with-libbz2-if-found.patch \
19 file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \ 19 file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \
20 file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \
21 file://0001-size-Handle-recursive-ELF-ar-files.patch \
22 file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \
20 file://debian/0001-hppa_backend.patch \ 23 file://debian/0001-hppa_backend.patch \
21 file://debian/0001-arm_backend.patch \ 24 file://debian/0001-arm_backend.patch \
22 file://debian/0001-mips_backend.patch \ 25 file://debian/0001-mips_backend.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
new file mode 100644
index 0000000000..86cf7c8d50
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
@@ -0,0 +1,36 @@
1From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001
2From: Mark Wielaard <mark@klomp.org>
3Date: Thu, 18 Oct 2018 19:01:52 +0200
4Subject: [PATCH] arlib: Check that sh_entsize isn't zero.
5
6A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
7but just assume there are no symbols in the section.
8
9https://sourceware.org/bugzilla/show_bug.cgi?id=23786
10
11Signed-off-by: Mark Wielaard <mark@klomp.org>
12
13CVE: CVE-2018-18521
14Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
15Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
16---
17 src/arlib.c | 3 +++
18 1 file changed, 3 insertions(+)
19
20diff --git a/src/arlib.c b/src/arlib.c
21index 778e087..a6521e3 100644
22--- a/src/arlib.c
23+++ b/src/arlib.c
24@@ -252,6 +252,9 @@ arlib_add_symbols (Elf *elf, const char *arfname, const char *membername,
25 if (data == NULL)
26 continue;
27
28+ if (shdr->sh_entsize == 0)
29+ continue;
30+
31 int nsyms = shdr->sh_size / shdr->sh_entsize;
32 for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx)
33 {
34--
352.7.4
36
diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
new file mode 100644
index 0000000000..2c74a8d5d7
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
@@ -0,0 +1,60 @@
1From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001
2From: Hongxu Jia <hongxu.jia@windriver.com>
3Date: Fri, 2 Nov 2018 14:22:31 +0800
4Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
5
6There were two issues when reading note data from a core file.
7We didn't check if the data we already had in a buffer was big
8enough. And if we did get the data, we should check if we got
9everything, or just a part of the data.
10
11https://sourceware.org/bugzilla/show_bug.cgi?id=23752
12
13Signed-off-by: Mark Wielaard <mark@klomp.org>
14
15CVE: CVE-2018-18310
16Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
17Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
18---
19 libdwfl/dwfl_segment_report_module.c | 13 +++++++++++--
20 1 file changed, 11 insertions(+), 2 deletions(-)
21
22diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
23index 36e5c82..8749884 100644
24--- a/libdwfl/dwfl_segment_report_module.c
25+++ b/libdwfl/dwfl_segment_report_module.c
26@@ -1,5 +1,5 @@
27 /* Sniff out modules from ELF headers visible in memory segments.
28- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
29+ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
30 This file is part of elfutils.
31
32 This file is free software; you can redistribute it and/or modify
33@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
34 inline bool read_portion (void **data, size_t *data_size,
35 GElf_Addr vaddr, size_t filesz)
36 {
37- if (vaddr - start + filesz > buffer_available
38+ /* Check whether we will have to read the segment data, or if it
39+ can be returned from the existing buffer. */
40+ if (filesz > buffer_available
41+ || vaddr - start > buffer_available - filesz
42 /* If we're in string mode, then don't consider the buffer we have
43 sufficient unless it contains the terminator of the string. */
44 || (filesz == 0 && memchr (vaddr - start + buffer, '\0',
45@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
46 if (read_portion (&data, &data_size, vaddr, filesz))
47 return;
48
49+ /* data_size will be zero if we got everything from the initial
50+ buffer, otherwise it will be the size of the new buffer that
51+ could be read. */
52+ if (data_size != 0)
53+ filesz = data_size;
54+
55 assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
56
57 void *notes;
58--
592.7.4
60
diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
new file mode 100644
index 0000000000..6fed82692c
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
@@ -0,0 +1,40 @@
1From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001
2From: Mark Wielaard <mark@klomp.org>
3Date: Thu, 18 Oct 2018 23:15:48 +0200
4Subject: [PATCH] size: Handle recursive ELF ar files.
5
6eu-size didn't handle an ELF ar file that contained an ar file itself
7correctly. handle_ar would recursively call itself but close the ELF
8file before returning. Only close the ELF file at the top-level.
9
10https://sourceware.org/bugzilla/show_bug.cgi?id=23787
11
12Signed-off-by: Mark Wielaard <mark@klomp.org>
13
14CVE: CVE-2018-18520
15Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
17---
18 src/size.c | 6 ++++--
19 1 file changed, 4 insertions(+), 2 deletions(-)
20
21diff --git a/src/size.c b/src/size.c
22index 5ff3f2a..f01fd88 100644
23--- a/src/size.c
24+++ b/src/size.c
25@@ -374,8 +374,10 @@ handle_ar (int fd, Elf *elf, const char *prefix, const char *fname)
26 INTERNAL_ERROR (fname);
27 }
28
29- if (unlikely (elf_end (elf) != 0))
30- INTERNAL_ERROR (fname);
31+ /* Only close ELF handle if this was a "top level" ar file. */
32+ if (prefix == NULL)
33+ if (unlikely (elf_end (elf) != 0))
34+ INTERNAL_ERROR (fname);
35
36 return result;
37 }
38--
392.7.4
40