elfutils: Security fixes CVE-2019-7146,7149,7150

Source: http://sourceware.org/git/elfutils.git MR: 97563, 97568, 97558 Type: Security Fix Disposition: Backport from http://sourceware.org/git/elfutils.git ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24 Description: Affects <= 0.175 Fixes: CVE-2019-7146 CVE-2019-7149 CVE-2019-7150 (From OE-Core rev: ac5dca7dc68519b36aa976dfd25d8efa76af74ec) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-28 16:11:08 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:17 +0100
commit: cd7f7bf38584be1df287e77e78bbdf659a07c385 (patch)
tree: 9773ee2cc32ef6d50e7479a9ddda1df69c618b0f /meta
parent: 2c225a199d441b52698eb094dadf2b98dba58244 (diff)
download: poky-cd7f7bf38584be1df287e77e78bbdf659a07c385.tar.gz
5 files changed, 320 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index b0b9ddc736..e94a48efa5 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
           file://debian/hurd_path.patch \
           file://debian/ignore_strmerge.diff \
           file://debian/disable_werror.patch \
+           file://CVE-2019-7149.patch \
+           file://CVE-2019-7150.patch \
+           file://CVE-2019-7146_p1.patch \
+           file://CVE-2019-7146_p2.patch \
           "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
new file mode 100644
index 0000000000..b6cd29af1a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
+From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 11:57:35 +0100
+Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
+ description.
+Before printing the data values, make sure pr_datasz doesn't go beyond
+the end of the note description data.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libebl/ChangeLog    | 4 ++++
+ libebl/eblobjnote.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
+++ elfutils-0.175/libebl/eblobjnote.c
+@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
+                  desc += 8;
+                  descsz -= 8;
+ 
+                 if (prop.pr_datasz > descsz)
+                   {
+                     printf ("BAD property datasz: %" PRId32 "\n",
+                             prop.pr_datasz);
+                     return;
+                   }
+
+                  int elfclass = gelf_getclass (ebl->elf);
+                  char *elfident = elf_getident (ebl->elf, NULL);
+                  GElf_Ehdr ehdr;
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
+++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,7 @@
+2019-01-16  Mark Wielaard  <mark@klomp.org>
+
+       * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+
+ 2018-11-15  Mark Wielaard  <mark@klomp.org>
+ 
+        * eblobjnotetypename.c (ebl_object_note_type_name): Don't update
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000000..4434b36579
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libebl/ChangeLog    |  5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
+++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-29  Mark Wielaard  <mark@klomp.org>
+
+       * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
+       overflow descsz.
+
+ 2019-01-16  Mark Wielaard  <mark@klomp.org>
+ 
+        * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
+++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+                          printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+                        }
+                    }
+
+                  if (elfclass == ELFCLASS32)
+-                   {
+-                     desc += NOTE_ALIGN4 (prop.pr_datasz);
+-                     descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+-                   }
+                   prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+                  else
+-                   {
+-                     desc += NOTE_ALIGN8 (prop.pr_datasz);
+-                     descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+-                   }
+                   prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
+
+                 desc += prop.pr_datasz;
+                 if (descsz > prop.pr_datasz)
+                   descsz -= prop.pr_datasz;
+                 else
+                   descsz = 0;
+                }
+            }
+          break;
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000000..215a1715bf
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+Fix the same issue in readelf.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libdw/ChangeLog           |  5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog             |  5 +++++
+ src/readelf.c             |  8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
+++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+   if (version < 5)
+     {
+       const unsigned char *dirp = linep;
+-      while (*dirp != 0)
+      while (dirp < lineendp && *dirp != 0)
+        {
+          uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+          if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+          ++ndirs;
+          dirp = endp + 1;
+        }
+      if (dirp >= lineendp || *dirp != '\0')
+       goto invalid_data;
+       ndirs = ndirs + 1; /* There is always the "unknown" dir.  */
+     }
+   else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+        {
+          dirarray[n].dir = (char *) linep;
+          uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+-         assert (endp != NULL);
+         assert (endp != NULL); // Checked above when calculating ndirlist.
+          dirarray[n].len = endp - linep;
+          linep = endp + 1;
+        }
+       /* Skip the final NUL byte.  */
+      assert (*linep == '\0'); // Checked above when calculating ndirlist.
+       ++linep;
+     }
+   else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+     {
+       if (unlikely (linep >= lineendp))
+        goto invalid_data;
+-      while (*linep != 0)
+      while (linep < lineendp && *linep != '\0')
+        {
+          struct filelist *new_file = NEW_FILE ();
+ 
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+            goto invalid_data;
+          get_uleb128 (new_file->info.length, linep, lineendp);
+        }
+      if (linep >= lineendp || *linep != '\0')
+       goto invalid_data;
+       /* Skip the final NUL byte.  */
+       ++linep;
+     }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
+++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+        }
+       else
+        {
+-         while (*linep != 0)
+         while (linep < lineendp && *linep != 0)
+            {
+              unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+              if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+ 
+              linep = endp + 1;
+            }
+         if (linep >= lineendp || *linep != 0)
+           goto invalid_unit;
+          /* Skip the final NUL byte.  */
+          ++linep;
+        }
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+       else
+        {
+          puts (gettext (" Entry Dir   Time      Size      Name"));
+-         for (unsigned int cnt = 1; *linep != 0; ++cnt)
+         for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+            {
+              /* First comes the file name.  */
+              char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+              printf (" %-5u %-5u %-9u %-9u %s\n",
+                      cnt, diridx, mtime, fsize, fname);
+            }
+         if (linep >= lineendp || *linep != '\0')
+           goto invalid_unit;
+          /* Skip the final NUL byte.  */
+          ++linep;
+        }
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
+++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
+       for dir and file lists.
+
+ 2018-10-20  Mark Wielaard  <mark@klomp.org>
+ 
+        * libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
+++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * readelf.c (print_debug_line_section): Check terminating NUL byte
+       for dir and file tables.
+
+ 2018-11-10  Mark Wielaard  <mark@klomp.org>
+ 
+        * elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
new file mode 100644
index 0000000000..01a4fb1562
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
@@ -0,0 +1,51 @@
+From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 23:05:56 +0100
+Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
+When reading the dyn data from the core file check if we got everything,
+or just part of the data.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24103
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7150
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libdwfl/ChangeLog                    | 5 +++++
+ libdwfl/dwfl_segment_report_module.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+===================================================================
+--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
+++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
+   if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
+       && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
+     {
+      /* dyn_data_size will be zero if we got everything from the initial
+         buffer, otherwise it will be the size of the new buffer that
+         could be read.  */
+      if (dyn_data_size != 0)
+       dyn_filesz = dyn_data_size;
+
+       void *dyns = malloc (dyn_filesz);
+       Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
+       Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
+Index: elfutils-0.175/libdwfl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdwfl/ChangeLog
+++ elfutils-0.175/libdwfl/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
+       dyn_filesz vs dyn_data_size after read_portion call.
+
+ 2018-10-20  Mark Wielaard  <mark@klomp.org>
+ 
+        * libdwflP.h (__libdw_open_elf): New internal function declaration.
author	Armin Kuster <akuster@mvista.com>	2019-05-28 16:11:08 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:17 +0100
commit	cd7f7bf38584be1df287e77e78bbdf659a07c385 (patch)
tree	9773ee2cc32ef6d50e7479a9ddda1df69c618b0f /meta
parent	2c225a199d441b52698eb094dadf2b98dba58244 (diff)
download	poky-cd7f7bf38584be1df287e77e78bbdf659a07c385.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb index b0b9ddc736..e94a48efa5 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
27	file://debian/hurd_path.patch \	27	file://debian/hurd_path.patch \
28	file://debian/ignore_strmerge.diff \	28	file://debian/ignore_strmerge.diff \
29	file://debian/disable_werror.patch \	29	file://debian/disable_werror.patch \
		30	file://CVE-2019-7149.patch \
		31	file://CVE-2019-7150.patch \
		32	file://CVE-2019-7146_p1.patch \
		33	file://CVE-2019-7146_p2.patch \
30	"	34	"
31	SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"	35	SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
32		36


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch new file mode 100644 index 0000000000..b6cd29af1a --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
		1	From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Wed, 16 Jan 2019 11:57:35 +0100
		4	Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
		5	description.
		6
		7	Before printing the data values, make sure pr_datasz doesn't go beyond
		8	the end of the note description data.
		9
		10	https://sourceware.org/bugzilla/show_bug.cgi?id=24075
		11
		12	Signed-off-by: Mark Wielaard <mark@klomp.org>
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2019-7146 patch #1
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	libebl/ChangeLog \| 4 ++++
		20	libebl/eblobjnote.c \| 7 +++++++
		21	2 files changed, 11 insertions(+)
		22
		23	Index: elfutils-0.175/libebl/eblobjnote.c
		24	===================================================================
		25	--- elfutils-0.175.orig/libebl/eblobjnote.c
		26	+++ elfutils-0.175/libebl/eblobjnote.c
		27	@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
		28	desc += 8;
		29	descsz -= 8;
		30
		31	+ if (prop.pr_datasz > descsz)
		32	+ {
		33	+ printf ("BAD property datasz: %" PRId32 "\n",
		34	+ prop.pr_datasz);
		35	+ return;
		36	+ }
		37	+
		38	int elfclass = gelf_getclass (ebl->elf);
		39	char *elfident = elf_getident (ebl->elf, NULL);
		40	GElf_Ehdr ehdr;
		41	Index: elfutils-0.175/libebl/ChangeLog
		42	===================================================================
		43	--- elfutils-0.175.orig/libebl/ChangeLog
		44	+++ elfutils-0.175/libebl/ChangeLog
		45	@@ -1,3 +1,7 @@
		46	+2019-01-16 Mark Wielaard <mark@klomp.org>
		47	+
		48	+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
		49	+
		50	2018-11-15 Mark Wielaard <mark@klomp.org>
		51
		52	* eblobjnotetypename.c (ebl_object_note_type_name): Don't update


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch new file mode 100644 index 0000000000..4434b36579 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
		1	From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Wed, 30 Jan 2019 00:04:11 +0100
		4	Subject: [PATCH] libebl: Check GNU property note data padding fits inside
		5	note.
		6
		7	The GNU property note data is padded. Make sure the extra padding
		8	still fits in the note description.
		9
		10	https://sourceware.org/bugzilla/show_bug.cgi?id=24075
		11
		12	Signed-off-by: Mark Wielaard <mark@klomp.org>
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2019-7146 patch #2
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	libebl/ChangeLog \| 5 +++++
		20	libebl/eblobjnote.c \| 17 +++++++++--------
		21	2 files changed, 14 insertions(+), 8 deletions(-)
		22
		23	Index: elfutils-0.175/libebl/ChangeLog
		24	===================================================================
		25	--- elfutils-0.175.orig/libebl/ChangeLog
		26	+++ elfutils-0.175/libebl/ChangeLog
		27	@@ -1,3 +1,8 @@
		28	+2019-01-29 Mark Wielaard <mark@klomp.org>
		29	+
		30	+ * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
		31	+ overflow descsz.
		32	+
		33	2019-01-16 Mark Wielaard <mark@klomp.org>
		34
		35	* eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
		36	Index: elfutils-0.175/libebl/eblobjnote.c
		37	===================================================================
		38	--- elfutils-0.175.orig/libebl/eblobjnote.c
		39	+++ elfutils-0.175/libebl/eblobjnote.c
		40	@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
		41	printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
		42	}
		43	}
		44	+
		45	if (elfclass == ELFCLASS32)
		46	- {
		47	- desc += NOTE_ALIGN4 (prop.pr_datasz);
		48	- descsz -= NOTE_ALIGN4 (prop.pr_datasz);
		49	- }
		50	+ prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
		51	else
		52	- {
		53	- desc += NOTE_ALIGN8 (prop.pr_datasz);
		54	- descsz -= NOTE_ALIGN8 (prop.pr_datasz);
		55	- }
		56	+ prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
		57	+
		58	+ desc += prop.pr_datasz;
		59	+ if (descsz > prop.pr_datasz)
		60	+ descsz -= prop.pr_datasz;
		61	+ else
		62	+ descsz = 0;
		63	}
		64	}
		65	break;


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch new file mode 100644 index 0000000000..215a1715bf --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
		1	From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Sun, 20 Jan 2019 22:10:18 +0100
		4	Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
		5	dir/file table.
		6
		7	For DWARF version < 5 the .debug_line directory and file tables consist
		8	of a terminating NUL byte after all strings. The code used to just skip
		9	this without checking it actually existed. This could case a spurious
		10	read past the end of data.
		11
		12	Fix the same issue in readelf.
		13
		14	https://sourceware.org/bugzilla/show_bug.cgi?id=24102
		15
		16	Signed-off-by: Mark Wielaard <mark@klomp.org>
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2019-7149
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	libdw/ChangeLog \| 5 +++++
		24	libdw/dwarf_getsrclines.c \| 11 ++++++++---
		25	src/ChangeLog \| 5 +++++
		26	src/readelf.c \| 8 ++++++--
		27	4 files changed, 24 insertions(+), 5 deletions(-)
		28
		29	Index: elfutils-0.175/libdw/dwarf_getsrclines.c
		30	===================================================================
		31	--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
		32	+++ elfutils-0.175/libdw/dwarf_getsrclines.c
		33	@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
		34	if (version < 5)
		35	{
		36	const unsigned char *dirp = linep;
		37	- while (*dirp != 0)
		38	+ while (dirp < lineendp && *dirp != 0)
		39	{
		40	uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
		41	if (endp == NULL)
		42	@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
		43	++ndirs;
		44	dirp = endp + 1;
		45	}
		46	+ if (dirp >= lineendp \|\| *dirp != '\0')
		47	+ goto invalid_data;
		48	ndirs = ndirs + 1; /* There is always the "unknown" dir. */
		49	}
		50	else
		51	@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
		52	{
		53	dirarray[n].dir = (char *) linep;
		54	uint8_t *endp = memchr (linep, '\0', lineendp - linep);
		55	- assert (endp != NULL);
		56	+ assert (endp != NULL); // Checked above when calculating ndirlist.
		57	dirarray[n].len = endp - linep;
		58	linep = endp + 1;
		59	}
		60	/* Skip the final NUL byte. */
		61	+ assert (*linep == '\0'); // Checked above when calculating ndirlist.
		62	++linep;
		63	}
		64	else
		65	@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
		66	{
		67	if (unlikely (linep >= lineendp))
		68	goto invalid_data;
		69	- while (*linep != 0)
		70	+ while (linep < lineendp && *linep != '\0')
		71	{
		72	struct filelist *new_file = NEW_FILE ();
		73
		74	@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
		75	goto invalid_data;
		76	get_uleb128 (new_file->info.length, linep, lineendp);
		77	}
		78	+ if (linep >= lineendp \|\| *linep != '\0')
		79	+ goto invalid_data;
		80	/* Skip the final NUL byte. */
		81	++linep;
		82	}
		83	Index: elfutils-0.175/src/readelf.c
		84	===================================================================
		85	--- elfutils-0.175.orig/src/readelf.c
		86	+++ elfutils-0.175/src/readelf.c
		87	@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
		88	}
		89	else
		90	{
		91	- while (*linep != 0)
		92	+ while (linep < lineendp && *linep != 0)
		93	{
		94	unsigned char *endp = memchr (linep, '\0', lineendp - linep);
		95	if (unlikely (endp == NULL))
		96	@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
		97
		98	linep = endp + 1;
		99	}
		100	+ if (linep >= lineendp \|\| *linep != 0)
		101	+ goto invalid_unit;
		102	/* Skip the final NUL byte. */
		103	++linep;
		104	}
		105	@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
		106	else
		107	{
		108	puts (gettext (" Entry Dir Time Size Name"));
		109	- for (unsigned int cnt = 1; *linep != 0; ++cnt)
		110	+ for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
		111	{
		112	/* First comes the file name. */
		113	char fname = (char ) linep;
		114	@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
		115	printf (" %-5u %-5u %-9u %-9u %s\n",
		116	cnt, diridx, mtime, fsize, fname);
		117	}
		118	+ if (linep >= lineendp \|\| *linep != '\0')
		119	+ goto invalid_unit;
		120	/* Skip the final NUL byte. */
		121	++linep;
		122	}
		123	Index: elfutils-0.175/libdw/ChangeLog
		124	===================================================================
		125	--- elfutils-0.175.orig/libdw/ChangeLog
		126	+++ elfutils-0.175/libdw/ChangeLog
		127	@@ -1,3 +1,8 @@
		128	+2019-01-20 Mark Wielaard <mark@klomp.org>
		129	+
		130	+ * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
		131	+ for dir and file lists.
		132	+
		133	2018-10-20 Mark Wielaard <mark@klomp.org>
		134
		135	* libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
		136	Index: elfutils-0.175/src/ChangeLog
		137	===================================================================
		138	--- elfutils-0.175.orig/src/ChangeLog
		139	+++ elfutils-0.175/src/ChangeLog
		140	@@ -1,3 +1,8 @@
		141	+2019-01-20 Mark Wielaard <mark@klomp.org>
		142	+
		143	+ * readelf.c (print_debug_line_section): Check terminating NUL byte
		144	+ for dir and file tables.
		145	+
		146	2018-11-10 Mark Wielaard <mark@klomp.org>
		147
		148	* elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch new file mode 100644 index 0000000000..01a4fb1562 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
@@ -0,0 +1,51 @@
		1	From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Sun, 20 Jan 2019 23:05:56 +0100
		4	Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
		5
		6	When reading the dyn data from the core file check if we got everything,
		7	or just part of the data.
		8
		9	https://sourceware.org/bugzilla/show_bug.cgi?id=24103
		10
		11	Signed-off-by: Mark Wielaard <mark@klomp.org>
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2019-7150
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	libdwfl/ChangeLog \| 5 +++++
		19	libdwfl/dwfl_segment_report_module.c \| 6 ++++++
		20	2 files changed, 11 insertions(+)
		21
		22	Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
		23	===================================================================
		24	--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
		25	+++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
		26	@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
		27	if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
		28	&& ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
		29	{
		30	+ /* dyn_data_size will be zero if we got everything from the initial
		31	+ buffer, otherwise it will be the size of the new buffer that
		32	+ could be read. */
		33	+ if (dyn_data_size != 0)
		34	+ dyn_filesz = dyn_data_size;
		35	+
		36	void *dyns = malloc (dyn_filesz);
		37	Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
		38	Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
		39	Index: elfutils-0.175/libdwfl/ChangeLog
		40	===================================================================
		41	--- elfutils-0.175.orig/libdwfl/ChangeLog
		42	+++ elfutils-0.175/libdwfl/ChangeLog
		43	@@ -1,3 +1,8 @@
		44	+2019-01-20 Mark Wielaard <mark@klomp.org>
		45	+
		46	+ * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
		47	+ dyn_filesz vs dyn_data_size after read_portion call.
		48	+
		49	2018-10-20 Mark Wielaard <mark@klomp.org>
		50
		51	* libdwflP.h (__libdw_open_elf): New internal function declaration.