elfutils: fix CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310

These CVE fixes come from upstream master branch and no new version released, so backport rather than upgrade. (From OE-Core rev: bd8d2c25f595e30a3fdcad8a2409913bb8af7c5c) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2018-11-02 17:52:51 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-07 23:08:54 +0000
commit: 918c8a13b67b0eece6fcdf4dad43ad032acacca5 (patch)
tree: c93f1c2b80a451a78d2466e3021d2f83cf179fd9 /meta
parent: 4f6bb406d0834ae7e6b376fa18958c6089635ae9 (diff)
download: poky-918c8a13b67b0eece6fcdf4dad43ad032acacca5.tar.gz
4 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
index 88add7b4cc..c30265b539 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
           file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \
           file://0001-libasm-may-link-with-libbz2-if-found.patch \
           file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \
+           file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \
+           file://0001-size-Handle-recursive-ELF-ar-files.patch \
+           file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \
           file://debian/0001-hppa_backend.patch \
           file://debian/0001-arm_backend.patch \
           file://debian/0001-mips_backend.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
new file mode 100644
index 0000000000..86cf7c8d50
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
@@ -0,0 +1,36 @@
+From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 18 Oct 2018 19:01:52 +0200
+Subject: [PATCH] arlib: Check that sh_entsize isn't zero.
+A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
+but just assume there are no symbols in the section.
+https://sourceware.org/bugzilla/show_bug.cgi?id=23786
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+CVE: CVE-2018-18521
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/arlib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/arlib.c b/src/arlib.c
+index 778e087..a6521e3 100644
+--- a/src/arlib.c
+++ b/src/arlib.c
+@@ -252,6 +252,9 @@ arlib_add_symbols (Elf *elf, const char *arfname, const char *membername,
+       if (data == NULL)
+        continue;
+ 
+      if (shdr->sh_entsize == 0)
+       continue;
+
+       int nsyms = shdr->sh_size / shdr->sh_entsize;
+       for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx)
+        {
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
new file mode 100644
index 0000000000..2c74a8d5d7
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
@@ -0,0 +1,60 @@
+From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Fri, 2 Nov 2018 14:22:31 +0800
+Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
+There were two issues when reading note data from a core file.
+We didn't check if the data we already had in a buffer was big
+enough. And if we did get the data, we should check if we got
+everything, or just a part of the data.
+https://sourceware.org/bugzilla/show_bug.cgi?id=23752
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+CVE: CVE-2018-18310
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ libdwfl/dwfl_segment_report_module.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
+index 36e5c82..8749884 100644
+--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
+@@ -1,5 +1,5 @@
+ /* Sniff out modules from ELF headers visible in memory segments.
+-   Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
+   Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
+    This file is part of elfutils.
+ 
+    This file is free software; you can redistribute it and/or modify
+@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+   inline bool read_portion (void **data, size_t *data_size,
+                            GElf_Addr vaddr, size_t filesz)
+   {
+-    if (vaddr - start + filesz > buffer_available
+    /* Check whether we will have to read the segment data, or if it
+       can be returned from the existing buffer.  */
+    if (filesz > buffer_available
+       || vaddr - start > buffer_available - filesz
+        /* If we're in string mode, then don't consider the buffer we have
+           sufficient unless it contains the terminator of the string.  */
+        || (filesz == 0 && memchr (vaddr - start + buffer, '\0',
+@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+     if (read_portion (&data, &data_size, vaddr, filesz))
+       return;
+ 
+    /* data_size will be zero if we got everything from the initial
+       buffer, otherwise it will be the size of the new buffer that
+       could be read.  */
+    if (data_size != 0)
+      filesz = data_size;
+
+     assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
+ 
+     void *notes;
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
new file mode 100644
index 0000000000..6fed82692c
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
@@ -0,0 +1,40 @@
+From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 18 Oct 2018 23:15:48 +0200
+Subject: [PATCH] size: Handle recursive ELF ar files.
+eu-size didn't handle an ELF ar file that contained an ar file itself
+correctly. handle_ar would recursively call itself but close the ELF
+file before returning. Only close the ELF file at the top-level.
+https://sourceware.org/bugzilla/show_bug.cgi?id=23787
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+CVE: CVE-2018-18520
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/size.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/src/size.c b/src/size.c
+index 5ff3f2a..f01fd88 100644
+--- a/src/size.c
+++ b/src/size.c
+@@ -374,8 +374,10 @@ handle_ar (int fd, Elf *elf, const char *prefix, const char *fname)
+        INTERNAL_ERROR (fname);
+     }
+ 
+-  if (unlikely (elf_end (elf) != 0))
+-    INTERNAL_ERROR (fname);
+  /* Only close ELF handle if this was a "top level" ar file.  */
+  if (prefix == NULL)
+    if (unlikely (elf_end (elf) != 0))
+      INTERNAL_ERROR (fname);
+ 
+   return result;
+ }
+-- 
+2.7.4
author	Hongxu Jia <hongxu.jia@windriver.com>	2018-11-02 17:52:51 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-07 23:08:54 +0000
commit	918c8a13b67b0eece6fcdf4dad43ad032acacca5 (patch)
tree	c93f1c2b80a451a78d2466e3021d2f83cf179fd9 /meta
parent	4f6bb406d0834ae7e6b376fa18958c6089635ae9 (diff)
download	poky-918c8a13b67b0eece6fcdf4dad43ad032acacca5.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb index 88add7b4cc..c30265b539 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
17	file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \	17	file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \
18	file://0001-libasm-may-link-with-libbz2-if-found.patch \	18	file://0001-libasm-may-link-with-libbz2-if-found.patch \
19	file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \	19	file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \
		20	file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \
		21	file://0001-size-Handle-recursive-ELF-ar-files.patch \
		22	file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \
20	file://debian/0001-hppa_backend.patch \	23	file://debian/0001-hppa_backend.patch \
21	file://debian/0001-arm_backend.patch \	24	file://debian/0001-arm_backend.patch \
22	file://debian/0001-mips_backend.patch \	25	file://debian/0001-mips_backend.patch \


diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch new file mode 100644 index 0000000000..86cf7c8d50 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
@@ -0,0 +1,36 @@
		1	From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Thu, 18 Oct 2018 19:01:52 +0200
		4	Subject: [PATCH] arlib: Check that sh_entsize isn't zero.
		5
		6	A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
		7	but just assume there are no symbols in the section.
		8
		9	https://sourceware.org/bugzilla/show_bug.cgi?id=23786
		10
		11	Signed-off-by: Mark Wielaard <mark@klomp.org>
		12
		13	CVE: CVE-2018-18521
		14	Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
		15	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		16	---
		17	src/arlib.c \| 3 +++
		18	1 file changed, 3 insertions(+)
		19
		20	diff --git a/src/arlib.c b/src/arlib.c
		21	index 778e087..a6521e3 100644
		22	--- a/src/arlib.c
		23	+++ b/src/arlib.c
		24	@@ -252,6 +252,9 @@ arlib_add_symbols (Elf elf, const char arfname, const char *membername,
		25	if (data == NULL)
		26	continue;
		27
		28	+ if (shdr->sh_entsize == 0)
		29	+ continue;
		30	+
		31	int nsyms = shdr->sh_size / shdr->sh_entsize;
		32	for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx)
		33	{
		34	--
		35	2.7.4
		36


diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch new file mode 100644 index 0000000000..2c74a8d5d7 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
@@ -0,0 +1,60 @@
		1	From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001
		2	From: Hongxu Jia <hongxu.jia@windriver.com>
		3	Date: Fri, 2 Nov 2018 14:22:31 +0800
		4	Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
		5
		6	There were two issues when reading note data from a core file.
		7	We didn't check if the data we already had in a buffer was big
		8	enough. And if we did get the data, we should check if we got
		9	everything, or just a part of the data.
		10
		11	https://sourceware.org/bugzilla/show_bug.cgi?id=23752
		12
		13	Signed-off-by: Mark Wielaard <mark@klomp.org>
		14
		15	CVE: CVE-2018-18310
		16	Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
		17	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		18	---
		19	libdwfl/dwfl_segment_report_module.c \| 13 +++++++++++--
		20	1 file changed, 11 insertions(+), 2 deletions(-)
		21
		22	diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
		23	index 36e5c82..8749884 100644
		24	--- a/libdwfl/dwfl_segment_report_module.c
		25	+++ b/libdwfl/dwfl_segment_report_module.c
		26	@@ -1,5 +1,5 @@
		27	/* Sniff out modules from ELF headers visible in memory segments.
		28	- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
		29	+ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
		30	This file is part of elfutils.
		31
		32	This file is free software; you can redistribute it and/or modify
		33	@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl dwfl, int ndx, const char name,
		34	inline bool read_portion (void *data, size_t data_size,
		35	GElf_Addr vaddr, size_t filesz)
		36	{
		37	- if (vaddr - start + filesz > buffer_available
		38	+ /* Check whether we will have to read the segment data, or if it
		39	+ can be returned from the existing buffer. */
		40	+ if (filesz > buffer_available
		41	+ \|\| vaddr - start > buffer_available - filesz
		42	/* If we're in string mode, then don't consider the buffer we have
		43	sufficient unless it contains the terminator of the string. */
		44	\|\| (filesz == 0 && memchr (vaddr - start + buffer, '\0',
		45	@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl dwfl, int ndx, const char name,
		46	if (read_portion (&data, &data_size, vaddr, filesz))
		47	return;
		48
		49	+ /* data_size will be zero if we got everything from the initial
		50	+ buffer, otherwise it will be the size of the new buffer that
		51	+ could be read. */
		52	+ if (data_size != 0)
		53	+ filesz = data_size;
		54	+
		55	assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
		56
		57	void *notes;
		58	--
		59	2.7.4
		60


diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch new file mode 100644 index 0000000000..6fed82692c --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
@@ -0,0 +1,40 @@
		1	From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001
		2	From: Mark Wielaard <mark@klomp.org>
		3	Date: Thu, 18 Oct 2018 23:15:48 +0200
		4	Subject: [PATCH] size: Handle recursive ELF ar files.
		5
		6	eu-size didn't handle an ELF ar file that contained an ar file itself
		7	correctly. handle_ar would recursively call itself but close the ELF
		8	file before returning. Only close the ELF file at the top-level.
		9
		10	https://sourceware.org/bugzilla/show_bug.cgi?id=23787
		11
		12	Signed-off-by: Mark Wielaard <mark@klomp.org>
		13
		14	CVE: CVE-2018-18520
		15	Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
		16	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		17	---
		18	src/size.c \| 6 ++++--
		19	1 file changed, 4 insertions(+), 2 deletions(-)
		20
		21	diff --git a/src/size.c b/src/size.c
		22	index 5ff3f2a..f01fd88 100644
		23	--- a/src/size.c
		24	+++ b/src/size.c
		25	@@ -374,8 +374,10 @@ handle_ar (int fd, Elf elf, const char prefix, const char *fname)
		26	INTERNAL_ERROR (fname);
		27	}
		28
		29	- if (unlikely (elf_end (elf) != 0))
		30	- INTERNAL_ERROR (fname);
		31	+ /* Only close ELF handle if this was a "top level" ar file. */
		32	+ if (prefix == NULL)
		33	+ if (unlikely (elf_end (elf) != 0))
		34	+ INTERNAL_ERROR (fname);
		35
		36	return result;
		37	}
		38	--
		39	2.7.4
		40