diff options
Diffstat (limited to 'meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch')
-rw-r--r-- | meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch new file mode 100644 index 0000000000..2c74a8d5d7 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001 | ||
2 | From: Hongxu Jia <hongxu.jia@windriver.com> | ||
3 | Date: Fri, 2 Nov 2018 14:22:31 +0800 | ||
4 | Subject: [PATCH] libdwfl: Sanity check partial core file data reads. | ||
5 | |||
6 | There were two issues when reading note data from a core file. | ||
7 | We didn't check if the data we already had in a buffer was big | ||
8 | enough. And if we did get the data, we should check if we got | ||
9 | everything, or just a part of the data. | ||
10 | |||
11 | https://sourceware.org/bugzilla/show_bug.cgi?id=23752 | ||
12 | |||
13 | Signed-off-by: Mark Wielaard <mark@klomp.org> | ||
14 | |||
15 | CVE: CVE-2018-18310 | ||
16 | Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] | ||
17 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
18 | --- | ||
19 | libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- | ||
20 | 1 file changed, 11 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c | ||
23 | index 36e5c82..8749884 100644 | ||
24 | --- a/libdwfl/dwfl_segment_report_module.c | ||
25 | +++ b/libdwfl/dwfl_segment_report_module.c | ||
26 | @@ -1,5 +1,5 @@ | ||
27 | /* Sniff out modules from ELF headers visible in memory segments. | ||
28 | - Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. | ||
29 | + Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. | ||
30 | This file is part of elfutils. | ||
31 | |||
32 | This file is free software; you can redistribute it and/or modify | ||
33 | @@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, | ||
34 | inline bool read_portion (void **data, size_t *data_size, | ||
35 | GElf_Addr vaddr, size_t filesz) | ||
36 | { | ||
37 | - if (vaddr - start + filesz > buffer_available | ||
38 | + /* Check whether we will have to read the segment data, or if it | ||
39 | + can be returned from the existing buffer. */ | ||
40 | + if (filesz > buffer_available | ||
41 | + || vaddr - start > buffer_available - filesz | ||
42 | /* If we're in string mode, then don't consider the buffer we have | ||
43 | sufficient unless it contains the terminator of the string. */ | ||
44 | || (filesz == 0 && memchr (vaddr - start + buffer, '\0', | ||
45 | @@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, | ||
46 | if (read_portion (&data, &data_size, vaddr, filesz)) | ||
47 | return; | ||
48 | |||
49 | + /* data_size will be zero if we got everything from the initial | ||
50 | + buffer, otherwise it will be the size of the new buffer that | ||
51 | + could be read. */ | ||
52 | + if (data_size != 0) | ||
53 | + filesz = data_size; | ||
54 | + | ||
55 | assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); | ||
56 | |||
57 | void *notes; | ||
58 | -- | ||
59 | 2.7.4 | ||
60 | |||