1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000000..4434b36579
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libebl/ChangeLog    |  5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
+++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-29  Mark Wielaard  <mark@klomp.org>
+
+       * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
+       overflow descsz.
+
+ 2019-01-16  Mark Wielaard  <mark@klomp.org>
+ 
+        * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
+++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+                          printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+                        }
+                    }
+
+                  if (elfclass == ELFCLASS32)
+-                   {
+-                     desc += NOTE_ALIGN4 (prop.pr_datasz);
+-                     descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+-                   }
+                   prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+                  else
+-                   {
+-                     desc += NOTE_ALIGN8 (prop.pr_datasz);
+-                     descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+-                   }
+                   prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
+
+                 desc += prop.pr_datasz;
+                 if (descsz > prop.pr_datasz)
+                   descsz -= prop.pr_datasz;
+                 else
+                   descsz = 0;
+                }
+            }
+          break;

diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch new file mode 100644 index 0000000000..4434b36579 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
	1	From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
	2	From: Mark Wielaard <mark@klomp.org>
	3	Date: Wed, 30 Jan 2019 00:04:11 +0100
	4	Subject: [PATCH] libebl: Check GNU property note data padding fits inside
	5	note.
	6
	7	The GNU property note data is padded. Make sure the extra padding
	8	still fits in the note description.
	9
	10	https://sourceware.org/bugzilla/show_bug.cgi?id=24075
	11
	12	Signed-off-by: Mark Wielaard <mark@klomp.org>
	13
	14	Upstream-Status: Backport
	15	CVE: CVE-2019-7146 patch #2
	16	Signed-off-by: Armin Kuster <akuster@mvista.com>
	17
	18	---
	19	libebl/ChangeLog \| 5 +++++
	20	libebl/eblobjnote.c \| 17 +++++++++--------
	21	2 files changed, 14 insertions(+), 8 deletions(-)
	22
	23	Index: elfutils-0.175/libebl/ChangeLog
	24	===================================================================
	25	--- elfutils-0.175.orig/libebl/ChangeLog
	26	+++ elfutils-0.175/libebl/ChangeLog
	27	@@ -1,3 +1,8 @@
	28	+2019-01-29 Mark Wielaard <mark@klomp.org>
	29	+
	30	+ * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
	31	+ overflow descsz.
	32	+
	33	2019-01-16 Mark Wielaard <mark@klomp.org>
	34
	35	* eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
	36	Index: elfutils-0.175/libebl/eblobjnote.c
	37	===================================================================
	38	--- elfutils-0.175.orig/libebl/eblobjnote.c
	39	+++ elfutils-0.175/libebl/eblobjnote.c
	40	@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
	41	printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
	42	}
	43	}
	44	+
	45	if (elfclass == ELFCLASS32)
	46	- {
	47	- desc += NOTE_ALIGN4 (prop.pr_datasz);
	48	- descsz -= NOTE_ALIGN4 (prop.pr_datasz);
	49	- }
	50	+ prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
	51	else
	52	- {
	53	- desc += NOTE_ALIGN8 (prop.pr_datasz);
	54	- descsz -= NOTE_ALIGN8 (prop.pr_datasz);
	55	- }
	56	+ prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
	57	+
	58	+ desc += prop.pr_datasz;
	59	+ if (descsz > prop.pr_datasz)
	60	+ descsz -= prop.pr_datasz;
	61	+ else
	62	+ descsz = 0;
	63	}
	64	}
	65	break;