1 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000000..215a1715bf
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+Fix the same issue in readelf.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libdw/ChangeLog           |  5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog             |  5 +++++
+ src/readelf.c             |  8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
+++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+   if (version < 5)
+     {
+       const unsigned char *dirp = linep;
+-      while (*dirp != 0)
+      while (dirp < lineendp && *dirp != 0)
+        {
+          uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+          if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+          ++ndirs;
+          dirp = endp + 1;
+        }
+      if (dirp >= lineendp || *dirp != '\0')
+       goto invalid_data;
+       ndirs = ndirs + 1; /* There is always the "unknown" dir.  */
+     }
+   else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+        {
+          dirarray[n].dir = (char *) linep;
+          uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+-         assert (endp != NULL);
+         assert (endp != NULL); // Checked above when calculating ndirlist.
+          dirarray[n].len = endp - linep;
+          linep = endp + 1;
+        }
+       /* Skip the final NUL byte.  */
+      assert (*linep == '\0'); // Checked above when calculating ndirlist.
+       ++linep;
+     }
+   else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+     {
+       if (unlikely (linep >= lineendp))
+        goto invalid_data;
+-      while (*linep != 0)
+      while (linep < lineendp && *linep != '\0')
+        {
+          struct filelist *new_file = NEW_FILE ();
+ 
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+            goto invalid_data;
+          get_uleb128 (new_file->info.length, linep, lineendp);
+        }
+      if (linep >= lineendp || *linep != '\0')
+       goto invalid_data;
+       /* Skip the final NUL byte.  */
+       ++linep;
+     }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
+++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+        }
+       else
+        {
+-         while (*linep != 0)
+         while (linep < lineendp && *linep != 0)
+            {
+              unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+              if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+ 
+              linep = endp + 1;
+            }
+         if (linep >= lineendp || *linep != 0)
+           goto invalid_unit;
+          /* Skip the final NUL byte.  */
+          ++linep;
+        }
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+       else
+        {
+          puts (gettext (" Entry Dir   Time      Size      Name"));
+-         for (unsigned int cnt = 1; *linep != 0; ++cnt)
+         for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+            {
+              /* First comes the file name.  */
+              char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+              printf (" %-5u %-5u %-9u %-9u %s\n",
+                      cnt, diridx, mtime, fsize, fname);
+            }
+         if (linep >= lineendp || *linep != '\0')
+           goto invalid_unit;
+          /* Skip the final NUL byte.  */
+          ++linep;
+        }
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
+++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
+       for dir and file lists.
+
+ 2018-10-20  Mark Wielaard  <mark@klomp.org>
+ 
+        * libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
+++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * readelf.c (print_debug_line_section): Check terminating NUL byte
+       for dir and file tables.
+
+ 2018-11-10  Mark Wielaard  <mark@klomp.org>
+ 
+        * elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment

diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch new file mode 100644 index 0000000000..215a1715bf --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
	1	From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
	2	From: Mark Wielaard <mark@klomp.org>
	3	Date: Sun, 20 Jan 2019 22:10:18 +0100
	4	Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
	5	dir/file table.
	6
	7	For DWARF version < 5 the .debug_line directory and file tables consist
	8	of a terminating NUL byte after all strings. The code used to just skip
	9	this without checking it actually existed. This could case a spurious
	10	read past the end of data.
	11
	12	Fix the same issue in readelf.
	13
	14	https://sourceware.org/bugzilla/show_bug.cgi?id=24102
	15
	16	Signed-off-by: Mark Wielaard <mark@klomp.org>
	17
	18	Upstream-Status: Backport
	19	CVE: CVE-2019-7149
	20	Signed-off-by: Armin Kuster <akuster@mvista.com>
	21
	22	---
	23	libdw/ChangeLog \| 5 +++++
	24	libdw/dwarf_getsrclines.c \| 11 ++++++++---
	25	src/ChangeLog \| 5 +++++
	26	src/readelf.c \| 8 ++++++--
	27	4 files changed, 24 insertions(+), 5 deletions(-)
	28
	29	Index: elfutils-0.175/libdw/dwarf_getsrclines.c
	30	===================================================================
	31	--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
	32	+++ elfutils-0.175/libdw/dwarf_getsrclines.c
	33	@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
	34	if (version < 5)
	35	{
	36	const unsigned char *dirp = linep;
	37	- while (*dirp != 0)
	38	+ while (dirp < lineendp && *dirp != 0)
	39	{
	40	uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
	41	if (endp == NULL)
	42	@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
	43	++ndirs;
	44	dirp = endp + 1;
	45	}
	46	+ if (dirp >= lineendp \|\| *dirp != '\0')
	47	+ goto invalid_data;
	48	ndirs = ndirs + 1; /* There is always the "unknown" dir. */
	49	}
	50	else
	51	@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
	52	{
	53	dirarray[n].dir = (char *) linep;
	54	uint8_t *endp = memchr (linep, '\0', lineendp - linep);
	55	- assert (endp != NULL);
	56	+ assert (endp != NULL); // Checked above when calculating ndirlist.
	57	dirarray[n].len = endp - linep;
	58	linep = endp + 1;
	59	}
	60	/* Skip the final NUL byte. */
	61	+ assert (*linep == '\0'); // Checked above when calculating ndirlist.
	62	++linep;
	63	}
	64	else
	65	@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
	66	{
	67	if (unlikely (linep >= lineendp))
	68	goto invalid_data;
	69	- while (*linep != 0)
	70	+ while (linep < lineendp && *linep != '\0')
	71	{
	72	struct filelist *new_file = NEW_FILE ();
	73
	74	@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
	75	goto invalid_data;
	76	get_uleb128 (new_file->info.length, linep, lineendp);
	77	}
	78	+ if (linep >= lineendp \|\| *linep != '\0')
	79	+ goto invalid_data;
	80	/* Skip the final NUL byte. */
	81	++linep;
	82	}
	83	Index: elfutils-0.175/src/readelf.c
	84	===================================================================
	85	--- elfutils-0.175.orig/src/readelf.c
	86	+++ elfutils-0.175/src/readelf.c
	87	@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
	88	}
	89	else
	90	{
	91	- while (*linep != 0)
	92	+ while (linep < lineendp && *linep != 0)
	93	{
	94	unsigned char *endp = memchr (linep, '\0', lineendp - linep);
	95	if (unlikely (endp == NULL))
	96	@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
	97
	98	linep = endp + 1;
	99	}
	100	+ if (linep >= lineendp \|\| *linep != 0)
	101	+ goto invalid_unit;
	102	/* Skip the final NUL byte. */
	103	++linep;
	104	}
	105	@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
	106	else
	107	{
	108	puts (gettext (" Entry Dir Time Size Name"));
	109	- for (unsigned int cnt = 1; *linep != 0; ++cnt)
	110	+ for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
	111	{
	112	/* First comes the file name. */
	113	char fname = (char ) linep;
	114	@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
	115	printf (" %-5u %-5u %-9u %-9u %s\n",
	116	cnt, diridx, mtime, fsize, fname);
	117	}
	118	+ if (linep >= lineendp \|\| *linep != '\0')
	119	+ goto invalid_unit;
	120	/* Skip the final NUL byte. */
	121	++linep;
	122	}
	123	Index: elfutils-0.175/libdw/ChangeLog
	124	===================================================================
	125	--- elfutils-0.175.orig/libdw/ChangeLog
	126	+++ elfutils-0.175/libdw/ChangeLog
	127	@@ -1,3 +1,8 @@
	128	+2019-01-20 Mark Wielaard <mark@klomp.org>
	129	+
	130	+ * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
	131	+ for dir and file lists.
	132	+
	133	2018-10-20 Mark Wielaard <mark@klomp.org>
	134
	135	* libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
	136	Index: elfutils-0.175/src/ChangeLog
	137	===================================================================
	138	--- elfutils-0.175.orig/src/ChangeLog
	139	+++ elfutils-0.175/src/ChangeLog
	140	@@ -1,3 +1,8 @@
	141	+2019-01-20 Mark Wielaard <mark@klomp.org>
	142	+
	143	+ * readelf.c (print_debug_line_section): Check terminating NUL byte
	144	+ for dir and file tables.
	145	+
	146	2018-11-10 Mark Wielaard <mark@klomp.org>
	147
	148	* elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment