2 files changed, 219 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
new file mode 100644
index 0000000000..e55dc5a054
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
+From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 12:25:57 +0100
+Subject: [PATCH] CVE: CVE-2019-7664
+Upstream-Status: Backport
+libelf: Correct overflow check in note_xlate.
+We want to make sure the note_len doesn't overflow and becomes shorter
+than the note header. But the namesz and descsz checks got the note header
+size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
+https://sourceware.org/bugzilla/show_bug.cgi?id=24084
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libelf/ChangeLog    | 13 +++++++++++++
+ libelf/note_xlate.h |  4 ++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 68c4fbd..892e6e7 100644
+--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
+@@ -1,3 +1,16 @@
+<<<<<<< HEAD
+=======
+2019-01-16  Mark Wielaard  <mark@klomp.org>
+
+       * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
+       overflow note_len into note header.
+
+2018-11-17  Mark Wielaard  <mark@klomp.org>
+
+       * elf32_updatefile.c (updatemmap): Make sure to call convert
+       function on a properly aligned destination.
+
+>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
+ 2018-11-16  Mark Wielaard  <mark@klomp.org>
+ 
+        * libebl.h (__elf32_msize): Mark with const attribute.
+diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
+index 9bdc3e2..bc9950f 100644
+--- a/libelf/note_xlate.h
+++ b/libelf/note_xlate.h
+@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
+       /* desc needs to be aligned.  */
+       note_len += n->n_namesz;
+       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
+        break;
+ 
+       /* data as a whole needs to be aligned.  */
+       note_len += n->n_descsz;
+       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
+        break;
+ 
+       /* Copy or skip the note data.  */
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
new file mode 100644
index 0000000000..a1bb30979d
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
+From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 15:41:31 +0100
+Subject: [PATCH] CVE: CVE-2019-7665
+Upstream-Status: Backport
+Sign off: Shubham Agrawal <shuagr@microsoft.com>
+libebl: Check NT_PLATFORM core notes contain a zero terminated string.
+Most strings in core notes are fixed size. But NT_PLATFORM contains just
+a variable length string. Check that it is actually zero terminated
+before passing to readelf to print.
+https://sourceware.org/bugzilla/show_bug.cgi?id=24089
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libdwfl/linux-core-attach.c |  9 +++++----
+ libebl/eblcorenote.c        | 39 +++++++++++++++++++--------------------
+ libebl/libebl.h             |  3 ++-
+ src/readelf.c               |  2 +-
+ 4 files changed, 27 insertions(+), 26 deletions(-)
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 6c99b9e..c0f1b0d 100644
+--- a/libdwfl/linux-core-attach.c
+++ b/libdwfl/linux-core-attach.c
+@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+       const Ebl_Register_Location *reglocs;
+       size_t nitems;
+       const Ebl_Core_Item *items;
+-      if (! ebl_core_note (core_arg->ebl, &nhdr, name,
+      if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+                           &regs_offset, &nregloc, &reglocs, &nitems, &items))
+        {
+          /* This note may be just not recognized, skip it.  */
+@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+   const Ebl_Register_Location *reglocs;
+   size_t nitems;
+   const Ebl_Core_Item *items;
+-  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
+-                                    &nregloc, &reglocs, &nitems, &items);
+  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+                                    &regs_offset, &nregloc, &reglocs,
+                                    &nitems, &items);
+   /* __libdwfl_attach_state_for_core already verified the note is there.  */
+   assert (core_note_err != 0);
+   assert (nhdr.n_type == NT_PRSTATUS);
+@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+       const Ebl_Register_Location *reglocs;
+       size_t nitems;
+       const Ebl_Core_Item *items;
+-      if (! ebl_core_note (ebl, &nhdr, name,
+      if (! ebl_core_note (ebl, &nhdr, name, desc,
+                           &regs_offset, &nregloc, &reglocs, &nitems, &items))
+        {
+          /* This note may be just not recognized, skip it.  */
+diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
+index 783f981..7fab397 100644
+--- a/libebl/eblcorenote.c
+++ b/libebl/eblcorenote.c
+@@ -36,11 +36,13 @@
+ #include <inttypes.h>
+ #include <stdio.h>
+ #include <stddef.h>
+#include <string.h>
+ #include <libeblP.h>
+ 
+ 
+ int
+ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+              const char *desc,
+               GElf_Word *regs_offset, size_t *nregloc,
+               const Ebl_Register_Location **reglocs, size_t *nitems,
+               const Ebl_Core_Item **items)
+@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+     {
+       /* The machine specific function did not know this type.  */
+ 
+-      *regs_offset = 0;
+-      *nregloc = 0;
+-      *reglocs = NULL;
+-      switch (nhdr->n_type)
+      /* NT_PLATFORM is kind of special since it needs a zero terminated
+         string (other notes often have a fixed size string).  */
+      static const Ebl_Core_Item platform[] =
+        {
+-#define ITEMS(type, table)                             \
+-         case type:                                    \
+-           *items = table;                             \
+-           *nitems = sizeof table / sizeof table[0];   \
+-           result = 1;                                 \
+-           break
+         {
+           .name = "Platform",
+           .type = ELF_T_BYTE, .count = 0, .format = 's'
+         }
+       };
+ 
+-         static const Ebl_Core_Item platform[] =
+-           {
+-             {
+-               .name = "Platform",
+-               .type = ELF_T_BYTE, .count = 0, .format = 's'
+-             }
+-           };
+-         ITEMS (NT_PLATFORM, platform);
+-
+-#undef ITEMS
+      if (nhdr->n_type == NT_PLATFORM
+         && memchr (desc, '\0', nhdr->n_descsz) != NULL)
+        {
+         *regs_offset = 0;
+         *nregloc = 0;
+         *reglocs = NULL;
+         *items = platform;
+         *nitems = 1;
+         result = 1;
+        }
+     }
+ 
+diff --git a/libebl/libebl.h b/libebl/libebl.h
+index ca9b9fe..24922eb 100644
+--- a/libebl/libebl.h
+++ b/libebl/libebl.h
+@@ -319,7 +319,8 @@ typedef struct
+ 
+ /* Describe the format of a core file note with the given header and NAME.
+    NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes.  */
+-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+                         const char *name, const char *desc,
+                          GElf_Word *regs_offset, size_t *nregloc,
+                          const Ebl_Register_Location **reglocs,
+                          size_t *nitems, const Ebl_Core_Item **items)
+diff --git a/src/readelf.c b/src/readelf.c
+index 3a73710..71651e0 100644
+--- a/src/readelf.c
+++ b/src/readelf.c
+@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+   size_t nitems;
+   const Ebl_Core_Item *items;
+ 
+-  if (! ebl_core_note (ebl, nhdr, name,
+  if (! ebl_core_note (ebl, nhdr, name, desc,
+                       &regs_offset, &nregloc, &reglocs, &nitems, &items))
+     return;
+ 
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch new file mode 100644 index 0000000000..e55dc5a054 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
	1	From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
	2	From: Mark Wielaard <mark@klomp.org>
	3	Date: Wed, 16 Jan 2019 12:25:57 +0100
	4	Subject: [PATCH] CVE: CVE-2019-7664
	5
	6	Upstream-Status: Backport
	7	libelf: Correct overflow check in note_xlate.
	8
	9	We want to make sure the note_len doesn't overflow and becomes shorter
	10	than the note header. But the namesz and descsz checks got the note header
	11	size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
	12
	13	https://sourceware.org/bugzilla/show_bug.cgi?id=24084
	14
	15	Signed-off-by: Mark Wielaard <mark@klomp.org>
	16	Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
	17	---
	18	libelf/ChangeLog \| 13 +++++++++++++
	19	libelf/note_xlate.h \| 4 ++--
	20	2 files changed, 15 insertions(+), 2 deletions(-)
	21
	22	diff --git a/libelf/ChangeLog b/libelf/ChangeLog
	23	index 68c4fbd..892e6e7 100644
	24	--- a/libelf/ChangeLog
	25	+++ b/libelf/ChangeLog
	26	@@ -1,3 +1,16 @@
	27	+<<<<<<< HEAD
	28	+=======
	29	+2019-01-16 Mark Wielaard <mark@klomp.org>
	30	+
	31	+ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
	32	+ overflow note_len into note header.
	33	+
	34	+2018-11-17 Mark Wielaard <mark@klomp.org>
	35	+
	36	+ * elf32_updatefile.c (updatemmap): Make sure to call convert
	37	+ function on a properly aligned destination.
	38	+
	39	+>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
	40	2018-11-16 Mark Wielaard <mark@klomp.org>
	41
	42	* libebl.h (__elf32_msize): Mark with const attribute.
	43	diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
	44	index 9bdc3e2..bc9950f 100644
	45	--- a/libelf/note_xlate.h
	46	+++ b/libelf/note_xlate.h
	47	@@ -46,13 +46,13 @@ elf_cvt_note (void dest, const void src, size_t len, int encode,
	48	/* desc needs to be aligned. */
	49	note_len += n->n_namesz;
	50	note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
	51	- if (note_len > len \|\| note_len < 8)
	52	+ if (note_len > len \|\| note_len < sizeof *n)
	53	break;
	54
	55	/* data as a whole needs to be aligned. */
	56	note_len += n->n_descsz;
	57	note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
	58	- if (note_len > len \|\| note_len < 8)
	59	+ if (note_len > len \|\| note_len < sizeof *n)
	60	break;
	61
	62	/* Copy or skip the note data. */
	63	--
	64	2.7.4
	65


diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch new file mode 100644 index 0000000000..a1bb30979d --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
	1	From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
	2	From: Mark Wielaard <mark@klomp.org>
	3	Date: Wed, 16 Jan 2019 15:41:31 +0100
	4	Subject: [PATCH] CVE: CVE-2019-7665
	5
	6	Upstream-Status: Backport
	7
	8	Sign off: Shubham Agrawal <shuagr@microsoft.com>
	9
	10	libebl: Check NT_PLATFORM core notes contain a zero terminated string.
	11
	12	Most strings in core notes are fixed size. But NT_PLATFORM contains just
	13	a variable length string. Check that it is actually zero terminated
	14	before passing to readelf to print.
	15
	16	https://sourceware.org/bugzilla/show_bug.cgi?id=24089
	17
	18	Signed-off-by: Mark Wielaard <mark@klomp.org>
	19	Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
	20	---
	21	libdwfl/linux-core-attach.c \| 9 +++++----
	22	libebl/eblcorenote.c \| 39 +++++++++++++++++++--------------------
	23	libebl/libebl.h \| 3 ++-
	24	src/readelf.c \| 2 +-
	25	4 files changed, 27 insertions(+), 26 deletions(-)
	26
	27	diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
	28	index 6c99b9e..c0f1b0d 100644
	29	--- a/libdwfl/linux-core-attach.c
	30	+++ b/libdwfl/linux-core-attach.c
	31	@@ -137,7 +137,7 @@ core_next_thread (Dwfl dwfl __attribute__ ((unused)), void dwfl_arg,
	32	const Ebl_Register_Location *reglocs;
	33	size_t nitems;
	34	const Ebl_Core_Item *items;
	35	- if (! ebl_core_note (core_arg->ebl, &nhdr, name,
	36	+ if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
	37	&regs_offset, &nregloc, &reglocs, &nitems, &items))
	38	{
	39	/* This note may be just not recognized, skip it. */
	40	@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread thread, void thread_arg_voidp)
	41	const Ebl_Register_Location *reglocs;
	42	size_t nitems;
	43	const Ebl_Core_Item *items;
	44	- int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
	45	- &nregloc, &reglocs, &nitems, &items);
	46	+ int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
	47	+ &regs_offset, &nregloc, &reglocs,
	48	+ &nitems, &items);
	49	/* __libdwfl_attach_state_for_core already verified the note is there. */
	50	assert (core_note_err != 0);
	51	assert (nhdr.n_type == NT_PRSTATUS);
	52	@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl dwfl, Elf core)
	53	const Ebl_Register_Location *reglocs;
	54	size_t nitems;
	55	const Ebl_Core_Item *items;
	56	- if (! ebl_core_note (ebl, &nhdr, name,
	57	+ if (! ebl_core_note (ebl, &nhdr, name, desc,
	58	&regs_offset, &nregloc, &reglocs, &nitems, &items))
	59	{
	60	/* This note may be just not recognized, skip it. */
	61	diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
	62	index 783f981..7fab397 100644
	63	--- a/libebl/eblcorenote.c
	64	+++ b/libebl/eblcorenote.c
	65	@@ -36,11 +36,13 @@
	66	#include <inttypes.h>
	67	#include <stdio.h>
	68	#include <stddef.h>
	69	+#include <string.h>
	70	#include <libeblP.h>
	71
	72
	73	int
	74	ebl_core_note (Ebl ebl, const GElf_Nhdr nhdr, const char *name,
	75	+ const char *desc,
	76	GElf_Word regs_offset, size_t nregloc,
	77	const Ebl_Register_Location *reglocs, size_t nitems,
	78	const Ebl_Core_Item **items)
	79	@@ -51,28 +53,25 @@ ebl_core_note (Ebl ebl, const GElf_Nhdr nhdr, const char *name,
	80	{
	81	/* The machine specific function did not know this type. */
	82
	83	- *regs_offset = 0;
	84	- *nregloc = 0;
	85	- *reglocs = NULL;
	86	- switch (nhdr->n_type)
	87	+ /* NT_PLATFORM is kind of special since it needs a zero terminated
	88	+ string (other notes often have a fixed size string). */
	89	+ static const Ebl_Core_Item platform[] =
	90	{
	91	-#define ITEMS(type, table) \
	92	- case type: \
	93	- *items = table; \
	94	- *nitems = sizeof table / sizeof table[0]; \
	95	- result = 1; \
	96	- break
	97	+ {
	98	+ .name = "Platform",
	99	+ .type = ELF_T_BYTE, .count = 0, .format = 's'
	100	+ }
	101	+ };
	102
	103	- static const Ebl_Core_Item platform[] =
	104	- {
	105	- {
	106	- .name = "Platform",
	107	- .type = ELF_T_BYTE, .count = 0, .format = 's'
	108	- }
	109	- };
	110	- ITEMS (NT_PLATFORM, platform);
	111	-
	112	-#undef ITEMS
	113	+ if (nhdr->n_type == NT_PLATFORM
	114	+ && memchr (desc, '\0', nhdr->n_descsz) != NULL)
	115	+ {
	116	+ *regs_offset = 0;
	117	+ *nregloc = 0;
	118	+ *reglocs = NULL;
	119	+ *items = platform;
	120	+ *nitems = 1;
	121	+ result = 1;
	122	}
	123	}
	124
	125	diff --git a/libebl/libebl.h b/libebl/libebl.h
	126	index ca9b9fe..24922eb 100644
	127	--- a/libebl/libebl.h
	128	+++ b/libebl/libebl.h
	129	@@ -319,7 +319,8 @@ typedef struct
	130
	131	/* Describe the format of a core file note with the given header and NAME.
	132	NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes. */
	133	-extern int ebl_core_note (Ebl ebl, const GElf_Nhdr nhdr, const char *name,
	134	+extern int ebl_core_note (Ebl ebl, const GElf_Nhdr nhdr,
	135	+ const char name, const char desc,
	136	GElf_Word regs_offset, size_t nregloc,
	137	const Ebl_Register_Location **reglocs,
	138	size_t nitems, const Ebl_Core_Item *items)
	139	diff --git a/src/readelf.c b/src/readelf.c
	140	index 3a73710..71651e0 100644
	141	--- a/src/readelf.c
	142	+++ b/src/readelf.c
	143	@@ -12153,7 +12153,7 @@ handle_core_note (Ebl ebl, const GElf_Nhdr nhdr,
	144	size_t nitems;
	145	const Ebl_Core_Item *items;
	146
	147	- if (! ebl_core_note (ebl, nhdr, name,
	148	+ if (! ebl_core_note (ebl, nhdr, name, desc,
	149	&regs_offset, &nregloc, &reglocs, &nitems, &items))
	150	return;
	151
	152	--
	153	2.7.4
	154