From cd7f7bf38584be1df287e77e78bbdf659a07c385 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Tue, 28 May 2019 16:11:08 -0700
Subject: elfutils: Security fixes CVE-2019-7146,7149,7150
Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description: Affects <= 0.175 Fixes: CVE-2019-7146 CVE-2019-7149 CVE-2019-7150
(From OE-Core rev: ac5dca7dc68519b36aa976dfd25d8efa76af74ec)
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 meta/recipes-devtools/elfutils/elfutils_0.175.bb | 4 +
 .../elfutils/files/CVE-2019-7146_p1.patch | 52 ++++++++
 .../elfutils/files/CVE-2019-7146_p2.patch | 65 +++++++++
 .../elfutils/files/CVE-2019-7149.patch | 148 +++++++++++++++++++++
 .../elfutils/files/CVE-2019-7150.patch | 51 +++++++
 5 files changed, 320 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
(limited to 'meta/recipes-devtools')
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index b0b9ddc736..e94a48efa5 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
 file://debian/hurd_path.patch \
 file://debian/ignore_strmerge.diff \
 file://debian/disable_werror.patch \
+ file://CVE-2019-7149.patch \
+ file://CVE-2019-7150.patch \
+ file://CVE-2019-7146_p1.patch \
+ file://CVE-2019-7146_p2.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
new file mode 100644
index 0000000000..b6cd29af1a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
+From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Wed, 16 Jan 2019 11:57:35 +0100
+Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
+ description.
+
+Before printing the data values, make sure pr_datasz doesn't go beyond
+the end of the note description data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #1
+Signed-off-by: Armin Kuster
+
+---
+ libebl/ChangeLog | 4 ++++
+ libebl/eblobjnote.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ desc += 8;
+ descsz -= 8;
+
++ if (prop.pr_datasz > descsz)
++ {
++ printf ("BAD property datasz: %" PRId32 "\n",
++ prop.pr_datasz);
++ return;
++ }
++
+ int elfclass = gelf_getclass (ebl->elf);
+ char *elfident = elf_getident (ebl->elf, NULL);
+ GElf_Ehdr ehdr;
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,7 @@
++2019-01-16 Mark Wielaard
++
++ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
++
+ 2018-11-15 Mark Wielaard
+
+ * eblobjnotetypename.c (ebl_object_note_type_name): Don't update
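Review bot: The new bounds check prints `prop.pr_datasz` with `PRId32`, a signed conversion; if `pr_datasz` is the unsigned 32-bit note field (it is compared against `descsz` as a size on the line above), `PRIu32` matches the type and avoids reporting a value in the rejected range as a negative number: `printf ("BAD property datasz: %" PRIu32 "\n", prop.pr_datasz);`. The check itself sits in the right place, since `descsz` has already been reduced by the 8-byte property header on the preceding context lines, so the comparison is against the bytes that remain. The enclosing `ebl_object_note` body starts and ends outside the hunk, so whether `descsz >= 8` was verified before that subtraction cannot be confirmed here. The accompanying ChangeLog entry names `eblobjnte.c`; the file changed is `eblobjnote.c`.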
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000000..4434b36579
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster
+
+---
+ libebl/ChangeLog | 5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-29 Mark Wielaard
++
++ * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
++ overflow descsz.
++
+ 2019-01-16 Mark Wielaard
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+ }
+ }
++
+ if (elfclass == ELFCLASS32)
+- {
+- desc += NOTE_ALIGN4 (prop.pr_datasz);
+- descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+- }
++ prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+ else
+- {
+- desc += NOTE_ALIGN8 (prop.pr_datasz);
+- descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+- }
++ prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
++
++ desc += prop.pr_datasz;
++ if (descsz > prop.pr_datasz)
++ descsz -= prop.pr_datasz;
++ else
++ descsz = 0;
+ }
+ }
+ break;
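Review bot: In the new tail of the property loop `desc += prop.pr_datasz;` advances the cursor by the aligned size unconditionally, while the `else` branch right below only clamps `descsz` to 0, so when the padding exceeds the remaining bytes `desc` ends up pointing past the end of the description buffer. Clamping the advance the same way keeps the pointer inside the object: `desc += descsz > prop.pr_datasz ? prop.pr_datasz : descsz;` placed before the `descsz` adjustment. Presumably the enclosing loop stops on `descsz == 0` and never dereferences `desc` afterwards, in which case this is pointer-arithmetic hygiene rather than an over-read, but the loop header is outside the hunk so that cannot be confirmed here. The aligned value now overwrites `prop.pr_datasz` itself, which is only safe because the unaligned size is not needed after the dump above; a one-line comment such as `/* pr_datasz is not used again; reuse it for the padded size.  */` would make that intent visible.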
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000000..215a1715bf
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+
+Fix the same issue in readelf.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+
+Signed-off-by: Mark Wielaard
+
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster
+
+---
+ libdw/ChangeLog | 5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog | 5 +++++
+ src/readelf.c | 8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
++++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+ if (version < 5)
+ {
+ const unsigned char *dirp = linep;
+- while (*dirp != 0)
++ while (dirp < lineendp && *dirp != 0)
+ {
+ uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+ if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+ ++ndirs;
+ dirp = endp + 1;
+ }
++ if (dirp >= lineendp || *dirp != '\0')
++ goto invalid_data;
+ ndirs = ndirs + 1; /* There is always the "unknown" dir. */
+ }
+ else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+ {
+ dirarray[n].dir = (char *) linep;
+ uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+- assert (endp != NULL);
++ assert (endp != NULL); // Checked above when calculating ndirlist.
+ dirarray[n].len = endp - linep;
+ linep = endp + 1;
+ }
+ /* Skip the final NUL byte. */
++ assert (*linep == '\0'); // Checked above when calculating ndirlist.
+ ++linep;
+ }
+ else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+ {
+ if (unlikely (linep >= lineendp))
+ goto invalid_data;
+- while (*linep != 0)
++ while (linep < lineendp && *linep != '\0')
+ {
+ struct filelist *new_file = NEW_FILE ();
+
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+ goto invalid_data;
+ get_uleb128 (new_file->info.length, linep, lineendp);
+ }
++ if (linep >= lineendp || *linep != '\0')
++ goto invalid_data;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
++++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+ }
+ else
+ {
+- while (*linep != 0)
++ while (linep < lineendp && *linep != 0)
+ {
+ unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+ if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+
+ linep = endp + 1;
+ }
++ if (linep >= lineendp || *linep != 0)
++ goto invalid_unit;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+ else
+ {
+ puts (gettext (" Entry Dir Time Size Name"));
+- for (unsigned int cnt = 1; *linep != 0; ++cnt)
++ for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+ {
+ /* First comes the file name. */
+ char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+ printf (" %-5u %-5u %-9u %-9u %s\n",
+ cnt, diridx, mtime, fsize, fname);
+ }
++ if (linep >= lineendp || *linep != '\0')
++ goto invalid_unit;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
++++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard
++
++ * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
++ for dir and file lists.
++
+ 2018-10-20 Mark Wielaard
+
+ * libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
++++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard
++
++ * readelf.c (print_debug_line_section): Check terminating NUL byte
++ for dir and file tables.
++
+ 2018-11-10 Mark Wielaard
+
+ * elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
new file mode 100644
index 0000000000..01a4fb1562
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
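Review bot: The new terminator checks are written inconsistently: the readelf.c directory-table hunk (`@@ -8454`) tests `*linep != 0` while the file-table hunk (`@@ -8553`) tests `*linep != '\0'`, and the first dwarf_getsrclines.c hunk puts `*dirp != 0` in the loop condition and `*dirp != '\0'` in the check immediately after it. Using `'\0'` throughout would match the `memchr (…, '\0', …)` calls on the same lines and make it obvious the comparison is against the string terminator, not a numeric count. The two new `assert (…); // Checked above when calculating ndirlist.` lines in `read_srclines` are sound only because the first hunk now rejects a missing terminator with `goto invalid_data` before that code runs, a dependency a reader of the second hunk cannot see; a short comment such as `/* The table ends with an empty string; the counting pass above already rejected a table that runs off lineendp.  */` would state the invariant where it is relied on. Both `read_srclines` and `print_debug_line_section` start and end outside these hunks.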
@@ -0,0 +1,51 @@
+From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard
+Date: Sun, 20 Jan 2019 23:05:56 +0100
+Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
+
+When reading the dyn data from the core file check if we got everything,
+or just part of the data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24103
+
+Signed-off-by: Mark Wielaard
+
+Upstream-Status: Backport
+CVE: CVE-2019-7150
+Signed-off-by: Armin Kuster
+
+---
+ libdwfl/ChangeLog | 5 +++++
+ libdwfl/dwfl_segment_report_module.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+===================================================================
+--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
++++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
+ if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
+ && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
+ {
++ /* dyn_data_size will be zero if we got everything from the initial
++ buffer, otherwise it will be the size of the new buffer that
++ could be read. */
++ if (dyn_data_size != 0)
++ dyn_filesz = dyn_data_size;
++
+ void *dyns = malloc (dyn_filesz);
+ Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
+ Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
+Index: elfutils-0.175/libdwfl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdwfl/ChangeLog
++++ elfutils-0.175/libdwfl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard
++
++ * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
++ dyn_filesz vs dyn_data_size after read_portion call.
++
+ 2018-10-20 Mark Wielaard
+
+ * libdwflP.h (__libdw_open_elf): New internal function declaration.
-- 
cgit v1.2.3-54-g00ecf
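Review bot: Overriding `dyn_filesz` with `dyn_data_size` after the guard `dyn_filesz % dyn_entsize == 0` has already passed means the new size is no longer known to be a whole number of entries, so the VLA-pointer bounds `dyn_filesz / sizeof (Elf32_Dyn)` on the following context lines silently drop a trailing partial entry while `malloc (dyn_filesz)` still allocates the partial bytes. Rounding the short read down explicitly keeps the allocation, the array bounds and any later entry loop in step: `dyn_filesz = dyn_data_size - dyn_data_size % dyn_entsize;`. The added comment's claim that `dyn_data_size` is zero when the data came from the initial buffer rests on `read_portion`'s contract, which is outside the hunk; if that helper can also report a size larger than the requested `dyn_filesz`, the assignment would grow the range rather than shrink it, so `if (dyn_data_size != 0 && dyn_data_size < dyn_filesz)` is the conservative form. The rest of `dwfl_segment_report_module`, including whatever iterates the entries, lies outside the hunk.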