From 29e31978ba51c1051743a503ee325b5ebc03d7e9 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Sat, 18 Aug 2018 13:27:48 +0200
Subject: [PATCH] libdw, readelf: Make sure there is enough data to read full
aranges header.
dwarf_getaranges didn't check if there was enough data left to read both
the address and segment size. readelf didn't check there was enough data
left to read the segment size.
https://sourceware.org/bugzilla/show_bug.cgi?id=23541
CVE: CVE-2018-16062
Upstream-Status: Backport
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
libdw/ChangeLog | 5 +++++
libdw/dwarf_getaranges.c | 4 ++++
src/ChangeLog | 5 +++++
src/readelf.c | 2 ++
4 files changed, 16 insertions(+)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index cb4f34e..472d922 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-18 Mark Wielaard <mark@klomp.org>
+
+ * dwarf_getaranges.c (dwarf_getaranges.c): Make sure there is enough
+ data to read the address and segment size.
+
2018-06-28 Mark Wielaard <mark@klomp.org>
* dwarf_next_cfi.c (dwarf_next_cfi): Check whether length is zero.
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index bff9c86..de5b81b 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges, size_t *naranges)
length_bytes, &offset, IDX_debug_info, 4))
goto fail;
+ /* Next up two bytes for address and segment size. */
+ if (readp + 2 > readendp)
+ goto invalid;
+
unsigned int address_size = *readp++;
if (unlikely (address_size != 4 && address_size != 8))
goto invalid;
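Review bot: The new guard forms `readp + 2` before comparing with readendp, which is pointer arithmetic past the end of the buffer whenever fewer than two bytes remain; the readelf.c hunk below has the same shape in `readp + 1 > readendp`. Subtracting instead keeps the arithmetic inside the object: `if (readendp - readp < 2) goto invalid;` here, and `if (readp >= readendp) goto invalid_data;` in readelf.c, which is also the clearer spelling of a one-byte check. Both forms rely on readp never having advanced beyond readendp earlier in the loop, which appears to be maintained by the preceding length check but is outside the hunk. dwarf_getaranges continues past the hunk, and the segment-size read that the added check is meant to cover is not visible here.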
diff --git a/src/ChangeLog b/src/ChangeLog
index 8c89f83..2f9f774 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-18 Mark Wielaard <mark@klomp.org>
+
+ * readelf.c (print_debug_aranges_section): Make sure there is enough
+ data to read the header segment size.
+
2018-06-25 Mark Wielaard <mark@klomp.org>
* readelf.c (print_decoded_line_section): Use dwarf_next_lines
diff --git a/src/readelf.c b/src/readelf.c
index 7b5707f..7b488ac 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
goto next_table;
}
+ if (readp + 1 > readendp)
+ goto invalid_data;
unsigned int segment_size = *readp++;
printf (gettext (" Segment size: %6" PRIu64 "\n\n"),
(uint64_t) segment_size);
--
2.9.3