diff options
Diffstat (limited to 'poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch')
-rw-r--r-- | poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch new file mode 100644 index 000000000..2c74a8d5d --- /dev/null +++ b/poky/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch @@ -0,0 +1,60 @@ +From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Fri, 2 Nov 2018 14:22:31 +0800 +Subject: [PATCH] libdwfl: Sanity check partial core file data reads. + +There were two issues when reading note data from a core file. +We didn't check if the data we already had in a buffer was big +enough. And if we did get the data, we should check if we got +everything, or just a part of the data. + +https://sourceware.org/bugzilla/show_bug.cgi?id=23752 + +Signed-off-by: Mark Wielaard <mark@klomp.org> + +CVE: CVE-2018-18310 +Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c +index 36e5c82..8749884 100644 +--- a/libdwfl/dwfl_segment_report_module.c ++++ b/libdwfl/dwfl_segment_report_module.c +@@ -1,5 +1,5 @@ + /* Sniff out modules from ELF headers visible in memory segments. +- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. ++ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. + This file is part of elfutils. + + This file is free software; you can redistribute it and/or modify +@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + inline bool read_portion (void **data, size_t *data_size, + GElf_Addr vaddr, size_t filesz) + { +- if (vaddr - start + filesz > buffer_available ++ /* Check whether we will have to read the segment data, or if it ++ can be returned from the existing buffer. */ ++ if (filesz > buffer_available ++ || vaddr - start > buffer_available - filesz + /* If we're in string mode, then don't consider the buffer we have + sufficient unless it contains the terminator of the string. */ + || (filesz == 0 && memchr (vaddr - start + buffer, '\0', +@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + if (read_portion (&data, &data_size, vaddr, filesz)) + return; + ++ /* data_size will be zero if we got everything from the initial ++ buffer, otherwise it will be the size of the new buffer that ++ could be read. */ ++ if (data_size != 0) ++ filesz = data_size; ++ + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); + + void *notes; +-- +2.7.4 + |