[OE-core] [thud] 02/30] elfutils: Security fixes CVE-2019-7146, 7149, 7150

Armin Kuster akuster808 at gmail.com
Sun Jul 21 14:24:51 UTC 2019


From: Armin Kuster <akuster at mvista.com>

Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description:

Affects elfutils <= 0.175 (the version carried by this recipe)

Fixes:
CVE-2019-7146
CVE-2019-7149
CVE-2019-7150

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   4 +
 .../elfutils/files/CVE-2019-7146_p1.patch          |  52 ++++++++
 .../elfutils/files/CVE-2019-7146_p2.patch          |  65 +++++++++
 .../elfutils/files/CVE-2019-7149.patch             | 148 +++++++++++++++++++++
 .../elfutils/files/CVE-2019-7150.patch             |  51 +++++++
 5 files changed, 320 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index b0b9ddc..e94a48e 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://debian/hurd_path.patch \
            file://debian/ignore_strmerge.diff \
            file://debian/disable_werror.patch \
+           file://CVE-2019-7149.patch \
+           file://CVE-2019-7150.patch \
+           file://CVE-2019-7146_p1.patch \
+           file://CVE-2019-7146_p2.patch \
            "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
 
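Review bot: The order of the four `file://` entries is load-bearing, not cosmetic: `CVE-2019-7146_p2.patch` only applies after `CVE-2019-7146_p1.patch`, because its `libebl/ChangeLog` hunk uses the 2019-01-16 entry that p1 adds as context and its `eblobjnote.c` hunk header is offset by the seven lines p1 inserts. Keep p1 listed before p2 and make the dependency visible to the next person reordering this list, e.g. a trailing `# CVE-2019-7146_p2 must be applied after _p1`. The 7149 and 7150 patches touch disjoint files and can stay in any order relative to each other.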
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
new file mode 100644
index 0000000..b6cd29a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
+From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark at klomp.org>
+Date: Wed, 16 Jan 2019 11:57:35 +0100
+Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
+ description.
+
+Before printing the data values, make sure pr_datasz doesn't go beyond
+the end of the note description data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark at klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #1
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libebl/ChangeLog    | 4 ++++
+ libebl/eblobjnote.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ 		  desc += 8;
+ 		  descsz -= 8;
+ 
++		  if (prop.pr_datasz > descsz)
++		    {
++		      printf ("BAD property datasz: %" PRId32 "\n",
++			      prop.pr_datasz);
++		      return;
++		    }
++
+ 		  int elfclass = gelf_getclass (ebl->elf);
+ 		  char *elfident = elf_getident (ebl->elf, NULL);
+ 		  GElf_Ehdr ehdr;
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,7 @@
++2019-01-16  Mark Wielaard  <mark at klomp.org>
++
++       * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
++
+ 2018-11-15  Mark Wielaard  <mark at klomp.org>
+ 
+ 	* eblobjnotetypename.c (ebl_object_note_type_name): Don't update
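Review bot: The new diagnostic `printf ("BAD property datasz: %" PRId32 "\n", prop.pr_datasz);` prints `pr_datasz` with a signed specifier; if `pr_datasz` is an `Elf32_Word` (unsigned, which the comparison against `descsz` suggests) the matching specifier is `PRIu32`, and it also stops a large bogus value from being shown as a negative number. The bound `prop.pr_datasz > descsz` is only meaningful if `descsz >= 8` was established before the `descsz -= 8` on the preceding context line; that guard belongs to the enclosing loop, which starts outside this hunk, so confirm it rather than assume it. The `return` abandons the whole note printer on a corrupt property instead of skipping to the next property, which is defensible but worth stating at the check: `/* Corrupt property: stop decoding this note rather than read past desc.  */`. Minor: the ChangeLog entry misspells the file as `eblobjnte.c`, and that typo is now reproduced as context in patch #2.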
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000..4434b36
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark at klomp.org>
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark at klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libebl/ChangeLog    |  5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-29  Mark Wielaard  <mark at klomp.org>
++
++	* eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
++	overflow descsz.
++
+ 2019-01-16  Mark Wielaard  <mark at klomp.org>
+ 
+        * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ 			  printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+ 			}
+ 		    }
++
+ 		  if (elfclass == ELFCLASS32)
+-		    {
+-		      desc += NOTE_ALIGN4 (prop.pr_datasz);
+-		      descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+-		    }
++		    prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+ 		  else
+-		    {
+-		      desc += NOTE_ALIGN8 (prop.pr_datasz);
+-		      descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+-		    }
++		    prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
++
++		  desc += prop.pr_datasz;
++		  if (descsz > prop.pr_datasz)
++		    descsz -= prop.pr_datasz;
++		  else
++		    descsz = 0;
+ 		}
+ 	    }
+ 	  break;
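Review bot: `desc += prop.pr_datasz;` still advances the pointer by the full padded size even when that exceeds the remaining `descsz`, so after this statement `desc` can point beyond the note description; the `else descsz = 0;` branch makes that harmless only if the enclosing loop (which starts before this hunk) exits on `descsz == 0` before touching `desc` again. Clamping the step keeps the pointer inside the buffer regardless of how the loop is written: `uint32_t step = prop.pr_datasz < descsz ? prop.pr_datasz : descsz;` then `desc += step;` and `descsz -= step;`. A second, theoretical edge: `NOTE_ALIGN4`/`NOTE_ALIGN8` rounding of a `pr_datasz` within a few bytes of `UINT32_MAX` can wrap to 0, which would leave `desc` and `descsz` unchanged and re-decode the same property; patch #1 already bounds `pr_datasz` by `descsz`, so this needs a multi-gigabyte note, but a comment noting that the rounding relies on that earlier bound would help the next reader.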
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000..215a171
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark at klomp.org>
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+
+Fix the same issue in readelf.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+
+Signed-off-by: Mark Wielaard <mark at klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libdw/ChangeLog           |  5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog             |  5 +++++
+ src/readelf.c             |  8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
++++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+   if (version < 5)
+     {
+       const unsigned char *dirp = linep;
+-      while (*dirp != 0)
++      while (dirp < lineendp && *dirp != 0)
+ 	{
+ 	  uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+ 	  if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+ 	  ++ndirs;
+ 	  dirp = endp + 1;
+ 	}
++      if (dirp >= lineendp || *dirp != '\0')
++	goto invalid_data;
+       ndirs = ndirs + 1; /* There is always the "unknown" dir.  */
+     }
+   else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+ 	{
+ 	  dirarray[n].dir = (char *) linep;
+ 	  uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+-	  assert (endp != NULL);
++	  assert (endp != NULL); // Checked above when calculating ndirlist.
+ 	  dirarray[n].len = endp - linep;
+ 	  linep = endp + 1;
+ 	}
+       /* Skip the final NUL byte.  */
++      assert (*linep == '\0'); // Checked above when calculating ndirlist.
+       ++linep;
+     }
+   else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+     {
+       if (unlikely (linep >= lineendp))
+ 	goto invalid_data;
+-      while (*linep != 0)
++      while (linep < lineendp && *linep != '\0')
+ 	{
+ 	  struct filelist *new_file = NEW_FILE ();
+ 
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+ 	    goto invalid_data;
+ 	  get_uleb128 (new_file->info.length, linep, lineendp);
+ 	}
++      if (linep >= lineendp || *linep != '\0')
++	goto invalid_data;
+       /* Skip the final NUL byte.  */
+       ++linep;
+     }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
++++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+ 	}
+       else
+ 	{
+-	  while (*linep != 0)
++	  while (linep < lineendp && *linep != 0)
+ 	    {
+ 	      unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+ 	      if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+ 
+ 	      linep = endp + 1;
+ 	    }
++	  if (linep >= lineendp || *linep != 0)
++	    goto invalid_unit;
+ 	  /* Skip the final NUL byte.  */
+ 	  ++linep;
+ 	}
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+       else
+ 	{
+ 	  puts (gettext (" Entry Dir   Time      Size      Name"));
+-	  for (unsigned int cnt = 1; *linep != 0; ++cnt)
++	  for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+ 	    {
+ 	      /* First comes the file name.  */
+ 	      char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+ 	      printf (" %-5u %-5u %-9u %-9u %s\n",
+ 		      cnt, diridx, mtime, fsize, fname);
+ 	    }
++	  if (linep >= lineendp || *linep != '\0')
++	    goto invalid_unit;
+ 	  /* Skip the final NUL byte.  */
+ 	  ++linep;
+ 	}
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
++++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark at klomp.org>
++
++       * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
++       for dir and file lists.
++
+ 2018-10-20  Mark Wielaard  <mark at klomp.org>
+ 
+ 	* libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
++++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark at klomp.org>
++
++       * readelf.c (print_debug_line_section): Check terminating NUL byte
++       for dir and file tables.
++
+ 2018-11-10  Mark Wielaard  <mark at klomp.org>
+ 
+ 	* elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment
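Review bot: The libdw check `if (dirp >= lineendp || *dirp != '\0') goto invalid_data;` and its file-table twin turn a previously tolerated malformed unit (a directory or file table with no terminating NUL, which used to be "skipped" by reading one byte past the data) into an error from `dwarf_getsrclines`; that is the right call for untrusted input, but it is an observable behaviour change for callers and deserves a sentence in the commit message or a comment at the check, e.g. `/* A missing table terminator is rejected rather than read past lineendp.  */`. The second pass over the directories leans on the first via `assert (endp != NULL)` and `assert (*linep == '\0')`, which compile out under `NDEBUG`; that is fine only as long as both passes walk the same bytes from the same start, and the code that guarantees this lies outside the hunk, so keep the two loops in lock-step if either is touched later. Minor style point in readelf: the directory-table check compares with `0` and the file-table check with `'\0'`; pick one.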
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
new file mode 100644
index 0000000..01a4fb1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
@@ -0,0 +1,51 @@
+From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark at klomp.org>
+Date: Sun, 20 Jan 2019 23:05:56 +0100
+Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
+
+When reading the dyn data from the core file check if we got everything,
+or just part of the data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24103
+
+Signed-off-by: Mark Wielaard <mark at klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7150
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libdwfl/ChangeLog                    | 5 +++++
+ libdwfl/dwfl_segment_report_module.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+===================================================================
+--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
++++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
+   if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
+       && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
+     {
++      /* dyn_data_size will be zero if we got everything from the initial
++         buffer, otherwise it will be the size of the new buffer that
++         could be read.  */
++      if (dyn_data_size != 0)
++	dyn_filesz = dyn_data_size;
++
+       void *dyns = malloc (dyn_filesz);
+       Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
+       Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
+Index: elfutils-0.175/libdwfl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdwfl/ChangeLog
++++ elfutils-0.175/libdwfl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20  Mark Wielaard  <mark at klomp.org>
++
++       * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
++       dyn_filesz vs dyn_data_size after read_portion call.
++
+ 2018-10-20  Mark Wielaard  <mark at klomp.org>
+ 
+ 	* libdwflP.h (__libdw_open_elf): New internal function declaration.
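Review bot: After `dyn_filesz = dyn_data_size;` the invariant set up by the guard `dyn_filesz % dyn_entsize == 0` no longer holds, because a partial read can stop in the middle of an entry; the array-pointer declarations below floor the element count, but any later code that derives a count from `dyn_filesz / dyn_entsize` or compares offsets against `dyn_filesz` directly (outside this hunk) should be checked, and it is cleaner to truncate to whole entries up front: `dyn_filesz = dyn_data_size - dyn_data_size % dyn_entsize;` and skip the block when that leaves 0. The comment asserts that `dyn_data_size` is zero when the initial buffer held everything; that describes `read_portion`, which is not visible here, so confirm it against its definition before relying on it. `malloc (dyn_filesz)` is unchecked in the visible lines; if the NULL test is just below the hunk that is fine, otherwise route a failed allocation through the function's existing failure path rather than indexing `d32`/`d64`.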
-- 
2.7.4


