[OE-core] [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils

Shubham Agrawal shuagr at microsoft.com
Mon Sep 23 21:28:32 UTC 2019


The patches are all the same. There was an error in the subject, due to which it wasn't reflected in the submitted patches on OpenEmbedded-core.


________________________________
From: akuster808 <akuster808 at gmail.com>
Sent: Monday, September 23, 2019 2:19:15 PM
To: Shubham Agrawal <shuagr at microsoft.com>; openembedded-core at lists.openembedded.org <openembedded-core at lists.openembedded.org>
Subject: Re: [OE-core] [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils



On 9/23/19 2:14 PM, shuagr97 at gmail.com wrote:
> From: Shubham Agrawal <shuagr at microsoft.com>
>
> CVE: CVE-2019-7664.patch
> CVE: CVE-2019-7665.patch

This is the third email patch on the same issues. Are they different?

regards,
Armin
>
> Sign off: Shubham Agrawal <shuagr at microsoft.com>
> ---
>  meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   2 +
>  .../elfutils/files/CVE-2019-7664.patch             |  65 +++++++++
>  .../elfutils/files/CVE-2019-7665.patch             | 154 +++++++++++++++++++++
>  3 files changed, 221 insertions(+)
>  create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
>  create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
>
> diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
> index e94a48e..862a9b6 100644
> --- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
> +++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
> @@ -31,6 +31,8 @@ SRC_URI = "https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Felfutils%2Fftp%2F%24&amp;data=02%7C01%7Cshuagr%40microsoft.com%7C0a3b7e85865a440119d508d7406bb255%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048703613961219&amp;sdata=J1z7WGLoV1xEpBxRaWekNFf0HDIvmCtUMpLYUb1nR%2Fk%3D&amp;reserved=0{PV}/${BP}.tar.bz2 \
>             file://CVE-2019-7150.patch \
>             file://CVE-2019-7146_p1.patch \
>             file://CVE-2019-7146_p2.patch \
> +           file://CVE-2019-7664.patch \
> +           file://CVE-2019-7665.patch \
>             "
>  SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
>
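Review bot: the context line `SRC_URI = "https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Felfutils%2Fftp%2F%24&amp;...{PV}/${BP}.tar.bz2 \` cannot match the recipe, because the URL has been rewritten through an Outlook Safe Links redirect and `${` has been URL-encoded; `git am` will reject this hunk as sent. Please resend as plain text (git send-email rather than a mail client) so the context reads `SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \`. The two added `file://CVE-2019-7664.patch` and `file://CVE-2019-7665.patch` lines themselves are in the right place. Also, the commit message tags should be `CVE: CVE-2019-7664` and `CVE: CVE-2019-7665` (the CVE ids, not the patch file names) and `Signed-off-by:` rather than `Sign off:`, otherwise the CVE-check tooling will not pick them up.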
> diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
> new file mode 100644
> index 0000000..e55dc5a
> --- /dev/null
> +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
> @@ -0,0 +1,65 @@
> +From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
> +From: Mark Wielaard <mark at klomp.org>
> +Date: Wed, 16 Jan 2019 12:25:57 +0100
> +Subject: [PATCH] CVE: CVE-2019-7664
> +
> +Upstream-Status: Backport
> +libelf: Correct overflow check in note_xlate.
> +
> +We want to make sure the note_len doesn't overflow and becomes shorter
> +than the note header. But the namesz and descsz checks got the note header
> +size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> +
> +https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fbugzilla%2Fshow_bug.cgi%3Fid%3D24084&amp;data=02%7C01%7Cshuagr%40microsoft.com%7C0a3b7e85865a440119d508d7406bb255%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048703613961219&amp;sdata=XDpI1uUOmF4w%2FdtsO%2BspaDCLIOEdoGQr6PNxaJh3u%2Fc%3D&amp;reserved=0
> +
> +Signed-off-by: Mark Wielaard <mark at klomp.org>
> +Signed-off-by: Ubuntu <lisa at shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
> +---
> + libelf/ChangeLog    | 13 +++++++++++++
> + libelf/note_xlate.h |  4 ++--
> + 2 files changed, 15 insertions(+), 2 deletions(-)
> +
> +diff --git a/libelf/ChangeLog b/libelf/ChangeLog
> +index 68c4fbd..892e6e7 100644
> +--- a/libelf/ChangeLog
> ++++ b/libelf/ChangeLog
> +@@ -1,3 +1,16 @@
> ++<<<<<<< HEAD
> ++=======
> ++2019-01-16  Mark Wielaard  <mark at klomp.org>
> ++
> ++    * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
> ++    overflow note_len into note header.
> ++
> ++2018-11-17  Mark Wielaard  <mark at klomp.org>
> ++
> ++    * elf32_updatefile.c (updatemmap): Make sure to call convert
> ++    function on a properly aligned destination.
> ++
> ++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
> + 2018-11-16  Mark Wielaard  <mark at klomp.org>
> +
> +      * libebl.h (__elf32_msize): Mark with const attribute.
> +diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
> +index 9bdc3e2..bc9950f 100644
> +--- a/libelf/note_xlate.h
> ++++ b/libelf/note_xlate.h
> +@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
> +       /* desc needs to be aligned.  */
> +       note_len += n->n_namesz;
> +       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
> +-      if (note_len > len || note_len < 8)
> ++      if (note_len > len || note_len < sizeof *n)
> +      break;
> +
> +       /* data as a whole needs to be aligned.  */
> +       note_len += n->n_descsz;
> +       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
> +-      if (note_len > len || note_len < 8)
> ++      if (note_len > len || note_len < sizeof *n)
> +      break;
> +
> +       /* Copy or skip the note data.  */
> +--
> +2.7.4
> +
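Review bot: the `libelf/ChangeLog` hunk carries unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.`) plus an unrelated 2018-11-17 `elf32_updatefile.c` entry, so applying this backport writes those markers into the ChangeLog; drop the ChangeLog hunk entirely (only the `libelf/note_xlate.h` change is needed for thud) and regenerate the diffstat. The header also needs cleanup before merging: keep the upstream subject `libelf: Correct overflow check in note_xlate.` as the Subject line and put `CVE: CVE-2019-7664` and `Upstream-Status: Backport` (with the upstream commit id 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07) as tags, replace the Outlook Safe Links redirect with the plain bug URL https://sourceware.org/bugzilla/show_bug.cgi?id=24084, and replace the auto-generated `Signed-off-by: Ubuntu <lisa at shuagr-yocto-build...internal.cloudapp.net>` build-host identity with your own Signed-off-by. The code change itself, `note_len < 8` becoming `note_len < sizeof *n` in both checks so that a `n_namesz`/`n_descsz` wrap can no longer yield a note shorter than the 12-byte note header, matches the upstream commit and is fine.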
> diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
> new file mode 100644
> index 0000000..a1bb309
> --- /dev/null
> +++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
> @@ -0,0 +1,154 @@
> +From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
> +From: Mark Wielaard <mark at klomp.org>
> +Date: Wed, 16 Jan 2019 15:41:31 +0100
> +Subject: [PATCH] CVE: CVE-2019-7665
> +
> +Upstream-Status: Backport
> +
> +Sign off: Shubham Agrawal <shuagr at microsoft.com>
> +
> +libebl: Check NT_PLATFORM core notes contain a zero terminated string.
> +
> +Most strings in core notes are fixed size. But NT_PLATFORM contains just
> +a variable length string. Check that it is actually zero terminated
> +before passing to readelf to print.
> +
> +https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fbugzilla%2Fshow_bug.cgi%3Fid%3D24089&amp;data=02%7C01%7Cshuagr%40microsoft.com%7C0a3b7e85865a440119d508d7406bb255%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048703613961219&amp;sdata=WQe4updGnCdqEq%2FgiVbXZT%2FWc4sUd%2FoBef7x9f7jGE8%3D&amp;reserved=0
> +
> +Signed-off-by: Mark Wielaard <mark at klomp.org>
> +Signed-off-by: Ubuntu <lisa at shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
> +---
> + libdwfl/linux-core-attach.c |  9 +++++----
> + libebl/eblcorenote.c        | 39 +++++++++++++++++++--------------------
> + libebl/libebl.h             |  3 ++-
> + src/readelf.c               |  2 +-
> + 4 files changed, 27 insertions(+), 26 deletions(-)
> +
> +diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
> +index 6c99b9e..c0f1b0d 100644
> +--- a/libdwfl/linux-core-attach.c
> ++++ b/libdwfl/linux-core-attach.c
> +@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
> +       const Ebl_Register_Location *reglocs;
> +       size_t nitems;
> +       const Ebl_Core_Item *items;
> +-      if (! ebl_core_note (core_arg->ebl, &nhdr, name,
> ++      if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
> +                         &regs_offset, &nregloc, &reglocs, &nitems, &items))
> +      {
> +        /* This note may be just not recognized, skip it.  */
> +@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
> +   const Ebl_Register_Location *reglocs;
> +   size_t nitems;
> +   const Ebl_Core_Item *items;
> +-  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
> +-                                 &nregloc, &reglocs, &nitems, &items);
> ++  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
> ++                                 &regs_offset, &nregloc, &reglocs,
> ++                                 &nitems, &items);
> +   /* __libdwfl_attach_state_for_core already verified the note is there.  */
> +   assert (core_note_err != 0);
> +   assert (nhdr.n_type == NT_PRSTATUS);
> +@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
> +       const Ebl_Register_Location *reglocs;
> +       size_t nitems;
> +       const Ebl_Core_Item *items;
> +-      if (! ebl_core_note (ebl, &nhdr, name,
> ++      if (! ebl_core_note (ebl, &nhdr, name, desc,
> +                         &regs_offset, &nregloc, &reglocs, &nitems, &items))
> +      {
> +        /* This note may be just not recognized, skip it.  */
> +diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
> +index 783f981..7fab397 100644
> +--- a/libebl/eblcorenote.c
> ++++ b/libebl/eblcorenote.c
> +@@ -36,11 +36,13 @@
> + #include <inttypes.h>
> + #include <stdio.h>
> + #include <stddef.h>
> ++#include <string.h>
> + #include <libeblP.h>
> +
> +
> + int
> + ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
> ++           const char *desc,
> +             GElf_Word *regs_offset, size_t *nregloc,
> +             const Ebl_Register_Location **reglocs, size_t *nitems,
> +             const Ebl_Core_Item **items)
> +@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
> +     {
> +       /* The machine specific function did not know this type.  */
> +
> +-      *regs_offset = 0;
> +-      *nregloc = 0;
> +-      *reglocs = NULL;
> +-      switch (nhdr->n_type)
> ++      /* NT_PLATFORM is kind of special since it needs a zero terminated
> ++         string (other notes often have a fixed size string).  */
> ++      static const Ebl_Core_Item platform[] =
> +      {
> +-#define ITEMS(type, table)                          \
> +-      case type:                                     \
> +-        *items = table;                              \
> +-        *nitems = sizeof table / sizeof table[0];    \
> +-        result = 1;                                  \
> +-        break
> ++      {
> ++        .name = "Platform",
> ++        .type = ELF_T_BYTE, .count = 0, .format = 's'
> ++      }
> ++    };
> +
> +-      static const Ebl_Core_Item platform[] =
> +-        {
> +-          {
> +-            .name = "Platform",
> +-            .type = ELF_T_BYTE, .count = 0, .format = 's'
> +-          }
> +-        };
> +-      ITEMS (NT_PLATFORM, platform);
> +-
> +-#undef      ITEMS
> ++      if (nhdr->n_type == NT_PLATFORM
> ++      && memchr (desc, '\0', nhdr->n_descsz) != NULL)
> ++        {
> ++      *regs_offset = 0;
> ++      *nregloc = 0;
> ++      *reglocs = NULL;
> ++      *items = platform;
> ++      *nitems = 1;
> ++      result = 1;
> +      }
> +     }
> +
> +diff --git a/libebl/libebl.h b/libebl/libebl.h
> +index ca9b9fe..24922eb 100644
> +--- a/libebl/libebl.h
> ++++ b/libebl/libebl.h
> +@@ -319,7 +319,8 @@ typedef struct
> +
> + /* Describe the format of a core file note with the given header and NAME.
> +    NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes.  */
> +-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
> ++extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
> ++                      const char *name, const char *desc,
> +                        GElf_Word *regs_offset, size_t *nregloc,
> +                        const Ebl_Register_Location **reglocs,
> +                        size_t *nitems, const Ebl_Core_Item **items)
> +diff --git a/src/readelf.c b/src/readelf.c
> +index 3a73710..71651e0 100644
> +--- a/src/readelf.c
> ++++ b/src/readelf.c
> +@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
> +   size_t nitems;
> +   const Ebl_Core_Item *items;
> +
> +-  if (! ebl_core_note (ebl, nhdr, name,
> ++  if (! ebl_core_note (ebl, nhdr, name, desc,
> +                     &regs_offset, &nregloc, &reglocs, &nitems, &items))
> +     return;
> +
> +--
> +2.7.4
> +
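Review bot: `Sign off: Shubham Agrawal <shuagr at microsoft.com>` sits in the middle of the patch header between `Upstream-Status: Backport` and the upstream description; it should be a `Signed-off-by:` trailer alongside the other sign-off lines, and the upstream subject `libebl: Check NT_PLATFORM core notes contain a zero terminated string.` belongs in the Subject line with `CVE: CVE-2019-7665` as a tag. As in the previous patch, the bug link is wrapped in an Outlook Safe Links redirect (plain form: https://sourceware.org/bugzilla/show_bug.cgi?id=24089) and `Signed-off-by: Ubuntu <lisa at shuagr-yocto-build...internal.cloudapp.net>` is a build-host identity rather than a real sign-off, so both need fixing before this can be merged. The code hunks match upstream 4323d46c4a369b614aa1f574805860b3434552df: `ebl_core_note` gains a `desc` argument and only reports the `'s'`-formatted NT_PLATFORM item when `memchr (desc, '\0', nhdr->n_descsz)` finds a terminator inside the descriptor, so readelf can no longer read past an unterminated note. One nit carried over from upstream rather than something to change in a backport: the `libebl.h` comment still documents only NAME as `NHDR->n_namesz` raw bytes and says nothing about the new DESC parameter.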
