Commit 4a45ace1 authored by Leonardo Arena

main/elfutils: security fixes #7160

parent dce69ea8
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=elfutils
pkgver=0.168
pkgrel=0
pkgrel=1
pkgdesc="A collection of utilities and DSOs to handle ELF files and DWARF data"
url="http://elfutils.org/"
arch="all"
......@@ -22,9 +22,16 @@ source="https://sourceware.org/elfutils/ftp/$pkgver/elfutils-$pkgver.tar.bz2
musl-qsort_r.patch
musl-strerror_r.patch
no-werror.patch
CVE-2017-7607.patch
CVE-2017-7608.patch
"
builddir="$srcdir/elfutils-$pkgver"
# secfixes:
# 0.168-r1:
# - CVE-2017-7607
# - CVE-2017-7608
prepare() {
cd "$builddir"
default_prepare || return 1
......@@ -106,4 +113,6 @@ b9ba55e1b56a8abf694b6d02f022d9a3a0ae6ab53a8c4a71e49552e32411ef410d3a7512fbd1a729
886ab23301f1872d94bcfc3590621196c811252c9a993738e5e480e666c7c3359f25e94c0e873c8fe16dc283e193dba0532a7ced3951e673185dcbb1d062b7c6 musl-macros.patch
f025d6479c8782275090783ff4dd09eb70a7c3eec1126d3176c02d01124f22864d81e08cb96ac4d255e0316205658459b617f5b661b16dbaf1636591720605f4 musl-qsort_r.patch
a0d986100c8ff2ef0595645ec1b2eeb1d517b7442aef5f349ebf27fcb66c76e51fadeda25bed5f04b4bb16a61aa23ac6e86a1f34a0087d2136acf0f64c3fa4d1 musl-strerror_r.patch
26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0 no-werror.patch"
26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0 no-werror.patch
81c6f19ed3e39aa6f2437e2da09be2952627efccda4769cccdd2616c728205ecdac1ece8a97ead7614a528d161c3885a050980a07436de7bdbc6f2988b348784 CVE-2017-7607.patch
20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707 CVE-2017-7608.patch"
From: Mark Wielaard <mark at klomp dot org>
To: elfutils-devel at sourceware dot org
Cc: Mark Wielaard <mark at klomp dot org>
Subject: [PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
Date: Fri, 24 Mar 2017 12:15:02 +0100
Message-Id: <1490354102-21353-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1
We sanity check to make sure we don't index outside the chain array
by testing inner > max_nsyms. But inner is a zero-based index, while
max_nsyms is the maximum number. Change the check to inner >= max_nsyms.
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/readelf.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
++nsyms;
if (maxlength < ++lengths[cnt])
++maxlength;
- if (inner > max_nsyms)
+ if (inner >= max_nsyms)
goto invalid_data;
}
while ((chain[inner++] & 1) == 0);
--
1.8.3.1
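Review bot: The diffstat trailer of this vendored patch does not match its content: `src/readelf.c | 2 +-` is followed by `2 files changed, 6 insertions(+), 1 deletion(-)`, yet only the single readelf.c hunk is present; CVE-2017-7608.patch has the same mismatch, listing three files but claiming `5 files changed, 23 insertions(+), 6 deletions(-)` while its hunks account for 11 insertions and 6 deletions. Presumably the upstream ChangeLog entries were dropped when the patches were trimmed, which patch(1) tolerates, but the stale trailer sends the next maintainer looking for missing hunks. One line above the `From:` header, such as `# Trimmed from upstream: ChangeLog hunks dropped`, or a regenerated trailer, would make the trim explicit. The fix itself reads correctly: `inner` is the zero-based index consumed by `chain[inner++]` on the following line, so `>=` against `max_nsyms` is the right bound, and handle_gnu_hash begins outside the hunk.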
From: Mark Wielaard <mark at klomp dot org>
To: elfutils-devel at sourceware dot org
Cc: Mark Wielaard <mark at klomp dot org>
Subject: [PATCH] Use the empty string for note names with zero size (without any data).
Date: Fri, 24 Mar 2017 14:10:26 +0100
Message-Id: <1490361026-7608-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1
ELF notes can have a zero sized name. In which case there is no data at
all (so also no zero terminator). Make sure to use the empty string for
such notes if the code does not otherwise explicitly check n_namesz.
https://sourceware.org/bugzilla/show_bug.cgi?id=21300
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
libdwfl/linux-core-attach.c | 9 ++++++---
src/elfcmp.c | 6 ++++--
src/readelf.c | 2 +-
5 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
index 93d0e46..f82ed03 100644
--- a/libdwfl/linux-core-attach.c
+++ b/libdwfl/linux-core-attach.c
@@ -125,7 +125,8 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
&desc_offset)) > 0)
{
/* Do not check NAME for now, help broken Linux kernels. */
- const char *name = note_data->d_buf + name_offset;
+ const char *name = (nhdr.n_namesz == 0
+ ? "" : note_data->d_buf + name_offset);
const char *desc = note_data->d_buf + desc_offset;
GElf_Word regs_offset;
size_t nregloc;
@@ -178,7 +179,8 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
/* __libdwfl_attach_state_for_core already verified the note is there. */
assert (getnote_err != 0);
/* Do not check NAME for now, help broken Linux kernels. */
- const char *name = note_data->d_buf + name_offset;
+ const char *name = (nhdr.n_namesz == 0
+ ? "" : note_data->d_buf + name_offset);
const char *desc = note_data->d_buf + desc_offset;
GElf_Word regs_offset;
size_t nregloc;
@@ -367,7 +369,8 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
&nhdr, &name_offset, &desc_offset)) > 0)
{
/* Do not check NAME for now, help broken Linux kernels. */
- const char *name = note_data->d_buf + name_offset;
+ const char *name = (nhdr.n_namesz == 0
+ ? "" : note_data->d_buf + name_offset);
const char *desc = note_data->d_buf + desc_offset;
GElf_Word regs_offset;
size_t nregloc;
diff --git a/src/elfcmp.c b/src/elfcmp.c
index 7673cf2..5046420 100644
--- a/src/elfcmp.c
+++ b/src/elfcmp.c
@@ -419,7 +419,8 @@ main (int argc, char *argv[])
&& (off1 = gelf_getnote (data1, off1, &note1,
&name_offset, &desc_offset)) > 0)
{
- const char *name1 = data1->d_buf + name_offset;
+ const char *name1 = (note1.n_namesz == 0
+ ? "" : data1->d_buf + name_offset);
const void *desc1 = data1->d_buf + desc_offset;
if (off2 >= data2->d_size)
{
@@ -435,7 +436,8 @@ main (int argc, char *argv[])
error (2, 0, gettext ("\
cannot read note section [%zu] '%s' in '%s': %s"),
elf_ndxscn (scn2), sname2, fname2, elf_errmsg (-1));
- const char *name2 = data2->d_buf + name_offset;
+ const char *name2 = (note2.n_namesz == 0
+ ? "" : data2->d_buf + name_offset);
const void *desc2 = data2->d_buf + desc_offset;
if (note1.n_namesz != note2.n_namesz
diff --git a/src/readelf.c b/src/readelf.c
index 490b6d5..97a43b0 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9365,7 +9365,7 @@ handle_notes_data (Ebl *ebl, const GElf_Ehdr *ehdr,
&& (offset = gelf_getnote (data, offset,
&nhdr, &name_offset, &desc_offset)) > 0)
{
- const char *name = data->d_buf + name_offset;
+ const char *name = nhdr.n_namesz == 0 ? "" : data->d_buf + name_offset;
const char *desc = data->d_buf + desc_offset;
char buf[100];
--
1.8.3.1