Commit e6866032 authored by Sören Tempel's avatar Sören Tempel

main/elfutils: security fix for CVE-2018-18310

parent 40635ea8
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=elfutils
pkgver=0.168
pkgrel=1
pkgrel=2
pkgdesc="A collection of utilities and DSOs to handle ELF files and DWARF data"
url="http://elfutils.org/"
arch="all"
......@@ -24,6 +24,7 @@ source="https://sourceware.org/elfutils/ftp/$pkgver/elfutils-$pkgver.tar.bz2
no-werror.patch
CVE-2017-7607.patch
CVE-2017-7608.patch
CVE-2018-18310.patch
"
builddir="$srcdir/elfutils-$pkgver"
......@@ -115,4 +116,5 @@ f025d6479c8782275090783ff4dd09eb70a7c3eec1126d3176c02d01124f22864d81e08cb96ac4d2
a0d986100c8ff2ef0595645ec1b2eeb1d517b7442aef5f349ebf27fcb66c76e51fadeda25bed5f04b4bb16a61aa23ac6e86a1f34a0087d2136acf0f64c3fa4d1 musl-strerror_r.patch
26aff757de8c0c67ae7922888c4a842939fb9b4022f3d2fa916591b44921c109f74154175afd431a0e31cf7c876f6d4fbaae26ef283985ae98d96854ea02dce0 no-werror.patch
81c6f19ed3e39aa6f2437e2da09be2952627efccda4769cccdd2616c728205ecdac1ece8a97ead7614a528d161c3885a050980a07436de7bdbc6f2988b348784 CVE-2017-7607.patch
20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707 CVE-2017-7608.patch"
20088019a3cb17d1d9155c421b20e47907d2bdbea31fdd0e469f02c03f8dfe1e7da5c29f0bb0a35be79470a40d7c2df92d2402e32b20d090526bb1f8a71e0707 CVE-2017-7608.patch
f8654b29eea3777f0a1c752ec927a09163dc711ad52520e01b64e5976f2943b7141868cbe4ce4b8af8cc2fbfba4a98e8d4840d605067186532f4142298c1fc73 CVE-2018-18310.patch"
From b6e1a48cca51aa246cba78e99f7e2dfa200b9d26 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Sun, 14 Oct 2018 16:45:48 +0200
Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
There were two issues when reading note data from a core file.
We didn't check if the data we already had in a buffer was big
enough. And if we did get the data, we should check if we got
everything, or just a part of the data.
https://sourceware.org/bugzilla/show_bug.cgi?id=23752
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
libdwfl/dwfl_segment_report_module.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index 36e5c823..87498846 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -1,5 +1,5 @@
/* Sniff out modules from ELF headers visible in memory segments.
- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
+ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
This file is part of elfutils.
This file is free software; you can redistribute it and/or modify
@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
inline bool read_portion (void **data, size_t *data_size,
GElf_Addr vaddr, size_t filesz)
{
- if (vaddr - start + filesz > buffer_available
+ /* Check whether we will have to read the segment data, or if it
+ can be returned from the existing buffer. */
+ if (filesz > buffer_available
+ || vaddr - start > buffer_available - filesz
/* If we're in string mode, then don't consider the buffer we have
sufficient unless it contains the terminator of the string. */
|| (filesz == 0 && memchr (vaddr - start + buffer, '\0',
@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
if (read_portion (&data, &data_size, vaddr, filesz))
return;
+ /* data_size will be zero if we got everything from the initial
+ buffer, otherwise it will be the size of the new buffer that
+ could be read. */
+ if (data_size != 0)
+ filesz = data_size;
+
assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
void *notes;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment