Add elfutils-0.174-libdwfl-sanity-check-core-reads.patch

CVE-2018-18310 (#1642605)
2018-11-02 20:57:30 +01:00 · 2018-11-02 20:57:30 +01:00 · cdc732d657
commit cdc732d657
parent 7522b5a5b6
2 changed files with 58 additions and 1 deletions
--- a/elfutils-0.174-libdwfl-sanity-check-core-reads.patch
+++ b/elfutils-0.174-libdwfl-sanity-check-core-reads.patch
@ -0,0 +1,51 @@
 commit 20f9de9b5f704cec55df92406a50bcbcfca96acd
 Author: Mark Wielaard <mark@klomp.org>
 Date:   Sun Oct 14 16:45:48 2018 +0200
    libdwfl: Sanity check partial core file data reads.
    There were two issues when reading note data from a core file.
    We didn't check if the data we already had in a buffer was big
    enough. And if we did get the data, we should check if we got
    everything, or just a part of the data.
    https://sourceware.org/bugzilla/show_bug.cgi?id=23752
    Signed-off-by: Mark Wielaard <mark@klomp.org>
 diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
 index 36e5c82..8749884 100644
 --- a/libdwfl/dwfl_segment_report_module.c
 +++ b/libdwfl/dwfl_segment_report_module.c
@@ -1,5 +1,5 @@
 /* Sniff out modules from ELF headers visible in memory segments.
 -   Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
 +   Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
    This file is part of elfutils.
    This file is free software; you can redistribute it and/or modify
@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
   inline bool read_portion (void **data, size_t *data_size,
 			    GElf_Addr vaddr, size_t filesz)
   {
 -    if (vaddr - start + filesz > buffer_available
 +    /* Check whether we will have to read the segment data, or if it
 +       can be returned from the existing buffer.  */
 +    if (filesz > buffer_available
 +	|| vaddr - start > buffer_available - filesz
 	/* If we're in string mode, then don't consider the buffer we have
 	   sufficient unless it contains the terminator of the string.  */
 	|| (filesz == 0 && memchr (vaddr - start + buffer, '\0',
@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
     if (read_portion (&data, &data_size, vaddr, filesz))
       return;
 +    /* data_size will be zero if we got everything from the initial
 +       buffer, otherwise it will be the size of the new buffer that
 +       could be read.  */
 +    if (data_size != 0)
 +      filesz = data_size;
 +
     assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
     void *notes;
--- a/elfutils.spec
+++ b/elfutils.spec
@ -1,7 +1,7 @@
 Name: elfutils
 Summary: A collection of utilities and DSOs to handle ELF files and DWARF data
 Version: 0.174
-%global baserelease 2
+%global baserelease 3
 URL: http://elfutils.org/
 %global source_url ftp://sourceware.org/pub/elfutils/%{version}/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
@ -22,6 +22,7 @@ Source: %{?source_url}%{name}-%{version}.tar.bz2
 # Patches
 Patch1: elfutils-0.173-new-notes-hack.patch
 Patch2: elfutils-0.174-strip-unstrip-group.patch
 Patch3: elfutils-0.174-libdwfl-sanity-check-core-reads.patch
 Requires: elfutils-libelf%{depsuffix} = %{version}-%{release}
 Requires: elfutils-libs%{depsuffix} = %{version}-%{release}
@ -192,6 +193,7 @@ profiling) of processes.
 # Apply patches
 %patch1 -p1 -b .notes_hack
 %patch2 -p1 -b .strip_unstrip_group
 %patch3 -p1 -b .sanity_check_core_reads
 # In case the above patches added any new test scripts, make sure they
 # are executable.
@ -324,6 +326,10 @@ fi
 %endif
 %changelog
 * Fri Nov  2 2018 Mark Wielaard <mjw@fedoraproject.org> - 0.174-3
 - Add elfutils-0.174-libdwfl-sanity-check-core-reads.patch
  CVE-2018-18310 (#1642605)
 * Wed Oct 17 2018 Mark Wielaard <mjw@fedoraproject.org> - 0.174-2
 - Add elfutils-0.174-strip-unstrip-group.patch.