Add elfutils-0.174-libdwfl-sanity-check-core-reads.patch

CVE-2018-18310 (#1642605)
2018-11-02 20:57:30 +01:00 · 2018-11-02 20:57:30 +01:00 · cdc732d657
parent 7522b5a5b6
commit cdc732d657
2 changed files with 58 additions and 1 deletions
--- a/elfutils-0.174-libdwfl-sanity-check-core-reads.patch
+++ b/elfutils-0.174-libdwfl-sanity-check-core-reads.patch
@ -0,0 +1,51 @@
+commit 20f9de9b5f704cec55df92406a50bcbcfca96acd
+Author: Mark Wielaard <mark@klomp.org>
+Date:   Sun Oct 14 16:45:48 2018 +0200
+
+    libdwfl: Sanity check partial core file data reads.
+    
+    There were two issues when reading note data from a core file.
+    We didn't check if the data we already had in a buffer was big
+    enough. And if we did get the data, we should check if we got
+    everything, or just a part of the data.
+    
+    https://sourceware.org/bugzilla/show_bug.cgi?id=23752
+    
+    Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
+index 36e5c82..8749884 100644
+--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
+@@ -1,5 +1,5 @@
+ /* Sniff out modules from ELF headers visible in memory segments.
+-   Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
+   Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
+    This file is part of elfutils.
+ 
+    This file is free software; you can redistribute it and/or modify
+@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+   inline bool read_portion (void **data, size_t *data_size,
+ 			    GElf_Addr vaddr, size_t filesz)
+   {
+-    if (vaddr - start + filesz > buffer_available
+    /* Check whether we will have to read the segment data, or if it
+       can be returned from the existing buffer.  */
+    if (filesz > buffer_available
+	|| vaddr - start > buffer_available - filesz
+ 	/* If we're in string mode, then don't consider the buffer we have
+ 	   sufficient unless it contains the terminator of the string.  */
+ 	|| (filesz == 0 && memchr (vaddr - start + buffer, '\0',
+@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+     if (read_portion (&data, &data_size, vaddr, filesz))
+       return;
+ 
+    /* data_size will be zero if we got everything from the initial
+       buffer, otherwise it will be the size of the new buffer that
+       could be read.  */
+    if (data_size != 0)
+      filesz = data_size;
+
+     assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
+ 
+     void *notes;
--- a/elfutils.spec
+++ b/elfutils.spec
@ -1,7 +1,7 @@
 Name: elfutils
 Summary: A collection of utilities and DSOs to handle ELF files and DWARF data
 Version: 0.174
-%global baserelease 2
+%global baserelease 3
 URL: http://elfutils.org/
 %global source_url ftp://sourceware.org/pub/elfutils/%{version}/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
@ -22,6 +22,7 @@ Source: %{?source_url}%{name}-%{version}.tar.bz2
 # Patches
 Patch1: elfutils-0.173-new-notes-hack.patch
 Patch2: elfutils-0.174-strip-unstrip-group.patch
+Patch3: elfutils-0.174-libdwfl-sanity-check-core-reads.patch

 Requires: elfutils-libelf%{depsuffix} = %{version}-%{release}
 Requires: elfutils-libs%{depsuffix} = %{version}-%{release}
@ -192,6 +193,7 @@ profiling) of processes.
 # Apply patches
 %patch1 -p1 -b .notes_hack
 %patch2 -p1 -b .strip_unstrip_group
+%patch3 -p1 -b .sanity_check_core_reads

 # In case the above patches added any new test scripts, make sure they
 # are executable.
@ -324,6 +326,10 @@ fi
 %endif

 %changelog
+* Fri Nov  2 2018 Mark Wielaard <mjw@fedoraproject.org> - 0.174-3
+- Add elfutils-0.174-libdwfl-sanity-check-core-reads.patch
+  CVE-2018-18310 (#1642605)
+
 * Wed Oct 17 2018 Mark Wielaard <mjw@fedoraproject.org> - 0.174-2
 - Add elfutils-0.174-strip-unstrip-group.patch.