diff --git a/elfutils-0.174-libdwfl-sanity-check-core-reads.patch b/elfutils-0.174-libdwfl-sanity-check-core-reads.patch new file mode 100644 index 0000000..19dda87 --- /dev/null +++ b/elfutils-0.174-libdwfl-sanity-check-core-reads.patch @@ -0,0 +1,51 @@ +commit 20f9de9b5f704cec55df92406a50bcbcfca96acd +Author: Mark Wielaard +Date: Sun Oct 14 16:45:48 2018 +0200 + + libdwfl: Sanity check partial core file data reads. + + There were two issues when reading note data from a core file. + We didn't check if the data we already had in a buffer was big + enough. And if we did get the data, we should check if we got + everything, or just a part of the data. + + https://sourceware.org/bugzilla/show_bug.cgi?id=23752 + + Signed-off-by: Mark Wielaard + +diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c +index 36e5c82..8749884 100644 +--- a/libdwfl/dwfl_segment_report_module.c ++++ b/libdwfl/dwfl_segment_report_module.c +@@ -1,5 +1,5 @@ + /* Sniff out modules from ELF headers visible in memory segments. +- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. ++ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. + This file is part of elfutils. + + This file is free software; you can redistribute it and/or modify +@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + inline bool read_portion (void **data, size_t *data_size, + GElf_Addr vaddr, size_t filesz) + { +- if (vaddr - start + filesz > buffer_available ++ /* Check whether we will have to read the segment data, or if it ++ can be returned from the existing buffer. */ ++ if (filesz > buffer_available ++ || vaddr - start > buffer_available - filesz + /* If we're in string mode, then don't consider the buffer we have + sufficient unless it contains the terminator of the string. */ + || (filesz == 0 && memchr (vaddr - start + buffer, '\0', +@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, + if (read_portion (&data, &data_size, vaddr, filesz)) + return; + ++ /* data_size will be zero if we got everything from the initial ++ buffer, otherwise it will be the size of the new buffer that ++ could be read. */ ++ if (data_size != 0) ++ filesz = data_size; ++ + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); + + void *notes; diff --git a/elfutils.spec b/elfutils.spec index f31fe7d..c0dbcbe 100644 --- a/elfutils.spec +++ b/elfutils.spec @@ -1,7 +1,7 @@ Name: elfutils Summary: A collection of utilities and DSOs to handle ELF files and DWARF data Version: 0.174 -%global baserelease 2 +%global baserelease 3 URL: http://elfutils.org/ %global source_url ftp://sourceware.org/pub/elfutils/%{version}/ License: GPLv3+ and (GPLv2+ or LGPLv3+) @@ -22,6 +22,7 @@ Source: %{?source_url}%{name}-%{version}.tar.bz2 # Patches Patch1: elfutils-0.173-new-notes-hack.patch Patch2: elfutils-0.174-strip-unstrip-group.patch +Patch3: elfutils-0.174-libdwfl-sanity-check-core-reads.patch Requires: elfutils-libelf%{depsuffix} = %{version}-%{release} Requires: elfutils-libs%{depsuffix} = %{version}-%{release} @@ -192,6 +193,7 @@ profiling) of processes. # Apply patches %patch1 -p1 -b .notes_hack %patch2 -p1 -b .strip_unstrip_group +%patch3 -p1 -b .sanity_check_core_reads # In case the above patches added any new test scripts, make sure they # are executable. @@ -324,6 +326,10 @@ fi %endif %changelog +* Fri Nov 2 2018 Mark Wielaard - 0.174-3 +- Add elfutils-0.174-libdwfl-sanity-check-core-reads.patch + CVE-2018-18310 (#1642605) + * Wed Oct 17 2018 Mark Wielaard - 0.174-2 - Add elfutils-0.174-strip-unstrip-group.patch.