| Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001 |
| 2 | From: Hongxu Jia <hongxu.jia@windriver.com> |
| 3 | Date: Fri, 2 Nov 2018 14:22:31 +0800 |
| 4 | Subject: [PATCH] libdwfl: Sanity check partial core file data reads. |
| 5 | |
| 6 | There were two issues when reading note data from a core file. |
| 7 | We didn't check if the data we already had in a buffer was big |
| 8 | enough. And if we did get the data, we should check if we got |
| 9 | everything, or just a part of the data. |
| 10 | |
| 11 | https://sourceware.org/bugzilla/show_bug.cgi?id=23752 |
| 12 | |
| 13 | Signed-off-by: Mark Wielaard <mark@klomp.org> |
| 14 | |
| 15 | CVE: CVE-2018-18310 |
| 16 | Upstream-Status: Backport [http://sourceware.org/git/elfutils.git] |
| 17 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> |
| 18 | --- |
| 19 | libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- |
| 20 | 1 file changed, 11 insertions(+), 2 deletions(-) |
| 21 | |
| 22 | diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c |
| 23 | index 36e5c82..8749884 100644 |
| 24 | --- a/libdwfl/dwfl_segment_report_module.c |
| 25 | +++ b/libdwfl/dwfl_segment_report_module.c |
| 26 | @@ -1,5 +1,5 @@ |
| 27 | /* Sniff out modules from ELF headers visible in memory segments. |
| 28 | - Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. |
| 29 | + Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. |
| 30 | This file is part of elfutils. |
| 31 | |
| 32 | This file is free software; you can redistribute it and/or modify |
| 33 | @@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, |
| 34 | inline bool read_portion (void **data, size_t *data_size, |
| 35 | GElf_Addr vaddr, size_t filesz) |
| 36 | { |
| 37 | - if (vaddr - start + filesz > buffer_available |
| 38 | + /* Check whether we will have to read the segment data, or if it |
| 39 | + can be returned from the existing buffer. */ |
| 40 | + if (filesz > buffer_available |
| 41 | + || vaddr - start > buffer_available - filesz |
| 42 | /* If we're in string mode, then don't consider the buffer we have |
| 43 | sufficient unless it contains the terminator of the string. */ |
| 44 | || (filesz == 0 && memchr (vaddr - start + buffer, '\0', |
| 45 | @@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, |
| 46 | if (read_portion (&data, &data_size, vaddr, filesz)) |
| 47 | return; |
| 48 | |
| 49 | + /* data_size will be zero if we got everything from the initial |
| 50 | + buffer, otherwise it will be the size of the new buffer that |
| 51 | + could be read. */ |
| 52 | + if (data_size != 0) |
| 53 | + filesz = data_size; |
| 54 | + |
| 55 | assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); |
| 56 | |
| 57 | void *notes; |
| 58 | -- |
| 59 | 2.7.4 |
| 60 | |