* [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils
@ 2019-09-23 21:14 shuagr97
From: shuagr97 @ 2019-09-23 21:14 UTC (permalink / raw)
To: openembedded-core
From: Shubham Agrawal <shuagr@microsoft.com>
CVE: CVE-2019-7664.patch
CVE: CVE-2019-7665.patch
Sign off: Shubham Agrawal <shuagr@microsoft.com>
---
meta/recipes-devtools/elfutils/elfutils_0.175.bb | 2 +
.../elfutils/files/CVE-2019-7664.patch | 65 +++++++++
.../elfutils/files/CVE-2019-7665.patch | 154 +++++++++++++++++++++
3 files changed, 221 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index e94a48e..862a9b6 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://CVE-2019-7150.patch \
file://CVE-2019-7146_p1.patch \
file://CVE-2019-7146_p2.patch \
+ file://CVE-2019-7664.patch \
+ file://CVE-2019-7665.patch \
"
SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
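Review bot: the commit message's `CVE:` tags carry a `.patch` suffix (`CVE: CVE-2019-7664.patch`); the OE-core convention is the bare identifier, `CVE: CVE-2019-7664`, so please drop the suffix on both lines. The trailer should read `Signed-off-by:` rather than `Sign off:`, and the quotation marks in the subject (`[”OE-core][thud][PATCH”]`) should go. The two `file://` additions to SRC_URI match the two new files and are fine.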
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
new file mode 100644
index 0000000..e55dc5a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
+From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 12:25:57 +0100
+Subject: [PATCH] CVE: CVE-2019-7664
+
+Upstream-Status: Backport
+libelf: Correct overflow check in note_xlate.
+
+We want to make sure the note_len doesn't overflow and becomes shorter
+than the note header. But the namesz and descsz checks got the note header
+size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24084
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libelf/ChangeLog | 13 +++++++++++++
+ libelf/note_xlate.h | 4 ++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 68c4fbd..892e6e7 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,16 @@
++<<<<<<< HEAD
++=======
++2019-01-16 Mark Wielaard <mark@klomp.org>
++
++ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
++ overflow note_len into note header.
++
++2018-11-17 Mark Wielaard <mark@klomp.org>
++
++ * elf32_updatefile.c (updatemmap): Make sure to call convert
++ function on a properly aligned destination.
++
++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
+ 2018-11-16 Mark Wielaard <mark@klomp.org>
+
+ * libebl.h (__elf32_msize): Mark with const attribute.
+diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
+index 9bdc3e2..bc9950f 100644
+--- a/libelf/note_xlate.h
++++ b/libelf/note_xlate.h
+@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
+ /* desc needs to be aligned. */
+ note_len += n->n_namesz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* data as a whole needs to be aligned. */
+ note_len += n->n_descsz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* Copy or skip the note data. */
+--
+2.7.4
+
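Review bot: the libelf/ChangeLog hunk adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e65d91d...`) as content, so applying this backport writes them into the ChangeLog verbatim; either resolve the conflict or drop the ChangeLog portion of the backport, since a ChangeLog hunk will collide with every other backport as well. Three header points: the upstream subject `libelf: Correct overflow check in note_xlate.` has been displaced into the body by `Subject: [PATCH] CVE: CVE-2019-7664` and should be restored as the subject; the second `Signed-off-by:` trailer names `Ubuntu` at a cloud build host rather than a person; and `Upstream-Status: Backport` should reference the upstream commit (3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07, from the `From` line). The code change in libelf/note_xlate.h itself is correct: both `note_len < 8` checks compared against the wrong header size, and `note_len < sizeof *n` (the 12-byte converted header the commit message describes) rejects a `n_namesz` or `n_descsz` that wraps `note_len` back below the header.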
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
new file mode 100644
index 0000000..a1bb309
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
+From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 15:41:31 +0100
+Subject: [PATCH] CVE: CVE-2019-7665
+
+Upstream-Status: Backport
+
+Sign off: Shubham Agrawal <shuagr@microsoft.com>
+
+libebl: Check NT_PLATFORM core notes contain a zero terminated string.
+
+Most strings in core notes are fixed size. But NT_PLATFORM contains just
+a variable length string. Check that it is actually zero terminated
+before passing to readelf to print.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24089
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libdwfl/linux-core-attach.c | 9 +++++----
+ libebl/eblcorenote.c | 39 +++++++++++++++++++--------------------
+ libebl/libebl.h | 3 ++-
+ src/readelf.c | 2 +-
+ 4 files changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 6c99b9e..c0f1b0d 100644
+--- a/libdwfl/linux-core-attach.c
++++ b/libdwfl/linux-core-attach.c
+@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (core_arg->ebl, &nhdr, name,
++ if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
+@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, ®s_offset,
+- &nregloc, ®locs, &nitems, &items);
++ int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
++ ®s_offset, &nregloc, ®locs,
++ &nitems, &items);
+ /* __libdwfl_attach_state_for_core already verified the note is there. */
+ assert (core_note_err != 0);
+ assert (nhdr.n_type == NT_PRSTATUS);
+@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (ebl, &nhdr, name,
++ if (! ebl_core_note (ebl, &nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
+diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
+index 783f981..7fab397 100644
+--- a/libebl/eblcorenote.c
++++ b/libebl/eblcorenote.c
+@@ -36,11 +36,13 @@
+ #include <inttypes.h>
+ #include <stdio.h>
+ #include <stddef.h>
++#include <string.h>
+ #include <libeblP.h>
+
+
+ int
+ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++ const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs, size_t *nitems,
+ const Ebl_Core_Item **items)
+@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+ {
+ /* The machine specific function did not know this type. */
+
+- *regs_offset = 0;
+- *nregloc = 0;
+- *reglocs = NULL;
+- switch (nhdr->n_type)
++ /* NT_PLATFORM is kind of special since it needs a zero terminated
++ string (other notes often have a fixed size string). */
++ static const Ebl_Core_Item platform[] =
+ {
+-#define ITEMS(type, table) \
+- case type: \
+- *items = table; \
+- *nitems = sizeof table / sizeof table[0]; \
+- result = 1; \
+- break
++ {
++ .name = "Platform",
++ .type = ELF_T_BYTE, .count = 0, .format = 's'
++ }
++ };
+
+- static const Ebl_Core_Item platform[] =
+- {
+- {
+- .name = "Platform",
+- .type = ELF_T_BYTE, .count = 0, .format = 's'
+- }
+- };
+- ITEMS (NT_PLATFORM, platform);
+-
+-#undef ITEMS
++ if (nhdr->n_type == NT_PLATFORM
++ && memchr (desc, '\0', nhdr->n_descsz) != NULL)
++ {
++ *regs_offset = 0;
++ *nregloc = 0;
++ *reglocs = NULL;
++ *items = platform;
++ *nitems = 1;
++ result = 1;
+ }
+ }
+
+diff --git a/libebl/libebl.h b/libebl/libebl.h
+index ca9b9fe..24922eb 100644
+--- a/libebl/libebl.h
++++ b/libebl/libebl.h
+@@ -319,7 +319,8 @@ typedef struct
+
+ /* Describe the format of a core file note with the given header and NAME.
+ NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes. */
+-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
++ const char *name, const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs,
+ size_t *nitems, const Ebl_Core_Item **items)
+diff --git a/src/readelf.c b/src/readelf.c
+index 3a73710..71651e0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+ size_t nitems;
+ const Ebl_Core_Item *items;
+
+- if (! ebl_core_note (ebl, nhdr, name,
++ if (! ebl_core_note (ebl, nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ return;
+
+--
+2.7.4
+
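Review bot: every changed call site in libdwfl/linux-core-attach.c and src/readelf.c reads `®s_offset` and `®locs` where the code must say `&regs_offset` and `&reglocs`; that looks like `&reg` having been decoded as an HTML entity somewhere between the backport and this mail, so please confirm the file that actually lands in meta/recipes-devtools/elfutils/files/ compiles, because as shown here those lines would not. The header has the same problems as the first patch: `Sign off: Shubham Agrawal` is inserted into the middle of the upstream commit message (it belongs at the end as a `Signed-off-by:` trailer), the upstream subject `libebl: Check NT_PLATFORM core notes contain a zero terminated string.` has been pushed into the body, the second `Signed-off-by:` trailer is a build-host identity, and `Upstream-Status: Backport` should reference commit 4323d46c4a369b614aa1f574805860b3434552df. The functional change reads correctly: `ebl_core_note` now receives `desc` and only reports an NT_PLATFORM note as a printable `'s'` item when `memchr (desc, '\0', nhdr->n_descsz)` finds a terminator inside the descriptor, so readelf no longer prints past the end of an unterminated platform string. One behavioural detail worth noting: `*regs_offset`, `*nregloc` and `*reglocs` used to be zeroed for every note type the machine-specific function did not know and are now set only on the NT_PLATFORM success path; all four call sites in this patch test the return value before using them, so none is affected.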
--
2.7.4
* Re: [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils
From: akuster808 @ 2019-09-23 21:19 UTC (permalink / raw)
To: shuagr, openembedded-core
On 9/23/19 2:14 PM, shuagr97@gmail.com wrote:
> From: Shubham Agrawal <shuagr@microsoft.com>
>
> CVE: CVE-2019-7664.patch
> CVE: CVE-2019-7665.patch
This is the third email patch on the same issues. Are they different?
regards,
Armin
* Re: [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils
From: Martin Jansa @ 2019-09-23 21:23 UTC (permalink / raw)
To: shuagr; +Cc: openembedded-core
On Mon, Sep 23, 2019 at 09:14:11PM +0000, shuagr97@gmail.com wrote:
> From: Shubham Agrawal <shuagr@microsoft.com>
Drop the quotes in the e-mail subject.
>
> CVE: CVE-2019-7664.patch
> CVE: CVE-2019-7665.patch
>
> Sign off: Shubham Agrawal <shuagr@microsoft.com>
> ---
> meta/recipes-devtools/elfutils/elfutils_0.175.bb | 2 +
> .../elfutils/files/CVE-2019-7664.patch | 65 +++++++++
> .../elfutils/files/CVE-2019-7665.patch | 154 +++++++++++++++++++++
> 3 files changed, 221 insertions(+)
> create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
> create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
....
> +diff --git a/libelf/ChangeLog b/libelf/ChangeLog
> +index 68c4fbd..892e6e7 100644
> +--- a/libelf/ChangeLog
> ++++ b/libelf/ChangeLog
> +@@ -1,3 +1,16 @@
> ++<<<<<<< HEAD
> ++=======
> ++2019-01-16 Mark Wielaard <mark@klomp.org>
> ++
> ++ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
> ++ overflow note_len into note header.
> ++
> ++2018-11-17 Mark Wielaard <mark@klomp.org>
> ++
> ++ * elf32_updatefile.c (updatemmap): Make sure to call convert
> ++ function on a properly aligned destination.
> ++
> ++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
You should resolve these conflicts (or drop the ChangeLog updates
completely from the backports as they will conflict with any other
backport as well).
* Re: [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils
From: Shubham Agrawal @ 2019-09-23 21:28 UTC (permalink / raw)
To: akuster808, openembedded-core
The patches are all the same. There was an error in the subject due to which it wasn’t reflecting in the submitted patches on open embedded core.
* Re: [”OE-core][thud][PATCH”] elfutils: CVE fix for elfutils
From: Shubham Agrawal @ 2019-09-23 21:28 UTC (permalink / raw)
To: Martin Jansa; +Cc: openembedded-core
Thanks