* [PATCH] elfutils: CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
@ 2018-11-02 9:18 Hongxu Jia
From: Hongxu Jia @ 2018-11-02 9:18 UTC
To: openembedded-core, richard.purdie
These CVE fixes come from the upstream master branch and no
new version has been released, so backport rather than upgrade.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
meta/recipes-devtools/elfutils/elfutils_0.174.bb | 3 ++
...01-arlib-Check-that-sh_entsize-isn-t-zero.patch | 36 +++++++++++++
...Sanity-check-partial-core-file-data-reads.patch | 60 ++++++++++++++++++++++
.../0001-size-Handle-recursive-ELF-ar-files.patch | 40 +++++++++++++++
4 files changed, 139 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
create mode 100644 meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
create mode 100644 meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.174.bb b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
index 88add7b..c30265b 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.174.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.174.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \
file://0001-libasm-may-link-with-libbz2-if-found.patch \
file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \
+ file://0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch \
+ file://0001-size-Handle-recursive-ELF-ar-files.patch \
+ file://0001-arlib-Check-that-sh_entsize-isn-t-zero.patch \
file://debian/0001-hppa_backend.patch \
file://debian/0001-arm_backend.patch \
file://debian/0001-mips_backend.patch \
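Review bot: patchtest reports that this series does not apply on master (currently at 14b5854d50), and this SRC_URI block is the only hunk against a file already in the tree, so the context lines around the three added file:// entries are the likely mismatch; regenerate this hunk against current master and resend as [PATCH v2]. The placement itself looks right: the three backports sit after the other upstream backports and before the debian/ backend patches, which, judging by their names, touch different files from src/arlib.c, src/size.c and libdwfl/dwfl_segment_report_module.c.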
diff --git a/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
new file mode 100644
index 0000000..86cf7c8
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
@@ -0,0 +1,36 @@
+From b518841fbc1431d7c5baa016e35f10fb647b5958 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 18 Oct 2018 19:01:52 +0200
+Subject: [PATCH] arlib: Check that sh_entsize isn't zero.
+
+A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
+but just assume there are no symbols in the section.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=23786
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+CVE: CVE-2018-18521
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/arlib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/arlib.c b/src/arlib.c
+index 778e087..a6521e3 100644
+--- a/src/arlib.c
++++ b/src/arlib.c
+@@ -252,6 +252,9 @@ arlib_add_symbols (Elf *elf, const char *arfname, const char *membername,
+ if (data == NULL)
+ continue;
+
++ if (shdr->sh_entsize == 0)
++ continue;
++
+ int nsyms = shdr->sh_size / shdr->sh_entsize;
+ for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx)
+ {
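Review bot: the `sh_entsize == 0` guard removes the divide-by-zero, but `int nsyms = shdr->sh_size / shdr->sh_entsize;` still assigns the quotient of two section-header fields to an `int`, so if those fields are wider than int (as they are for a 64-bit section header) a crafted header with a huge sh_size and sh_entsize == 1 can still truncate or wrap nsyms before the `for (int ndx = shdr->sh_info; ndx < nsyms; ++ndx)` loop; that is out of scope for this backport but worth a follow-up that bounds the quotient or checks sh_entsize against the expected symbol size. Also consider a one-line comment on the new `continue` saying a zero sh_entsize is treated as "no symbols in the section", as the commit message puts it, so nobody later turns the silent skip into an error without knowing it was deliberate.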
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
new file mode 100644
index 0000000..2c74a8d
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
@@ -0,0 +1,60 @@
+From 8cbb2f8de89d65ca52d4242f213a6206b48d2c8d Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Fri, 2 Nov 2018 14:22:31 +0800
+Subject: [PATCH] libdwfl: Sanity check partial core file data reads.
+
+There were two issues when reading note data from a core file.
+We didn't check if the data we already had in a buffer was big
+enough. And if we did get the data, we should check if we got
+everything, or just a part of the data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=23752
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+CVE: CVE-2018-18310
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ libdwfl/dwfl_segment_report_module.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
+index 36e5c82..8749884 100644
+--- a/libdwfl/dwfl_segment_report_module.c
++++ b/libdwfl/dwfl_segment_report_module.c
+@@ -1,5 +1,5 @@
+ /* Sniff out modules from ELF headers visible in memory segments.
+- Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc.
++ Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc.
+ This file is part of elfutils.
+
+ This file is free software; you can redistribute it and/or modify
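Review bot: the patch header (From: Hongxu Jia, Date: Fri, 2 Nov 2018) does not match the Signed-off-by: Mark Wielaard and the Upstream-Status: Backport tag below it; the other two backports in this series keep the upstream author and date, so this one should too. Regenerate it with git format-patch from the upstream commit for bug 23752, or at least put the upstream commit id in the header, so that the hash on the first line can be checked against sourceware rather than being a local re-creation. The copyright-year hunk itself needs no change.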
+@@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+ inline bool read_portion (void **data, size_t *data_size,
+ GElf_Addr vaddr, size_t filesz)
+ {
+- if (vaddr - start + filesz > buffer_available
++ /* Check whether we will have to read the segment data, or if it
++ can be returned from the existing buffer. */
++ if (filesz > buffer_available
++ || vaddr - start > buffer_available - filesz
+ /* If we're in string mode, then don't consider the buffer we have
+ sufficient unless it contains the terminator of the string. */
+ || (filesz == 0 && memchr (vaddr - start + buffer, '\0',
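Review bot: splitting `vaddr - start + filesz > buffer_available` into `filesz > buffer_available || vaddr - start > buffer_available - filesz` is the right shape: the first comparison guarantees `buffer_available - filesz` cannot underflow, and the second avoids the `vaddr - start + filesz` addition that a crafted filesz could wrap. It still relies, as the old code did, on `vaddr - start` wrapping to a huge value when vaddr < start, which happens to force the read path; add that assumption to the new comment (or an explicit `vaddr < start` test) so a later cleanup does not fold the two comparisons back together. With filesz == 0 the new condition reduces to the old one, so the unchanged string-mode branch (`filesz == 0 && memchr (...)`) behaves exactly as before.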
+@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
+ if (read_portion (&data, &data_size, vaddr, filesz))
+ return;
+
++ /* data_size will be zero if we got everything from the initial
++ buffer, otherwise it will be the size of the new buffer that
++ could be read. */
++ if (data_size != 0)
++ filesz = data_size;
++
+ assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr));
+
+ void *notes;
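Review bot: `if (data_size != 0) filesz = data_size;` handles the short-read case, but the contract it depends on (read_portion leaves `*data_size` at 0 when the request was served from the existing buffer and sets it to the number of bytes actually read otherwise) is only documented here at the call site; the declaration in the hunk above, `inline bool read_portion (void **data, size_t *data_size, GElf_Addr vaddr, size_t filesz)`, carries no such comment, and a caller that does not pre-zero data_size would silently skip the clamp. Suggest documenting the out-parameter at the definition and, if read_portion can never return more than filesz bytes, asserting `data_size <= filesz` before the assignment, since the note parsing that follows now trusts filesz as the bound.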
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
new file mode 100644
index 0000000..6fed826
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
@@ -0,0 +1,40 @@
+From 440d34d0ee37964453245895d38d7fc31bcf3d7d Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Thu, 18 Oct 2018 23:15:48 +0200
+Subject: [PATCH] size: Handle recursive ELF ar files.
+
+eu-size didn't handle an ELF ar file that contained an ar file itself
+correctly. handle_ar would recursively call itself but close the ELF
+file before returning. Only close the ELF file at the top-level.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=23787
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+CVE: CVE-2018-18520
+Upstream-Status: Backport [http://sourceware.org/git/elfutils.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/size.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/size.c b/src/size.c
+index 5ff3f2a..f01fd88 100644
+--- a/src/size.c
++++ b/src/size.c
+@@ -374,8 +374,10 @@ handle_ar (int fd, Elf *elf, const char *prefix, const char *fname)
+ INTERNAL_ERROR (fname);
+ }
+
+- if (unlikely (elf_end (elf) != 0))
+- INTERNAL_ERROR (fname);
++ /* Only close ELF handle if this was a "top level" ar file. */
++ if (prefix == NULL)
++ if (unlikely (elf_end (elf) != 0))
++ INTERNAL_ERROR (fname);
+
+ return result;
+ }
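Review bot: the nested `if (prefix == NULL) if (unlikely (elf_end (elf) != 0))` is easy to misread; fold it into a single condition, `if (prefix == NULL && unlikely (elf_end (elf) != 0)) INTERNAL_ERROR (fname);`, which keeps the original one-statement form. On the logic: using `prefix == NULL` as the "top level" marker is correct only if every recursive handle_ar call passes a non-NULL prefix, and the hunk does not show the call site, so that is worth confirming in the v2 cover text; likewise confirm that the member Elf descriptors no longer closed here are released when the top-level archive is ended, otherwise the fix trades a premature elf_end for a leak per nested archive.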
+--
+2.7.4
+
--
2.7.4
* ✗ patchtest: failure for elfutils: CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
@ 2018-11-02 9:33 ` Patchwork
From: Patchwork @ 2018-11-02 9:33 UTC
To: Hongxu Jia; +Cc: openembedded-core
== Series Details ==
Series: elfutils: CVE-2018-18520 & CVE-2018-18521 & CVE-2018-18310
Revision: 1
URL : https://patchwork.openembedded.org/series/14770/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue: Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix: Rebase your series on top of targeted branch
  Targeted branch: master (currently at 14b5854d50)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe