* [thud][PATCH] elfutils: CVE fix for elfutils
@ 2019-09-23 21:26 shuagr97
From: shuagr97 @ 2019-09-23 21:26 UTC (permalink / raw)
To: openembedded-core
From: Shubham Agrawal <shuagr@microsoft.com>
CVE: CVE-2019-7664.patch
CVE: CVE-2019-7665.patch
Sign off: Shubham Agrawal <shuagr@microsoft.com>
---
meta/recipes-devtools/elfutils/elfutils_0.175.bb | 2 +
.../elfutils/files/CVE-2019-7664.patch | 65 +++++++++
.../elfutils/files/CVE-2019-7665.patch | 154 +++++++++++++++++++++
3 files changed, 221 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index e94a48e..862a9b6 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://CVE-2019-7150.patch \
file://CVE-2019-7146_p1.patch \
file://CVE-2019-7146_p2.patch \
+ file://CVE-2019-7664.patch \
+ file://CVE-2019-7665.patch \
"
SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
new file mode 100644
index 0000000..e55dc5a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
+From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 12:25:57 +0100
+Subject: [PATCH] CVE: CVE-2019-7664
+
+Upstream-Status: Backport
+libelf: Correct overflow check in note_xlate.
+
+We want to make sure the note_len doesn't overflow and becomes shorter
+than the note header. But the namesz and descsz checks got the note header
+size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24084
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libelf/ChangeLog | 13 +++++++++++++
+ libelf/note_xlate.h | 4 ++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
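Review bot: the CVE tag is carried in the Subject line ("Subject: [PATCH] CVE: CVE-2019-7664") instead of as its own "CVE: CVE-2019-7664" line in the patch header, which is what patchtest's test_cve_tag_format looks for and why it fails on this series; move the tag to a standalone line next to Upstream-Status and put the upstream subject ("libelf: Correct overflow check in note_xlate.") back as the Subject. The second trailer, a "Signed-off-by: Ubuntu" with an internal.cloudapp.net build-host address, is a VM's default git identity and should be replaced by the submitter's own Signed-off-by before merge.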
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 68c4fbd..892e6e7 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,16 @@
++<<<<<<< HEAD
++=======
++2019-01-16 Mark Wielaard <mark@klomp.org>
++
++ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
++ overflow note_len into note header.
++
++2018-11-17 Mark Wielaard <mark@klomp.org>
++
++ * elf32_updatefile.c (updatemmap): Make sure to call convert
++ function on a properly aligned destination.
++
++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
+ 2018-11-16 Mark Wielaard <mark@klomp.org>
+
+ * libebl.h (__elf32_msize): Mark with const attribute.
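Review bot: unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e65d91d...`) are being added to libelf/ChangeLog by this hunk, so the tree built from this backport would carry them verbatim; the hunk also adds a 2018-11-17 entry for elf32_updatefile.c (updatemmap) whose code change is not part of this patch. Either resolve the conflict so only the 2019-01-16 note_xlate.h entry remains, or drop the ChangeLog hunk entirely, as is common for OE-Core backports, since it contributes nothing to the build.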
+diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
+index 9bdc3e2..bc9950f 100644
+--- a/libelf/note_xlate.h
++++ b/libelf/note_xlate.h
+@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
+ /* desc needs to be aligned. */
+ note_len += n->n_namesz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* data as a whole needs to be aligned. */
+ note_len += n->n_descsz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* Copy or skip the note data. */
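Review bot: the change is correct and the reason deserves a comment in the hunk itself. The commit message says the bound guards against note_len wrapping to something shorter than the note header, and that the header is sizeof *n, 12 bytes, not 8; so a wrapped note_len of 8 to 11 passed the old `note_len < 8` test and the "Copy or skip the note data" step that follows then worked on a note smaller than its own header. With `note_len < sizeof *n` any such value is rejected at both checks. One nit: the same two-line check now appears twice; a small helper or macro would keep the lower bound from drifting again.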
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
new file mode 100644
index 0000000..a1bb309
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
+From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 15:41:31 +0100
+Subject: [PATCH] CVE: CVE-2019-7665
+
+Upstream-Status: Backport
+
+Sign off: Shubham Agrawal <shuagr@microsoft.com>
+
+libebl: Check NT_PLATFORM core notes contain a zero terminated string.
+
+Most strings in core notes are fixed size. But NT_PLATFORM contains just
+a variable length string. Check that it is actually zero terminated
+before passing to readelf to print.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24089
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libdwfl/linux-core-attach.c | 9 +++++----
+ libebl/eblcorenote.c | 39 +++++++++++++++++++--------------------
+ libebl/libebl.h | 3 ++-
+ src/readelf.c | 2 +-
+ 4 files changed, 27 insertions(+), 26 deletions(-)
+
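Review bot: "Sign off: Shubham Agrawal <shuagr@microsoft.com>" inside the patch body is not the Signed-off-by trailer patchtest checks for (test_signed_off_by_presence), and as in the first patch the CVE tag sits in the Subject line rather than on a standalone "CVE: CVE-2019-7665" line (test_cve_tag_format); fix both, and replace the Ubuntu/internal.cloudapp.net Signed-off-by with a real identity. The diffstat also shows src/readelf.c, so this backport changes a tool's behaviour as well as the libraries; it is worth saying in the recipe commit message that readelf output for unterminated NT_PLATFORM notes changes.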
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 6c99b9e..c0f1b0d 100644
+--- a/libdwfl/linux-core-attach.c
++++ b/libdwfl/linux-core-attach.c
+@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (core_arg->ebl, &nhdr, name,
++ if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
+@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, ®s_offset,
+- &nregloc, ®locs, &nitems, &items);
++ int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
++ ®s_offset, &nregloc, ®locs,
++ &nitems, &items);
+ /* __libdwfl_attach_state_for_core already verified the note is there. */
+ assert (core_note_err != 0);
+ assert (nhdr.n_type == NT_PRSTATUS);
+@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (ebl, &nhdr, name,
++ if (! ebl_core_note (ebl, &nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
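Review bot: `desc` is passed at all three call sites, but none of the three hunks' context lines shows where it is declared in core_next_thread, core_set_initial_registers or dwfl_core_file_attach. Confirm it is in scope at each site in the 0.175 tree this is applied to (the descriptor pointer obtained alongside `name` when the note is read), since the upstream commit was written against a newer tree and a missing variable would only show up at compile time.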
+diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
+index 783f981..7fab397 100644
+--- a/libebl/eblcorenote.c
++++ b/libebl/eblcorenote.c
+@@ -36,11 +36,13 @@
+ #include <inttypes.h>
+ #include <stdio.h>
+ #include <stddef.h>
++#include <string.h>
+ #include <libeblP.h>
+
+
+ int
+ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++ const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs, size_t *nitems,
+ const Ebl_Core_Item **items)
+@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+ {
+ /* The machine specific function did not know this type. */
+
+- *regs_offset = 0;
+- *nregloc = 0;
+- *reglocs = NULL;
+- switch (nhdr->n_type)
++ /* NT_PLATFORM is kind of special since it needs a zero terminated
++ string (other notes often have a fixed size string). */
++ static const Ebl_Core_Item platform[] =
+ {
+-#define ITEMS(type, table) \
+- case type: \
+- *items = table; \
+- *nitems = sizeof table / sizeof table[0]; \
+- result = 1; \
+- break
++ {
++ .name = "Platform",
++ .type = ELF_T_BYTE, .count = 0, .format = 's'
++ }
++ };
+
+- static const Ebl_Core_Item platform[] =
+- {
+- {
+- .name = "Platform",
+- .type = ELF_T_BYTE, .count = 0, .format = 's'
+- }
+- };
+- ITEMS (NT_PLATFORM, platform);
+-
+-#undef ITEMS
++ if (nhdr->n_type == NT_PLATFORM
++ && memchr (desc, '\0', nhdr->n_descsz) != NULL)
++ {
++ *regs_offset = 0;
++ *nregloc = 0;
++ *reglocs = NULL;
++ *items = platform;
++ *nitems = 1;
++ result = 1;
+ }
+ }
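Review bot: two behaviour changes in this hunk are worth calling out. First, `*regs_offset`, `*nregloc` and `*reglocs` are now initialised only inside the NT_PLATFORM branch, so for an unrecognised type, or an NT_PLATFORM note with no NUL in its first n_descsz bytes, they are left untouched and `result` stays 0; that is safe only because every caller checks the return value and skips the note, as the linux-core-attach.c and readelf.c hunks do. Second, `memchr (desc, '\0', nhdr->n_descsz)` assumes desc is readable for n_descsz bytes, i.e. that libelf's note-length validation (the note_xlate.h fix in the first patch) has already run on this note; a one-line comment stating that precondition would help the next reader. The removal of the `ITEMS` macro is complete, since NT_PLATFORM was the only case in that switch, and `*nitems = 1` matches the single-element `platform[]` table.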
+
+diff --git a/libebl/libebl.h b/libebl/libebl.h
+index ca9b9fe..24922eb 100644
+--- a/libebl/libebl.h
++++ b/libebl/libebl.h
+@@ -319,7 +319,8 @@ typedef struct
+
+ /* Describe the format of a core file note with the given header and NAME.
+ NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes. */
+-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
++ const char *name, const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs,
+ size_t *nitems, const Ebl_Core_Item **items)
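Review bot: the comment above the prototype documents NAME ("not guaranteed terminated, it's NHDR->n_namesz raw bytes") but says nothing about the new DESC parameter. Add a sentence that DESC is NHDR->n_descsz raw bytes, likewise not guaranteed terminated, and that the function returns 0 for notes whose descriptor it cannot describe safely, so ebl backends and callers know the contract.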
+diff --git a/src/readelf.c b/src/readelf.c
+index 3a73710..71651e0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+ size_t nitems;
+ const Ebl_Core_Item *items;
+
+- if (! ebl_core_note (ebl, nhdr, name,
++ if (! ebl_core_note (ebl, nhdr, name, desc,
+ ®s_offset, &nregloc, ®locs, &nitems, &items))
+ return;
+
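Review bot: with `desc` passed through, an NT_PLATFORM note whose descriptor lacks a NUL makes ebl_core_note return 0 and handle_core_note returns silently, so readelf prints nothing at all for that note. Skipping is the safe choice, but a diagnostic on that path would make a malformed core file visible to the user rather than having the note vanish from the output.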
+--
+2.7.4
+
--
2.7.4
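The two checks these patches fix are small enough to exercise on hand-built notes. The block below is an added example, not code from the patches or from elfutils: it re-creates the note_len lower bound of elf_cvt_note and the NT_PLATFORM NUL check of ebl_core_note on constructed Elf32 notes. Its assumptions are labelled in the code: the `Nhdr` struct mirrors Elf32_Nhdr (three 32-bit words, 12 bytes); `note_len` is a `uint32_t` to model `size_t` on a 32-bit host, which is where adding a 32-bit n_namesz can wrap it (on a 64-bit size_t the sum cannot wrap and `note_len > len` rejects the note); `NT_PLATFORM` is taken as 5 as in `<elf.h>`; and `build_note`, `note_len_ok`, `platform_desc_ok` and the case functions are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not elfutils code. Assumptions: Nhdr mirrors Elf32_Nhdr
   (three 32-bit words, 12 bytes); note_len is uint32_t to model size_t on a
   32-bit host, where 12 + n_namesz can wrap; NT_PLATFORM is 5 as in <elf.h>. */
typedef struct { uint32_t n_namesz, n_descsz, n_type; } Nhdr;
#define NT_PLATFORM 5u
#define NOTE_ALIGN4(x) (((x) + 3) & ~3)

/* The bounds check as elf_cvt_note performs it, with HEADER_MIN as the lower
   bound: 8 is the pre-fix constant, sizeof (Nhdr) the corrected one.
   Returns 1 if the note is accepted and stores the aligned total length. */
int note_len_ok(const Nhdr *n, uint32_t avail, uint32_t header_min, uint32_t *note_len)
{
    uint32_t len = sizeof *n;

    len += n->n_namesz;                 /* desc needs to be aligned */
    len = NOTE_ALIGN4(len);
    if (len > avail || len < header_min)
        return 0;

    len += n->n_descsz;                 /* data as a whole needs to be aligned */
    len = NOTE_ALIGN4(len);
    if (len > avail || len < header_min)
        return 0;

    *note_len = len;
    return 1;
}

/* What the copy step computes once the check has passed: bytes after the
   header. A note_len below the header size underflows here, which is the
   over-read the corrected lower bound prevents. */
uint32_t note_data_len(uint32_t note_len)
{
    return note_len - (uint32_t) sizeof (Nhdr);
}

/* desc follows the header and the 4-byte-padded name. Only valid after
   note_len_ok accepted the note with the corrected lower bound. */
const char *note_desc(const Nhdr *n)
{
    return (const char *) (n + 1) + NOTE_ALIGN4(n->n_namesz);
}

/* The NT_PLATFORM rule from the fixed ebl_core_note: describe the note only
   if a NUL occurs within the n_descsz bytes of desc. */
int platform_desc_ok(const Nhdr *n, const char *desc)
{
    return n->n_type == NT_PLATFORM && memchr(desc, '\0', n->n_descsz) != NULL;
}

/* Constructed notes live in a buffer aligned for Nhdr. */
typedef union { Nhdr hdr; unsigned char bytes[64]; } NoteBuf;

/* Lay out header, name and desc with 4-byte zero padding. n_namesz and
   n_descsz are stored as given so a case can lie about them. Returns bytes used. */
uint32_t build_note(NoteBuf *nb, uint32_t namesz, const char *name,
                    uint32_t descsz, const char *desc, size_t desc_bytes, uint32_t type)
{
    Nhdr h = { namesz, descsz, type };
    size_t off = sizeof h, n = strlen(name) + 1;
    memset(nb, 0, sizeof *nb);
    memcpy(nb->bytes, &h, sizeof h);
    memcpy(nb->bytes + off, name, n);          off = NOTE_ALIGN4(off + n);
    memcpy(nb->bytes + off, desc, desc_bytes); off = NOTE_ALIGN4(off + desc_bytes);
    return (uint32_t) off;
}

/* Case 1: a well-formed NT_PLATFORM note ("CORE", "x86_64\0") is accepted. */
int case_valid_platform(void)
{
    NoteBuf nb; uint32_t nl;
    uint32_t avail = build_note(&nb, 5, "CORE", 7, "x86_64", 7, NT_PLATFORM);
    return note_len_ok(&nb.hdr, avail, sizeof (Nhdr), &nl) && nl == avail
        && platform_desc_ok(&nb.hdr, note_desc(&nb.hdr));
}

/* Case 2: n_descsz covers "x86_64" without its NUL. The zero padding after it
   lies outside n_descsz, so the note is rejected rather than read past. */
int case_unterminated_platform(void)
{
    NoteBuf nb; uint32_t nl;
    uint32_t avail = build_note(&nb, 5, "CORE", 6, "x86_64", 6, NT_PLATFORM);
    return note_len_ok(&nb.hdr, avail, sizeof (Nhdr), &nl)
        && !platform_desc_ok(&nb.hdr, note_desc(&nb.hdr));
}

/* Case 3: n_namesz = 0xFFFFFFFC wraps sizeof (Nhdr) + n_namesz to 8 on a
   32-bit size_t. Returns the note_len accepted with HEADER_MIN, or 0 when the
   check rejects the note: 8 lets an 8-byte "note" through (and note_data_len
   then underflows), sizeof (Nhdr) rejects it. */
uint32_t wrapped_namesz_note_len(uint32_t header_min)
{
    NoteBuf nb; uint32_t nl = 0;
    uint32_t avail = build_note(&nb, 0xFFFFFFFCu, "CORE", 0, "", 0, NT_PLATFORM);
    return note_len_ok(&nb.hdr, avail, header_min, &nl) ? nl : 0;
}

int main(void)
{
    uint32_t old_nl = wrapped_namesz_note_len(8);
    printf("valid NT_PLATFORM accepted: %d\n", case_valid_platform());
    printf("unterminated NT_PLATFORM rejected: %d\n", case_unterminated_platform());
    printf("wrapped n_namesz: old check note_len=%u (data len %u), fixed check note_len=%u\n",
           old_nl, note_data_len(old_nl), wrapped_namesz_note_len(sizeof (Nhdr)));
    return 0;
}
```

The third case is the one the first patch is about: with the old lower bound the crafted note passes both checks with a note_len of 8, and the copy step's note_data_len wraps to 0xFFFFFFFC, which is the over-read; raising the bound to the header size rejects it at the first check. The second case shows why the n_descsz bound on memchr matters: the bytes after the descriptor happen to be zero here, but they are not part of the note.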
* ✗ patchtest: failure for elfutils: CVE fix for elfutils
@ 2019-09-23 21:32 ` Patchwork
From: Patchwork @ 2019-09-23 21:32 UTC (permalink / raw)
To: shuagr97; +Cc: openembedded-core
== Series Details ==
Series: elfutils: CVE fix for elfutils
Revision: 1
URL : https://patchwork.openembedded.org/series/20124/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch [thud] elfutils: CVE fix for elfutils
Issue Patch is missing Signed-off-by [test_signed_off_by_presence]
Suggested fix Sign off the patch (either manually or with "git commit --amend -s")
* Patch [thud] elfutils: CVE fix for elfutils
Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
Suggested fix Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe