From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Sun, 20 Jan 2019 23:05:56 +0100
Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.

When reading the dyn data from the core file check if we got everything,
or just part of the data.

https://sourceware.org/bugzilla/show_bug.cgi?id=24103

Signed-off-by: Mark Wielaard <mark@klomp.org>

Upstream-Status: Backport
CVE: CVE-2019-7150
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 libdwfl/ChangeLog                    | 5 +++++
 libdwfl/dwfl_segment_report_module.c | 6 ++++++
 2 files changed, 11 insertions(+)

Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
===================================================================
--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
+++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
   if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
       && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
     {
+      /* dyn_data_size will be zero if we got everything from the initial
+         buffer, otherwise it will be the size of the new buffer that
+         could be read.  */
+      if (dyn_data_size != 0)
+	dyn_filesz = dyn_data_size;
+
       void *dyns = malloc (dyn_filesz);
       Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
       Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
Index: elfutils-0.175/libdwfl/ChangeLog
===================================================================
--- elfutils-0.175.orig/libdwfl/ChangeLog
+++ elfutils-0.175/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2019-01-20  Mark Wielaard  <mark@klomp.org>
+
+       * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
+       dyn_filesz vs dyn_data_size after read_portion call.
+
 2018-10-20  Mark Wielaard  <mark@klomp.org>
 
 	* libdwflP.h (__libdw_open_elf): New internal function declaration.