blob: b6cd29af1ad542e307acb360445d59d8cef83e51 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 16 Jan 2019 11:57:35 +0100
Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
description.
Before printing the data values, make sure pr_datasz doesn't go beyond
the end of the note description data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Signed-off-by: Mark Wielaard <mark@klomp.org>
Upstream-Status: Backport
CVE: CVE-2019-7146 patch #1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
libebl/ChangeLog | 4 ++++
libebl/eblobjnote.c | 7 +++++++
2 files changed, 11 insertions(+)
Index: elfutils-0.175/libebl/eblobjnote.c
===================================================================
--- elfutils-0.175.orig/libebl/eblobjnote.c
+++ elfutils-0.175/libebl/eblobjnote.c
@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
desc += 8;
descsz -= 8;
+ if (prop.pr_datasz > descsz)
+ {
+ printf ("BAD property datasz: %" PRId32 "\n",
+ prop.pr_datasz);
+ return;
+ }
+
int elfclass = gelf_getclass (ebl->elf);
char *elfident = elf_getident (ebl->elf, NULL);
GElf_Ehdr ehdr;
Index: elfutils-0.175/libebl/ChangeLog
===================================================================
--- elfutils-0.175.orig/libebl/ChangeLog
+++ elfutils-0.175/libebl/ChangeLog
@@ -1,3 +1,7 @@
+2019-01-16 Mark Wielaard <mark@klomp.org>
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+
2018-11-15 Mark Wielaard <mark@klomp.org>
* eblobjnotetypename.c (ebl_object_note_type_name): Don't update
|
