crispAudio
/
poky
mirror of git://git.yoctoproject.org/poky


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154
							From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 16 Jan 2019 15:41:31 +0100
Subject: [PATCH] CVE: CVE-2019-7665

Upstream-Status: Backport

Sign off: Shubham Agrawal <shuagr@microsoft.com>

libebl: Check NT_PLATFORM core notes contain a zero terminated string.

Most strings in core notes are fixed size. But NT_PLATFORM contains just
a variable length string. Check that it is actually zero terminated
before passing to readelf to print.

https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Signed-off-by: Mark Wielaard <mark@klomp.org>
Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
---
 libdwfl/linux-core-attach.c |  9 +++++----
 libebl/eblcorenote.c        | 39 +++++++++++++++++++--------------------
 libebl/libebl.h             |  3 ++-
 src/readelf.c               |  2 +-
 4 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
index 6c99b9e..c0f1b0d 100644
--- a/libdwfl/linux-core-attach.c
+++ b/libdwfl/linux-core-attach.c
@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
       const Ebl_Register_Location *reglocs;
       size_t nitems;
       const Ebl_Core_Item *items;
-      if (! ebl_core_note (core_arg->ebl, &nhdr, name,
+      if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
 	{
 	  /* This note may be just not recognized, skip it.  */
@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
   const Ebl_Register_Location *reglocs;
   size_t nitems;
   const Ebl_Core_Item *items;
-  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
-				     &nregloc, &reglocs, &nitems, &items);
+  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+				     &regs_offset, &nregloc, &reglocs,
+				     &nitems, &items);
   /* __libdwfl_attach_state_for_core already verified the note is there.  */
   assert (core_note_err != 0);
   assert (nhdr.n_type == NT_PRSTATUS);
@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
       const Ebl_Register_Location *reglocs;
       size_t nitems;
       const Ebl_Core_Item *items;
-      if (! ebl_core_note (ebl, &nhdr, name,
+      if (! ebl_core_note (ebl, &nhdr, name, desc,
 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
 	{
 	  /* This note may be just not recognized, skip it.  */
diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
index 783f981..7fab397 100644
--- a/libebl/eblcorenote.c
+++ b/libebl/eblcorenote.c
@@ -36,11 +36,13 @@
 #include <inttypes.h>
 #include <stdio.h>
 #include <stddef.h>
+#include <string.h>
 #include <libeblP.h>
 
 
 int
 ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+	       const char *desc,
 	       GElf_Word *regs_offset, size_t *nregloc,
 	       const Ebl_Register_Location **reglocs, size_t *nitems,
 	       const Ebl_Core_Item **items)
@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
     {
       /* The machine specific function did not know this type.  */
 
-      *regs_offset = 0;
-      *nregloc = 0;
-      *reglocs = NULL;
-      switch (nhdr->n_type)
+      /* NT_PLATFORM is kind of special since it needs a zero terminated
+         string (other notes often have a fixed size string).  */
+      static const Ebl_Core_Item platform[] =
 	{
-#define ITEMS(type, table)				\
-	  case type:					\
-	    *items = table;				\
-	    *nitems = sizeof table / sizeof table[0];	\
-	    result = 1;					\
-	    break
+	  {
+	    .name = "Platform",
+	    .type = ELF_T_BYTE, .count = 0, .format = 's'
+	  }
+	};
 
-	  static const Ebl_Core_Item platform[] =
-	    {
-	      {
-		.name = "Platform",
-		.type = ELF_T_BYTE, .count = 0, .format = 's'
-	      }
-	    };
-	  ITEMS (NT_PLATFORM, platform);
-
-#undef	ITEMS
+      if (nhdr->n_type == NT_PLATFORM
+	  && memchr (desc, '\0', nhdr->n_descsz) != NULL)
+        {
+	  *regs_offset = 0;
+	  *nregloc = 0;
+	  *reglocs = NULL;
+	  *items = platform;
+	  *nitems = 1;
+	  result = 1;
 	}
     }
 
diff --git a/libebl/libebl.h b/libebl/libebl.h
index ca9b9fe..24922eb 100644
--- a/libebl/libebl.h
+++ b/libebl/libebl.h
@@ -319,7 +319,8 @@ typedef struct
 
 /* Describe the format of a core file note with the given header and NAME.
    NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes.  */
-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+			  const char *name, const char *desc,
 			  GElf_Word *regs_offset, size_t *nregloc,
 			  const Ebl_Register_Location **reglocs,
 			  size_t *nitems, const Ebl_Core_Item **items)
diff --git a/src/readelf.c b/src/readelf.c
index 3a73710..71651e0 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
   size_t nitems;
   const Ebl_Core_Item *items;
 
-  if (! ebl_core_note (ebl, nhdr, name,
+  if (! ebl_core_note (ebl, nhdr, name, desc,
 		       &regs_offset, &nregloc, &reglocs, &nitems, &items))
     return;
 
-- 
2.7.4