Blame elfutils-0.158-CVE-2014-0172.patch
|
Mark Wielaard |
561f4c0 |
commit 7f1eec317db79627b473c5b149a22a1b20d1f68f
|
|
Mark Wielaard |
561f4c0 |
Author: Mark Wielaard <mjw@redhat.com>
|
|
Mark Wielaard |
561f4c0 |
Date: Wed Apr 9 11:33:23 2014 +0200
|
|
Mark Wielaard |
561f4c0 |
|
|
Mark Wielaard |
561f4c0 |
CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
|
|
Mark Wielaard |
561f4c0 |
|
|
Mark Wielaard |
561f4c0 |
https://bugzilla.redhat.com/show_bug.cgi?id=1085663
|
|
Mark Wielaard |
561f4c0 |
|
|
Mark Wielaard |
561f4c0 |
Reported-by: Florian Weimer <fweimer@redhat.com>
|
|
Mark Wielaard |
561f4c0 |
Signed-off-by: Mark Wielaard <mjw@redhat.com>
|
|
Mark Wielaard |
561f4c0 |
|
|
Mark Wielaard |
561f4c0 |
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
|
|
Mark Wielaard |
561f4c0 |
index 79daeac..34ea373 100644
|
|
Mark Wielaard |
561f4c0 |
--- a/libdw/dwarf_begin_elf.c
|
|
Mark Wielaard |
561f4c0 |
+++ b/libdw/dwarf_begin_elf.c
|
|
Mark Wielaard |
561f4c0 |
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
|
|
Mark Wielaard |
561f4c0 |
memcpy (&size, data->d_buf + 4, sizeof size);
|
|
Mark Wielaard |
561f4c0 |
size = be64toh (size);
|
|
Mark Wielaard |
561f4c0 |
|
|
Mark Wielaard |
561f4c0 |
+ /* Check for unsigned overflow so malloc always allocated
|
|
Mark Wielaard |
561f4c0 |
+ enough memory for both the Elf_Data header and the
|
|
Mark Wielaard |
561f4c0 |
+ uncompressed section data. */
|
|
Mark Wielaard |
561f4c0 |
+ if (unlikely (sizeof (Elf_Data) + size < size))
|
|
Mark Wielaard |
561f4c0 |
+ break;
|
|
Mark Wielaard |
561f4c0 |
+
|
|
Mark Wielaard |
561f4c0 |
Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
|
|
Mark Wielaard |
561f4c0 |
if (unlikely (zdata == NULL))
|
|
Mark Wielaard |
561f4c0 |
break;
|