git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: bf7f1a126a
Branches Tags
file
/
debian
/
patches
/
CVE-2014-9653.1.1231e6e.patch

CVE-2014-9653.1.1231e6e.patch 5.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245 
  1. Subject: PR/134: Don't seek all overr the place when reading elf files, homogenize (...)
    2. 

  2. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    3. 

  3. Date: Wed Aug 17 11:34:39 2011 +0000
    4. 

  4. Origin: FILE5_08-7-g1231e6e
    5. 

  5. Last-Update: 2015-04-19
    6. 

  6. 

  7.     PR/134: Don't seek all overr the place when reading elf files, homogenize
    8. 

  8.     the seeking to seek to the proper offset for each header structure reading
    9. 

  9.     instead of saving and restoring offsets in random places.
    10. 

  10. 

  11. (prequisite for CVE-2014-9653)
    12. 

  12. 

  13. --- a/src/elfclass.h
    14. 

  14. +++ b/src/elfclass.h
    15. 

  15. @@ -66,8 +66,7 @@
    16. 

  16.  		if (doshn(ms, clazz, swap, fd,
    17. 

  17.  		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
    18. 

  18.  		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
    19. 

  19. -		    &flags,
    20. 

  20. -		    elf_getu16(swap, elfhdr.e_machine)) == -1)
    21. 

  21. +		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine)) == -1)
    22. 

  22.  			return -1;
    23. 

  23.  		break;
    24. 

  24.  
    25. 

  25. --- a/src/readelf.c
    26. 

  26. +++ b/src/readelf.c
    27. 

  27. @@ -47,8 +47,8 @@
    28. 

  28.  #endif
    29. 

  29.  private int dophn_exec(struct magic_set *, int, int, int, off_t, int, size_t,
    30. 

  30.      off_t, int *, int);
    31. 

  31. -private int doshn(struct magic_set *, int, int, int, off_t, int, size_t, int *,
    32. 

  32. -    int);
    33. 

  33. +private int doshn(struct magic_set *, int, int, int, off_t, int, size_t,
    34. 

  34. +    off_t, int *, int);
    35. 

  35.  private size_t donote(struct magic_set *, void *, size_t, size_t, int,
    36. 

  36.      int, size_t, int *);
    37. 

  37.  
    38. 

  38. @@ -156,7 +156,7 @@
    39. 

  39.  #define xsh_size	(clazz == ELFCLASS32			\
    40. 

  40.  			 ? elf_getu32(swap, sh32.sh_size)	\
    41. 

  41.  			 : elf_getu64(swap, sh64.sh_size))
    42. 

  42. -#define xsh_offset	(clazz == ELFCLASS32			\
    43. 

  43. +#define xsh_offset	(off_t)(clazz == ELFCLASS32		\
    44. 

  44.  			 ? elf_getu32(swap, sh32.sh_offset)	\
    45. 

  45.  			 : elf_getu64(swap, sh64.sh_offset))
    46. 

  46.  #define xsh_type	(clazz == ELFCLASS32			\
    47. 

  47. @@ -308,13 +308,6 @@
    48. 

  48.  	size_t offset;
    49. 

  49.  	unsigned char nbuf[BUFSIZ];
    50. 

  50.  	ssize_t bufsize;
    51. 

  51. -	off_t savedoffset;
    52. 

  52. - 	struct stat st;
    53. 

  53. -
    54. 

  54. -	if (fstat(fd, &st) < 0) {
    55. 

  55. -		file_badread(ms);
    56. 

  56. -		return -1;
    57. 

  57. -	}
    58. 

  58.  
    59. 

  59.  	if (size != xph_sizeof) {
    60. 

  60.  		if (file_printf(ms, ", corrupted program header size") == -1)
    61. 

  61. @@ -326,7 +319,7 @@
    62. 

  62.  	 * Loop through all the program headers.
    63. 

  63.  	 */
    64. 

  64.  	for ( ; num; num--) {
    65. 

  65. -		if ((savedoffset = lseek(fd, off, SEEK_SET)) == (off_t)-1) {
    66. 

  66. +		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    67. 

  67.  			file_badseek(ms);
    68. 

  68.  			return -1;
    69. 

  69.  		}
    70. 

  70. @@ -334,15 +327,13 @@
    71. 

  71.  			file_badread(ms);
    72. 

  72.  			return -1;
    73. 

  73.  		}
    74. 

  74. +		off += size;
    75. 

  75. +
    76. 

  76.  		if (xph_offset > fsize) {
    77. 

  77. -			if (lseek(fd, savedoffset, SEEK_SET) == (off_t)-1) {
    78. 

  78. -				file_badseek(ms);
    79. 

  79. -				return -1;
    80. 

  80. -			}
    81. 

  81. +			/* Perhaps warn here */
    82. 

  82.  			continue;
    83. 

  83.  		}
    84. 

  84.  
    85. 

  85. -		off += size;
    86. 

  86.  		if (xph_type != PT_NOTE)
    87. 

  87.  			continue;
    88. 

  88.  
    89. 

  89. @@ -854,7 +845,7 @@
    90. 

  90.  
    91. 

  91.  private int
    92. 

  92.  doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
    93. 

  93. -    size_t size, int *flags, int mach)
    94. 

  94. +    size_t size, off_t fsize, int *flags, int mach)
    95. 

  95.  {
    96. 

  96.  	Elf32_Shdr sh32;
    97. 

  97.  	Elf64_Shdr sh64;
    98. 

  98. @@ -871,16 +862,22 @@
    99. 

  99.  		return 0;
    100. 

  100.  	}
    101. 

  101.  
    102. 

  102. -	if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    103. 

  103. -		file_badseek(ms);
    104. 

  104. -		return -1;
    105. 

  105. -	}
    106. 

  106. -
    107. 

  107.  	for ( ; num; num--) {
    108. 

  108. +		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    109. 

  109. +			file_badseek(ms);
    110. 

  110. +			return -1;
    111. 

  111. +		}
    112. 

  112.  		if (read(fd, xsh_addr, xsh_sizeof) == -1) {
    113. 

  113.  			file_badread(ms);
    114. 

  114.  			return -1;
    115. 

  115.  		}
    116. 

  116. +		off += size;
    117. 

  117. +
    118. 

  118. +		if (xsh_offset > fsize) {
    119. 

  119. +			/* Perhaps warn here */
    120. 

  120. +			continue;
    121. 

  121. +		}
    122. 

  122. +
    123. 

  123.  		switch (xsh_type) {
    124. 

  124.  		case SHT_SYMTAB:
    125. 

  125.  #if 0
    126. 

  126. @@ -889,11 +886,6 @@
    127. 

  127.  			stripped = 0;
    128. 

  128.  			break;
    129. 

  129.  		case SHT_NOTE:
    130. 

  130. -			if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
    131. 

  131. -			    (off_t)-1) {
    132. 

  132. -				file_badread(ms);
    133. 

  133. -				return -1;
    134. 

  134. -			}
    135. 

  135.  			if ((nbuf = malloc((size_t)xsh_size)) == NULL) {
    136. 

  136.  				file_error(ms, errno, "Cannot allocate memory"
    137. 

  137.  				    " for note");
    138. 

  138. @@ -922,11 +914,6 @@
    139. 

  139.  				if (noff == 0)
    140. 

  140.  					break;
    141. 

  141.  			}
    142. 

  142. -			if ((lseek(fd, off, SEEK_SET)) == (off_t)-1) {
    143. 

  143. -				free(nbuf);
    144. 

  144. -				file_badread(ms);
    145. 

  145. -				return -1;
    146. 

  146. -			}
    147. 

  147.  			free(nbuf);
    148. 

  148.  			break;
    149. 

  149.  		case SHT_SUNW_cap:
    150. 

  150. @@ -941,7 +928,7 @@
    151. 

  151.  				break;
    152. 

  152.  			if (lseek(fd, (off_t)xsh_offset, SEEK_SET) ==
    153. 

  153.  			    (off_t)-1) {
    154. 

  154. -				file_badread(ms);
    155. 

  155. +				file_badseek(ms);
    156. 

  156.  				return -1;
    157. 

  157.  			}
    158. 

  158.  			coff = 0;
    159. 

  159. @@ -979,10 +966,6 @@
    160. 

  160.  					break;
    161. 

  161.  				}
    162. 

  162.  			}
    163. 

  163. -			if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    164. 

  164. -				file_badread(ms);
    165. 

  165. -				return -1;
    166. 

  166. -			}
    167. 

  167.  			break;
    168. 

  168.  		    }
    169. 

  169.  		}
    170. 

  170. @@ -1064,13 +1047,6 @@
    171. 

  171.  	unsigned char nbuf[BUFSIZ];
    172. 

  172.  	ssize_t bufsize;
    173. 

  173.  	size_t offset, align;
    174. 

  174. -	off_t savedoffset = (off_t)-1;
    175. 

  175. -	struct stat st;
    176. 

  176. -
    177. 

  177. -	if (fstat(fd, &st) < 0) {
    178. 

  178. -		file_badread(ms);
    179. 

  179. -		return -1;
    180. 

  180. -	}
    181. 

  181.  	
    182. 

  182.  	if (size != xph_sizeof) {
    183. 

  183.  		if (file_printf(ms, ", corrupted program header size") == -1)
    184. 

  184. @@ -1078,34 +1054,20 @@
    185. 

  185.  		return 0;
    186. 

  186.  	}
    187. 

  187.  
    188. 

  188. -	if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    189. 

  189. -		file_badseek(ms);
    190. 

  190. -		return -1;
    191. 

  191. -	}
    192. 

  192. -
    193. 

  193.    	for ( ; num; num--) {
    194. 

  194. -  		if (read(fd, xph_addr, xph_sizeof) == -1) {
    195. 

  195. -  			file_badread(ms);
    196. 

  196. +		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
    197. 

  197. +			file_badseek(ms);
    198. 

  198.  			return -1;
    199. 

  199.  		}
    200. 

  200. -		if (xph_offset > st.st_size && savedoffset != (off_t)-1) {
    201. 

  201. -			if (lseek(fd, savedoffset, SEEK_SET) == (off_t)-1) {
    202. 

  202. -				file_badseek(ms);
    203. 

  203. -				return -1;
    204. 

  204. -			}
    205. 

  205. -			continue;
    206. 

  206. -		}
    207. 

  207.  
    208. 

  208. -		if ((savedoffset = lseek(fd, (off_t)0, SEEK_CUR)) == (off_t)-1) {
    209. 

  209. -  			file_badseek(ms);
    210. 

  210. +  		if (read(fd, xph_addr, xph_sizeof) == -1) {
    211. 

  211. +  			file_badread(ms);
    212. 

  212.  			return -1;
    213. 

  213.  		}
    214. 

  214.  
    215. 

  215. +		off += size;
    216. 

  216.  		if (xph_offset > fsize) {
    217. 

  217. -			if (lseek(fd, savedoffset, SEEK_SET) == (off_t)-1) {
    218. 

  218. -				file_badseek(ms);
    219. 

  219. -				return -1;
    220. 

  220. -			}
    221. 

  221. +			/* Maybe warn here? */
    222. 

  222.  			continue;
    223. 

  223.  		}
    224. 

  224.  
    225. 

  225. @@ -1130,8 +1092,7 @@
    226. 

  226.  			 * This is a PT_NOTE section; loop through all the notes
    227. 

  227.  			 * in the section.
    228. 

  228.  			 */
    229. 

  229. -			if (lseek(fd, xph_offset, SEEK_SET)
    230. 

  230. -			    == (off_t)-1) {
    231. 

  231. +			if (lseek(fd, xph_offset, SEEK_SET) == (off_t)-1) {
    232. 

  232.  				file_badseek(ms);
    233. 

  233.  				return -1;
    234. 

  234.  			}
    235. 

  235. @@ -1151,10 +1112,6 @@
    236. 

  236.  				if (offset == 0)
    237. 

  237.  					break;
    238. 

  238.  			}
    239. 

  239. -			if (lseek(fd, savedoffset, SEEK_SET) == (off_t)-1) {
    240. 

  240. -				file_badseek(ms);
    241. 

  241. -				return -1;
    242. 

  242. -			}
    243. 

  243.  			break;
    244. 

  244.  		default:
    245. 

  245.  			break;
    246.