git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: bf7f1a126a
Branches Tags
file
/
debian
/
patches
/
CVE-2014-9653.5.445c8fb.patch

CVE-2014-9653.5.445c8fb.patch 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. Subject: Bail out on partial reads, from Alexander Cherepanov
    2. 

  2. ID: CVE-2014-9653
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Tue Dec 16 20:53:05 2014 +0000
    5. 

  5. Origin: FILE5_21-10-g445c8fb
    6. 

  6. Last-Update: 2015-04-19
    7. 

  7. 

  8. --- a/src/readelf.c
    9. 

  9. +++ b/src/readelf.c
    10. 

  10. @@ -324,7 +324,7 @@
    11. 

  11.  	 * Loop through all the program headers.
    12. 

  12.  	 */
    13. 

  13.  	for ( ; num; num--) {
    14. 

  14. -		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
    15. 

  15. +		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
    16. 

  16.  			file_badread(ms);
    17. 

  17.  			return -1;
    18. 

  18.  		}
    19. 

  19. @@ -852,6 +852,7 @@
    20. 

  20.  	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
    21. 

  21.  	uint64_t cap_sf1 = 0;	/* SunOS 5.x software capabilites */
    22. 

  22.  	char name[50];
    23. 

  23. +	ssize_t namesize;
    24. 

  24.  
    25. 

  25.  	if (size != xsh_sizeof) {
    26. 

  26.  		if (file_printf(ms, ", corrupted section header size") == -1)
    27. 

  27. @@ -860,7 +861,7 @@
    28. 

  28.  	}
    29. 

  29.  
    30. 

  30.  	/* Read offset of name section to be able to read section names later */
    31. 

  31. -	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) == -1) {
    32. 

  32. +	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) < (ssize_t)xsh_sizeof) {
    33. 

  33.  		file_badread(ms);
    34. 

  34.  		return -1;
    35. 

  35.  	}
    36. 

  36. @@ -868,15 +869,15 @@
    37. 

  37.  
    38. 

  38.  	for ( ; num; num--) {
    39. 

  39.  		/* Read the name of this section. */
    40. 

  40. -		if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
    41. 

  41. +		if ((namesize = pread(fd, name, sizeof(name) - 1, name_off + xsh_name)) == -1) {
    42. 

  42.  			file_badread(ms);
    43. 

  43.  			return -1;
    44. 

  44.  		}
    45. 

  45. -		name[sizeof(name) - 1] = '\0';
    46. 

  46. +		name[namesize] = '\0';
    47. 

  47.  		if (strcmp(name, ".debug_info") == 0)
    48. 

  48.  			stripped = 0;
    49. 

  49.  
    50. 

  50. -		if (pread(fd, xsh_addr, xsh_sizeof, off) == -1) {
    51. 

  51. +		if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) {
    52. 

  52.  			file_badread(ms);
    53. 

  53.  			return -1;
    54. 

  54.  		}
    55. 

  55. @@ -900,7 +901,7 @@
    56. 

  56.  				    " for note");
    57. 

  57.  				return -1;
    58. 

  58.  			}
    59. 

  59. -			if (pread(fd, nbuf, xsh_size, xsh_offset) == -1) {
    60. 

  60. +			if (pread(fd, nbuf, xsh_size, xsh_offset) < (ssize_t)xsh_size) {
    61. 

  61.  				file_badread(ms);
    62. 

  62.  				free(nbuf);
    63. 

  63.  				return -1;
    64. 

  64. @@ -1056,7 +1057,7 @@
    65. 

  65.  	}
    66. 

  66.  
    67. 

  67.    	for ( ; num; num--) {
    68. 

  68. -		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
    69. 

  69. +		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
    70. 

  70.  			file_badread(ms);
    71. 

  71.  			return -1;
    72. 

  72.  		}
    73.