* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
@ 2014-04-09 21:26 Mark Wielaard
From: Mark Wielaard @ 2014-04-09 21:26 UTC (permalink / raw)
To: elfutils-devel
On Wed, 2014-04-09 at 21:47 +0200, Kurt Roeckx wrote:
> Is there a plan to make a new release?
I wasn't planning one for just this fix. The patch is small enough for
people to apply if they want it right now. But it is about time to push
for 0.159. I was planning to do the dwz/alt-debug changes that have been
talked about recently on the list first. That will take a bit of time
since it will add a new interface. So maybe in 2 weeks. Let's aim for the
weekend of 26/27 of April?
Cheers,
Mark
* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
@ 2014-04-09 21:10 Mark Wielaard
From: Mark Wielaard @ 2014-04-09 21:10 UTC (permalink / raw)
To: elfutils-devel
On Wed, 2014-04-09 at 17:07 +0200, Florian Weimer wrote:
> On 04/09/2014 01:57 PM, Mark Wielaard wrote:
>
> > + /* Check for unsigned overflow so malloc always allocated
> > + enough memory for both the Elf_Data header and the
> > + uncompressed section data. */
> > + if (unlikely (sizeof (Elf_Data) + size < size))
> > + break;
> > +
>
> Looks good to me.
Thanks for checking. I pushed it to master now.
* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
@ 2014-04-09 19:47 Kurt Roeckx
From: Kurt Roeckx @ 2014-04-09 19:47 UTC (permalink / raw)
To: elfutils-devel
Is there a plan to make a new release?
Kurt
* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
@ 2014-04-09 15:07 Florian Weimer
From: Florian Weimer @ 2014-04-09 15:07 UTC (permalink / raw)
To: elfutils-devel
On 04/09/2014 01:57 PM, Mark Wielaard wrote:
> + /* Check for unsigned overflow so malloc always allocated
> + enough memory for both the Elf_Data header and the
> + uncompressed section data. */
> + if (unlikely (sizeof (Elf_Data) + size < size))
> + break;
> +
Looks good to me.
--
Florian Weimer / Red Hat Product Security Team
* [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
@ 2014-04-09 11:57 Mark Wielaard
From: Mark Wielaard @ 2014-04-09 11:57 UTC (permalink / raw)
To: elfutils-devel
https://bugzilla.redhat.com/show_bug.cgi?id=1085663
Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libdw/ChangeLog | 5 +++++
libdw/dwarf_begin_elf.c | 8 +++++++-
2 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 1d9b9a3..e8f0eb8 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-09 Mark Wielaard <mjw@redhat.com>
+
+ * dwarf_begin_elf.c (check_section): Check for unsigned overflow
+ before calling malloc to uncompress data.
+
2014-03-03 Jan Kratochvil <jan.kratochvil@redhat.com>
Fix abort() on missing section headers.
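Review bot: the new ChangeLog entry for check_section does not name CVE-2014-0172 or the bug number; both appear only in the mail subject and the bugzilla link above the diffstat. Adding the CVE identifier to the entry would let anyone backporting from libdw/ChangeLog locate this fix without the mail thread.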
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..34ea373 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -1,5 +1,5 @@
/* Create descriptor from ELF descriptor for processing file.
- Copyright (C) 2002-2011 Red Hat, Inc.
+ Copyright (C) 2002-2011, 2014 Red Hat, Inc.
This file is part of elfutils.
Written by Ulrich Drepper <drepper@redhat.com>, 2002.
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
memcpy (&size, data->d_buf + 4, sizeof size);
size = be64toh (size);
+ /* Check for unsigned overflow so malloc always allocated
+ enough memory for both the Elf_Data header and the
+ uncompressed section data. */
+ if (unlikely (sizeof (Elf_Data) + size < size))
+ break;
+
Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
if (unlikely (zdata == NULL))
break;
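Review bot: the added test in check_section, "if (unlikely (sizeof (Elf_Data) + size < size))", only rejects a size that makes the sum wrap, so any value just under that limit still goes to malloc, and size is taken directly from the section contents (the memcpy from data->d_buf + 4 followed by be64toh), meaning the file being read chooses it. The wrap test is valid for unsigned arithmetic only if size has the same width as size_t; its declaration is outside this hunk, so please confirm it, and consider writing the bound explicitly as "size > SIZE_MAX - sizeof (Elf_Data)" so the intent does not depend on wraparound. Both the new path and the existing "zdata == NULL" path leave through a bare break, so a corrupt size header and an allocation failure look the same from here; a short comment saying the section is deliberately skipped would help. Minor: the comment reads "so malloc always allocated"; "allocates" is the intended tense.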
--
1.7.1