public inbox for elfutils@sourceware.org
* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
From: Florian Weimer @ 2014-04-09 15:07 UTC
  To: elfutils-devel

On 04/09/2014 01:57 PM, Mark Wielaard wrote:

> +	    /* Check for unsigned overflow so malloc always allocated
> +	       enough memory for both the Elf_Data header and the
> +	       uncompressed section data.  */
> +	    if (unlikely (sizeof (Elf_Data) + size < size))
> +	      break;
> +
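
Review bot: The comment above the `sizeof (Elf_Data) + size < size` check says "so malloc always allocated enough memory", in the past tense, although the check runs before the allocation (the subject line says "before calling malloc"). Suggest "so malloc always allocates enough memory", so the comment reads as the precondition it is.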

Looks good to me.

-- 
Florian Weimer / Red Hat Product Security Team

* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
From: Mark Wielaard @ 2014-04-09 21:26 UTC
  To: elfutils-devel

On Wed, 2014-04-09 at 21:47 +0200, Kurt Roeckx wrote:
> Is there a plan to make a new release?

I wasn't planning one for just this fix. The patch is small enough for
people to apply if they want it right now. But it is about time to push
for 0.159. I was planning to do the dwz/alt-debug changes that have been
talked about recently on the list first. That will take a bit of time
since it will add a new interface. So maybe in 2 weeks. Let's aim for the
weekend of 26/27 of April?

Cheers,

Mark


* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
From: Mark Wielaard @ 2014-04-09 21:10 UTC
  To: elfutils-devel

On Wed, 2014-04-09 at 17:07 +0200, Florian Weimer wrote:
> On 04/09/2014 01:57 PM, Mark Wielaard wrote:
> 
> > +	    /* Check for unsigned overflow so malloc always allocated
> > +	       enough memory for both the Elf_Data header and the
> > +	       uncompressed section data.  */
> > +	    if (unlikely (sizeof (Elf_Data) + size < size))
> > +	      break;
> > +
> 
> Looks good to me.

Thanks for checking. I pushed it to master now.



* Re: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
From: Kurt Roeckx @ 2014-04-09 19:47 UTC
  To: elfutils-devel

Is there a plan to make a new release?


Kurt


* [PATCH] CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
From: Mark Wielaard @ 2014-04-09 11:57 UTC
  To: elfutils-devel

https://bugzilla.redhat.com/show_bug.cgi?id=1085663

Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdw/ChangeLog         |    5 +++++
 libdw/dwarf_begin_elf.c |    8 +++++++-
 2 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 1d9b9a3..e8f0eb8 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-09  Mark Wielaard  <mjw@redhat.com>
+
+	* dwarf_begin_elf.c (check_section): Check for unsigned overflow
+	before calling malloc to uncompress data.
+
 2014-03-03  Jan Kratochvil  <jan.kratochvil@redhat.com>
 
 	Fix abort() on missing section headers.
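
Review bot: The new ChangeLog entry for `check_section` does not mention CVE-2014-0172 or the bug report linked in the commit message, so a reader of the ChangeLog alone cannot tell that this is a security fix. Suggest naming the CVE in the entry, e.g. `Check for unsigned overflow before calling malloc to uncompress data (CVE-2014-0172).`
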
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..34ea373 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -1,5 +1,5 @@
 /* Create descriptor from ELF descriptor for processing file.
-   Copyright (C) 2002-2011 Red Hat, Inc.
+   Copyright (C) 2002-2011, 2014 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 2002.
 
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
 	    memcpy (&size, data->d_buf + 4, sizeof size);
 	    size = be64toh (size);
 
+	    /* Check for unsigned overflow so malloc always allocated
+	       enough memory for both the Elf_Data header and the
+	       uncompressed section data.  */
+	    if (unlikely (sizeof (Elf_Data) + size < size))
+	      break;
+
 	    Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
 	    if (unlikely (zdata == NULL))
 	      break;
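
Review bot: The added check `sizeof (Elf_Data) + size < size` in `check_section` only detects wraparound at the width of `size`, not at the width of malloc's argument. `size` is filled with `sizeof size` bytes and passed through `be64toh`, so it appears to be a 64-bit value (its declaration is outside the hunk). If so, on a target where `size_t` is 32 bits the sum is computed in 64 bits, does not wrap for values just above 4 GiB, and is then truncated when passed to `malloc (sizeof (Elf_Data) + size)`, so the buffer can still be smaller than the header plus `size`. Suggest bounding against the allocator's type instead: `if (unlikely (size > SIZE_MAX - sizeof (Elf_Data))) break;`, which covers both the 64-bit wrap and the 32-bit truncation.
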
-- 
1.7.1

