From 4e05195d8891e9182750831a0c0e29b79b7fae64 Mon Sep 17 00:00:00 2001 From: shixuantong Date: Sun, 16 Feb 2025 08:57:23 +0800 Subject: [PATCH] fix CVE-2025-1352 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377 (cherry picked from commit 5588b680dd8afed07d779f378223623c477d3755) --- backport-CVE-2025-1352.patch | 149 +++++++++++++++++++++++++++++++++++ backport-CVE-2025-1372.patch | 46 +++++++++++ backport-CVE-2025-1376.patch | 53 +++++++++++++ backport-CVE-2025-1377.patch | 63 +++++++++++++++ elfutils.spec | 13 ++- 5 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-1352.patch create mode 100644 backport-CVE-2025-1372.patch create mode 100644 backport-CVE-2025-1376.patch create mode 100644 backport-CVE-2025-1377.patch diff --git a/backport-CVE-2025-1352.patch b/backport-CVE-2025-1352.patch new file mode 100644 index 0000000..cbe691f --- /dev/null +++ b/backport-CVE-2025-1352.patch @@ -0,0 +1,149 @@ +From 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sat, 8 Feb 2025 20:00:12 +0100 +Subject: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev + issue + +__libdw_getabbrev could crash on reading a bad abbrev by trying to +deallocate memory it didn't allocate itself. This could happen because +dwarf_offabbrev would supply its own memory when calling +__libdw_getabbrev. No other caller did this. + +Simplify the __libdw_getabbrev common code by not taking external +memory to put the abbrev result in (this would also not work correctly +if the abbrev was already cached). And make dwarf_offabbrev explicitly +copy the result (if there was no error or end of abbrev). + + * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take + Dwarf_Abbrev result argument. Always just allocate abb when + abbrev not found in cache. + (dwarf_getabbrev): Don't pass NULL as last argument to + __libdw_getabbrev. + * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise. + * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy + abbrev into abbrevp on success. + * libdw/libdw.h (dwarf_offabbrev): Document return values. + * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev + result argument. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32650 + +Signed-off-by: Mark Wielaard +--- + libdw/dwarf_getabbrev.c | 12 ++++-------- + libdw/dwarf_offabbrev.c | 10 +++++++--- + libdw/dwarf_tag.c | 3 +-- + libdw/libdw.h | 4 +++- + libdw/libdwP.h | 3 +-- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c +index 5b02333f..d9a6c022 100644 +--- a/libdw/dwarf_getabbrev.c ++++ b/libdw/dwarf_getabbrev.c +@@ -1,5 +1,6 @@ + /* Get abbreviation at given offset. + Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Written by Ulrich Drepper , 2003. + +@@ -38,7 +39,7 @@ + Dwarf_Abbrev * + internal_function + __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, +- size_t *lengthp, Dwarf_Abbrev *result) ++ size_t *lengthp) + { + /* Don't fail if there is not .debug_abbrev section. */ + if (dbg->sectiondata[IDX_debug_abbrev] == NULL) +@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, + Dwarf_Abbrev *abb = NULL; + if (cu == NULL + || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL) +- { +- if (result == NULL) +- abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); +- else +- abb = result; +- } ++ abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); + else + { + foundit = true; +@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp) + return NULL; + } + +- return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL); ++ return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp); + } +diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c +index 27cdad64..41df69bf 100644 +--- a/libdw/dwarf_offabbrev.c ++++ b/libdw/dwarf_offabbrev.c +@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + if (dbg == NULL) + return -1; + +- Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp, +- abbrevp); ++ Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp); + + if (abbrev == NULL) + return -1; + +- return abbrev == DWARF_END_ABBREV ? 1 : 0; ++ if (abbrev == DWARF_END_ABBREV) ++ return 1; ++ ++ *abbrevp = *abbrev; ++ ++ return 0; + } +diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c +index d784970c..218382a1 100644 +--- a/libdw/dwarf_tag.c ++++ b/libdw/dwarf_tag.c +@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code) + + /* Find the next entry. It gets automatically added to the + hash table. */ +- abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length, +- NULL); ++ abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length); + if (abb == NULL || abb == DWARF_END_ABBREV) + { + /* Make sure we do not try to search for it again. */ +diff --git a/libdw/libdw.h b/libdw/libdw.h +index d53dc787..ec4713a6 100644 +--- a/libdw/libdw.h ++++ b/libdw/libdw.h +@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die); + extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, + size_t *lengthp); + +-/* Get abbreviation at given offset in .debug_abbrev section. */ ++/* Get abbreviation at given offset in .debug_abbrev section. On ++ success return zero and fills in ABBREVP. When there is no (more) ++ abbrev at offset returns one. On error returns a negative value. */ + extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + Dwarf_Abbrev *abbrevp) + __nonnull_attribute__ (4); +diff --git a/libdw/libdwP.h b/libdw/libdwP.h +index d6bab606..0cff5c26 100644 +--- a/libdw/libdwP.h ++++ b/libdw/libdwP.h +@@ -795,8 +795,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu, + + /* Get abbreviation at given offset. */ + extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, +- Dwarf_Off offset, size_t *lengthp, +- Dwarf_Abbrev *result) ++ Dwarf_Off offset, size_t *lengthp) + __nonnull_attribute__ (1) internal_function; + + /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory +-- +2.27.0 + diff --git a/backport-CVE-2025-1372.patch b/backport-CVE-2025-1372.patch new file mode 100644 index 0000000..acf25ce --- /dev/null +++ b/backport-CVE-2025-1372.patch @@ -0,0 +1,46 @@ +From 73db9d2021cab9e23fd734b0a76a612d52a6f1db Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Sun, 9 Feb 2025 00:07:39 +0100 +Subject: [PATCH] readelf: Skip trying to uncompress sections without a name + +When combining eu-readelf -z with -x or -p to dump the data or strings +in an (corrupted ELF) unnamed numbered section eu-readelf could crash +trying to check whether the section name starts with .zdebug. Fix this +by skipping sections without a name. + + * src/readelf.c (dump_data_section): Don't try to gnu decompress a + section without a name. + (print_string_section): Likewise. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32656 + +Signed-off-by: Mark Wielaard +--- + src/readelf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index c19b0a5..8af6520 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -12647,7 +12647,7 @@ dump_data_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +@@ -12698,7 +12698,7 @@ print_string_section (Elf_Scn *scn, const GElf_Shdr *shdr, const char *name) + _("Couldn't uncompress section"), + elf_ndxscn (scn)); + } +- else if (startswith (name, ".zdebug")) ++ else if (name && startswith (name, ".zdebug")) + { + if (elf_compress_gnu (scn, 0, 0) < 0) + printf ("WARNING: %s [%zd]\n", +-- +2.27.0 + diff --git a/backport-CVE-2025-1376.patch b/backport-CVE-2025-1376.patch new file mode 100644 index 0000000..3b191c5 --- /dev/null +++ b/backport-CVE-2025-1376.patch @@ -0,0 +1,53 @@ +From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 00:02:32 +0100 +Subject: [PATCH] libelf: Handle elf_strptr on section without any data + +In the unlikely situation that elf_strptr was called on a section with +sh_size already set, but that doesn't have any data yet we could crash +trying to verify the string to return. + +This could happen for example when a new section was created with +elf_newscn, but no data having been added yet. + + * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base + is not NULL. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32672 + +Signed-off-by: Mark Wielaard +--- + libelf/elf_strptr.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c +index c5a94f82..7be7f5e8 100644 +--- a/libelf/elf_strptr.c ++++ b/libelf/elf_strptr.c +@@ -1,5 +1,6 @@ + /* Return string pointer from string section. + Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Contributed by Ulrich Drepper , 1998. + +@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset) + // initialized yet (when data_read is zero). So we cannot just + // look at the rawdata.d.d_size. + +- /* Make sure the string is NUL terminated. Start from the end, +- which very likely is a NUL char. */ +- if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) ++ /* First check there actually is any data. This could be a new ++ section which hasn't had any data set yet. Then make sure ++ the string is at a valid offset and NUL terminated. */ ++ if (unlikely (strscn->rawdata_base == NULL)) ++ __libelf_seterrno (ELF_E_INVALID_SECTION); ++ else if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) + result = &strscn->rawdata_base[offset]; + else + __libelf_seterrno (ELF_E_INVALID_INDEX); +-- +2.33.0 + + diff --git a/backport-CVE-2025-1377.patch b/backport-CVE-2025-1377.patch new file mode 100644 index 0000000..f317adc --- /dev/null +++ b/backport-CVE-2025-1377.patch @@ -0,0 +1,63 @@ +From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 14:59:34 +0100 +Subject: [PATCH] strip: Verify symbol table is a real symbol table + +We didn't check the symbol table referenced from the relocation table +was a real symbol table. This could cause a crash if that section +happened to be an SHT_NOBITS section without any data. Fix this by +adding an explicit check. + +* src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a +message string to display. +(INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1). +(remove_debug_relocations): Check the sh_link referenced +section is real and isn't a SHT_NOBITS section. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32673 + +Signed-off-by: Mark Wielaard +--- + src/strip.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/strip.c b/src/strip.c +index 70fc8c0..f06492f 100644 +--- a/src/strip.c ++++ b/src/strip.c +@@ -127,13 +127,14 @@ static char *tmp_debug_fname = NULL; + /* Close debug file descriptor, if opened. And remove temporary debug file. */ + static void cleanup_debug (void); + +-#define INTERNAL_ERROR(fname) \ ++#define INTERNAL_ERROR_MSG(fname, msg) \ + do { \ + cleanup_debug (); \ + error (EXIT_FAILURE, 0, _("%s: INTERNAL ERROR %d (%s): %s"), \ +- fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1)); \ ++ fname, __LINE__, PACKAGE_VERSION, msg); \ + } while (0) + ++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1)) + + /* Name of the output file. */ + static const char *output_fname; +@@ -632,7 +633,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr, + resolve relocation symbol indexes. */ + Elf64_Word symt = shdr->sh_link; + Elf_Data *symdata, *xndxdata; +- Elf_Scn * symscn = elf_getscn (elf, symt); ++ Elf_Scn *symscn = elf_getscn (elf, symt); ++ GElf_Shdr symshdr_mem; ++ GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem); ++ if (symshdr == NULL) ++ INTERNAL_ERROR (fname); ++ if (symshdr->sh_type == SHT_NOBITS) ++ INTERNAL_ERROR_MSG (fname, "NOBITS section"); ++ + symdata = elf_getdata (symscn, NULL); + xndxdata = get_xndxdata (elf, symscn); + if (symdata == NULL) +-- +2.27.0 + diff --git a/elfutils.spec b/elfutils.spec index d74da54..45f4e3e 100644 --- a/elfutils.spec +++ b/elfutils.spec @@ -1,7 +1,7 @@ # -*- rpm-spec from http://elfutils.org/ -*- Name: elfutils Version: 0.185 -Release: 19 +Release: 20 Summary: A collection of utilities and DSOs to handle ELF files and DWARF data URL: http://elfutils.org/ License: GPLv3+ and (GPLv2+ or LGPLv3+) @@ -15,6 +15,10 @@ Patch4: Get-instance-correctly-for-eu-ar-N-option.patch Patch5: backport-readelf-Handle-DW_LLE_GNU_view_pair.patch Patch6: elfutils-Add-sw64-architecture.patch Patch7: backport-libdwfl-Fix-overflow-check-in-link_map.c-read_addrs.patch +Patch6000: backport-CVE-2025-1352.patch +Patch6001: backport-CVE-2025-1372.patch +Patch6002: backport-CVE-2025-1376.patch +Patch6003: backport-CVE-2025-1377.patch Provides: elfutils-libelf elfutils-default-yama-scope default-yama-scope elfutils-libs Obsoletes: elfutils-libelf < %{version}-%{release} elfutils-default-yama-scope < %{version}-%{release} elfutils-libs < %{version}-%{release} @@ -134,6 +138,10 @@ such servers to download those files on demand. %patch6 -p1 %endif %patch7 -p1 +%patch6000 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 %build %configure --program-prefix=%{_programprefix} @@ -268,6 +276,9 @@ exit 0 %systemd_postun_with_restart debuginfod.service %changelog +* Sun Feb 16 2025 shixuantong - 0.185-20 +- fix CVE-2025-1352 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377 + * Wed Feb 05 2025 Funda Wang - 0.185-19 - correctly fix libdebuginfod.so requirement -- Gitee