diff --git a/elfutils-0.158-CVE-2014-0172.patch b/elfutils-0.158-CVE-2014-0172.patch new file mode 100644 index 0000000..3b76360 --- /dev/null +++ b/elfutils-0.158-CVE-2014-0172.patch @@ -0,0 +1,28 @@ +commit 7f1eec317db79627b473c5b149a22a1b20d1f68f +Author: Mark Wielaard <mjw@redhat.com> +Date: Wed Apr 9 11:33:23 2014 +0200 + + CVE-2014-0172 Check for overflow before calling malloc to uncompress data. + + https://bugzilla.redhat.com/show_bug.cgi?id=1085663 + + Reported-by: Florian Weimer <fweimer@redhat.com> + Signed-off-by: Mark Wielaard <mjw@redhat.com> + +diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c +index 79daeac..34ea373 100644 +--- a/libdw/dwarf_begin_elf.c ++++ b/libdw/dwarf_begin_elf.c +@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp) + memcpy (&size, data->d_buf + 4, sizeof size); + size = be64toh (size); + ++ /* Check for unsigned overflow so malloc always allocated ++ enough memory for both the Elf_Data header and the ++ uncompressed section data. */ ++ if (unlikely (sizeof (Elf_Data) + size < size)) ++ break; ++ + Elf_Data *zdata = malloc (sizeof (Elf_Data) + size); + if (unlikely (zdata == NULL)) + break;