This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Fri, 07 Nov 2014 12:51:15 +0100
- Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
On Thu, 2014-11-06 at 10:25 -0800, Roland McGrath wrote:
> > /* First see whether the information in the section header is
> > valid and it does not ask for too much. */
> > if (unlikely (offset + size > elf->maximum_size))
>
> This is not overflow-proof.
Missed that one. So the full fix would be as attached.
From 996a4373aeab8ffe397cb7e66cfdf56144c4b817 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Fri, 7 Nov 2014 12:47:16 +0100
Subject: [PATCH] libelf: Correct shdr size check for (raw) getdata.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libelf/ChangeLog | 6 ++++++
libelf/elf_begin.c | 8 ++++----
libelf/elf_getdata.c | 7 +++++--
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5ad20a6..dd0a755 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-07 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (file_read_elf): Correct sh_size check.
+ * elf_getdata.c (__libelf_set_rawdata_wrlock): Check for unsigned
+ overflow.
+
2014-09-10 Petr Machata <pmachata@redhat.com>
* elf_begin (read_unmmaped_file): Call __libelf_seterrno if the
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index c3ad140..5525a3b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -337,8 +337,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
elf->state.elf32.scns.data[cnt].shdr.e32 =
&elf->state.elf32.shdr[cnt];
if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
- <= elf->state.elf32.shdr[cnt].sh_size))
+ && likely (elf->state.elf32.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))
elf->state.elf32.scns.data[cnt].rawdata_base =
elf->state.elf32.scns.data[cnt].data_base =
((char *) map_address + offset
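Review bot: the corrected comparison `sh_size <= maxsize - sh_offset` is wrap-free only because the preceding `sh_offset < maxsize` clause guarantees the subtraction cannot underflow; a one-line comment on the `if` saying that the first clause guards the second would help, since the previous version of this test had the operands on the wrong sides and shipped without anyone noticing which quantity was being bounded. One small question on the strict `<`: a zero-length section whose sh_offset equals maxsize is rejected here even though it asks for nothing; if such headers occur in valid objects, `sh_offset <= maxsize` keeps the subtraction safe (it yields 0, so only sh_size == 0 passes).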
@@ -428,8 +428,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
elf->state.elf64.scns.data[cnt].shdr.e64 =
&elf->state.elf64.shdr[cnt];
if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
- <= elf->state.elf64.shdr[cnt].sh_size))
+ && likely (elf->state.elf64.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf64.shdr[cnt].sh_offset))
elf->state.elf64.scns.data[cnt].rawdata_base =
elf->state.elf64.scns.data[cnt].data_base =
((char *) map_address + offset
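Review bot: this is the same expression as the elf32 hunk with only the field names changed; a small static inline helper along the lines of `section_fits (sh_offset, sh_size, maxsize)` used from both branches would keep the two copies from drifting apart and give the overflow reasoning a single place to live.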
diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c
index bc9f26a..33d35d6 100644
--- a/libelf/elf_getdata.c
+++ b/libelf/elf_getdata.c
@@ -243,8 +243,11 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn)
if (elf->map_address != NULL)
{
/* First see whether the information in the section header is
- valid and it does not ask for too much. */
- if (unlikely (offset + size > elf->maximum_size))
+ valid and it does not ask for too much. Check for unsigned
+ overflow. */
+ if (unlikely (offset + size > elf->maximum_size
+ || (offset + size + elf->maximum_size
+ < elf->maximum_size)))
{
/* Something is wrong. */
__libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
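Review bot: the added clause `offset + size + elf->maximum_size < elf->maximum_size` does not detect a wrapped `offset + size`. If `offset` sits near the top of its unsigned range and `size` is small, `offset + size` wraps to a small value; that value is not greater than `maximum_size`, and adding `maximum_size` to it does not wrap a second time, so both clauses are false and the bogus header is accepted. The new clause can only fire when the wrapped sum is already within `maximum_size` of the type's maximum, where for any realistic file size the first clause rejects it anyway. Use the subtraction form the elf_begin.c hunks already use, which needs no separate overflow test: `if (unlikely (offset > elf->maximum_size || elf->maximum_size - offset < size))`. The comment "Check for unsigned overflow" then matches what the code does.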
--
1.9.3
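The three shapes of the bounds test discussed above, side by side, as an added example that is not part of the patch or of elfutils; it assumes plain `uint64_t` for offset, size and file size in place of libelf's own types, and the input values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Original check: offset + size is computed first and can wrap around,
   after which the comparison against maximum_size is meaningless. */
static bool fits_naive(uint64_t offset, uint64_t size, uint64_t maximum_size)
{
  return !(offset + size > maximum_size);
}

/* The patch's extra clause: add maximum_size to the (possibly wrapped)
   sum and look for a second wrap. */
static bool fits_patch(uint64_t offset, uint64_t size, uint64_t maximum_size)
{
  return !(offset + size > maximum_size
           || (offset + size + maximum_size < maximum_size));
}

/* Subtraction form, the same shape as the elf_begin.c hunks: the first
   clause guards the subtraction, so nothing can wrap and no separate
   overflow test is needed. */
static bool fits_safe(uint64_t offset, uint64_t size, uint64_t maximum_size)
{
  return !(offset > maximum_size || maximum_size - offset < size);
}

int main(void)
{
  /* Constructed values: a 4 KiB "file" and a header whose offset is at the
     top of the 64-bit range with a tiny size, so offset + size wraps to 1.
     Only the subtraction form rejects it. */
  const uint64_t max = 4096;
  const uint64_t off = UINT64_MAX, sz = 2;
  printf("naive=%d patch=%d safe=%d\n",
         fits_naive(off, sz, max), fits_patch(off, sz, max),
         fits_safe(off, sz, max));
  return 0;
}
```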