This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] x86/CET: Don't parse beyond the note end
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, "Carlos O'Donell" <carlos at redhat dot com>
- Date: Fri, 27 Jul 2018 11:47:07 -0700
- Subject: Re: [PATCH] x86/CET: Don't parse beyond the note end
- References: <CAMe9rOoAQgbtMzftq6UOG_dMvUL3EtAu2Gk3bu_7=Rdt27F+qw@mail.gmail.com> <0349e9ae-b452-f358-ed8d-889866ce0767@redhat.com>
On Fri, Jul 27, 2018 at 11:26 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 07/27/2018 08:22 PM, H.J. Lu wrote:
>>
>> - while (1)
>> + while (ptr < ptr_end)
>> {
>> unsigned int type = *(unsigned int *) ptr;
>> unsigned int datasz = *(unsigned int *) (ptr + 4);
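Review bot: the new condition "while (ptr < ptr_end)" only guarantees that one byte is left, but the two loads that follow read 8 bytes (type at ptr, datasz at ptr + 4), so on its own the check does not prevent a read past the note end. Either tighten it to something like "while (ptr_end - ptr >= 8)" or add a comment at the loop stating the invariant the code relies on (n_descsz is at least 8 and a multiple of sizeof (ElfW(Addr)), and ptr only ever advances by aligned amounts, so the remainder is always 0 or at least 8). The same hunk should also show datasz being checked against ptr_end - ptr - 8 before it is used to advance ptr, since datasz comes from the input file.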
>
>
> You check for 1 byte, but need 8 bytes. Why is checking for at least 1 byte
> sufficient here?
>
There is:
  /* Check for invalid property.  */
  if (note->n_descsz < 8
      || (note->n_descsz % sizeof (ElfW(Addr))) != 0)
    break;
before that. n_descsz should be correct.
--
H.J.
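Added example (not glibc code and not from either poster): a stand-alone bounds-checked walk over the descriptor of an NT_GNU_PROPERTY_TYPE_0 note, showing the two checks the thread is about: the n_descsz check H.J. quotes, and a loop that requires the full 8-byte property header, plus the datasz payload, to lie inside the note before reading it. The GNU_PROPERTY_* constants are the ones defined in elf.h; the 8-byte entry alignment (PROP_ALIGN), the function and sample names, and the 16-byte sample descriptors are assumptions made here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Property type and feature bits as defined in <elf.h> (glibc/binutils).  */
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002U
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1U << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1U << 1)

/* Assumed alignment of each property entry: 8 bytes, i.e. sizeof (ElfW(Addr))
   on ELF64.  A 32-bit parser would use 4.  */
#define PROP_ALIGN ((size_t) 8)

/* Host-endian 4-byte load/store via memcpy: no unaligned access, and the
   constructed samples below are written the same way, so they match.
   A real ELF reader would honour e_ident[EI_DATA].  */
static uint32_t get_u32 (const unsigned char *p)
{
  uint32_t v;
  memcpy (&v, p, sizeof v);
  return v;
}

static void put_u32 (unsigned char *p, uint32_t v)
{
  memcpy (p, &v, sizeof v);
}

/* Walk the descriptor of an NT_GNU_PROPERTY_TYPE_0 note.  On success store
   the GNU_PROPERTY_X86_FEATURE_1_AND value (0 if absent) in *features and
   return 0; return -1 if any header or payload would extend past the end.  */
int parse_x86_feature_1 (const unsigned char *desc, size_t descsz,
                         uint32_t *features)
{
  /* Same entry check as the glibc snippet quoted in the thread.  */
  if (descsz < 8 || descsz % PROP_ALIGN != 0)
    return -1;

  const unsigned char *ptr = desc;
  const unsigned char *ptr_end = desc + descsz;
  *features = 0;

  /* Require the whole 8-byte header to be present, not just one byte.  */
  while ((size_t) (ptr_end - ptr) >= 8)
    {
      uint32_t type = get_u32 (ptr);
      uint32_t datasz = get_u32 (ptr + 4);
      ptr += 8;

      /* datasz comes from the input file: it must fit in what remains.  */
      if (datasz > (size_t) (ptr_end - ptr))
        return -1;

      if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
        {
          if (datasz != 4)
            return -1;
          *features = get_u32 (ptr);
        }

      /* Skip the payload rounded up to the entry alignment; the rounded
         size is re-checked so padding cannot carry ptr past ptr_end.  */
      size_t padded = (datasz + PROP_ALIGN - 1) & ~(PROP_ALIGN - 1);
      if (padded > (size_t) (ptr_end - ptr))
        return -1;
      ptr += padded;
    }

  /* 1..7 trailing bytes would be a truncated header.  */
  return ptr == ptr_end ? 0 : -1;
}

/* Constructed 16-byte sample (not taken from a real binary): one
   FEATURE_1_AND entry claiming `datasz` bytes, IBT|SHSTK payload, padding.  */
static void build_sample (unsigned char buf[16], uint32_t datasz)
{
  memset (buf, 0, 16);
  put_u32 (buf, GNU_PROPERTY_X86_FEATURE_1_AND);
  put_u32 (buf + 4, datasz);
  put_u32 (buf + 8, GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK);
}

/* Returns the parsed feature bits, or -1 if the parser rejected the input.  */
static long run_sample (uint32_t datasz, size_t descsz)
{
  unsigned char buf[16];
  build_sample (buf, datasz);
  uint32_t f;
  return parse_x86_feature_1 (buf, descsz, &f) == 0 ? (long) f : -1;
}

long demo_well_formed (void) { return run_sample (4, 16); }    /* IBT|SHSTK = 3 */
long demo_oversized (void)   { return run_sample (100, 16); }  /* datasz > remaining */
long demo_truncated (void)   { return run_sample (4, 12); }    /* 12 % 8 != 0 */

int main (void)
{
  printf ("well-formed: %ld, oversized datasz: %ld, truncated: %ld\n",
          demo_well_formed (), demo_oversized (), demo_truncated ());
  return 0;
}
```

The loop condition is the point of Florian's question: "ptr < ptr_end" accepts a position with one byte left, while the header read needs eight. Checking the remaining length against 8 (and the payload against what is left after the header) makes the parser correct on its own, without depending on the caller's n_descsz check and the alignment of every advance to keep the remainder a multiple of 8.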