This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug backends/24084] Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf

From: "mark at klomp dot org" <sourceware-bugzilla at sourceware dot org>
To: elfutils-devel at sourceware dot org
Date: Wed, 16 Jan 2019 11:35:38 +0000
Subject: [Bug backends/24084] Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf
Auto-submitted: auto-generated
References: <bug-24084-10460@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=24084

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |FIXED

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #0)
> Negative-size-param when calling memcpy function in elf_cvt_note function in
> libelf the latest elfutils-0.174 code base, this inputs will cause the
> segment faults and I have confirmed them with address sanitizer too. 

Nice find. Replicated under valgrind with the reproducer.
The root cause is a wrong overflow check.
The code wanted to make sure we had at least enough room for the header,
but got the size of the header wrong. It had hardcoded the size as 8 bytes,
but it should have been 12 bytes.

Fixed as follows:

commit e65d91d21cb09d83b001fef9435e576ba447db32
Author: Mark Wielaard <mark@klomp.org>
Date:   Wed Jan 16 12:25:57 2019 +0100

    libelf: Correct overflow check in note_xlate.

    We want to make sure the note_len doesn't overflow and becomes shorter
    than the note header. But the namesz and descsz checks got the note header
    size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).

    https://sourceware.org/bugzilla/show_bug.cgi?id=24084

    Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5923c85..5783f0c 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2019-01-16  Mark Wielaard  <mark@klomp.org>
+
+       * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
+       overflow note_len into note header.
+
 2018-11-17  Mark Wielaard  <mark@klomp.org>

        * elf32_updatefile.c (updatemmap): Make sure to call convert
diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
index 9bdc3e2..bc9950f 100644
--- a/libelf/note_xlate.h
+++ b/libelf/note_xlate.h
@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int
encode,
       /* desc needs to be aligned.  */
       note_len += n->n_namesz;
       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
        break;

       /* data as a whole needs to be aligned.  */
       note_len += n->n_descsz;
       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
-      if (note_len > len || note_len < 8)
+      if (note_len > len || note_len < sizeof *n)
        break;

       /* Copy or skip the note data.  */

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug backends/24084] New: Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the ".//eu-elflint -
  - From: wcventure at 126 dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]