


[PATCH 2/3] libelf: Fix possible unbounded stack usage in getphdr_wrlock.


When a copy needs to be made of the phdrs, allocate with malloc and free
after conversion instead of calling alloca.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libelf/ChangeLog       |  5 +++++
 libelf/elf32_getphdr.c | 18 ++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4fd3f9f..65f9112 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,10 @@
 2015-05-31  Mark Wielaard  <mjw@redhat.com>
 
+	* elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
+	alloca and free after conversion when a copy needs to be made.
+
+2015-05-31  Mark Wielaard  <mjw@redhat.com>
+
 	* elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
 	malloc, not alloca also in !ALLOW_UNALIGNED case.
 
diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 1b82a48..38e489d 100644
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -141,13 +141,20 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 		}
 	      else
 		{
-		  if (ALLOW_UNALIGNED
-		      || ((uintptr_t) file_phdr
-			  & (__alignof__ (ElfW2(LIBELFBITS,Phdr)) - 1)) == 0)
+		  bool copy = ! (ALLOW_UNALIGNED
+				 || ((uintptr_t) file_phdr
+				     & (__alignof__ (ElfW2(LIBELFBITS,Phdr))
+					- 1)) == 0);
+		  if (! copy)
 		    notcvt = file_phdr;
 		  else
 		    {
-		      notcvt = (ElfW2(LIBELFBITS,Phdr) *) alloca (size);
+		      notcvt = (ElfW2(LIBELFBITS,Phdr) *) malloc (size);
+		      if (unlikely (notcvt == NULL))
+			{
+			  __libelf_seterrno (ELF_E_NOMEM);
+			  goto out;
+			}
 		      memcpy (notcvt, file_phdr, size);
 		    }
 
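Review bot: The new `goto out` after the failed `malloc` is an early exit taken after `phdr` itself has already been allocated earlier in getphdr_wrlock (outside this hunk), so unless the `out:` path releases that buffer and resets whatever elf state already points at it, the error route leaks `phdr` or leaves a half-initialised table attached; worth confirming, or freeing it before the jump. The `(ElfW2(LIBELFBITS,Phdr) *)` cast on `malloc` is unnecessary in C, though it only mirrors the alloca line it replaces. `bool` needs `<stdbool.h>` in scope; presumably libelfP.h already provides it, as elfutils uses `bool` widely. The enclosing getphdr_wrlock starts and ends outside the hunk.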
@@ -162,6 +169,9 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 		      CONVERT_TO (phdr[cnt].p_flags, notcvt[cnt].p_flags);
 		      CONVERT_TO (phdr[cnt].p_align, notcvt[cnt].p_align);
 		    }
+
+		  if (copy)
+		    free (notcvt);
 		}
 	    }
 	}
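Review bot: The `free (notcvt)` only runs on the fall-through path after the conversion loop; the lines between this hunk and the previous one (old lines 154–161) are not visible, so if any early exit exists there the copied buffer leaks. Since `copy` is true exactly when `notcvt` was allocated rather than aliased to `file_phdr`, the flag could be dropped and the release written as `if (notcvt != file_phdr) free (notcvt);`, keeping the ownership test next to the pointer it guards. getphdr_wrlock continues past this hunk.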
-- 
2.4.2

