[PATCH] libelf: Add n_namesz offset overflow check to gelf_get_note.

Mark Wielaard mark@klomp.org
Wed May 1 13:56:00 GMT 2019


During fuzzing of the new xlate_notes testcase I noticed that
gelf_get_note didn't check whether the n_namesz of a note was
too big. This could lead to offset wrapping around, causing an
infinite loop going over all ELF notes. Fix by adding an overflow
check before updating offset.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libelf/ChangeLog      | 5 +++++
 libelf/gelf_getnote.c | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5eadaf7..924ff59 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2019-05-01  Mark Wielaard  <mark@klomp.org>
+
+	* gelf_getnote.c (gelf_getnote): Check n_namesz doesn't overflow
+	offset.
+
 2019-04-30  Mark Wielaard  <mark@klomp.org>
 
 	* note_xlate.h (elf_cvt_note): Indicate we only translated the note
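Review bot: the ChangeLog entry "Check n_namesz doesn't overflow offset" records the fix but not the symptom; since the commit message explains that the wrapped offset produced an infinite loop over the notes, repeating that in the entry (e.g. "... to avoid an infinite loop when iterating notes") would make it easier to find when the behaviour is bisected later.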
diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c
index 6d33b35..0f7b9d6 100644
--- a/libelf/gelf_getnote.c
+++ b/libelf/gelf_getnote.c
@@ -80,11 +80,12 @@ gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result,
 	     the offset, after adding the namesz, and include padding
 	     in descsz to get to the end.  */
 	  *name_offset = offset;
-	  offset += n->n_namesz;
-	  if (offset > data->d_size)
+	  if (n->n_namesz > data->d_size
+	      || offset > data->d_size - n->n_namesz)
 	    offset = 0;
 	  else
 	    {
+	      offset += n->n_namesz;
 	      /* Include padding.  Check below for overflow.  */
 	      GElf_Word descsz = (data->d_type == ELF_T_NHDR8
 				  ? NOTE_ALIGN8 (n->n_descsz)
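Review bot: the new guard `if (n->n_namesz > data->d_size || offset > data->d_size - n->n_namesz)` is the right shape, because the first clause keeps the subtraction in the second clause from underflowing and the sum `offset + n_namesz` is never formed, so the wrap described in the commit message cannot occur; however nothing at the site says why the check is written in subtractive form, and a one-line comment such as `/* Written this way so offset + n_namesz cannot wrap.  */` above it would keep a later cleanup from turning it back into the additive `offset += n_namesz; if (offset > data->d_size)` that this patch removes. Since the commit message says the bug was found by fuzzing the xlate_notes testcase, consider adding a fixed note with an oversized n_namesz to that test so the regression stays covered.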
-- 
1.8.3.1
