* [committed] Fix dynamic-stack-buffer-overflow (write_dso, sorted_section_numbers)
@ 2019-01-01 0:00 Tom de Vries
From: Tom de Vries @ 2019-01-01 0:00 UTC
To: dwz, jakub
Hi,
We're currently using an idiom:
...
for (i = 1, j = sorted_section_numbers[i];
     i < (dso->ehdr.e_shnum + 1);
     ++i, j = sorted_section_numbers[i])
...
When the loop increment sets i to (dso->ehdr.e_shnum + 1), we access
sorted_section_numbers[dso->ehdr.e_shnum + 1] (just before failing the loop
test and exiting the loop), which means we load a value past the end of the
array (although we do not use the value).
Fix the dynamic-stack-buffer-overflow by rewriting to:
...
for (i = 1; i < (dso->ehdr.e_shnum + 1); ++i)
  {
    j = sorted_section_numbers[i];
    ...
Committed to trunk.
Thanks,
- Tom
Fix dynamic-stack-buffer-overflow (write_dso, sorted_section_numbers)
2019-06-27 Tom de Vries <tdevries@suse.de>
* dwz.c (verify_sections, calculate_section_distance, write_dso):
Don't read past end of sorted_section_numbers.
---
dwz.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/dwz.c b/dwz.c
index dd6da31..342a742 100644
--- a/dwz.c
+++ b/dwz.c
@@ -10434,10 +10434,10 @@ verify_sections (DSO *dso, unsigned int *sorted_section_numbers,
= dso->ehdr.e_shentsize * ehdr.e_shnum;
prev = -1;
- for (i = 1, j = sorted_section_numbers[i];
- i < (dso->ehdr.e_shnum + 1);
- ++i, j = sorted_section_numbers[i], prev = update_prev)
+ for (i = 1; i < (dso->ehdr.e_shnum + 1); ++i, prev = update_prev)
{
+ j = sorted_section_numbers[i];
+
if (j != dso->ehdr.e_shnum && dso->shdr[j].sh_type == SHT_NOBITS)
{
update_prev = prev;
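Review bot: moving `j = sorted_section_numbers[i];` into the body is the right fix, since the load now happens only after `i < (dso->ehdr.e_shnum + 1)` has been checked; for consistency with the write_dso loops later in this patch the bound could read `i <= dso->ehdr.e_shnum`, and a short comment that sorted_section_numbers holds e_shnum + 1 entries (indices 1..e_shnum, with the value e_shnum as the sentinel tested on the next line) would document the invariant the bound relies on.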
@@ -10484,10 +10484,10 @@ calculate_section_distance (DSO *dso, unsigned int *sorted_section_numbers,
= dso->ehdr.e_shentsize * dso->ehdr.e_shnum;
prev = -1;
- for (i = 1, j = sorted_section_numbers[i];
- i < (dso->ehdr.e_shnum + 1);
- ++i, j = sorted_section_numbers[i], prev = update_prev)
+ for (i = 1; i < (dso->ehdr.e_shnum + 1); ++i, prev = update_prev)
{
+ j = sorted_section_numbers[i];
+
if (j != dso->ehdr.e_shnum && dso->shdr[j].sh_type == SHT_NOBITS)
{
update_prev = prev;
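Review bot: this loop is now identical to the one in verify_sections above, including the `update_prev` bookkeeping in the increment, so a shared helper would keep the two from drifting apart the next time one is touched; separately, the context line `= dso->ehdr.e_shentsize * dso->ehdr.e_shnum;` here differs from verify_sections' `= dso->ehdr.e_shentsize * ehdr.e_shnum;` (a local `ehdr` rather than `dso->ehdr`), which is outside this patch but worth confirming is intentional.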
@@ -10668,9 +10668,9 @@ write_dso (DSO *dso, const char *file, struct stat *st)
GElf_Off last_shoff = 0;
int k = -1;
int l;
- for (l = 1, j = sorted_section_numbers[l]; l <= dso->ehdr.e_shnum;
- ++l, j = sorted_section_numbers[l])
+ for (l = 1; l <= dso->ehdr.e_shnum; ++l)
{
+ j = sorted_section_numbers[l];
if (j == dso->ehdr.e_shnum)
continue;
else if (dso->shdr[j].sh_offset < min_shoff && !last_shoff)
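Review bot: with `j` now assigned inside the body, its value after the loop is sorted_section_numbers[dso->ehdr.e_shnum] (the last valid element) rather than the past-the-end value the old increment left behind, so please check that nothing later in write_dso reads `j` after this loop expecting the old value; the `else` following `continue;` is also redundant and could be dropped while these lines are being touched.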
@@ -10691,9 +10691,9 @@ write_dso (DSO *dso, const char *file, struct stat *st)
}
}
last_shoff = min_shoff;
- for (l = k, j = sorted_section_numbers[l]; l <= dso->ehdr.e_shnum;
- ++l, j = sorted_section_numbers[l])
+ for (l = k; l <= dso->ehdr.e_shnum; ++l)
{
+ j = sorted_section_numbers[l];
if (j == dso->ehdr.e_shnum)
{
if (ehdr.e_ident[EI_CLASS] == ELFCLASS64)
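Review bot: this loop starts at `l = k`, and `k` is initialised to -1 in the previous hunk (`int k = -1;`); if the first loop can finish without assigning k, `-1 <= dso->ehdr.e_shnum` is true and the new body line `j = sorted_section_numbers[l];` reads index -1, which this patch does not address, so either confirm k is always set before this point or add an explicit `if (k < 0)` guard.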
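As an added illustration (not part of Tom's mail or the dwz sources), the two loop shapes from the mail side by side in C, over a constructed sorted_section_numbers array and a bounds-checked accessor that counts any index outside the array instead of reading it; E_SHNUM, checked_read, last_oob_count and the walk_* functions are assumptions made for this demo.

```c
/* Constructed stand-in for dwz's sorted_section_numbers: E_SHNUM + 1 entries,
   index 0 unused by the loops and the value E_SHNUM marking the section header
   table (the `j == dso->ehdr.e_shnum` case in the patch). */
#define E_SHNUM 4
static const unsigned int sorted_section_numbers[E_SHNUM + 1] = { 0, 3, 1, E_SHNUM, 2 };

static int oob_reads; /* reads outside the array during the last walk */

/* Bounds-checked accessor (demo only): an out-of-range index is counted and
   yields 0 instead of touching memory, so both loop shapes can be compared. */
static unsigned int checked_read(int i)
{
  if (i < 0 || i > E_SHNUM) { oob_reads++; return 0; }
  return sorted_section_numbers[i];
}

int last_oob_count(void) { return oob_reads; }

/* Original idiom: j is loaded in the increment expression, which runs before
   the loop test, so the final ++i reads index E_SHNUM + 1.  Returns the sum
   of the section numbers visited, skipping the sentinel. */
int walk_old_idiom(void)
{
  int i, sum = 0; unsigned int j;
  oob_reads = 0;
  for (i = 1, j = checked_read(i); i < (E_SHNUM + 1); ++i, j = checked_read(i))
    {
      if (j == E_SHNUM) continue;
      sum += (int) j;
    }
  return sum;
}

/* Rewritten form from the patch: the load moves into the body, after the
   test, so no index beyond E_SHNUM is read; `continue` still works because
   the next iteration reloads j.  Same traversal, same sum. */
int walk_new_idiom(void)
{
  int i, sum = 0;
  oob_reads = 0;
  for (i = 1; i < (E_SHNUM + 1); ++i)
    {
      unsigned int j = checked_read(i);
      if (j == E_SHNUM) continue;
      sum += (int) j;
    }
  return sum;
}
```

Both walks visit the same elements and return the same sum; only the old form records one read past the end, which is exactly what a sanitizer flags in dwz.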