From: Mark Wielaard <mjw@redhat.com>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Fri, 07 Nov 2014 12:51:15 +0100
Message-ID: <1415361075.19702.24.camel@bordewijk.wildebeest.org>
In-Reply-To: 20141106182543.A7A5E2C3AC8@topped-with-meat.com
On Thu, 2014-11-06 at 10:25 -0800, Roland McGrath wrote:
> > /* First see whether the information in the section header is
> > valid and it does not ask for too much. */
> > if (unlikely (offset + size > elf->maximum_size))
>
> This is not overflow-proof.
Missed that one. So the full fix would be as attached.
[-- Attachment #2: 0001-libelf-Correct-shdr-size-check-for-raw-getdata.patch --]
From 996a4373aeab8ffe397cb7e66cfdf56144c4b817 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Fri, 7 Nov 2014 12:47:16 +0100
Subject: [PATCH] libelf: Correct shdr size check for (raw) getdata.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libelf/ChangeLog | 6 ++++++
libelf/elf_begin.c | 8 ++++----
libelf/elf_getdata.c | 7 +++++--
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5ad20a6..dd0a755 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-07 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (file_read_elf): Correct sh_size check.
+ * elf_getdata.c (__libelf_set_rawdata_wrlock): Check for unsigned
+ overflow.
+
2014-09-10 Petr Machata <pmachata@redhat.com>
* elf_begin (read_unmmaped_file): Call __libelf_seterrno if the
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index c3ad140..5525a3b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -337,8 +337,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
elf->state.elf32.scns.data[cnt].shdr.e32 =
&elf->state.elf32.shdr[cnt];
if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
- <= elf->state.elf32.shdr[cnt].sh_size))
+ && likely (elf->state.elf32.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))
elf->state.elf32.scns.data[cnt].rawdata_base =
elf->state.elf32.scns.data[cnt].data_base =
((char *) map_address + offset
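Review bot: the new comparison is only overflow-safe because the preceding `sh_offset < maxsize` conjunct guarantees `maxsize - sh_offset` cannot wrap; a short comment on that line stating the dependency would help, given that the inverted form it replaces (`maxsize - sh_offset <= sh_size`, which accepted only sections reaching to or past the end of the file) survived review. The else path is not in the hunk; confirm that a header failing this test leaves `rawdata_base` and `data_base` NULL so the later getdata path re-validates instead of using a pointer past the mapping.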
@@ -428,8 +428,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
elf->state.elf64.scns.data[cnt].shdr.e64 =
&elf->state.elf64.shdr[cnt];
if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
- <= elf->state.elf64.shdr[cnt].sh_size))
+ && likely (elf->state.elf64.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf64.shdr[cnt].sh_offset))
elf->state.elf64.scns.data[cnt].rawdata_base =
elf->state.elf64.scns.data[cnt].data_base =
((char *) map_address + offset
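Review bot: this hunk is the elf32 hunk repeated with `elf64` substituted, and the two copies have already drifted once (the inverted check being fixed here). Consider a small static inline helper taking offset, size and maxsize that both paths call, and use the same helper from `__libelf_set_rawdata_wrlock` in elf_getdata.c, so the section-bounds test is written once rather than in three different shapes across the patch.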
diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c
index bc9f26a..33d35d6 100644
--- a/libelf/elf_getdata.c
+++ b/libelf/elf_getdata.c
@@ -243,8 +243,11 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn)
if (elf->map_address != NULL)
{
/* First see whether the information in the section header is
- valid and it does not ask for too much. */
- if (unlikely (offset + size > elf->maximum_size))
+ valid and it does not ask for too much. Check for unsigned
+ overflow. */
+ if (unlikely (offset + size > elf->maximum_size
+ || (offset + size + elf->maximum_size
+ < elf->maximum_size)))
{
/* Something is wrong. */
__libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
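Review bot: the added guard does not catch the wrap Roland pointed out. `offset + size + elf->maximum_size < elf->maximum_size` is true only when the three-term sum wraps; if `offset + size` itself wraps to a small value (offset a few bytes below the type's maximum, size 32, say), both halves of the condition are false and the header is accepted. Test the operands instead of the sum, in the same shape as the elf_begin.c hunks:
`if (unlikely (offset > elf->maximum_size || elf->maximum_size - offset < size))`
which performs no addition that can overflow and makes the new "Check for unsigned overflow" comment accurate.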
--
1.9.3
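Added example, not part of Mark's patch or of elfutils: it puts the pre-patch check, the guard from the attached patch and an overflow-safe rewrite side by side on a constructed section header, so the wrap Roland points at becomes visible. The `check_*` functions, the 4 KiB file size and the header values are constructed for the demonstration; the typedefs mirror the 64-bit ELF header field types.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Types match the 64-bit ELF section header fields the patch reads
   (sh_offset is Elf64_Off, sh_size is Elf64_Xword).  */
typedef uint64_t Elf64_Off;
typedef uint64_t Elf64_Xword;

/* Pre-patch test from __libelf_set_rawdata_wrlock.  Unsigned addition
   wraps, so a huge offset plus a small size can compare as "small".
   Returns 1 when the header would be accepted.  */
static int check_original (Elf64_Off offset, Elf64_Xword size, size_t maximum_size)
{
  return !(offset + size > maximum_size);
}

/* Guard from the attached patch.  The extra term only notices a wrap of
   (offset + size) + maximum_size, not a wrap of offset + size itself.  */
static int check_patch (Elf64_Off offset, Elf64_Xword size, size_t maximum_size)
{
  return !(offset + size > maximum_size
           || (offset + size + maximum_size < maximum_size));
}

/* Overflow-safe form, same shape as the elf_begin.c hunks: bound the
   offset first, then compare size against the bytes that remain, so no
   addition is performed that could wrap.  An empty section exactly at
   the end of the file (offset == maximum_size, size 0) is accepted.  */
static int check_safe (Elf64_Off offset, Elf64_Xword size, size_t maximum_size)
{
  return offset <= maximum_size && size <= maximum_size - offset;
}

int main (void)
{
  /* Constructed inputs: a 4 KiB mapped file and a section header whose
     sh_offset sits 16 bytes below 2^64 with sh_size 32, so the sum is 16.  */
  size_t maximum_size = 4096;
  Elf64_Off bad_offset = UINT64_MAX - 15;
  Elf64_Xword bad_size = 32;
  printf ("malformed header (offset=0x%" PRIx64 ", size=%" PRIu64 ", file=%zu):\n",
          bad_offset, bad_size, maximum_size);
  printf ("  original check accepts: %d\n", check_original (bad_offset, bad_size, maximum_size));
  printf ("  patch v1 check accepts: %d\n", check_patch (bad_offset, bad_size, maximum_size));
  printf ("  safe check accepts:     %d\n", check_safe (bad_offset, bad_size, maximum_size));
  /* A legitimate section ending exactly at the end of the file still passes.  */
  printf ("valid header (offset=4000, size=96) accepts: %d\n", check_safe (4000, 96, maximum_size));
  return 0;
}
```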