From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Fri, 07 Nov 2014 12:51:15 +0100
Message-ID: <1415361075.19702.24.camel@bordewijk.wildebeest.org>
In-Reply-To: 20141106182543.A7A5E2C3AC8@topped-with-meat.com

On Thu, 2014-11-06 at 10:25 -0800, Roland McGrath wrote:
> > /* First see whether the information in the section header is
> >    valid and it does not ask for too much.  */
> > if (unlikely (offset + size > elf->maximum_size))
>
> This is not overflow-proof.

Missed that one. So the full fix would be as attached.

Attachment: 0001-libelf-Correct-shdr-size-check-for-raw-getdata.patch (text/x-patch)

From 996a4373aeab8ffe397cb7e66cfdf56144c4b817 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Fri, 7 Nov 2014 12:47:16 +0100
Subject: [PATCH] libelf: Correct shdr size check for (raw) getdata.

Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libelf/ChangeLog     | 6 ++++++
 libelf/elf_begin.c   | 8 ++++----
 libelf/elf_getdata.c | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5ad20a6..dd0a755 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-07  Mark Wielaard  <mjw@redhat.com>
+
+	* elf_begin.c (file_read_elf): Correct sh_size check.
+	* elf_getdata.c (__libelf_set_rawdata_wrlock): Check for unsigned
+	overflow.
+
 2014-09-10  Petr Machata  <pmachata@redhat.com>
 
 	* elf_begin (read_unmmaped_file): Call __libelf_seterrno if the
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index c3ad140..5525a3b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -337,8 +337,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 	      elf->state.elf32.scns.data[cnt].shdr.e32 =
 		&elf->state.elf32.shdr[cnt];
 	      if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
-		  && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
-			     <= elf->state.elf32.shdr[cnt].sh_size))
+		  && likely (elf->state.elf32.shdr[cnt].sh_size
+			     <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))
 		elf->state.elf32.scns.data[cnt].rawdata_base =
 		  elf->state.elf32.scns.data[cnt].data_base =
 		  ((char *) map_address + offset
@@ -428,8 +428,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 	      elf->state.elf64.scns.data[cnt].shdr.e64 =
 		&elf->state.elf64.shdr[cnt];
 	      if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
-		  && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
-			     <= elf->state.elf64.shdr[cnt].sh_size))
+		  && likely (elf->state.elf64.shdr[cnt].sh_size
+			     <= maxsize - elf->state.elf64.shdr[cnt].sh_offset))
 		elf->state.elf64.scns.data[cnt].rawdata_base =
 		  elf->state.elf64.scns.data[cnt].data_base =
 		  ((char *) map_address + offset
diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c
index bc9f26a..33d35d6 100644
--- a/libelf/elf_getdata.c
+++ b/libelf/elf_getdata.c
@@ -243,8 +243,11 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn)
       if (elf->map_address != NULL)
 	{
 	  /* First see whether the information in the section header is
-	     valid and it does not ask for too much.  */
-	  if (unlikely (offset + size > elf->maximum_size))
+	     valid and it does not ask for too much.  Check for unsigned
+	     overflow.  */
+	  if (unlikely (offset + size > elf->maximum_size
+			|| (offset + size + elf->maximum_size
+			    < elf->maximum_size)))
 	    {
 	      /* Something is wrong.  */
 	      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
-- 
1.9.3
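Review bot: the ChangeLog hunk says only "Correct sh_size check" and "Check for unsigned overflow", and the commit message has no body at all, so nothing in the history records what was actually wrong: that the elf_begin.c comparison was inverted (it accepted a section only when it reached or ran past the end of the file) and that the elf_getdata.c sum could wrap. Since this is a fix for a reported crash on malformed input, a sentence in the commit body stating the two defects, and a reference to the report, would let a reader of the log judge the impact without re-deriving it from the diff.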
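Review bot: in the elf32 hunk of elf_begin.c the substantive change is the direction of the comparison, not just a rearrangement: the removed `maxsize - sh_offset <= sh_size` passed exactly the headers whose section extended to or beyond the end of the mapping and failed the well-formed ones, while `sh_size <= maxsize - sh_offset` is what was intended. Note that the subtraction `maxsize - sh_offset` cannot wrap only because `sh_offset < maxsize` is tested first in the same `&&` chain; that operand order is load-bearing and should not be "tidied" later, so a comment saying so on the `if` would be worth adding.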
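Review bot: the elf64 hunk of elf_begin.c is the same inverted comparison fixed in the same way, with only the `elf64` field names differing from the elf32 hunk. Two hand-copied bounds checks that must stay identical are how the elf32 and elf64 paths drift apart; consider hoisting the test into a small static helper taking `sh_offset`, `sh_size` and `maxsize` so that any later change to the check applies to both class variants at once.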
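Review bot: the added overflow test in the elf_getdata.c hunk does not catch the wrap it is meant to catch. `offset + size + elf->maximum_size < elf->maximum_size` is evaluated on the already-wrapped value of `offset + size`, so an `offset` just below the top of the unsigned range plus a small `size` (for example `offset = SIZE_MAX - 0xff`, `size = 0x200`, which wraps to `0x100`) yields a small sum that satisfies neither `offset + size > elf->maximum_size` nor the new clause, and the section is accepted with `offset` pointing far outside the mapping. Conversely, for any `maximum_size` below half the address space the new clause can only fire when the first comparison already fires, so it adds no rejection at all. Use the same non-wrapping shape the elf_begin.c hunks of this patch already use:
`if (unlikely (offset > elf->maximum_size`
`              || size > elf->maximum_size - offset))`
That form needs no addition, so the updated comment "Check for unsigned overflow" becomes accurate as well.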
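Roland's point that `offset + size > elf->maximum_size` is not overflow-proof, worked through as an added C example that is not elfutils code. It puts the check quoted in the thread, the variant from the attached patch, and the non-wrapping form side by side on a constructed section header whose `sh_offset + sh_size` wraps. The `struct shdr` and the `in_bounds_*` function names are illustrative only; a 64-bit `size_t` is assumed, as on the elf64 path of a 64-bit host.

```c
/* Added example, not libelf code: three shapes of the "does this section
   fit in the file?" check, run on a header whose offset + size wraps.
   Names below are illustrative; a 64-bit size_t is assumed.  */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Only the two section-header fields that matter for the bounds check.  */
struct shdr
{
  uint64_t sh_offset;   /* file offset of the section contents */
  uint64_t sh_size;     /* size of the section contents in bytes */
};

/* The check quoted in the thread.  Unsigned addition wraps silently, so a
   huge offset plus a small size can produce a tiny sum that looks in
   bounds.  Returns 1 when the header is accepted.  */
int
in_bounds_naive (const struct shdr *sh, size_t maximum_size)
{
  return !(sh->sh_offset + sh->sh_size > maximum_size);
}

/* The test from the attached patch, transcribed for comparison.  It adds
   maximum_size to the sum after that sum has already wrapped, so the carry
   lost in sh_offset + sh_size is never seen.  */
int
in_bounds_patch (const struct shdr *sh, size_t maximum_size)
{
  size_t offset = sh->sh_offset, size = sh->sh_size;
  return !(offset + size > maximum_size
	   || (offset + size + maximum_size < maximum_size));
}

/* Non-wrapping form: bound the offset first, then compare the size with
   the space that remains.  Neither expression can overflow.  */
int
in_bounds_safe (const struct shdr *sh, size_t maximum_size)
{
  if (sh->sh_offset > maximum_size)
    return 0;
  if (sh->sh_size > maximum_size - sh->sh_offset)
    return 0;
  return 1;
}

/* Constructed malformed header: sh_offset sits 0x100 bytes below 2^64, so
   adding sh_size = 0x200 wraps to 0x100, well inside a 4 KiB "file".  */
struct shdr
wrapping_header (void)
{
  struct shdr sh = { UINT64_MAX - 0xff, 0x200 };
  return sh;
}

int
main (void)
{
  struct shdr bad = wrapping_header ();
  size_t maximum_size = 4096;   /* pretend the mapping is 4 KiB long */
  /* naive and patch both accept the wrapped header; only safe rejects it */
  printf ("naive=%d patch=%d safe=%d\n",
	  in_bounds_naive (&bad, maximum_size),
	  in_bounds_patch (&bad, maximum_size),
	  in_bounds_safe (&bad, maximum_size));
  return 0;
}
```

Both `in_bounds_naive` and `in_bounds_patch` accept the wrapped header, after which `map_address + offset` would be computed from an offset far outside the mapping; `in_bounds_safe` rejects it and still accepts the boundary cases (a section ending exactly at the end of the file, an empty section at the end of the file) that a stricter check would wrongly refuse.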