public inbox for elfutils@sourceware.org
* [PATCH] readelf: Check count fits and doesn't overflow fptr in handle_file_note.
From: Mark Wielaard @ 2014-12-09 11:59 UTC
  To: elfutils-devel

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog | 5 +++++
 src/readelf.c | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 4771dc9..456e5a4 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-09  Mark Wielaard  <mjw@redhat.com>
+
+	* readelf.c (handle_file_note): Check count fits data section and
+	doesn't overflow fptr.
+
 2014-12-08  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (print_debug_exception_table): Report invalid data if
diff --git a/src/readelf.c b/src/readelf.c
index 1db54c6..c6d10f7 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9017,9 +9017,13 @@ handle_file_note (Elf *core, GElf_Word descsz, GElf_Off desc_pos)
       return;
     }
 
+  size_t addrsize = gelf_fsize (core, ELF_T_ADDR, 1, EV_CURRENT);
+  uint64_t maxcount = (size_t) (end - ptr) / (3 * addrsize);
+  if (count > maxcount)
+    goto fail;
+
   /* Where file names are stored.  */
-  unsigned char const *const fstart
-    = ptr + 3 * count * gelf_fsize (core, ELF_T_ADDR, 1, EV_CURRENT);
+  unsigned char const *const fstart = ptr + 3 * count * addrsize;
   char const *fptr = (char *) fstart;
 
   printf ("    %" PRId64 " files:\n", count);
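Review bot: the new check bounds fstart within [ptr, end) but says nothing about what is read through fptr afterwards: `char const *fptr = (char *) fstart;` still begins the file-name strings right after the address-triple table, and nothing in this hunk keeps those NUL-terminated reads below end, so the loop that follows needs its own end check if it does not already have one. Second, `gelf_fsize` returns 0 on failure, in which case `3 * addrsize` makes the maxcount computation a divide by zero; an `if (addrsize == 0) goto fail;` before the division is cheap insurance. Finally, since count is printed with PRId64 below, it may be signed; the comparison `count > maxcount` then promotes it to uint64_t, so a negative count is rejected as well, which is the desired behaviour but worth a short comment so the next reader does not have to re-derive it.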
-- 
1.8.3.1


* Re: [PATCH] readelf: Check count fits and doesn't overflow fptr in handle_file_note.
From: Mark Wielaard @ 2014-12-12 12:11 UTC
  To: elfutils-devel

On Tue, 2014-12-09 at 13:19 +0100, Mark Wielaard wrote:
> There is similar code in libdwfl. Make sure we don't overflow there too.

Both patches pushed to master.


* Re: [PATCH] readelf: Check count fits and doesn't overflow fptr in handle_file_note.
From: Mark Wielaard @ 2014-12-09 12:19 UTC
  To: elfutils-devel

There is similar code in libdwfl. Make sure we don't overflow there too.


[-- Attachment #2: 0001-libdwfl-Check-file-count-overflow-in-handle_file_not.patch --]

From 95673c9f3a5a64c8ca3a7cf2eb4a82ae6a14abc5 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Tue, 9 Dec 2014 13:16:23 +0100
Subject: [PATCH] libdwfl: Check file count overflow in handle_file_note.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdwfl/ChangeLog                    | 5 +++++
 libdwfl/dwfl_segment_report_module.c | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index b882f20..66e642f 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-09  Mark Wielaard  <mjw@redhat.com>
+
+	* dwfl_segment_report_module.c (handle_file_note): Check count doesn't
+	overflow.
+
 2014-12-07  Mark Wielaard  <mjw@redhat.com>
 
 	* relocate.c (relocate_section): Sanity check section overlap against
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index 827708e..898457f 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -158,6 +158,10 @@ handle_file_note (GElf_Addr module_start, GElf_Addr module_end,
   if (! buf_read_ulong (ei_data, sz, &ptr, end, NULL)) // page_size
     return NULL;
 
+  uint64_t maxcount = (size_t) (end - ptr) / (3 * sz);
+  if (count > maxcount)
+    return NULL;
+
   /* Where file names are stored.  */
   const char *fptr = ptr + 3 * count * sz;
 
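Review bot: same gap as in the readelf variant: the check guarantees `const char *fptr = ptr + 3 * count * sz;` does not land past end, but the file names read through fptr from that point on are not bounded by anything in this hunk, so the string walk that follows must check against end itself. The division also assumes sz is non-zero; sz is the word size handed to buf_read_ulong on the line above, so that holds here, but a one-line comment stating the invariant would make it explicit. Returning NULL is consistent with the failure path of the buf_read_ulong check directly above.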
-- 
1.8.3.1

