* [PATCH] libelf: Add some ar header sanity checking.
@ 2014-12-11 15:30 Mark Wielaard
0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2014-12-11 15:30 UTC (permalink / raw)
To: elfutils-devel
[-- Attachment #1: Type: text/plain, Size: 2133 bytes --]
Don't allow entries or size to overflow the parent file size.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libelf/ChangeLog | 6 ++++++
libelf/elf_begin.c | 15 ++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4860530..e4c5849 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2014-12-11 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (read_long_names): Check for offset overflow.
+ (__libelf_next_arhdr_wrlock): Likewise. Sanity check the ar_size.
+ Don't allow it to go beyond end of file.
+
2014-12-09 Mark Wielaard <mjw@redhat.com>
* elf_getarsym.c (elf_getarsym): Make sure n * w doesn't overflow.
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index d135dea..99a9c0a 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -673,7 +673,8 @@ read_long_names (Elf *elf)
{
if (elf->map_address != NULL)
{
- if (offset + sizeof (struct ar_hdr) > elf->maximum_size)
+ if ((size_t) offset > elf->maximum_size
+ || elf->maximum_size - offset < sizeof (struct ar_hdr))
return NULL;
/* The data is mapped. */
@@ -767,8 +768,10 @@ __libelf_next_arhdr_wrlock (elf)
if (elf->map_address != NULL)
{
/* See whether this entry is in the file. */
- if (unlikely (elf->state.ar.offset + sizeof (struct ar_hdr)
- > elf->start_offset + elf->maximum_size))
+ if (unlikely ((size_t) elf->state.ar.offset
+ > elf->start_offset + elf->maximum_size
+ || (elf->start_offset + elf->maximum_size
+ - elf->state.ar.offset) < sizeof (struct ar_hdr)))
{
/* This record is not anymore in the file. */
__libelf_seterrno (ELF_E_RANGE);
@@ -912,6 +915,12 @@ __libelf_next_arhdr_wrlock (elf)
INT_FIELD (ar_mode);
INT_FIELD (ar_size);
+ /* Truncated file? */
+ size_t maxsize;
+ maxsize = elf->maximum_size - elf->state.ar.offset - sizeof (struct ar_hdr);
+ if ((size_t) elf_ar_hdr->ar_size > maxsize)
+ elf_ar_hdr->ar_size = maxsize;
+
return 0;
}
--
1.8.3.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] libelf: Add some ar header sanity checking.
@ 2014-12-15 9:04 Mark Wielaard
0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2014-12-15 9:04 UTC (permalink / raw)
To: elfutils-devel
[-- Attachment #1: Type: text/plain, Size: 388 bytes --]
On Thu, 2014-12-11 at 16:30 +0100, Mark Wielaard wrote:
> Don't allow entries or size to overflow the parent file size.
>
> +2014-12-11 Mark Wielaard <mjw@redhat.com>
> +
> + * elf_begin.c (read_long_names): Check for offset overflow.
> + (__libelf_next_arhdr_wrlock): Likewise. Sanity check the ar_size.
> + Don't allow it to go beyond end of file.
I pushed this to master.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-12-15 9:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-12-11 15:30 [PATCH] libelf: Add some ar header sanity checking Mark Wielaard
2014-12-15 9:04 Mark Wielaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).