From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm
Message-ID: <1513793099.3236.21.camel@klomp.org>
Subject: Re: [PATCH 1/2 v2] Don't overflow in __libdw_in_section
From: Mark Wielaard
To: Ulf Hermann, elfutils-devel@sourceware.org
Date: Wed, 20 Dec 2017 18:05:00 -0000
In-Reply-To: <8b4e21a8-6328-5f05-664c-004d92461ed1@qt.io>
References: <5ae489eb-3981-24b4-294a-734b1c52731d@qt.io> <1513259021.15696.80.camel@klomp.org> <8b4e21a8-6328-5f05-664c-004d92461ed1@qt.io>
X-SW-Source: 2017-q4/txt/msg00115.txt.bz2

On Thu, 2017-12-14 at 14:55 +0100, Ulf Hermann wrote:
> On 12/14/2017 02:43 PM, Mark Wielaard wrote:
> > The transformation seems correct. But if we can overflow/underflow
> > here, do we have the same problem in __libdw_offset_in_section
> > where we
> >   check data->d_size - offset < size, with offset a Dwarf_Off?
> 
> Probably we have the same problem there. I didn't catch any instances
> of it, though.

It is surprising we didn't see more issues with this code.
There is also the fake loc cu that fetches data from a different section.
I updated both functions as attached.

Cheers,

Mark

[Attachment: 0002-Don-t-overflow-in-__libdw_in_section-and-__libdw_off.patch (text/x-patch), decoded from base64]

From 0d100f63db640c533748a7adaa099499b2d2d4b0 Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Tue, 9 May 2017 18:28:33 +0200
Subject: [PATCH 2/2] Don't overflow in __libdw_in_section and
 __libdw_offset_in_section.

This exposes a bug in dwarf_formstring as detected by the dwarf-getmacros
test before we made sure to use the correct sec_idx for the CU.

Signed-off-by: Ulf Hermann <ulf.hermann@qt.io>
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdw/ChangeLog | 7 +++++++
 libdw/libdwP.h  | 6 ++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 22b7bf4..eb1cb70 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,10 @@
+2017-05-09  Ulf Hermann  <ulf.hermann@qt.io>
+	    Mark Wielaard  <mark@klomp.org>
+
+	* libdwP.h (__libdw_in_section): Fix check for the upper border of
+	the range.
+	(__libdw_offset_in_section): Likewise.
+
 2017-12-20  Mark Wielaard  <mark@klomp.org>
 
 	* libdwP.h (struct Dwarf_CU): Add sec_idx field.
diff --git a/libdw/libdwP.h b/libdw/libdwP.h
index f524347..82b47d0 100644
--- a/libdw/libdwP.h
+++ b/libdw/libdwP.h
@@ -628,7 +628,8 @@ __libdw_offset_in_section (Dwarf *dbg, int sec_index,
   if (data == NULL)
     return -1;
   if (unlikely (offset > data->d_size)
-      || unlikely (data->d_size - offset < size))
+      || unlikely (data->d_size < size)
+      || unlikely (offset > data->d_size - size))
     {
       __libdw_seterrno (DWARF_E_INVALID_OFFSET);
       return -1;
@@ -645,7 +646,8 @@ __libdw_in_section (Dwarf *dbg, int sec_index,
   if (data == NULL)
     return false;
   if (unlikely (addr < data->d_buf)
-      || unlikely (data->d_size - (addr - data->d_buf) < size))
+      || unlikely (data->d_size < size)
+      || unlikely ((size_t)(addr - data->d_buf) > data->d_size - size))
     {
       __libdw_seterrno (DWARF_E_INVALID_OFFSET);
       return false;
-- 
1.8.3.1
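Review bot: the ChangeLog hunk inserts an entry dated 2017-05-09 above the existing 2017-12-20 entry, but libdw/ChangeLog is kept newest-first, so the new entry should carry the date it is actually committed rather than the date of Ulf's original patch. The entry text "Fix check for the upper border of the range" also does not say what was wrong; a few words noting that the old `d_size - ...` subtraction could wrap would help anyone reading the log later.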
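Review bot: in the `__libdw_offset_in_section` hunk the retained first term `offset > data->d_size` is now implied by the two added terms (if `offset > d_size` then either `d_size < size` or `offset > d_size - size` holds), and it was also what kept the old `data->d_size - offset` from wrapping, so this hunk does not change behaviour; that is fine as a consistency change, but either drop the redundant term or add a one-line comment saying that `data->d_size < size` is tested first precisely so that `data->d_size - size` cannot wrap, so a later cleanup does not reorder the conditions.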
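Review bot: the `__libdw_in_section` hunk is the one that closes a real hole: the old form bounded `addr` only from below, so for an address past the end of the section `data->d_size - (addr - data->d_buf)` wrapped to a large value, `< size` was false, and the range was accepted. The new form fixes that, but `(size_t)(addr - data->d_buf)` still assumes `addr` points into the same allocation as `d_buf`; pointer subtraction across distinct objects is undefined in C, and the mail mentions the fake loc CU fetching data from a different section, so it is worth confirming that no caller passes an `addr` derived from another section's buffer (or compare as `uintptr_t` instead). A regression test feeding a form whose target lands just past the section end would pin this behaviour down.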
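As an added example (not code from this message or from elfutils), the following models the pre-patch and patched forms of both checks on a constructed buffer. `struct section_data` stands in for libdw's `Elf_Data`; the `*_old`/`*_new` functions, `example_section` and `example_addr` are assumed helper names. It shows why the old `__libdw_in_section` logic accepts an address past the end of the section, and confirms exhaustively that the offset-based check, which already rejected `offset > d_size` before subtracting, behaves identically before and after the patch.

```c
/* Added example (not elfutils code): pre-patch vs patched bounds checks
   on a constructed buffer.  Names are assumptions, not libdw's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct section_data
{
  const unsigned char *d_buf;  /* start of the section's bytes */
  size_t d_size;               /* number of valid bytes at d_buf */
};

/* Constructed sample: a 64-byte backing array of which only the first 16
   bytes are "the section", so a pointer past the section end still lies in
   one object and pointer subtraction on it is well defined. */
enum { BACKING_LEN = 64, SECTION_LEN = 16 };
static unsigned char backing[BACKING_LEN];

struct section_data
example_section (void)
{
  struct section_data d = { backing, SECTION_LEN };
  return d;
}

/* Address off bytes into the backing array (off must be < BACKING_LEN). */
const unsigned char *
example_addr (size_t off)
{
  return backing + off;
}

/* Pre-patch __libdw_in_section logic: addr is never bounded from above, so
   for addr past the end d_size - (addr - d_buf) wraps to a huge unsigned
   value, "< size" is false, and the range is wrongly accepted. */
bool
in_section_old (const struct section_data *data,
                const unsigned char *addr, size_t size)
{
  if (addr < data->d_buf
      || data->d_size - (size_t) (addr - data->d_buf) < size)
    return false;
  return true;
}

/* Patched logic: reject size > d_size first so d_size - size cannot wrap,
   then require the start offset of the range to be at most that bound. */
bool
in_section_new (const struct section_data *data,
                const unsigned char *addr, size_t size)
{
  if (addr < data->d_buf
      || data->d_size < size
      || (size_t) (addr - data->d_buf) > data->d_size - size)
    return false;
  return true;
}

/* Pre-patch __libdw_offset_in_section logic (0 = ok, -1 = out of range). */
int
offset_in_section_old (const struct section_data *data,
                       uint64_t offset, size_t size)
{
  if (offset > data->d_size || data->d_size - offset < size)
    return -1;
  return 0;
}

/* Patched __libdw_offset_in_section logic. */
int
offset_in_section_new (const struct section_data *data,
                       uint64_t offset, size_t size)
{
  if (offset > data->d_size
      || data->d_size < size
      || offset > data->d_size - size)
    return -1;
  return 0;
}

/* The offset form rejected offset > d_size before subtracting, so the old
   subtraction never wrapped: confirm old and new agree on every (offset,
   size) pair up to twice the section length. */
bool
offset_checks_agree (void)
{
  struct section_data d = example_section ();
  for (uint64_t off = 0; off <= 2 * SECTION_LEN; ++off)
    for (size_t size = 0; size <= 2 * SECTION_LEN; ++size)
      if (offset_in_section_old (&d, off, size)
          != offset_in_section_new (&d, off, size))
        return false;
  return true;
}

int
main (void)
{
  struct section_data d = example_section ();
  size_t offs[] = { 8, 14, 16, 40 };
  for (size_t i = 0; i < sizeof offs / sizeof offs[0]; ++i)
    printf ("addr=d_buf+%-2zu size=4: old=%d new=%d\n", offs[i],
            in_section_old (&d, example_addr (offs[i]), 4),
            in_section_new (&d, example_addr (offs[i]), 4));
  printf ("offset checks agree: %d\n", offset_checks_agree ());
  return 0;
}
```

The interesting row is `d_buf+40`: the old check reports the 4-byte range as inside a 16-byte section because the subtraction wraps, while the new check rejects it. Testing `d_size < size` before computing `d_size - size` is what makes the patched form safe for every `size`, including values near `SIZE_MAX`.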