public inbox for elfutils@sourceware.org
From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard <mark@klomp.org>
Subject: [PATCH] readelf: Break sysv[64] symbol hash bucket chain loops.
Date: Wed, 28 Mar 2018 19:32:00 -0000
Message-ID: <1522265528-4416-1-git-send-email-mark@klomp.org>

The bucket chain should not contain loops. If it does we should mark the
hash bucket chain as invalid. This is easily checked by noticing when we
have seen more than the number of chain elements, which equals the max
number of symbols in the table.

https://sourceware.org/bugzilla/show_bug.cgi?id=23011

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 src/ChangeLog | 6 ++++++
 src/readelf.c | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index 1ad6b3d..e8bd6bf 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2018-03-28  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (handle_sysv_hash): Break bucket chain after nchain
+	entries are found.
+	(handle_sysv_hash64): Likewise.
+
 2018-03-27  Mark Wielaard  <mark@klomp.org>
 
 	* readelf.c (attr_callback): Print dwarf_dieoffset as %PRIx64,
diff --git a/src/readelf.c b/src/readelf.c
index 4e35b61..226b19b 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3141,9 +3141,13 @@ handle_sysv_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
   for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
     {
       Elf32_Word inner = bucket[cnt];
+      Elf32_Word chain_len = 0;
       while (inner > 0 && inner < nchain)
 	{
 	  ++nsyms;
+	  ++chain_len;
+	  if (chain_len > nchain)
+	    goto invalid_data;
 	  if (maxlength < ++lengths[cnt])
 	    ++maxlength;
 
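Review bot: the bound in `if (chain_len > nchain)` is one step looser than the loop guard allows: `while (inner > 0 && inner < nchain)` only ever follows indices 1..nchain-1, so a loop-free chain has at most nchain-1 entries and `chain_len >= nchain` would flag a cycle one iteration earlier. The walk now terminates either way, but a cycle still costs up to nchain iterations for each bucket that reaches it before `goto invalid_data` fires, i.e. O(nbucket * nchain) on a crafted section; a visited bitmap over chain indices would bound the whole table to a single pass. A one-line comment on the check explaining why exceeding the chain length proves a loop would help the next reader.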
@@ -3198,9 +3202,13 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
   for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt)
     {
       Elf64_Xword inner = bucket[cnt];
+      Elf64_Xword chain_len = 0;
       while (inner > 0 && inner < nchain)
 	{
 	  ++nsyms;
+	  ++chain_len;
+	  if (chain_len > nchain)
+	    goto invalid_data;
 	  if (maxlength < ++lengths[cnt])
 	    ++maxlength;
 
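Review bot: same off-by-one as in handle_sysv_hash: with `inner < nchain` as the loop guard, `chain_len >= nchain` is the tight bound. The two loops are now identical apart from the Elf32_Word/Elf64_Xword types, so if the bound is tightened, change both places together (or consider factoring the chain walk so the check lives in one spot).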
-- 
1.8.3.1
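The check the commit message describes, as an added C example that is not elfutils code: a hypothetical `sysv_hash_walk` walks a constructed SysV hash layout (nbucket, nchain, bucket[], chain[]) and counts hops per bucket chain, treating nchain or more hops as proof of a cycle. Unlike readelf's loop guard, it also reports a link index at or past nchain as malformed instead of silently ending the chain; the sample tables are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Walk every bucket chain of a SysV .hash table.  Layout assumed here is the
   standard one: bucket[nbucket] holds the first symbol index per bucket and
   chain[nchain] links symbol index i to the next symbol in the same bucket,
   0 ending the chain.  Returns the number of symbols reached, or -1 when a
   chain is malformed: an index >= nchain, or a cycle.  A cycle-free chain can
   visit each of the nchain-1 non-zero slots at most once, so taking nchain
   or more hops proves a cycle without a visited set.  Hypothetical helper,
   not elfutils code. */
long
sysv_hash_walk (const uint32_t *bucket, uint32_t nbucket,
                const uint32_t *chain, uint32_t nchain)
{
  long nsyms = 0;
  for (uint32_t b = 0; b < nbucket; ++b)
    {
      uint32_t inner = bucket[b];
      uint32_t hops = 0;
      while (inner != 0)
        {
          if (inner >= nchain)   /* link points outside chain[]: corrupt */
            return -1;
          if (++hops >= nchain)  /* more hops than distinct slots: cycle */
            return -1;
          ++nsyms;
          inner = chain[inner];
        }
    }
  return nsyms;
}
/* Constructed sample tables: nbucket = 2, nchain = 4 (symbols 1..3). */
const uint32_t good_bucket[2] = { 1, 3 };
const uint32_t good_chain[4]  = { 0, 2, 0, 0 };  /* 1 -> 2 -> end; 3 -> end */
const uint32_t loop_bucket[2] = { 1, 0 };
const uint32_t loop_chain[4]  = { 0, 2, 1, 0 };  /* 1 -> 2 -> 1 -> ... cycle */
long check_good (void) { return sysv_hash_walk (good_bucket, 2, good_chain, 4); }
long check_loop (void) { return sysv_hash_walk (loop_bucket, 2, loop_chain, 4); }
int
main (void)
{
  printf ("good: %ld symbols\n", check_good ());   /* 3 */
  printf ("loop: %ld\n", check_loop ());           /* -1 */
  return 0;
}
```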
