From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [PATCH] readelf: Break sysv[64] symbol hash bucket chain loops. Date: Wed, 28 Mar 2018 19:32:00 -0000 Message-Id: <1522265528-4416-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q1/txt/msg00118.txt.bz2 The bucket chain should not contain loops. If it does we should mark the hash bucket chain as invalid. This is easily checked by noticing when we have seen more than the number of chain elements. Which equals the max number as symbols in the table. https://sourceware.org/bugzilla/show_bug.cgi?id=23011 Signed-off-by: Mark Wielaard --- src/ChangeLog | 6 ++++++ src/readelf.c | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/src/ChangeLog b/src/ChangeLog index 1ad6b3d..e8bd6bf 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,9 @@ +2018-03-28 Mark Wielaard + + * readelf.c (handle_sysv_hash): Break bucket chain after nchain + entries are found. + (handle_sysv_hash64): Likewise. + 2018-03-27 Mark Wielaard * readelf.c (attr_callback): Print dwarf_dieoffset as %PRIx64, diff --git a/src/readelf.c b/src/readelf.c index 4e35b61..226b19b 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -3141,9 +3141,13 @@ handle_sysv_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx) for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt) { Elf32_Word inner = bucket[cnt]; + Elf32_Word chain_len = 0; while (inner > 0 && inner < nchain) { ++nsyms; + ++chain_len; + if (chain_len > nchain) + goto invalid_data; if (maxlength < ++lengths[cnt]) ++maxlength; @@ -3198,9 +3202,13 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx) for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt) { Elf64_Xword inner = bucket[cnt]; + Elf64_Xword chain_len = 0; while (inner > 0 && inner < nchain) { ++nsyms; + ++chain_len; + if (chain_len > nchain) + goto invalid_data; if (maxlength < ++lengths[cnt]) ++maxlength; -- 1.8.3.1
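Review bot: In the handle_sysv_hash hunk the guard `if (chain_len > nchain) goto invalid_data;` fires one iteration later than necessary. The loop condition `inner > 0 && inner < nchain` only ever visits indices 1..nchain-1, so a loop-free chain can have at most nchain-1 elements, and `chain_len >= nchain` would already prove a cycle; with `>` the chain is walked nchain+1 times before being rejected. Either bound is safe (the walk is now finite, which is the point of the fix for the bugzilla entry cited above), but the tighter one matches the commit message's "more than the number of chain elements" more precisely. Also note that `++nsyms` and `++lengths[cnt]` run before the check, so on the invalid path those counters are already off by the bogus entries; that is harmless only if the `invalid_data` label does not report them, which this hunk does not show.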
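Review bot: The handle_sysv_hash64 hunk mirrors the 32-bit one and has the same off-by-one slack in `if (chain_len > nchain)`; `>=` would reject the cycle one step earlier for the same reason (valid indices are 1..nchain-1). Since the counter is per bucket, the worst case for a hostile section is now bounded by nbucket * nchain iterations rather than unbounded, which is what matters for the hang. A crafted .hash section with a self-referencing chain entry would make a cheap regression test for bug 23011 in the testsuite; the patch currently adds none.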