From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard <mark@klomp.org>
Subject: [PATCH] readelf: Calculate max_entries instead of needed bytes (and overflowing).
Date: Fri, 08 Jun 2018 21:33:00 -0000
Message-ID: <1528493613-23730-1-git-send-email-mark@klomp.org>
The afl fuzzer found that we would overflow the needed bytes when
calculating how many index entries would fit in the .debug_loclists
and .debug_rnglists tables. To fix this just calculate the max number
of entries. If the offset entry count is larger than that, do emit
an error, but print up to max_entries of offsets (so the user can
more clearly see what is wrong with their table).
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/ChangeLog | 7 +++++++
src/readelf.c | 12 ++++++------
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index ca1917a..8ebb5fb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,12 @@
2018-06-08 Mark Wielaard <mark@klomp.org>
+ * readelf.c (print_debug_rnglists_section): Calculate max_entries
+ instead of needed bytes to prevent overflowing. Always print
+ max_entries (but not more).
+ (print_debug_loclists_section): Likewise.
+
+2018-06-08 Mark Wielaard <mark@klomp.org>
+
* readelf.c (print_debug_line_section): Stop printing directories
and files when we are at the end of the unit data.
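Review bot: the wording "Always print max_entries (but not more)" in the new print_debug_rnglists_section entry can be read as printing exactly max_entries offsets even when the table declares fewer; the code change prints the declared offset_entry_count, clamped to max_entries when it is too large. Suggest "Print at most max_entries offsets" so the ChangeLog matches the behaviour.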
diff --git a/src/readelf.c b/src/readelf.c
index af78f17..bbaaf96 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -5656,12 +5656,12 @@ print_debug_rnglists_section (Dwfl_Module *dwflmod,
const unsigned char *offset_array_start = readp;
if (offset_entry_count > 0)
{
- uint64_t needed = offset_entry_count * offset_size;
- if (unit_length - 8 < needed)
+ uint64_t max_entries = (unit_length - 8) / offset_size;
+ if (offset_entry_count > max_entries)
{
error (0, 0,
gettext ("too many offset entries for unit length"));
- goto next_table;
+ offset_entry_count = max_entries;
}
printf (gettext (" Offsets starting at 0x%" PRIx64 ":\n"),
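Review bot: the new bound `uint64_t max_entries = (unit_length - 8) / offset_size;` removes the multiplication that could overflow, but it is only safe if unit_length is at least 8 and offset_size is non-zero; the unsigned subtraction wraps otherwise and max_entries becomes enormous, so it is worth confirming both are validated earlier in the function (neither check is visible in this hunk). Replacing `goto next_table;` with `offset_entry_count = max_entries;` keeps the error message but continues printing a clamped number of offsets, which matches the stated intent; consider stating in the error how many entries will be shown so the truncated output is self-explanatory.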
@@ -8864,12 +8864,12 @@ print_debug_loclists_section (Dwfl_Module *dwflmod,
const unsigned char *offset_array_start = readp;
if (offset_entry_count > 0)
{
- uint64_t needed = offset_entry_count * offset_size;
- if (unit_length - 8 < needed)
+ uint64_t max_entries = (unit_length - 8) / offset_size;
+ if (offset_entry_count > max_entries)
{
error (0, 0,
gettext ("too many offset entries for unit length"));
- goto next_table;
+ offset_entry_count = max_entries;
}
printf (gettext (" Offsets starting at 0x%" PRIx64 ":\n"),
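Review bot: this hunk is a verbatim copy of the rnglists change, so the same caveat applies: the division `(unit_length - 8) / offset_size` relies on unit_length >= 8 and offset_size != 0 having been checked before this point. Since the bound computation and the clamp `offset_entry_count = max_entries;` are now identical in print_debug_rnglists_section and print_debug_loclists_section, a small shared helper for the offset-table sanity check would keep the two copies from drifting apart in future fixes.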
--
1.8.3.1