From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 102475 invoked by alias); 8 Jun 2018 21:33:41 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 102462 invoked by uid 89); 8 Jun 2018 21:33:40 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 08 Jun 2018 21:33:38 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id A1507301470D; Fri, 8 Jun 2018 23:33:36 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 540EC413CB92; Fri, 8 Jun 2018 23:33:36 +0200 (CEST) From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [PATCH] readelf: Calculate max_entries instead of needed bytes (and overflowing). Date: Fri, 08 Jun 2018 21:33:00 -0000 Message-Id: <1528493613-23730-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q2/txt/msg00190.txt.bz2 The afl fuzzer found that we would overflow the needed bytes when calculating how many index entries would fit in the .debug_loclists and .debug_rnglists tables. To fix this just calculate the max number of entries. If the offset entry count is larger than that, do emit an error, but print up to max_entries of offsets (so the user can more clearly see what is wrong with their table). Signed-off-by: Mark Wielaard --- src/ChangeLog | 7 +++++++ src/readelf.c | 12 ++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index ca1917a..8ebb5fb 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,12 @@ 2018-06-08 Mark Wielaard + * readelf.c (print_debug_rnglists_section): Calculate max_entries + instead of needed bytes to prevent overflowing. Always print + max_entries (but not more). + (print_debug_loclists_section): Likewise. + +2018-06-08 Mark Wielaard + * readelf.c (print_debug_line_section): Stop printing directories and files when we are at the end of the unit data. diff --git a/src/readelf.c b/src/readelf.c index af78f17..bbaaf96 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -5656,12 +5656,12 @@ print_debug_rnglists_section (Dwfl_Module *dwflmod, const unsigned char *offset_array_start = readp; if (offset_entry_count > 0) { - uint64_t needed = offset_entry_count * offset_size; - if (unit_length - 8 < needed) + uint64_t max_entries = (unit_length - 8) / offset_size; + if (offset_entry_count > max_entries) { error (0, 0, gettext ("too many offset entries for unit length")); - goto next_table; + offset_entry_count = max_entries; } printf (gettext (" Offsets starting at 0x%" PRIx64 ":\n"), @@ -8864,12 +8864,12 @@ print_debug_loclists_section (Dwfl_Module *dwflmod, const unsigned char *offset_array_start = readp; if (offset_entry_count > 0) { - uint64_t needed = offset_entry_count * offset_size; - if (unit_length - 8 < needed) + uint64_t max_entries = (unit_length - 8) / offset_size; + if (offset_entry_count > max_entries) { error (0, 0, gettext ("too many offset entries for unit length")); - goto next_table; + offset_entry_count = max_entries; } printf (gettext (" Offsets starting at 0x%" PRIx64 ":\n"), -- 1.8.3.1