* [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow.
@ 2018-06-13 13:24 Mark Wielaard
2018-06-15 22:24 ` Mark Wielaard
0 siblings, 1 reply; 2+ messages in thread
From: Mark Wielaard @ 2018-06-13 13:24 UTC (permalink / raw)
To: elfutils-devel; +Cc: Mark Wielaard
Found by the afl fuzzer. The next offset (after a locview) comes from a
DIE loclist attribute. This could be a bogus value so large it overflows
the buffer and makes us print past the end of buffer.
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/ChangeLog | 5 +++++
src/readelf.c | 4 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 5f381cf..3d266e2 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-16 Mark Wielaard <mark@klomp.org>
+
+ * readelf.c (print_debug_loc_section): Make sure next_off doesn't
+ overflow d_buf.
+
2018-06-13 Mark Wielaard <mark@klomp.org>
* readelf.c (die_type_sign_bytes): New function.
diff --git a/src/readelf.c b/src/readelf.c
index 5e7061d..2e7378e 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9310,7 +9310,9 @@ print_debug_loc_section (Dwfl_Module *dwflmod,
listptr_idx);
const unsigned char *locp = readp;
const unsigned char *locendp;
- if (next_off == 0)
+ if (next_off == 0
+ || next_off > (size_t) (endp
+ - (const unsigned char *) data->d_buf))
locendp = endp;
else
locendp = (const unsigned char *) data->d_buf + next_off;
--
1.8.3.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow.
2018-06-13 13:24 [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow Mark Wielaard
@ 2018-06-15 22:24 ` Mark Wielaard
0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2018-06-15 22:24 UTC (permalink / raw)
To: elfutils-devel
On Wed, Jun 13, 2018 at 03:24:45PM +0200, Mark Wielaard wrote:
> Found by the afl fuzzer. The next offset (after a locview) comes from a
> DIE loclist attribute. This could be a bogus value so large it overflows
> the buffer and makes us print past the end of buffer.
Pushed to master.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-06-15 22:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-13 13:24 [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow Mark Wielaard
2018-06-15 22:24 ` Mark Wielaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).