From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 66452 invoked by alias); 13 Jun 2018 13:24:52 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 66359 invoked by uid 89); 13 Jun 2018 13:24:52 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 13 Jun 2018 13:24:50 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id EE517300092E; Wed, 13 Jun 2018 15:24:47 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id A44D0413CAAC; Wed, 13 Jun 2018 15:24:47 +0200 (CEST) From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow. Date: Wed, 13 Jun 2018 13:24:00 -0000 Message-Id: <1528896285-26993-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q2/txt/msg00212.txt.bz2 Found by the afl fuzzer. The next offset (after a locview) comes from a DIE loclist attribute. This could be a bogus value so large it overflows the buffer and makes us print past the end of buffer. Signed-off-by: Mark Wielaard --- src/ChangeLog | 5 +++++ src/readelf.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 5f381cf..3d266e2 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-06-16 Mark Wielaard + + * readelf.c (print_debug_loc_section): Make sure next_off doesn't + overflow d_buf. + 2018-06-13 Mark Wielaard * readelf.c (die_type_sign_bytes): New function. diff --git a/src/readelf.c b/src/readelf.c index 5e7061d..2e7378e 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -9310,7 +9310,9 @@ print_debug_loc_section (Dwfl_Module *dwflmod, listptr_idx); const unsigned char *locp = readp; const unsigned char *locendp; - if (next_off == 0) + if (next_off == 0 + || next_off > (size_t) (endp + - (const unsigned char *) data->d_buf)) locendp = endp; else locendp = (const unsigned char *) data->d_buf + next_off; -- 1.8.3.1