From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 117349 invoked by alias); 14 Oct 2018 14:49:06 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 117181 invoked by uid 89); 14 Oct 2018 14:48:55 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.100.1 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Sun, 14 Oct 2018 14:48:51 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id C385A3000468; Sun, 14 Oct 2018 16:48:36 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 43C4A413CD47; Sun, 14 Oct 2018 16:48:36 +0200 (CEST) From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [PATCH] libdwfl: Sanity check partial core file data reads. Date: Sun, 14 Oct 2018 14:49:00 -0000 Message-Id: <1539528510-15686-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q4/txt/msg00022.txt.bz2 There were two issues when reading note data from a core file. We didn't check if the data we already had in a buffer was big enough. And if we did get the data, we should check if we got everything, or just a part of the data. https://sourceware.org/bugzilla/show_bug.cgi?id=23752 Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog | 7 +++++++ libdwfl/dwfl_segment_report_module.c | 13 +++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index c5ea563..2e7efd4 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,10 @@ +2018-10-14 Mark Wielaard + + * dwfl_segment_report_module.c (read_portion): Check requested + filesz isn't larger than buffer_available. + (dwfl_segment_report_module): Check data_size vs filesz after + read_portion call. + 2018-10-02 Andreas Schwab * relocate.c (relocate): Handle ADD/SUB relocations. diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c index 36e5c82..8749884 100644 --- a/libdwfl/dwfl_segment_report_module.c +++ b/libdwfl/dwfl_segment_report_module.c @@ -1,5 +1,5 @@ /* Sniff out modules from ELF headers visible in memory segments. - Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. + Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. This file is part of elfutils. This file is free software; you can redistribute it and/or modify @@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, inline bool read_portion (void **data, size_t *data_size, GElf_Addr vaddr, size_t filesz) { - if (vaddr - start + filesz > buffer_available + /* Check whether we will have to read the segment data, or if it + can be returned from the existing buffer. */ + if (filesz > buffer_available + || vaddr - start > buffer_available - filesz /* If we're in string mode, then don't consider the buffer we have sufficient unless it contains the terminator of the string. */ || (filesz == 0 && memchr (vaddr - start + buffer, '\0', @@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, if (read_portion (&data, &data_size, vaddr, filesz)) return; + /* data_size will be zero if we got everything from the initial + buffer, otherwise it will be the size of the new buffer that + could be read. */ + if (data_size != 0) + filesz = data_size; + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); void *notes; -- 1.8.3.1