[PATCH] readelf: Make sure readp is smaller than cieend in print_debug_frame

public inbox for elfutils@sourceware.org
 help / color / mirror / Atom feed

* [PATCH] readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
@ 2018-10-16 12:22 Mark Wielaard
  2018-10-19 22:29 ` Mark Wielaard
  0 siblings, 1 reply; 2+ messages in thread
From: Mark Wielaard @ 2018-10-16 12:22 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Mark Wielaard

We could end up with a negative length in a call to memchr.

https://sourceware.org/bugzilla/show_bug.cgi?id=23782

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 src/ChangeLog |  5 +++++
 src/readelf.c | 12 ++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 8fb3deb..1b29bb8 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-10-16  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (print_debug_frame_section): Make sure readp is never
+	greater than cieend.
+
 2018-10-14  Mark Wielaard  <mark@klomp.org>
 
 	* ar.c (do_oper_extract): Assume epoch if ar_date is bogus.
diff --git a/src/readelf.c b/src/readelf.c
index bddcd70..e55fece 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -6598,18 +6598,24 @@ print_debug_frame_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 
       ptrdiff_t start = readp - (unsigned char *) data->d_buf;
       const unsigned char *const cieend = readp + unit_length;
-      if (unlikely (cieend > dataend || readp + 8 > dataend))
+      if (unlikely (cieend > dataend))
 	goto invalid_data;
 
       Dwarf_Off cie_id;
       if (length == 4)
 	{
+	  if (unlikely (cieend - readp < 4))
+	    goto invalid_data;
 	  cie_id = read_4ubyte_unaligned_inc (dbg, readp);
 	  if (!is_eh_frame && cie_id == DW_CIE_ID_32)
 	    cie_id = DW_CIE_ID_64;
 	}
       else
-	cie_id = read_8ubyte_unaligned_inc (dbg, readp);
+	{
+	  if (unlikely (cieend - readp < 8))
+	    goto invalid_data;
+	  cie_id = read_8ubyte_unaligned_inc (dbg, readp);
+	}
 
       uint_fast8_t version = 2;
       unsigned int code_alignment_factor;
@@ -6621,6 +6627,8 @@ print_debug_frame_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 
       if (cie_id == (is_eh_frame ? 0 : DW_CIE_ID_64))
 	{
+	  if (unlikely (cieend - readp < 2))
+	    goto invalid_data;
 	  version = *readp++;
 	  const char *const augmentation = (const char *) readp;
 	  readp = memchr (readp, '\0', cieend - readp);
-- 
1.8.3.1

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
  2018-10-16 12:22 [PATCH] readelf: Make sure readp is smaller than cieend in print_debug_frame_section Mark Wielaard
@ 2018-10-19 22:29 ` Mark Wielaard
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2018-10-19 22:29 UTC (permalink / raw)
  To: elfutils-devel

On Tue, 2018-10-16 at 14:22 +0200, Mark Wielaard wrote:
> We could end up with a negative length in a call to memchr.

Pushed to master.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-10-19 22:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-16 12:22 [PATCH] readelf: Make sure readp is smaller than cieend in print_debug_frame_section Mark Wielaard
2018-10-19 22:29 ` Mark Wielaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).