From mboxrd@z Thu Jan  1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============8529812963993599427=="
MIME-Version: 1.0
From: Mark Wielaard <mjw@redhat.com>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm,
 ...) with malformed file
Date: Tue, 11 Nov 2014 17:57:53 +0100
Message-ID: <20141111165753.GA11525@blokker.redhat.com>
In-Reply-To: 20141111145705.52983732@pc

--===============8529812963993599427==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 11, 2014 at 02:57:05PM +0100, Hanno B=C3=B6ck wrote:
> Am Tue, 11 Nov 2014 14:53:52 +0100
> schrieb Mark Wielaard <mjw@redhat.com>:
> =

> > On Tue, 2014-11-11 at 14:40 +0100, Hanno B=C3=B6ck wrote:
> > > I still get a bunch of crashers with correct LD_LIBRARY_PATH on
> > > readelf -a with 32 bit compile (CFLAGS=3D"-m32 -g"):
> > > sig:11,hash:378b8b26
> > > sig:11,hash:1aa8d351
> > > sig:11,hash:872fe371
> > > from attachment eu-readelf-crasher-hangs-2.tar.xz
> > > =

> > > and
> > > id:000113,src:000000,op:flip32,pos:5474
> > > id:000116,src:000000,op:flip32,pos:5554
> > > from attachment =

> > > /tmp/elfutils-nm-crasher.tar.xz
> > =

> > Could you attach or post those files somewhere?
> =

> These are all in attachments of previous mails in this thread:
> =

> eu-readelf-crasher-hangs-2.tar.xz
> https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004=
237.html
> =

> elfutils-nm-crasher.tar.xz
> https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004=
249.html

Aha, apparently I am unable to write correct overflow checks... sigh.

Please try the following:

diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c
index 33d35d6..a60f3db 100644
--- a/libelf/elf_getdata.c
+++ b/libelf/elf_getdata.c
@@ -245,9 +245,8 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn)
          /* First see whether the information in the section header is
             valid and it does not ask for too much.  Check for unsigned
             overflow.  */
-         if (unlikely (offset + size > elf->maximum_size
-                       || (offset + size + elf->maximum_size
-                           < elf->maximum_size)))
+         if (unlikely (offset > elf->maximum_size
+                       || elf->maximum_size - offset < size))
            {
              /* Something is wrong.  */
              __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);

Thansk,

Mark


--===============8529812963993599427==--