On Sat, Nov 29, 2014 at 08:40:58PM +0100, Mark Wielaard wrote:
> American Fuzzy Lop (afl-fuzz) has a habit of generating ELF files
> with relocations that when applied (or removed/cleared) change one
> of the in-memory ELF headers. There does not seem to be a valid reason
> for having section data that contain relocations or to which relocations
> are applied to overlap with one of the headers.
> [...]
> +  GElf_Off shdr_start = ehdr->e_shoff;
> +  size_t shnums;
> +  if (elf_getshdrnum (relocated, &shnums) < 0)
> +    return DWFL_E_LIBELF;
> +  /* Overflows will have been checked by elf_getshdrnum/get|rawdata.  */
> +  GElf_Off shdr_end = shdr_start + shnums * ehdr->e_shentsize;
> +  if (unlikely ((shdr->sh_offset >= shdr_start
> +                 && shdr->sh_offset < shdr_end)
> +                || (shdr->sh_offset + shdr->sh_size >= shdr_start
> +                    && shdr->sh_offset + shdr->sh_size < shdr_end)
> +                || (tshdr->sh_offset >= shdr_start
> +                    && tshdr->sh_offset < shdr_end)
> +                || (tshdr->sh_offset + tshdr->sh_size >= shdr_start
> +                    && tshdr->sh_offset + tshdr->sh_size < shdr_end)))
> +    return DWFL_E_BADELF;

Some testing revealed this test is too complicated and wrong.
It missed the header being completely inside the section.
Fixed version attached.

Cheers,

Mark
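Review bot: the quoted overlap test only asks whether one of the two endpoints of the section (sh_offset, or sh_offset + sh_size) falls inside [shdr_start, shdr_end), so a section that begins before the section header table and ends after it, the "header completely inside the section" case named in the follow-up, is accepted, for both shdr and tshdr. The standard half-open interval test covers every overlap with one condition per section and is easier to read than the four clauses: `shdr->sh_offset < shdr_end && shdr_start < shdr->sh_offset + shdr->sh_size` (and the same with tshdr). That form also drops a false rejection in the quoted version: a section ending exactly at shdr_start makes `sh_offset + sh_size >= shdr_start && sh_offset + sh_size < shdr_end` true although the two ranges do not overlap. Since `shdr->sh_offset + shdr->sh_size` and `shnums * ehdr->e_shentsize` are computed directly here, the comment that overflows "will have been checked by elf_getshdrnum/get|rawdata" should say which of these sums that covers. Finally, the description speaks of "one of the headers", but the check only guards the section header table at e_shoff; if the ELF header and the program header table at e_phoff are meant to be covered too, they need the same interval test.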