From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: [PATCH] libdwfl: Check relocations don't overlap ELF ehdr, shdrs or phdrs.
Date: Sun, 30 Nov 2014 21:02:13 +0100
Message-ID: <20141130200213.GD26030@blokker.redhat.com>
In-Reply-To: 1417290058-24071-1-git-send-email-mjw@redhat.com

On Sat, Nov 29, 2014 at 08:40:58PM +0100, Mark Wielaard wrote:
> American Fuzzy Lop (afl-fuzz) has a habit of generating ELF files
> with relocations that when applied (or removed/cleared) change one
> of the in-memory ELF headers. There does not seem to be a valid reason
> for having section data that contain relocations or to which relocations
> are applied to overlap with one of the headers.
> [...]
> +  GElf_Off shdr_start = ehdr->e_shoff;
> +  size_t shnums;
> +  if (elf_getshdrnum (relocated, &shnums) < 0)
> +    return DWFL_E_LIBELF;
> +  /* Overflows will have been checked by elf_getshdrnum/get|rawdata.  */
> +  GElf_Off shdr_end = shdr_start + shnums * ehdr->e_shentsize;
> +  if (unlikely ((shdr->sh_offset >= shdr_start
> +		 && shdr->sh_offset < shdr_end)
> +		|| (shdr->sh_offset + shdr->sh_size >= shdr_start
> +		    && shdr->sh_offset + shdr->sh_size < shdr_end)
> +		|| (tshdr->sh_offset >= shdr_start
> +		    && tshdr->sh_offset < shdr_end)
> +		|| (tshdr->sh_offset + tshdr->sh_size >= shdr_start
> +		    && tshdr->sh_offset + tshdr->sh_size < shdr_end)))
> +    return DWFL_E_BADELF;

Some testing revealed this test is too complicated and wrong.
It missed the header being completely inside the section.
Fixed version attached.
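Review bot: the interval test in the quoted `if (unlikely ((shdr->sh_offset >= shdr_start` hunk fails in two directions, not only the containment case. It asks whether a section's start or its end lands inside [shdr_start, shdr_end), so a section that starts before the section-header table and ends after it passes; and it compares the exclusive end `shdr->sh_offset + shdr->sh_size` with `>= shdr_start`, so a section that ends exactly where the table begins is rejected although the two ranges share no byte. Both go away with the usual half-open test, written once per section: `shdr_start < shdr->sh_offset + shdr->sh_size && shdr->sh_offset < shdr_end`.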
Cheers,

Mark

[Attachment: 0001-libdwfl-Check-relocations-don-t-overlap-ELF-ehdr-shd.patch]

From c3cfdb056fe8ff2f29924c8d6c94e727a372fa51 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Sat, 29 Nov 2014 20:23:30 +0100
Subject: [PATCH] libdwfl: Check relocations don't overlap ELF ehdr, shdrs or
 phdrs.

If either the section that needs the relocation applied, or the
section that the relocations come from overlap one of the ehdrs,
shdrs or phdrs data then refuse to do the relocations.  We update
both section data. It isn't illegal for ELF section data to overlap
the header data, but updating the (relocation) data might corrupt
the in-memory libelf headers causing strange corruptions or errors.

Also check offset + size of a relocation doesn't overflow.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdwfl/ChangeLog  |  6 ++++++
 libdwfl/relocate.c | 39 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 5876fcc..03faecf 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-29  Mark Wielaard  <mjw@redhat.com>
+
+	* relocate.c (relocate_section): Check relocation section and target
+	section data don't overlap any of the ELF headers.
+	(relocate): Check for offset + size overflow.
+
 2014-11-22  Mark Wielaard  <mjw@redhat.com>
 
 	* link_map.c (consider_executable): Use elf_getphdrnum.
diff --git a/libdwfl/relocate.c b/libdwfl/relocate.c
index 52b7b5e..6862189 100644
--- a/libdwfl/relocate.c
+++ b/libdwfl/relocate.c
@@ -297,6 +297,43 @@ relocate_section (Dwfl_Module *mod, Elf *relocated, const GElf_Ehdr *ehdr,
   if (tdata == NULL)
     return DWFL_E_LIBELF;
 
+  /* If either the section that needs the relocation applied, or the
+     section that the relocations come from overlap one of the ehdrs,
+     shdrs or phdrs data then we refuse to do the relocations.  It
+     isn't illegal for ELF section data to overlap the header data,
+     but updating the (relocation) data might corrupt the in-memory
+     libelf headers causing strange corruptions or errors.  */
+  if (unlikely (shdr->sh_offset < ehdr->e_ehsize
+		|| tshdr->sh_offset < ehdr->e_ehsize))
+    return DWFL_E_BADELF;
+
+  GElf_Off shdrs_start = ehdr->e_shoff;
+  size_t shnums;
+  if (elf_getshdrnum (relocated, &shnums) < 0)
+    return DWFL_E_LIBELF;
+  /* Overflows will have been checked by elf_getshdrnum/get|rawdata.  */
+  GElf_Off shdrs_end = shdrs_start + shnums * ehdr->e_shentsize;
+  if (unlikely ((shdrs_start < shdr->sh_offset + shdr->sh_size
+		 && shdr->sh_offset < shdrs_end)
+		|| (shdrs_start < tshdr->sh_offset + tshdr->sh_size
+		    && tshdr->sh_offset < shdrs_end)))
+    return DWFL_E_BADELF;
+
+  GElf_Off phdrs_start = ehdr->e_phoff;
+  size_t phnums;
+  if (elf_getphdrnum (relocated, &phnums) < 0)
+    return DWFL_E_LIBELF;
+  if (phdrs_start != 0 && phnums != 0)
+    {
+      /* Overflows will have been checked by elf_getphdrnum/get|rawdata.  */
+      GElf_Off phdrs_end = phdrs_start + phnums * ehdr->e_phentsize;
+      if (unlikely ((phdrs_start < shdr->sh_offset + shdr->sh_size
+		     && shdr->sh_offset < phdrs_end)
+		    || (phdrs_start < tshdr->sh_offset + tshdr->sh_size
+			&& tshdr->sh_offset < phdrs_end)))
+	return DWFL_E_BADELF;
+    }
+
   /* Apply one relocation.  Returns true for any invalid data.  */
   Dwfl_Error relocate (GElf_Addr offset, const GElf_Sxword *addend,
 		       int rtype, int symndx)
@@ -365,7 +402,7 @@ relocate_section (Dwfl_Module *mod, Elf *relocated, const GElf_Ehdr *ehdr,
 	return DWFL_E_BADRELTYPE;
       }
 
-    if (offset + size > tdata->d_size)
+    if (offset > tdata->d_size || tdata->d_size - offset < size)
       return DWFL_E_BADRELOFF;
 
 #define DO_TYPE(NAME, Name) GElf_##Name Name;
-- 
1.9.3
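Review bot: in the relocate.c hunk at @@ -297,6 +297,43 @@, the Ehdr check `if (unlikely (shdr->sh_offset < ehdr->e_ehsize` trusts `e_ehsize` from the very file afl-fuzz mutated. Unless libelf already rejects a bad `e_ehsize`, a file carrying `e_ehsize == 0` makes this test never fire, so a section at offset 0 is patched over the in-memory header, which is exactly the corruption the commit message describes, while an oversized `e_ehsize` rejects every section. The in-memory header size is fixed by the ELF class, so comparing against `gelf_fsize (relocated, ELF_T_EHDR, 1, EV_CURRENT)` (or `sizeof (Elf32_Ehdr)`/`sizeof (Elf64_Ehdr)` by class) removes the dependence on the field. Two smaller points on the same hunk: the shdrs block has no guard like the phdrs block's `if (phdrs_start != 0 && phnums != 0)`, and the comment `/* Overflows will have been checked by elf_getshdrnum/get|rawdata.  */` would be clearer if it said which call is relied on for `shdr->sh_offset + shdr->sh_size` and `tshdr->sh_offset + tshdr->sh_size`, since those sums are added unchecked here.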
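Review bot: in the hunk at @@ -365,7 +402,7 @@, the rewritten check `if (offset > tdata->d_size || tdata->d_size - offset < size)` deserves a one-line comment saying why it is not the shorter `offset + size > tdata->d_size` it replaces: the first clause rules out `offset > d_size`, so the subtraction cannot wrap, whereas the sum can, and a fuzzed 64-bit `offset` near the top of the range with a small `size` would otherwise pass the bounds check. Without the comment, the next cleanup pass is likely to fold it back into the shorter form.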
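Both hunks of the attached patch come down to getting a half-open range test right. The following is an added example, not elfutils code and not part of the message above: it puts the endpoint test from the withdrawn first version beside the interval test the attached patch uses, runs both over a constructed header layout (the `elf_layout` struct, `sample_overlap` and every other name here are this example's own, not libelf API), and shows the wrap that the second hunk's rewritten bounds check avoids.

```c
/* Added example (not elfutils code): half-open range tests of the kind the
   patch needs, the first patch's endpoint test kept for comparison, and the
   wrap-safe "relocation fits in the buffer" check from the second hunk.
   All names are this example's own, not libelf API.  */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Do [a, a+asize) and [b, b+bsize) share a byte?  Empty ranges overlap
   nothing.  The caller must already know neither end wraps, which is what
   the patch relies on libelf for.  */
bool
ranges_overlap (uint64_t a, uint64_t asize, uint64_t b, uint64_t bsize)
{
  if (asize == 0 || bsize == 0)
    return false;
  return a < b + bsize && b < a + asize;
}

/* The test from the withdrawn first patch: is either endpoint of the
   section inside the header table [hdr_start, hdr_end)?  Misses a section
   that contains the table and flags one that merely ends at hdr_start.  */
bool
endpoint_inside (uint64_t sec_off, uint64_t sec_size,
		 uint64_t hdr_start, uint64_t hdr_end)
{
  uint64_t sec_end = sec_off + sec_size;
  return (sec_off >= hdr_start && sec_off < hdr_end)
	 || (sec_end >= hdr_start && sec_end < hdr_end);
}

/* Where the header structures live in the file; the fields the real Ehdr
   carries, collected here so a layout can be constructed for a test.  */
struct elf_layout
{
  uint64_t e_ehsize;
  uint64_t e_shoff, e_shnum, e_shentsize;
  uint64_t e_phoff, e_phnum, e_phentsize;
};

enum header_hit { HIT_NONE = 0, HIT_EHDR = 1, HIT_SHDRS = 2, HIT_PHDRS = 4 };

/* Bitmask of header structures that section data [off, off+size) overlaps.
   The Ehdr always sits at file offset 0; a table with offset 0 or no
   entries occupies no bytes (ranges_overlap handles the zero-entry case).  */
unsigned
section_header_overlap (const struct elf_layout *l, uint64_t off, uint64_t size)
{
  unsigned hit = HIT_NONE;
  if (ranges_overlap (off, size, 0, l->e_ehsize))
    hit |= HIT_EHDR;
  if (l->e_shoff != 0
      && ranges_overlap (off, size, l->e_shoff, l->e_shnum * l->e_shentsize))
    hit |= HIT_SHDRS;
  if (l->e_phoff != 0
      && ranges_overlap (off, size, l->e_phoff, l->e_phnum * l->e_phentsize))
    hit |= HIT_PHDRS;
  return hit;
}

/* Constructed 64-bit layout: Ehdr [0, 0x40), no phdrs, four section
   headers at [0x200, 0x300).  */
static const struct elf_layout sample_layout = { 0x40, 0x200, 4, 0x40, 0, 0, 0 };

unsigned
sample_overlap (uint64_t off, uint64_t size)
{
  return section_header_overlap (&sample_layout, off, size);
}

/* The second hunk's check: does [offset, offset+size) fit in d_size bytes?
   `offset > d_size` is tested first so the subtraction cannot wrap.  */
bool
reloc_fits (uint64_t offset, size_t size, size_t d_size)
{
  return !(offset > d_size || d_size - offset < size);
}

/* The form the hunk removes: the addition wraps for a large offset.  */
bool
reloc_fits_naive (uint64_t offset, size_t size, size_t d_size)
{
  return offset + size <= d_size;
}

int
main (void)
{
  /* Section [0x100, 0x400) swallows the whole section-header table.  */
  printf ("contains table: overlap=%d endpoint=%d\n",
	  ranges_overlap (0x100, 0x300, 0x200, 0x100),
	  endpoint_inside (0x100, 0x300, 0x200, 0x300));
  /* Section [0x180, 0x200) stops exactly where the table starts.  */
  printf ("touches table:  overlap=%d endpoint=%d\n",
	  ranges_overlap (0x180, 0x80, 0x200, 0x100),
	  endpoint_inside (0x180, 0x80, 0x200, 0x300));
  printf ("section [0x20, 0x60) hits mask %u\n", sample_overlap (0x20, 0x40));
  printf ("reloc near UINT64_MAX: safe=%d naive=%d\n",
	  reloc_fits (UINT64_MAX - 3, 8, 0x100),
	  reloc_fits_naive (UINT64_MAX - 3, 8, 0x100));
  return 0;
}
```

The two containment cases in main are the ones the reply above describes: the endpoint test returns the wrong answer for both, the half-open test returns the right one. `ranges_overlap` treats an empty range as overlapping nothing, so a zero-size section sitting inside a header table is not flagged; the patch's form would flag it, which is harmless since nothing is written, but the difference is worth knowing when comparing results.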