public inbox for elfutils@sourceware.org
* [PATCH] readelf, libdw: Handle too many directories or files in the line table better.
@ 2018-06-08 14:06 Mark Wielaard
From: Mark Wielaard @ 2018-06-08 14:06 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Mark Wielaard

The afl fuzzer found that we handle "too many" directories or files
in the (DWARF5 style) line table badly. In the case of eu-readelf we would
print an endless stream of "bad directory" or "bad file". Just stop printing
when the end of data is reached. In the case of dwarf_getsrclines we would
allocate a giant amount of memory, even if there was no data to actually
read in. Sanity check that the directory and file counts seem reasonable
compared to the amount of data left (assume we need at least 1 byte of
data per form describing the dirs or files).

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdw/ChangeLog           |  4 ++++
 libdw/dwarf_getsrclines.c | 10 ++++++++++
 src/ChangeLog             |  5 +++++
 src/readelf.c             |  4 ++++
 4 files changed, 23 insertions(+)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 79fcf1e..ddd8296 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,5 +1,9 @@
 2018-06-08  Mark Wielaard  <mark@klomp.org>
 
+	* dwarf_getsrclines.c (read_srclines): Sanity check ndirs and nfiles.
+
+2018-06-08  Mark Wielaard  <mark@klomp.org>
+
 	* dwarf_getlocation_attr.c (addr_valp): Set error and return NULL
 	when there is no .debug_addr section.
 	(dwarf_getlocation_attr): If addr_valp returns NULL, then return -1.
diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index 07baebc..bb512ec 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -356,6 +356,11 @@ read_srclines (Dwarf *dbg,
 
       if (nforms == 0 && ndirs != 0)
 	goto invalid_data;
+
+      /* Assume there is at least 1 byte needed per form to describe
+	 the directory.  Filters out insanely large ndirs.  */
+      if (nforms != 0 && ndirs > (size_t) (lineendp - linep) / nforms)
+	goto invalid_data;
     }
 
   /* Arrange the list in array form.  */
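Review bot: the new `ndirs > (size_t) (lineendp - linep) / nforms` test only bounds the allocation; the loop that later reads each directory's forms still needs its own per-entry bounds checks, because a single multi-byte form (a string or a ULEB128) can run past lineendp even when the count passed this heuristic. The `(size_t)` cast also relies on lineendp >= linep having been established earlier; a short comment (or an assert) saying so would keep the division obviously safe if the surrounding code is reordered. Using `>` rather than `>=` is right: it deliberately admits ndirs == remaining / nforms, which is the legitimate case where every form is exactly one byte.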
@@ -561,6 +566,11 @@ read_srclines (Dwarf *dbg,
       if (nforms == 0 && nfiles != 0)
 	goto invalid_data;
 
+      /* Assume there is at least 1 byte needed per form to describe
+	 the file.  Filters out insanely large nfiles.  */
+      if (nforms != 0 && nfiles > (size_t) (lineendp - linep) / nforms)
+	goto invalid_data;
+
       Dwarf_Attribute attr;
       attr.cu = &fake_cu;
       for (unsigned int n = 0; n < nfiles; n++)
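Review bot: this is the ndirs expression from the previous hunk with nfiles substituted; a small static helper (a hypothetical `count_fits (count, nforms, linep, lineendp)`) would keep the two in sync if the one-byte-per-form assumption is ever refined. Placement is consistent with the directory case: the `nforms == 0 && nfiles != 0` test runs first, so a table with both zero skips both checks, and a non-zero nforms is guaranteed before the division.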
diff --git a/src/ChangeLog b/src/ChangeLog
index 778238e..ca1917a 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-08  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (print_debug_line_section): Stop printing directories
+	and files when we are at the end of the unit data.
+
 2018-06-07  Mark Wielaard  <mark@klomp.org>
 
 	* readelf.c (format_result): Removed.
diff --git a/src/readelf.c b/src/readelf.c
index f9514a1..af78f17 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -8294,6 +8294,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 		    printf (", ");
 		}
 	      printf ("\n");
+	      if (linep >= lineendp)
+		goto invalid_unit;
 	    }
 	}
       else
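Review bot: the `if (linep >= lineendp) goto invalid_unit;` after `printf ("\n")` also fires after the last directory, which is correct for a DWARF5 header because the file entry format and file list always follow the directories; a one-line comment stating that would stop a later reader from relaxing it to `>`. Note the guard sits after a fully printed entry, so it ends the endless "bad directory" output but does not bound the reads inside an entry's forms; those still need their own checks. If the loop header is in reach, `n < ndirs && linep < lineendp` in the for condition would express the same intent without the goto.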
@@ -8370,6 +8372,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 		    printf (", ");
 		}
 	      printf ("\n");
+	      if (linep >= lineendp)
+		goto invalid_unit;
 	    }
 	}
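Review bot: same guard as the directories hunk above, and the same reasoning applies: the line number program follows the file list, so running out of unit data right after a file entry is invalid. The duplicated check is acceptable here given the two loops already mirror each other, but the per-form reads inside the loop body remain unguarded by this change.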
       else
-- 
1.8.3.1
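To show what the count sanity check in the patch actually catches, here is an added example that is not elfutils code: a minimal parser for the start of a DWARF5 directory table (directory_entry_format_count, the (content type, form) pairs, directories_count) that applies the same rule as the read_srclines change, refusing a count larger than the remaining bytes divided by the number of forms before anything is allocated. The function and type names are this example's own, the inputs are constructed, and the DW_LNCT_path and DW_FORM_string values are used only as plausible bytes.

```c
/* Added example, not elfutils code: a minimal parser for the start of a
   DWARF5 directory table that applies the same count sanity check as the
   patch's read_srclines change.  Constructed inputs are embedded below. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tbl_status { TBL_OK = 0, TBL_TRUNCATED = 1, TBL_INVALID_DATA = 2 };

/* Bounds-checked ULEB128 decode.  Returns 0 and advances *pp on success,
   -1 if the data ends before the terminating byte is seen. */
static int read_uleb128 (const uint8_t **pp, const uint8_t *end, uint64_t *out)
{
  uint64_t value = 0;
  unsigned shift = 0;
  const uint8_t *p = *pp;
  while (p < end)
    {
      uint8_t b = *p++;
      if (shift < 64)
        value |= (uint64_t) (b & 0x7f) << shift;
      shift += 7;
      if ((b & 0x80) == 0)
        {
          *pp = p;
          *out = value;
          return 0;
        }
    }
  return -1;
}

/* Parse directory_entry_format_count, the (content type, form) pairs and
   directories_count, then decide whether ndirs is plausible for the bytes
   left, assuming at least one byte per form per entry (the patch's rule).
   On TBL_OK, *ndirs_out is the count a caller could safely allocate for. */
enum tbl_status check_dir_table (const uint8_t *data, size_t len, uint64_t *ndirs_out)
{
  const uint8_t *linep = data;
  const uint8_t *lineendp = data + len;
  if (linep >= lineendp)
    return TBL_TRUNCATED;
  unsigned nforms = *linep++;          /* directory_entry_format_count (ubyte) */
  for (unsigned i = 0; i < nforms; i++)
    {
      uint64_t ctype, form;
      if (read_uleb128 (&linep, lineendp, &ctype) != 0
          || read_uleb128 (&linep, lineendp, &form) != 0)
        return TBL_TRUNCATED;
    }
  uint64_t ndirs;
  if (read_uleb128 (&linep, lineendp, &ndirs) != 0)
    return TBL_TRUNCATED;
  if (nforms == 0 && ndirs != 0)
    return TBL_INVALID_DATA;
  /* The patch's heuristic: a count larger than remaining bytes / nforms
     cannot be backed by real data, so refuse it before allocating. */
  if (nforms != 0 && ndirs > (size_t) (lineendp - linep) / nforms)
    return TBL_INVALID_DATA;
  *ndirs_out = ndirs;
  return TBL_OK;
}

/* Constructed sample 1: one form (DW_LNCT_path = 1, DW_FORM_string = 0x08),
   two directories, with both NUL-terminated strings actually present. */
static const uint8_t sample_ok[] = { 0x01, 0x01, 0x08, 0x02, 'a', 0, 'b', 0 };
/* Constructed sample 2: same format, but directories_count is the ULEB128
   for 4294967295 and no entry data follows; without the check a reader
   would allocate for billions of entries. */
static const uint8_t sample_huge[] = { 0x01, 0x01, 0x08, 0xff, 0xff, 0xff, 0xff, 0x0f };
/* Constructed sample 3: zero forms but a non-zero count. */
static const uint8_t sample_noforms[] = { 0x00, 0x01 };
/* Constructed sample 4: data ends in the middle of the format pairs. */
static const uint8_t sample_cut[] = { 0x01, 0x01 };

int status_ok (void)      { uint64_t n; return check_dir_table (sample_ok, sizeof sample_ok, &n); }
uint64_t ndirs_ok (void)  { uint64_t n = 0; check_dir_table (sample_ok, sizeof sample_ok, &n); return n; }
int status_huge (void)    { uint64_t n; return check_dir_table (sample_huge, sizeof sample_huge, &n); }
int status_noforms (void) { uint64_t n; return check_dir_table (sample_noforms, sizeof sample_noforms, &n); }
int status_cut (void)     { uint64_t n; return check_dir_table (sample_cut, sizeof sample_cut, &n); }

int main (void)
{
  printf ("ok: %d (ndirs %llu), huge: %d, noforms: %d, cut: %d\n",
          status_ok (), (unsigned long long) ndirs_ok (),
          status_huge (), status_noforms (), status_cut ());
  return 0;
}
```

The huge-count sample is the shape the fuzzer produces: a tiny header whose count field claims far more entries than bytes remain. The check is a heuristic, not a full validation; once the count is accepted, each entry's forms still have to be read with their own bounds checks, which is what `read_uleb128` does here for the format pairs.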


* Re: [PATCH] readelf, libdw: Handle too many directories or files in the line table better.
@ 2018-06-10 15:21 ` Mark Wielaard
From: Mark Wielaard @ 2018-06-10 15:21 UTC (permalink / raw)
  To: elfutils-devel

On Fri, Jun 08, 2018 at 04:06:29PM +0200, Mark Wielaard wrote:
> The afl fuzzer found that we handle "too many" directories or files
> in the (DWARF5 style) line table badly. In the case of eu-readelf we would
> print an endless stream of "bad directory" or "bad file". Just stop printing
> when the end of data is reached. In the case of dwarf_getsrclines we would
> allocate a giant amount of memory, even if there was no data to actually
> read in. Sanity check that the directory and file counts seem reasonable
> compared to the amount of data left (assume we need at least 1 byte of
> data per form describing the dirs or files).

Pushed to master.

