public inbox for elfutils@sourceware.org
* [COMMITTED] elflint: Fix check_sysv_hash[64] sanity checks to not overflow.
From: Mark Wielaard @ 2018-08-18 20:08 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Mark Wielaard

The sanity checks for how many words were needed in the section could
overflow causing errors. Fix the checks.

https://sourceware.org/bugzilla/show_bug.cgi?id=23542

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 src/ChangeLog | 7 +++++++
 src/elflint.c | 7 +++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index a01bd756..8c89f83d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2018-08-18  Mark Wielaard  <mark@klomp.org>
+
+	* elflint.c (check_sysv_hash): Calculate needed size using unsigned
+	long long int to prevent overflow.
+	(check_sysv_hash64): Calculate maxwords used separately before
+	comparison to prevent overflow.
+
 2018-07-24  Mark Wielaard  <mark@klomp.org>
 
 	* unstrip.c (compare_unalloc_sections): Also compare sh_size.
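
Review bot: The new ChangeLog entry does not mention the bug that the commit message links (bugzilla id 23542). Adding the bug reference to the entry would let someone reading only src/ChangeLog find the report behind the two check_sysv_hash changes.
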
diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..90e8fed4 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
 
-  if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+  if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
     {
       ERROR (gettext ("\
 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
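
Review bot: In the changed comparison, 2ULL is enough only because nbucket and nchain are both Elf32_Word, so 2 + nbucket + nchain and the multiplication by sizeof (Elf32_Word) cannot exceed 64 bits; a short comment saying so would explain why this function widens the arithmetic while check_sysv_hash64 has to use the subtraction form. The error string that follows still prints an expected size with %ld. Its arguments are outside this hunk, but if the expected value is recomputed there with the old (2 + nbucket + nchain) expression it can still wrap, so it should reuse the widened value.
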
@@ -2077,7 +2077,10 @@ check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
 
-  if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf64_Xword))
+  uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
+  if (maxwords < 2
+      || maxwords - 2 < nbucket
+      || maxwords - 2 - nbucket < nchain)
     {
       ERROR (gettext ("\
 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
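
Review bot: The new three-part condition is only safe in the order written: maxwords - 2 is evaluated after maxwords < 2 has been ruled out, and maxwords - 2 - nbucket after maxwords - 2 < nbucket, so a comment warning against reordering or merging the clauses would help. The message below still has an "expected %ld" field; its argument is not in this hunk, but for the inputs this check now catches, the true (2 + nbucket + nchain) * sizeof (Elf64_Xword) may not fit in 64 bits, so consider printing nbucket and nchain instead of a computed size. The diffstat lists only src/ChangeLog and src/elflint.c, so no regression test for the bug report is included.
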
-- 
2.18.0
