* [COMMITTED] elflint: Fix check_sysv_hash[64] sanity checks to not overflow.
@ 2018-08-18 20:08 Mark Wielaard
0 siblings, 0 replies; only message in thread
From: Mark Wielaard @ 2018-08-18 20:08 UTC (permalink / raw)
To: elfutils-devel; +Cc: Mark Wielaard
The sanity checks for how many words were needed in the section could
overflow causing errors. Fix the checks.
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/ChangeLog | 7 +++++++
src/elflint.c | 7 +++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index a01bd756..8c89f83d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2018-08-18 Mark Wielaard <mark@klomp.org>
+
+ * elflint.c (check_sysv_hash): Calculate needed size using unsigned
+ long long int to prevent overflow.
+ (check_sysv_hash64): Calculate maxwords used separately before
+ comparison to prevent overflow.
+
2018-07-24 Mark Wielaard <mark@klomp.org>
* unstrip.c (compare_unalloc_sections): Also compare sh_size.
diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..90e8fed4 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+ if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
@@ -2077,7 +2077,10 @@ check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf64_Xword))
+ uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
+ if (maxwords < 2
+ || maxwords - 2 < nbucket
+ || maxwords - 2 - nbucket < nchain)
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
--
2.18.0
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-08-18 20:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-18 20:08 [COMMITTED] elflint: Fix check_sysv_hash[64] sanity checks to not overflow Mark Wielaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).