* [PATCH] libelf: Add n_namesz offset overflow check to gelf_get_note.
From: Mark Wielaard @ 2019-05-01 13:56 UTC (permalink / raw)
To: elfutils-devel; +Cc: Mark Wielaard
During fuzzing of the new xlate_notes testcase I noticed that
gelf_get_note didn't check whether the n_namesz of a note was
too big. This could lead to offset wrapping around, causing an
infinite loop going over all ELF notes. Fix by adding an overflow
check before updating offset.
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
libelf/ChangeLog | 5 +++++
libelf/gelf_getnote.c | 5 +++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5eadaf7..924ff59 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2019-05-01 Mark Wielaard <mark@klomp.org>
+
+ * gelf_getnote.c (gelf_getnote): Check n_namesz doesn't overflow
+ offset.
+
2019-04-30 Mark Wielaard <mark@klomp.org>
* note_xlate.h (elf_cvt_note): Indicate we only translated the note
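Review bot: the ChangeLog entry names the function `gelf_getnote`, which matches the hunk header of libelf/gelf_getnote.c (`gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result, ...`), but the subject line and commit message call it `gelf_get_note`; the subject and description should use the real symbol name so the log is greppable.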
diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c
index 6d33b35..0f7b9d6 100644
--- a/libelf/gelf_getnote.c
+++ b/libelf/gelf_getnote.c
@@ -80,11 +80,12 @@ gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result,
the offset, after adding the namesz, and include padding
in descsz to get to the end. */
*name_offset = offset;
- offset += n->n_namesz;
- if (offset > data->d_size)
+ if (n->n_namesz > data->d_size
+ || offset > data->d_size - n->n_namesz)
offset = 0;
else
{
+ offset += n->n_namesz;
/* Include padding. Check below for overflow. */
GElf_Word descsz = (data->d_type == ELF_T_NHDR8
? NOTE_ALIGN8 (n->n_descsz)
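Review bot: `*name_offset = offset;` is still stored before the new check, so when `n->n_namesz > data->d_size || offset > data->d_size - n->n_namesz` trips and the function falls into the `offset = 0` error path, the caller gets a `name_offset` for a name that was never validated against `d_size`; either move the assignment into the `else` branch after the check, or document that `name_offset` is only meaningful when the returned offset is non-zero. The guard itself is the right shape: testing `n_namesz > d_size` first keeps `d_size - n_namesz` from underflowing, and comparing before the `offset += n->n_namesz` means the sum is only formed once it is known to fit, unlike the removed add-then-compare version. Since the bug was found by fuzzing the xlate_notes testcase, a note with an oversized `n_namesz` would be worth adding there as a regression input.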
--
1.8.3.1
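As an added illustration of what the commit message describes (this is example code, not part of the elfutils patch): the pre-patch add-then-compare check beside the post-patch compare-then-add check, and a small note walker built on the checked form. Offsets are modelled as `uint32_t` to stand in for a 32-bit `size_t` so the wrap is observable; the function names, the 12-byte header with 4-byte alignment, and the sample note buffer are this example's own assumptions.

```c
#include <stdint.h>
/* Offsets are uint32_t as a stand-in for a 32-bit size_t so the wrap is
   observable on any host (an assumption of this example, not libelf's type). */
/* Pre-patch shape: add first, compare afterwards; 0 means end or malformed. */
static uint32_t advance_naive(uint32_t offset, uint32_t sz, uint32_t d_size) {
  offset += sz;                          /* may wrap past UINT32_MAX */
  return offset > d_size ? 0 : offset;
}

/* Post-patch shape: compare before adding, so the sum is only formed once
   it is known to fit inside the buffer. */
static uint32_t advance_checked(uint32_t offset, uint32_t sz, uint32_t d_size) {
  if (sz > d_size || offset > d_size - sz) return 0;
  return offset + sz;
}

/* Round up to 4 bytes; returns 0 instead of wrapping for huge sizes. */
static int align4(uint32_t sz, uint32_t *out) {
  uint32_t pad = (4 - (sz & 3)) & 3;
  if (sz > UINT32_MAX - pad) return 0;
  *out = sz + pad; return 1;
}
static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit field */
  return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk 4-byte-aligned notes (12-byte header, name, desc) with the checked
   arithmetic; counts well-formed notes, stops when a size cannot be honoured. */
static unsigned count_notes(const uint8_t *buf, uint32_t d_size) {
  unsigned count = 0;
  for (uint32_t off = 0; off < d_size && d_size - off >= 12; count++) {
    uint32_t namesz, descsz;
    if (!align4(rd32(buf + off), &namesz) || !align4(rd32(buf + off + 4), &descsz))
      break;
    off = advance_checked(off + 12, namesz, d_size);   /* past header and name */
    if (off == 0 || (off = advance_checked(off, descsz, d_size)) == 0)
      break;
  }
  return count;
}
/* Constructed sample: two valid notes, then a header whose n_namesz of
   0xfffffff0 would wrap a 32-bit offset back inside the buffer. */
static const uint8_t sample_notes[] = {
  4,0,0,0, 4,0,0,0, 1,0,0,0, 'G','N','U',0, 0,0,0,0,     /* "GNU", 4-byte desc */
  5,0,0,0, 0,0,0,0, 2,0,0,0, 'L','i','n','u','x',0,0,0,  /* "Linux" + 3 pad bytes */
  0xf0,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0,                 /* malformed header */
};
static unsigned sample_note_count(void) { return count_notes(sample_notes, sizeof sample_notes); }
```

With the malformed header at offset 40 the naive form wraps to 36, an offset that lies inside the buffer and lets a caller keep iterating, while the checked form reports end-of-notes.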
* Re: [PATCH] libelf: Add n_namesz offset overflow check to gelf_get_note.
From: Mark Wielaard @ 2019-05-04 19:57 UTC (permalink / raw)
To: elfutils-devel
On Wed, May 01, 2019 at 03:55:59PM +0200, Mark Wielaard wrote:
> During fuzzing of the new xlate_notes testcase I noticed that
> gelf_get_note didn't check whether the n_namesz of a note was
> too big. This could lead to offset wrapping around, causing an
> infinite loop going over all ELF notes. Fix by adding an overflow
> check before updating offset.
Pushed to master.