[COMMITTED] libdwfl: Don't allocate more than SIZE_MAX in dwfl_segment_report

public inbox for elfutils@sourceware.org
 help / color / mirror / Atom feed

* [COMMITTED] libdwfl: Don't allocate more than SIZE_MAX in dwfl_segment_report_module.
@ 2021-12-12 22:58 Mark Wielaard
  0 siblings, 0 replies; only message in thread
From: Mark Wielaard @ 2021-12-12 22:58 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Evgeny Vereshchagin, Mark Wielaard

The code in dwfl_segment_report_module tries to allocate and fill in
memory as described in a core file. Normally all memory in filled in
through the (phdrs) memory_callback or the read_eagerly callback. If
the last callback doesn't work we try to calloc file_trimmed_end bytes
and then try to fill in the parts of memory we can from the core file
at the correct offsets.

file_trimmed_end is a GElf_Off which is an unsigned 64bit type. On
32bit systems this means when cast to a size_t to do an allocation
might allocate truncated (much smaller) value. So make sure to not
allocate more than SIZE_MAX bytes.

It would be nice to have a better way to limit the amount of memory
allocated here. A core file might describe really big memory areas for
which it doesn't provide any data. In that case we really shouldn't
calloc mega- or giga-bytes of zeroed out memory.

Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdwfl/ChangeLog                    | 5 +++++
 libdwfl/dwfl_segment_report_module.c | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 856bd335..aaea164c 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2021-12-12  Mark Wielaard  <mark@klomp.org>
+
+	* dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
+	allocate more than SIZE_MAX.
+
 2021-12-09  Mark Wielaard  <mark@klomp.org>

 	* link_map.c (dwfl_link_map_report): Limit dyn_filesz malloc size
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index f4acfe53..46564ec5 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -904,6 +904,9 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
       /* The caller wants to read the whole file in right now, but hasn't
 	 done it for us.  Fill in a local image of the virtual file.  */

+      if (file_trimmed_end > SIZE_MAX)
+	goto out;
+
       void *contents = calloc (1, file_trimmed_end);
       if (unlikely (contents == NULL))
 	goto out;
-- 
2.30.2

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-12-12 22:59 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-12 22:58 [COMMITTED] libdwfl: Don't allocate more than SIZE_MAX in dwfl_segment_report_module Mark Wielaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).