From: Mark Wielaard
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard
Subject: [PATCH] readelf: Use unsigned loop variables in handle_verneed and handle_verdef
Date: Wed, 21 Feb 2024 22:19:32 +0100
Message-Id: <20240221211932.2168442-1-mark@klomp.org>

Prevent signed underflow by changing loop variables to unsigned and doing count checks before decrementing. This isn't really a bug, but prevents UB detected by ubsan on fuzzed input. The bad (fuzzed) input data does get detected anyway.

	* src/readelf.c (handle_verneed): Use unsigned cnt, cnt2.
	(handle_verdef): Likewise.

Signed-off-by: Mark Wielaard
--- src/readelf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/readelf.c b/src/readelf.c index 802f8ede..0e931184 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -3159,7 +3159,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) elf_strptr (ebl->elf, shstrndx, glink->sh_name)); unsigned int offset = 0; - for (int cnt = shdr->sh_info; --cnt >= 0; ) + for (unsigned int cnt = shdr->sh_info; cnt > 0; cnt--) { /* Get the data at the next offset. */ GElf_Verneed needmem; @@ -3173,7 +3173,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) (unsigned short int) need->vn_cnt); unsigned int auxoffset = offset + need->vn_aux; - for (int cnt2 = need->vn_cnt; --cnt2 >= 0; ) + for (unsigned int cnt2 = need->vn_cnt; cnt2 > 0; cnt2--) { GElf_Vernaux auxmem; GElf_Vernaux *aux = gelf_getvernaux (data, auxoffset, &auxmem); 
@@ -3236,7 +3236,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) elf_strptr (ebl->elf, shstrndx, glink->sh_name)); unsigned int offset = 0; - for (int cnt = shdr->sh_info; --cnt >= 0; ) + for (unsigned int cnt = shdr->sh_info; cnt > 0; cnt--) { /* Get the data at the next offset. */ GElf_Verdef defmem; @@ -3259,7 +3259,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) elf_strptr (ebl->elf, shdr->sh_link, aux->vda_name)); auxoffset += aux->vda_next; - for (int cnt2 = 1; cnt2 < def->vd_cnt; ++cnt2) + for (unsigned int cnt2 = 1; cnt2 < def->vd_cnt; ++cnt2) { aux = gelf_getverdaux (data, auxoffset, &auxmem); if (unlikely (aux == NULL)) -- 2.39.3
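Review bot: In the handle_verneed hunk at -3159 (and the matching handle_verdef hunk at -3236), the new `cnt > 0` loop now iterates for sh_info values above INT_MAX, where the old `int cnt` was initialised to a negative value on common ABIs and the loop condition failed at once (or overflowed at INT_MIN, the case ubsan flags). For such input the number of iterations is bounded only by the error path inside the loop body, which lies outside the visible context. Consider saying so in the commit message, or checking sh_info against the size of `data` before entering the loop so a fuzzed count cannot drive a long run of iterations.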
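Review bot: The two cnt2 loops could not underflow in their old form. At -3173, vn_cnt is a 16-bit unsigned field (it is printed through an `unsigned short int` cast just above), so `int cnt2` starts in 0..65535 and `--cnt2` reaches -1 at worst; at -3259 the loop only counts up from 1 and has no decrement. The commit message presents all four changes as preventing signed underflow, so it would help to state that the cnt2 changes are for type consistency with cnt, so a later reader does not go looking for a ubsan report behind them.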