| 1 |
commit: 10a9643d90a1ba6058a66066803fac6cf43f6917 |
| 2 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Feb 1 22:40:09 2017 +0000 |
| 4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Feb 1 22:40:09 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=10a9643d |
| 7 |
|
| 8 |
dumpelf: check for invalid notes |
| 9 |
|
| 10 |
Handle cases where the size fields would overflow the additions. |
| 11 |
|
| 12 |
URL: https://bugs.gentoo.org/607898 |
| 13 |
Reported-by: Agostino Sarubbo <ago <AT> gentoo.org> |
| 14 |
|
| 15 |
dumpelf.c | 23 ++++++++++++++++------- |
| 16 |
1 file changed, 16 insertions(+), 7 deletions(-) |
| 17 |
|
| 18 |
diff --git a/dumpelf.c b/dumpelf.c |
| 19 |
index a9c6e05..60c78a3 100644 |
| 20 |
--- a/dumpelf.c |
| 21 |
+++ b/dumpelf.c |
| 22 |
@@ -209,6 +209,7 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me |
| 23 |
* world, the two structs are exactly the same. So avoid ugly CPP. |
| 24 |
*/ |
| 25 |
size_t i; |
| 26 |
+ bool corrupt = false; |
| 27 |
const void *ndata = memory; |
| 28 |
const char *name; |
| 29 |
const unsigned char *desc; |
| 30 |
@@ -223,23 +224,31 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me |
| 31 |
} |
| 32 |
|
| 33 |
printf("\n\t/%c note section dump:\n", '*'); |
| 34 |
- for (i = 0; ndata < memory_end; ++i) { |
| 35 |
+ for (i = 0; ndata < memory_end && !corrupt; ++i) { |
| 36 |
note = ndata; |
| 37 |
namesz = EGET(note->n_namesz); |
| 38 |
descsz = EGET(note->n_descsz); |
| 39 |
- name = namesz ? ndata + sizeof(*note) : ""; |
| 40 |
- desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : ""; |
| 41 |
+ if (namesz > elf->len || descsz > elf->len) |
| 42 |
+ corrupt = true; |
| 43 |
+ name = namesz ? ndata + sizeof(*note) : NULL; |
| 44 |
+ desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : NULL; |
| 45 |
ndata += sizeof(*note) + ALIGN_UP(namesz, 4) + ALIGN_UP(descsz, 4); |
| 46 |
|
| 47 |
- if (ndata > memory_end) { |
| 48 |
+ if (ndata > memory_end) |
| 49 |
+ corrupt = true; |
| 50 |
+ if (corrupt) { |
| 51 |
+ name = NULL; |
| 52 |
+ desc = NULL; |
| 53 |
printf("\tNote is corrupt\n"); |
| 54 |
- break; |
| 55 |
} |
| 56 |
|
| 57 |
printf("\t * Elf%zu_Nhdr note%zu = {\n", B, i); |
| 58 |
- printf("\t * \t.n_namesz = %u, (bytes) [%s]\n", namesz, name); |
| 59 |
+ printf("\t * \t.n_namesz = %u, (bytes)", namesz); |
| 60 |
+ if (name) |
| 61 |
+ printf(" [%s]", name); |
| 62 |
+ printf("\n"); |
| 63 |
printf("\t * \t.n_descsz = %u, (bytes)", descsz); |
| 64 |
- if (descsz) { |
| 65 |
+ if (desc) { |
| 66 |
printf(" [ "); |
| 67 |
for (i = 0; i < descsz; ++i) |
| 68 |
printf("%.2X ", desc[i]); |
Archives