author | Mark Wielaard <mark@klomp.org> | 2021-12-08 22:20:17 +0100 |
---|---|---|
committer | Mark Wielaard <mark@klomp.org> | 2021-12-09 19:34:19 +0100 |
commit | b9ed67836b6f4e580927b4e8e1c8517e70a086be (patch) | |
tree | e32b2605512c7c9db3d26a1d52269a8a856aa0ae /libdwfl | |
parent | libdwfl: Make sure we know the phdr entry size before searching phdrs. (diff) | |
libdwfl: Don't trust e_shentsize in dwfl_segment_report_module
When calculating the possible section header table end use the actual size
of the section headers (sizeof (Elf32_Shdr) or sizeof (Elf64_Shdr)),
not the ELF header e_shentsize value, which can be corrupted. This
prevents a possible overflow, but we check the shdrs_end is sane
later anyway.
https://sourceware.org/bugzilla/show_bug.cgi?id=28659
Signed-off-by: Mark Wielaard <mark@klomp.org>
Diffstat (limited to 'libdwfl')
-rw-r--r-- | libdwfl/ChangeLog | 5 | ||||
-rw-r--r-- | libdwfl/dwfl_segment_report_module.c | 4 |
2 files changed, 7 insertions, 2 deletions
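--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,5 +1,10 @@
 2021-12-08 Mark Wielaard <mark@klomp.org>
 
+* dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
+trust e_shentsize.
+
+2021-12-08 Mark Wielaard <mark@klomp.org>
+
 * link_map.c (dwfl_link_map_report): Make sure phent != 0.
 
 2021-12-08 Mark Wielaard <mark@klomp.org>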
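--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -383,7 +383,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
 zero sh_size field. We ignore this here because getting shdrs
 is just a nice bonus (see below in the type == PT_LOAD case
 where we trim the last segment). */
-shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * ehdr.e32.e_shentsize;
+shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * sizeof (Elf32_Shdr);
 break;
 
 case ELFCLASS64:
@@ -397,7 +397,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
 if (phentsize != sizeof (Elf64_Phdr))
 goto out;
 /* See the NOTE above for shdrs_end and ehdr.e32.e_shnum. */
-shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * ehdr.e64.e_shentsize;
+shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * sizeof (Elf64_Shdr);
 break;
 
 default: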
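Review bot: The sums on new lines 386 and 400 can still wrap, because `e_shoff` is read from the same untrusted ELF header as the `e_shentsize` field this commit stops using; in the ELFCLASS64 case an `e_shoff` near the top of the 64-bit range added to `e_shnum * sizeof (Elf64_Shdr)` gives a small `shdrs_end`. The commit message relies on a later sanity check of `shdrs_end`, but dwfl_segment_report_module starts and ends outside these hunks, so whether that check rejects a wrapped (too small) value as well as a too-large one cannot be confirmed from here and is worth verifying. It would also help to record the reason at both sites with a comment such as `/* e_shentsize comes from the file and may be corrupt; use the real Shdr size. */`, so the substitution is not reverted as a cleanup. Note that the neighbouring `phentsize` is rejected on mismatch via `goto out` while `e_shentsize` is now silently ignored; that asymmetry looks deliberate given the "nice bonus" comment, but saying so in the comment would make it explicit.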