summaryrefslogtreecommitdiffstats
path: root/libdwfl
diff options
context:
space:
mode:
authorMark Wielaard <mark@klomp.org>2021-12-08 22:20:17 +0100
committerMark Wielaard <mark@klomp.org>2021-12-09 19:34:19 +0100
commitb9ed67836b6f4e580927b4e8e1c8517e70a086be (patch)
treee32b2605512c7c9db3d26a1d52269a8a856aa0ae /libdwfl
parentlibdwfl: Make sure we know the phdr entry size before searching phdrs. (diff)
downloadelfutils-b9ed67836b6f4e580927b4e8e1c8517e70a086be.tar.gz
elfutils-b9ed67836b6f4e580927b4e8e1c8517e70a086be.tar.bz2
elfutils-b9ed67836b6f4e580927b4e8e1c8517e70a086be.tar.xz
libdwfl: Don't trust e_shentsize in dwfl_segment_report_module
When calulating the possible section header table end us the actual size of the section headers (sizeof (Elf32_Shdr) or sizeof (Elf64_Shdr)), not the ELF header e_shentsize value, which can be corrupted. This prevents a posssible overflow, but we check the shdrs_end is sane later anyway. https://sourceware.org/bugzilla/show_bug.cgi?id=28659 Signed-off-by: Mark Wielaard <mark@klomp.org>
Diffstat (limited to 'libdwfl')
-rw-r--r--libdwfl/ChangeLog5
-rw-r--r--libdwfl/dwfl_segment_report_module.c4
2 files changed, 7 insertions, 2 deletions
diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index d875eabd..76e0899e 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,5 +1,10 @@
12021-12-08 Mark Wielaard <mark@klomp.org> 12021-12-08 Mark Wielaard <mark@klomp.org>
2 2
3 * dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
4 trust e_shentsize.
5
62021-12-08 Mark Wielaard <mark@klomp.org>
7
3 * link_map.c (dwfl_link_map_report): Make sure phent != 0. 8 * link_map.c (dwfl_link_map_report): Make sure phent != 0.
4 9
52021-12-08 Mark Wielaard <mark@klomp.org> 102021-12-08 Mark Wielaard <mark@klomp.org>
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index f6a1799e..be0aff76 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -383,7 +383,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
383 zero sh_size field. We ignore this here because getting shdrs 383 zero sh_size field. We ignore this here because getting shdrs
384 is just a nice bonus (see below in the type == PT_LOAD case 384 is just a nice bonus (see below in the type == PT_LOAD case
385 where we trim the last segment). */ 385 where we trim the last segment). */
386 shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * ehdr.e32.e_shentsize; 386 shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * sizeof (Elf32_Shdr);
387 break; 387 break;
388 388
389 case ELFCLASS64: 389 case ELFCLASS64:
@@ -397,7 +397,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
397 if (phentsize != sizeof (Elf64_Phdr)) 397 if (phentsize != sizeof (Elf64_Phdr))
398 goto out; 398 goto out;
399 /* See the NOTE above for shdrs_end and ehdr.e32.e_shnum. */ 399 /* See the NOTE above for shdrs_end and ehdr.e32.e_shnum. */
400 shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * ehdr.e64.e_shentsize; 400 shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * sizeof (Elf64_Shdr);
401 break; 401 break;
402 402
403 default: 403 default: