diff options
| author | Mark Wielaard <mjw@redhat.com> | 2016-10-21 15:24:34 +0200 |
|---|---|---|
| committer | Mark Wielaard <mjw@redhat.com> | 2016-11-10 12:11:00 +0100 |
| commit | 09ec02ec7f7e6913d10943148e2a898264345b07 (patch) | |
| tree | f144caa8cf844d4643c2a89f84a9bddc993d08d4 | |
| parent | 191000fdedba3fafe4d5b8cddad3f3318b49c3fb (diff) | |
| download | elfutils-09ec02ec7f7e6913d10943148e2a898264345b07.tar.gz | |
libelf: Sanity check offset and size before trying to malloc and read data.
Bad sh_off or sh_size could trigger a bad malloc or read. Sanity check
the header values first before trying to malloc a huge buffer or reading
any data that will certainly fail.
https://bugzilla.redhat.com/show_bug.cgi?id=1387584
Signed-off-by: Mark Wielaard <mjw@redhat.com>
| -rw-r--r-- | libelf/ChangeLog | 5 | ||||
| -rw-r--r-- | libelf/elf_getdata.c | 11 |
2 files changed, 16 insertions, 0 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 39fbccf2..64141288 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,8 @@ +2016-10-21 Mark Wielaard <mjw@redhat.com> + + * elf_getdata.c (__libelf_set_rawdata_wrlock): Sanity check + offset and size before trying to malloc and read data. + 2016-10-26 Mark Wielaard <mjw@redhat.com> * elf_begin.c (read_file): Always set maxsize when parent == NULL. diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c index d1fafbfe..97c503b5 100644 --- a/libelf/elf_getdata.c +++ b/libelf/elf_getdata.c @@ -312,6 +312,17 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn) } else if (likely (elf->fildes != -1)) { + /* First see whether the information in the section header is + valid and it does not ask for too much. Check for unsigned + overflow. */ + if (unlikely (offset > elf->maximum_size + || elf->maximum_size - offset < size)) + { + /* Something is wrong. */ + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); + return 1; + } + /* We have to read the data from the file. Allocate the needed memory. */ scn->rawdata_base = scn->rawdata.d.d_buf |