[tnozaki-elftoolchain] TNF local patch for libelf - add miscellaneous integer overflow check
Issue #276
wontfix
No description provided.
Comments (5)
-
reporter -
reporter libelf_ehdr.c’s change:
index e012750c33b..c558dc2824d 100644 --- a/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c +++ b/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c @@ -29,6 +29,7 @@ #include <assert.h> #include <gelf.h> #include <libelf.h> +#include <limits.h> #include <stdlib.h> #include "_libelf.h" @@ -68,6 +69,11 @@ _libelf_load_extended(Elf *e, int ec, uint64_t shoff, uint16_t phnum, if ((scn = _libelf_allocate_scn(e, (size_t) 0)) == NULL) return (0); + if (shoff > SSIZE_MAX) { + LIBELF_SET_ERROR(HEADER, 0); + return (0); + } + xlator = _libelf_get_translator(ELF_T_SHDR, ELF_TOMEMORY, ec, _libelf_elfmachine(e)); (*xlator)((unsigned char *) &scn->s_shdr, sizeof(scn->s_shdr),
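Review bot: The new `shoff > SSIZE_MAX` check is placed after `_libelf_allocate_scn(e, (size_t) 0)` has already succeeded, so the error path returns with a freshly allocated section descriptor attached to `e`; move the check above the allocation so a rejected header does nothing beyond setting the error. It also overlaps the `shoff + fsz < shoff` wraparound test that the thread says is already upstream (r3688); if both are kept, a one-line comment should say which case each covers, since the addition test only catches wraparound while the SSIZE_MAX test caps the absolute offset.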
The shoff range check was done previously:
    if (shoff + fsz < shoff) { /* Numeric overflow. */
        LIBELF_SET_ERROR(HEADER, 0);
        return (0);
    }
fix done r3688 https://sourceforge.net/p/elftoolchain/code/3688/
ticket 565 https://sourceforge.net/p/elftoolchain/tickets/565/
This change is not merged into N HEAD yet.
-
reporter libelf_ehdr.c’s change:
diff --git a/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c b/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c index e012750c33b..32a9fd500ab 100644 --- a/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c +++ b/external/bsd/elftoolchain/dist/libelf/libelf_ehdr.c @@ -29,6 +29,7 @@ #include <assert.h> #include <gelf.h> #include <libelf.h> +#include <limits.h> #include <stdlib.h> #include "_libelf.h" @@ -82,6 +83,11 @@ _libelf_load_extended(Elf *e, int ec, uint64_t shoff, uint16_t phnum, return (0); } + if (GET_SHDR_MEMBER(sh_size) > UINT_MAX) { + LIBELF_SET_ERROR(HEADER, 0); + return (0); + } + e->e_u.e_elf.e_nscn = (size_t) GET_SHDR_MEMBER(sh_size); e->e_u.e_elf.e_nphdr = (phnum != PN_XNUM) ? phnum : GET_SHDR_MEMBER(sh_info);
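Review bot: The `GET_SHDR_MEMBER(sh_size) > UINT_MAX` check uses the wrong bound for the narrowing that follows on the next line, `e->e_u.e_elf.e_nscn = (size_t) GET_SHDR_MEMBER(sh_size);`. The value is cast to size_t, so the limit to compare against is SIZE_MAX (from <stdint.h>), not UINT_MAX; for ELFCLASS32 the member is already 32 bits wide, so the comparison is vacuous and trips -Wtype-limits. If the intent is instead a sanity cap on the section count, state that in a comment and choose the cap deliberately rather than borrowing UINT_MAX. The added `#include <limits.h>` is only needed for UINT_MAX and can go if the bound changes.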
But GET_SHDR_MEMBER(sh_size)'s type is uint32_t or uint64_t, so this check is always false and completely meaningless. And if this code is compiled with -Werror=type-limits, it may cause an error.
So I don't accept this code.
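Added example, not libelf's code and not part of the ticket: the two bounds argued over above written as stand-alone checks, so the wraparound test and the destination-type limit can be compared on a 32-bit versus a 64-bit size_t. The filesize parameter and the end-of-file test are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>

/* Constructed model of the values the thread discusses:
 * shoff    = offset of the section header table (Elf64 e_shoff),
 * fsz      = on-disk size of one section header,
 * filesize = size of the mapped ELF image (assumed extra input). */

/* Wraparound check in the style of upstream r3688 (shoff + fsz < shoff),
 * plus an assumed bounds check that the table lies inside the file. */
static int
shoff_in_range(uint64_t shoff, uint64_t fsz, uint64_t filesize)
{
	if (shoff + fsz < shoff)      /* numeric overflow */
		return 0;
	if (shoff + fsz > filesize)   /* table would read past EOF */
		return 0;
	return 1;
}

/* The TNF patch compares sh_size against UINT_MAX before the cast to
 * size_t. Comparing against the destination type's own limit is the
 * portable form: it is never vacuous and never rejects a value that
 * size_t can actually hold. */
static int
sh_size_fits_size_t(uint64_t sh_size)
{
	return sh_size <= (uint64_t)SIZE_MAX;
}

/* The UINT_MAX form from the patch, kept so the two can be compared. */
static int
sh_size_below_uint_max(uint64_t sh_size)
{
	return sh_size <= (uint64_t)UINT_MAX;
}
```

On an LP64 host the two sh_size checks disagree for any value between UINT_MAX and SIZE_MAX; on an ILP32 host they agree, which is the case in which the patch's comparison is vacuous for a 32-bit member.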
-
reporter - changed status to wontfix
All checks are merged or meaningless, NAK.
-
reporter - changed title to [tnozaki-elftoolchain] TNF local patch for libelf - add miscellaneous integer overflow check
elf_scn.c’s change:
shoff’s range check has already been done in the following macro, I think.
fix done r3147 https://sourceforge.net/p/elftoolchain/code/3147/
ticket 462 https://sourceforge.net/p/elftoolchain/tickets/462/
This change is not merged into N HEAD yet.