>>> On 09.12.16 at 12:54, wrote:
> Jan Beulich writes ("Re: [PATCH] libelf: Fix div0 issues in
> elf_{shdr,phdr}_count()"):
>> On 08.12.16 at 18:28, wrote:
>> > Looking at the commit message I was concerned that the phdr and shdr
>> > counts might be excessive, and that libelf might get stuck in
Jan Beulich writes ("Re: [PATCH] libelf: Fix div0 issues in
elf_{shdr,phdr}_count()"):
> On 08.12.16 at 18:28, wrote:
> > Looking at the commit message I was concerned that the phdr and shdr
> > counts might be excessive, and that libelf might get stuck in a loop
> > with an unreasonably high ite
>>> On 08.12.16 at 18:28, wrote:
> Part of the motivation for a01b6d4 was the anomaly which is the
> difference between the implementations of elf_phdr_size and
> elf_shdr_size.
>
> This was introduced in 39bf7b9d0ae5 "libelf: check loops for running
> away". That was part of the XSA-55 patchset
Ian Jackson writes ("Re: [PATCH] libelf: Fix div0 issues in
elf_{shdr,phdr}_count()"):
> Admittedly the rule about iteration count is not so easy to remember,
> and I had failed to anticipate that someone would introduce division.
> But both of those kind of bugs are denial of service, rather than
>>> On 08.12.16 at 16:47, wrote:
> Andrew Cooper writes ("Re: [PATCH] libelf: Fix div0 issues in
> elf_{shdr,phdr}_count()"):
>> On 08/12/16 15:17, Jan Beulich wrote:
>> > Oh, I see - elf_phdr_count() itself relies on the check that's
>> > about to be done. But I think the correct thing then woul
Andrew Cooper writes ("Re: [PATCH] libelf: Fix div0 issues in
elf_{shdr,phdr}_count()"):
> On 08/12/16 15:17, Jan Beulich wrote:
> > Oh, I see - elf_phdr_count() itself relies on the check that's
> > about to be done. But I think the correct thing then would be to
> > not use elf_phdr_count() here
On 08/12/16 15:17, Jan Beulich wrote:
On 08.12.16 at 15:46, wrote:
>> On 08/12/16 14:41, Jan Beulich wrote:
>> On 08.12.16 at 15:18, wrote:
elf_uval() can return zero either because the field itself is zero, or
>> because
the access is out of bounds.
c/s a01b6d4 "lib
>>> On 08.12.16 at 15:46, wrote:
> On 08/12/16 14:41, Jan Beulich wrote:
> On 08.12.16 at 15:18, wrote:
>>> elf_uval() can return zero either because the field itself is zero, or
> because
>>> the access is out of bounds.
>>>
>>> c/s a01b6d4 "libelf: treat phdr and shdr similarly" introduced
Jan Beulich writes ("Re: [PATCH] libelf: Fix div0 issues in
elf_{shdr,phdr}_count()"):
> On 08.12.16 at 15:18, wrote:
> > Spotted by Coverity.
>
> And wrongly so, imo.
...
> > @@ -148,11 +154,17 @@ unsigned elf_shdr_count(struct elf_binary *elf)
> > unsigned elf_phdr_count(struct elf_binary *el
On 08/12/16 14:41, Jan Beulich wrote:
On 08.12.16 at 15:18, wrote:
>> elf_uval() can return zero either because the field itself is zero, or
>> because
>> the access is out of bounds.
>>
>> c/s a01b6d4 "libelf: treat phdr and shdr similarly" introduced two div0
>> issues
>> as e_{ph,sh}ents
>>> On 08.12.16 at 15:18, wrote:
> elf_uval() can return zero either because the field itself is zero, or because
> the access is out of bounds.
>
> c/s a01b6d4 "libelf: treat phdr and shdr similarly" introduced two div0 issues
> as e_{ph,sh}entsize are not checked for sanity before being used to
elf_uval() can return zero either because the field itself is zero, or because
the access is out of bounds.
c/s a01b6d4 "libelf: treat phdr and shdr similarly" introduced two div0 issues
as e_{ph,sh}entsize are not checked for sanity before being used to divide
elf->size.
Spotted by Coverity.
Si
12 matches
Mail list logo
