Author: emaste
Date: Wed Mar  4 20:29:49 2020
New Revision: 358637
URL: https://svnweb.freebsd.org/changeset/base/358637

Log:
  readelf: check note namesz and descsz
  
  Previously corrupt note namesz or descsz (perhaps caused by readelf's
  current lack of endian support for notes) resulted in a crash.  Check
  that namesz and descsz do not extend beyond the end of the buffer before
  trying to access name and desc data.
  
  Reported by:  jhb
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/contrib/elftoolchain/readelf/readelf.c

Modified: head/contrib/elftoolchain/readelf/readelf.c
==============================================================================
--- head/contrib/elftoolchain/readelf/readelf.c Wed Mar  4 20:22:02 2020        
(r358636)
+++ head/contrib/elftoolchain/readelf/readelf.c Wed Mar  4 20:29:49 2020        
(r358637)
@@ -3740,6 +3740,10 @@ dump_notes_content(struct readelf *re, const char *buf
                }
                note = (Elf_Note *)(uintptr_t) buf;
                buf += sizeof(Elf_Note);
+               if (buf + roundup2(note->n_namesz, 4) > end) {
+                       warnx("invalid note header name");
+                       return;
+               }
                name = buf;
                buf += roundup2(note->n_namesz, 4);
                /*
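Review bot: The bounds check `if (buf + roundup2(note->n_namesz, 4) > end)` does its arithmetic on the file-supplied size before comparing, so it can be defeated by the very values it is meant to reject. If `roundup2` is evaluated in the 32-bit width of `n_namesz` (the field's type is not visible in the hunk), a value within 3 of the maximum rounds up to 0 and passes, and on a 32-bit address space `buf + size` can wrap below `end`; forming a pointer beyond one past the end of the buffer is undefined in any case. Comparing against the remaining length avoids both: `if (note->n_namesz > (size_t)(end - buf) || roundup2((size_t)note->n_namesz, 4) > (size_t)(end - buf))`, assuming the check that closes just above the hunk leaves `buf <= end`. The `n_descsz` check in the second hunk has the same form and would take the same change. dump_notes_content starts and ends outside both hunks.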
@@ -3759,6 +3763,10 @@ dump_notes_content(struct readelf *re, const char *buf
                printf("  %-13s %#010jx", name, (uintmax_t) note->n_descsz);
                printf("      %s\n", note_type(name, re->ehdr.e_type,
                    note->n_type));
+               if (buf + roundup2(note->n_descsz, 4) > end) {
+                       warnx("invalid note header desc");
+                       return;
+               }
                dump_notes_data(re, name, note->n_type, buf, note->n_descsz);
                buf += roundup2(note->n_descsz, 4);
        }