svn commit: r358637 - head/contrib/elftoolchain/readelf
Ed Maste
emaste at FreeBSD.org
Wed Mar 4 20:29:50 UTC 2020
Author: emaste
Date: Wed Mar 4 20:29:49 2020
New Revision: 358637
URL: https://svnweb.freebsd.org/changeset/base/358637
Log:
readelf: check note namesz and descsz
Previously corrupt note namesz or descsz (perhaps caused by readelf's
current lack of endian support for notes) resulted in a crash. Check
that namesz and descsz do not extend beyond the end of the buffer before
trying to access name and desc data.
Reported by: jhb
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Modified:
head/contrib/elftoolchain/readelf/readelf.c
Modified: head/contrib/elftoolchain/readelf/readelf.c
==============================================================================
--- head/contrib/elftoolchain/readelf/readelf.c Wed Mar 4 20:22:02 2020 (r358636)
+++ head/contrib/elftoolchain/readelf/readelf.c Wed Mar 4 20:29:49 2020 (r358637)
@@ -3740,6 +3740,10 @@ dump_notes_content(struct readelf *re, const char *buf
}
note = (Elf_Note *)(uintptr_t) buf;
buf += sizeof(Elf_Note);
+ if (buf + roundup2(note->n_namesz, 4) > end) {
+ warnx("invalid note header name");
+ return;
+ }
name = buf;
buf += roundup2(note->n_namesz, 4);
/*
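Review bot: The name check forms `buf + roundup2(note->n_namesz, 4)` before comparing against `end`, so the test itself depends on arithmetic driven by the untrusted size. With a 32-bit `n_namesz`, a value within 3 of the maximum makes `roundup2()` wrap to 0 and the check passes; on a 32-bit target a large size can also carry the pointer past `end` and wrap, which is undefined for pointer arithmetic. Comparing sizes instead avoids both: first reject `note->n_namesz > (size_t)(end - buf)`, then test the rounded value against the same remaining length. The same applies to the `n_descsz` check in the second hunk.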
@@ -3759,6 +3763,10 @@ dump_notes_content(struct readelf *re, const char *buf
printf(" %-13s %#010jx", name, (uintmax_t) note->n_descsz);
printf(" %s\n", note_type(name, re->ehdr.e_type,
note->n_type));
+ if (buf + roundup2(note->n_descsz, 4) > end) {
+ warnx("invalid note header desc");
+ return;
+ }
dump_notes_data(re, name, note->n_type, buf, note->n_descsz);
buf += roundup2(note->n_descsz, 4);
}
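Review bot: The desc check sits after the two `printf` calls, so for a corrupt note the row with the name and the bogus `n_descsz` is already on stdout when `warnx("invalid note header desc")` fires and the function returns. If that is intended (showing the bad size is useful for diagnosis), a short comment saying so would help; otherwise move the check above the `printf` lines. Note also that the test uses the rounded-up size while `dump_notes_data()` is passed only `note->n_descsz`, so a final note whose descriptor fits in the buffer but whose trailing padding is absent is rejected as invalid; testing the unrounded size before the dump, and clamping the later `buf +=` advance to `end`, would accept it.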