[Bug 1692997] [NEW] libelf test for section size in wrong place
David Anderson
1692997 at bugs.launchpad.net
Tue May 23 18:23:44 UTC 2017
Public bug reported:
It seems to me that the test for an invalid section size
wants to be moved up from the map case to cover both the read and the map
case.
To guard against a bogus section size for both cases.
Rather than relying on a malloc failure to catch a
completely bogus section size.
Thus allowing a more accurate error indication.
From elfutils_0.165.orig.tar.bz2
elfutils-0.165/libelf/elf_getdata.c
--- elf_getdata.c.orig 2017-05-23 10:56:05.547607473 -0700
+++ elf_getdata.c 2017-05-23 11:08:27.459670572 -0700
@@ -292,21 +292,20 @@
__libelf_seterrno (ELF_E_INVALID_DATA);
return 1;
}
+ /* First see whether the information in the section header is
+ valid and it does not ask for too much. Check for unsigned
+ overflow. */
+ if (unlikely (offset > elf->maximum_size
+ || elf->maximum_size - offset < size))
+ {
+ /* Something is wrong. */
+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+ return 1;
+ }
/* We can use the mapped or loaded data if available. */
if (elf->map_address != NULL)
{
- /* First see whether the information in the section header is
- valid and it does not ask for too much. Check for unsigned
- overflow. */
- if (unlikely (offset > elf->maximum_size
- || elf->maximum_size - offset < size))
- {
- /* Something is wrong. */
- __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
- return 1;
- }
-
scn->rawdata_base = scn->rawdata.d.d_buf
= (char *) elf->map_address + elf->start_offset + offset;
}
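Review bot: With the bounds check hoisted above `if (elf->map_address != NULL)`, it now also gates the read path, so it is only correct if `elf->maximum_size` holds the real file size when the file is not mapped; nothing in the visible lines shows that. Please confirm where `maximum_size` is set for the non-mapped case, otherwise valid sections would be rejected there with ELF_E_INVALID_SECTION_HEADER. The comparison itself (`offset > elf->maximum_size || elf->maximum_size - offset < size`) is the overflow-safe form and should stay as written. A regression test that opens a file with an oversized section size without mapping it, and expects ELF_E_INVALID_SECTION_HEADER rather than an allocation failure, would pin down the behaviour the report asks for.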
** Affects: elfutils (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1692997