libelf: Add n_namesz offset overflow check to gelf_get_note.
During fuzzing of the new xlate_notes testcase I noticed that gelf_get_note didn't check whether the n_namesz of a note was too big. This could lead to the offset wrapping around, causing an infinite loop going over all ELF notes. Fix by adding an overflow check before updating offset. Signed-off-by: Mark Wielaard <mark@klomp.org>
@@ -1,3 +1,8 @@
|
||||
2019-05-01 Mark Wielaard <mark@klomp.org>
|
||||
|
||||
* gelf_getnote.c (gelf_getnote): Check n_namesz doesn't overflow
|
||||
offset.
|
||||
|
||||
2019-04-30 Mark Wielaard <mark@klomp.org>
|
||||
|
||||
* note_xlate.h (elf_cvt_note): Indicate we only translated the note
|
||||
|
||||
@@ -80,11 +80,12 @@ gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result,
|
||||
the offset, after adding the namesz, and include padding
|
||||
in descsz to get to the end. */
|
||||
*name_offset = offset;
|
||||
offset += n->n_namesz;
|
||||
if (offset > data->d_size)
|
||||
if (n->n_namesz > data->d_size
|
||||
|| offset > data->d_size - n->n_namesz)
|
||||
offset = 0;
|
||||
else
|
||||
{
|
||||
offset += n->n_namesz;
|
||||
/* Include padding. Check below for overflow. */
|
||||
GElf_Word descsz = (data->d_type == ELF_T_NHDR8
|
||||
? NOTE_ALIGN8 (n->n_descsz)
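Review bot: The new two-clause guard on the `n->n_namesz` lines is correct as written, but if the header bounds check that precedes this hunk (gelf_getnote's body starts before line 80 and continues past this hunk) already guarantees `offset <= data->d_size`, the same test reads more directly in remaining-bytes form, `if (data->d_size - offset < n->n_namesz)`, which cannot underflow and matches the shape the comment `/* Include padding. Check below for overflow. */` points to for descsz; confirm that precondition before simplifying. A rejected note collapses to `offset = 0`, the same value a caller sees at the normal end of the note list, so whether a truncated or corrupt note is distinguishable from the last note depends on whether this path also records a libelf error, which the hunk does not show. A one-line comment above the new condition would record the motivation the commit message gives: `/* A namesz larger than the remaining data would wrap offset and restart the note walk at 0; reject it here.  */`.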
|
||||
|
||||