| | | |
|---|---|---|
| author | Sergei Trofimovich <slyfox@gentoo.org> | 2017-08-19 10:34:41 +0100 |
| committer | Fabian Groffen <grobian@gentoo.org> | 2017-09-18 09:05:20 +0200 |
| commit | 720becce1314db8c0af8442650f496d972475327 (patch) | |
| tree | 00d27c9307200f6a05b99c559de4f36704e166af | |
| parent | paxelf: constify pax_short_* helpers (diff) | |
| download | pax-utils-720becce1314db8c0af8442650f496d972475327.tar.gz, pax-utils-720becce1314db8c0af8442650f496d972475327.tar.bz2, pax-utils-720becce1314db8c0af8442650f496d972475327.zip | |
scanelf: fix out-of-bounds access in ia64
commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9
slightly changed the decoder and added an unchecked
read from the ELF header:
```
switch (EGET(dpltrel->d_un.d_val)) { \
case DT_REL: \
rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
```
On ia64 'EGET(drel->d_un.d_val)' returns an absolute address:
```
$ dumpelf bug/luatex
...
/* Dynamic tag #31 'DT_RELA' 0x97E310 */
{
.d_tag = 0x7 ,
.d_un = {
.d_val = 0x4000000000031C30 ,
.d_ptr = 0x4000000000031C30 ,
},
},
```
That causes a 'scanelf' crash on binaries like 'luatex'.
This change restores the check and loudly skips such sections:
```
scanelf: bug/luatex: DT_RELA is out of file range
```
Bug: https://bugs.gentoo.org/624356
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Fabian Groffen <grobian@gentoo.org>
-rw-r--r-- | scanelf.c | 12 |
1 files changed, 12 insertions, 0 deletions
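The commit message describes the failure mode: a dynamic entry whose `d_val` is an absolute ia64 address, not a file offset, gets added to the file mapping without a bounds check. The following is an added example, not pax-utils code, showing the kind of range check the fix reintroduces. `in_file_range()` is a hypothetical stand-in for the `VALID_RANGE()` macro used in the patch (its real implementation is not on this page), `struct dyn_entry` is a constructed miniature of an `Elf64_Dyn`, and the file size, table length and the wrap-around case are constructed inputs. It goes slightly beyond the patch in that it validates the whole table length rather than one pointer-sized read, and it shows why the addition `off + len` must be written so it cannot overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DT_RELA 7   /* standard ELF d_tag values; 0x7 matches the dumpelf output above */
#define DT_REL  17

/* Constructed miniature of an Elf64_Dyn entry, as printed by dumpelf. */
struct dyn_entry {
    uint64_t d_tag;
    uint64_t d_val;
};

/* Hypothetical equivalent of pax-utils' VALID_RANGE(): true only if `len`
 * bytes starting at file offset `off` lie entirely inside a file of
 * `file_size` bytes. The subtraction form avoids computing off + len,
 * which could wrap around and make a huge offset or length look valid. */
bool in_file_range(uint64_t file_size, uint64_t off, uint64_t len)
{
    if (off > file_size)
        return false;
    return len <= file_size - off;
}

/* Decide whether a DT_REL/DT_RELA table may be walked. Returns 1 if the
 * whole table of `table_len` bytes is inside the file, 0 (plus a warning
 * in the same style as the patch) if it must be skipped. An absolute ia64
 * address such as 0x4000000000031C30 is rejected here rather than being
 * added to the mapping base and dereferenced. */
int check_rel_table(const char *filename, uint64_t file_size,
                    const struct dyn_entry *e, uint64_t table_len)
{
    const char *tag = e->d_tag == DT_RELA ? "DT_RELA" :
                      e->d_tag == DT_REL  ? "DT_REL"  : "unknown tag";
    if (!in_file_range(file_size, e->d_val, table_len)) {
        fprintf(stderr, "%s: %s is out of file range\n", filename, tag);
        return 0;
    }
    return 1;
}

int main(void)
{
    const uint64_t file_size = 0x100000; /* constructed: a 1 MiB binary */
    struct dyn_entry sane = { DT_RELA, 0x31C30 };            /* file-relative offset */
    struct dyn_entry ia64 = { DT_RELA, 0x4000000000031C30 }; /* value from the bug report */
    struct dyn_entry tail = { DT_REL,  0xFFF00 };            /* table ends exactly at EOF */
    struct dyn_entry wrap = { DT_REL,  0x10 };               /* small offset, absurd length */

    printf("sane: %d\n", check_rel_table("bug/luatex", file_size, &sane, 0x100));
    printf("ia64: %d\n", check_rel_table("bug/luatex", file_size, &ia64, 0x100));
    printf("tail: %d\n", check_rel_table("bug/luatex", file_size, &tail, 0x100));
    /* A naive `off + len <= file_size` would wrap to 0x8 and accept this. */
    printf("wrap: %d\n", check_rel_table("bug/luatex", file_size, &wrap,
                                         0xFFFFFFFFFFFFFFF8ULL));
    return 0;
}
```

The `wrap` case is the one a bounds-check macro most often gets wrong: with the offset already validated, the length still has to be compared against the remaining bytes rather than added to the offset.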
@@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun } \ switch (EGET(dpltrel->d_un.d_val)) { \ case DT_REL: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_REL is out of file range", elf->filename); \ + break; \ + } \ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ rela = NULL; \ pltrel = DT_REL; \ break; \ case DT_RELA: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_RELA is out of file range", elf->filename); \ + break; \ + } \ rel = NULL; \ rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \ pltrel = DT_RELA; \ |
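Review bot: in both new blocks the range check only covers `sizeof (drel->d_un.d_val)` bytes at `EGET(drel->d_un.d_val)`, but `rel`/`rela` are then set to point at a relocation table that is presumably walked for more than one pointer-sized read; if a table length is available to this function, validating `VALID_RANGE(elf, offset, table_len)` would close the same class of out-of-file read for a truncated or corrupted table, not just for the absolute-address case in the commit message. The two inserted blocks are identical apart from the tag string and could be one helper macro taking the tag name, which also keeps the DT_REL and DT_RELA warnings from drifting apart. Finally, since the commit message explains that on ia64 the value is an absolute address rather than a file offset, a comment at the check saying the section is deliberately skipped (not translated) on such binaries would help the next reader understand why textrel detection is silently weaker there.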