From 720becce1314db8c0af8442650f496d972475327 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sat, 19 Aug 2017 10:34:41 +0100 Subject: scanelf: fix out-of-bounds access in ia64 commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9 slightly changed decoder and added unchecked read from elf header: ``` switch (EGET(dpltrel->d_un.d_val)) { \ case DT_REL: \ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ ``` On ia64 'EGET(drel->d_un.d_val)' returns absolute address: ``` $ dumpelf bug/luatex ... /* Dynamic tag #31 'DT_RELA' 0x97E310 */ { .d_tag = 0x7 , .d_un = { .d_val = 0x4000000000031C30 , .d_ptr = 0x4000000000031C30 , }, }, ``` That causes 'scanelf' crash on binaries like 'luatex'. This change restores check and loudly skips such sections: scanelf: bug/luatex: DT_RELA is out of file range Bug: https://bugs.gentoo.org/624356 Signed-off-by: Sergei Trofimovich Signed-off-by: Fabian Groffen --- scanelf.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scanelf.c b/scanelf.c index 1ead891..a054408 100644 --- a/scanelf.c +++ b/scanelf.c @@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun } \ switch (EGET(dpltrel->d_un.d_val)) { \ case DT_REL: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_REL is out of file range", elf->filename); \ + break; \ + } \ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ rela = NULL; \ pltrel = DT_REL; \ break; \ case DT_RELA: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_RELA is out of file range", elf->filename); \ + break; \ + } \ rel = NULL; \ rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \ pltrel = DT_RELA; \ -- cgit v1.2.3-65-gdbad