libelf: Fix possible unbounded stack usage in getphdr_wrlock.

When a copy needs to be made of the phdrs, allocate with malloc and free
after conversion instead of calling alloca.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4fd3f9f5604a296136832d43088e17ab803305db..65f9112d2971d1f6c95678df7153abbb3cf18a89 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-31  Mark Wielaard  <mjw@redhat.com>
+
+       * elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
+       alloca and free after conversion when a copy needs to be made.
+
 2015-05-31  Mark Wielaard  <mjw@redhat.com>
 
        * elf_getarsym.c (elf_getarsym): Allocate temporary file_date with

diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 1b82a4802ff65fdd65fc1dfe466955f4bd705c1c..38e489dc37b8e43d97819e41febd037080f9fe88 100644 (file)
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -141,13 +141,20 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
                }
              else
                {
-                 if (ALLOW_UNALIGNED
-                     || ((uintptr_t) file_phdr
-                         & (__alignof__ (ElfW2(LIBELFBITS,Phdr)) - 1)) == 0)
+                 bool copy = ! (ALLOW_UNALIGNED
+                                || ((uintptr_t) file_phdr
+                                    & (__alignof__ (ElfW2(LIBELFBITS,Phdr))
+                                       - 1)) == 0);
+                 if (! copy)
                    notcvt = file_phdr;
                  else
                    {
-                     notcvt = (ElfW2(LIBELFBITS,Phdr) *) alloca (size);
+                     notcvt = (ElfW2(LIBELFBITS,Phdr) *) malloc (size);
+                     if (unlikely (notcvt == NULL))
+                       {
+                         __libelf_seterrno (ELF_E_NOMEM);
+                         goto out;
+                       }
                      memcpy (notcvt, file_phdr, size);
                    }
 
@@ -162,6 +169,9 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
                      CONVERT_TO (phdr[cnt].p_flags, notcvt[cnt].p_flags);
                      CONVERT_TO (phdr[cnt].p_align, notcvt[cnt].p_align);
                    }
+
+                 if (copy)
+                   free (notcvt);
                }
            }
        }