libelf: Check e_shoff alignment before direct access of Elf(32|64)_Shdr.

In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly
aligned, but to access the Shdr directly we need to check whether the
address that points to the Elf(32|64)_Shdr structure is correctly aligned.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index fd2fc53e0980bed4bfd1d17f1d3843758cb23129..772eb52d64b91f00d466416ab2c787b4a1071d1d 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-04  Mark Wielaard  <mjw@redhat.com>
+
+       * elf_begin.c (get_shnum): Check alignment of Shdr, not Ehdr before
+       direct access.
+
 2015-06-02  Mark Wielaard  <mjw@redhat.com>
 
        * elf_begin.c (file_read_elf): Split checks for ehdr and shdr

diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index e2e3b6b4dc00cc680fa5502624c77a3d08a0757e..f002ebf0b6defa26cca8b689f59518d14ca36331 100644 (file)
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -151,8 +151,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 
          if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
              && (ALLOW_UNALIGNED
-                 || (((size_t) ((char *) map_address + offset))
-                     & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
+                 || (((size_t) ((char *) map_address + ehdr.e32->e_shoff))
+                     & (__alignof__ (Elf32_Shdr) - 1)) == 0))
            /* We can directly access the memory.  */
            result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff
                                      + offset))->sh_size;
@@ -201,8 +201,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
          Elf64_Xword size;
          if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
              && (ALLOW_UNALIGNED
-                 || (((size_t) ((char *) map_address + offset))
-                     & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
+                 || (((size_t) ((char *) map_address + ehdr.e64->e_shoff))
+                     & (__alignof__ (Elf64_Shdr) - 1)) == 0))
            /* We can directly access the memory.  */
            size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff
                                    + offset))->sh_size;