CVE-2014-0172 Check for overflow before calling malloc to uncompress data.

https://bugzilla.redhat.com/show_bug.cgi?id=1085663

Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 1d9b9a3b1c62d7cff835752ea9171493ac2c4cf0..e8f0eb88a4bcc75d931890f830df6817b0e23882 100644 (file)
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-09  Mark Wielaard  <mjw@redhat.com>
+
+       * dwarf_begin_elf.c (check_section): Check for unsigned overflow
+       before calling malloc to uncompress data.
+
 2014-03-03  Jan Kratochvil  <jan.kratochvil@redhat.com>
 
        Fix abort() on missing section headers.

diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeacb682d5917df92eaf6738898817a82adc0..34ea373448780a7579934a594254fb9d3b3f3575 100644 (file)
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -1,5 +1,5 @@
 /* Create descriptor from ELF descriptor for processing file.
-   Copyright (C) 2002-2011 Red Hat, Inc.
+   Copyright (C) 2002-2011, 2014 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 2002.
 
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
            memcpy (&size, data->d_buf + 4, sizeof size);
            size = be64toh (size);
 
+           /* Check for unsigned overflow so malloc always allocated
+              enough memory for both the Elf_Data header and the
+              uncompressed section data.  */
+           if (unlikely (sizeof (Elf_Data) + size < size))
+             break;
+
            Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
            if (unlikely (zdata == NULL))
              break;