libdwfl: Don't try to convert too many bytes in dwfl_link_map_report

When trying to read (corrupt) phdrs from a core file we only want
to read and convert the bytes we could read. Also make sure we don't
try to allocate too big buffers.

https://sourceware.org/bugzilla/show_bug.cgi?id=28666

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index b2a8752a00ec958baf18712b1950f4869590e479..96251f0de8ffa1314f5e55db31ad50d422804c98 100644 (file)
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,9 @@
+2021-12-08  Mark Wielaard  <mark@klomp.org>
+
+       * link_map.c (dwfl_link_map_report): Limit malloc size to max
+       possible. When converting make sure we don't exceed the number
+       of bytes available in either in.d_buf nor out.d_buf.
+
 2021-12-08  Mark Wielaard  <mark@klomp.org>
 
        * dwfl_segment_report_module.c (dwfl_segment_report_module): Don't

diff --git a/libdwfl/link_map.c b/libdwfl/link_map.c
index 1e7d4502688787b8e6ab92e43aa12701f071bff7..1c298a8eab73deef7b6cee24936230275bd3ac4c 100644 (file)
--- a/libdwfl/link_map.c
+++ b/libdwfl/link_map.c
@@ -847,6 +847,11 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size,
              /* Note this in the !in_ok path.  That means memory_callback
                 failed.  But the callback might still have reset the d_size
                 value (to zero).  So explicitly set it here again.  */
+             if (unlikely (phnum > SIZE_MAX / phent))
+               {
+                 __libdwfl_seterrno (DWFL_E_NOMEM);
+                 return false;
+               }
              in.d_size = phnum * phent;
              in.d_buf = malloc (in.d_size);
              if (unlikely (in.d_buf == NULL))
@@ -876,6 +881,13 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size,
                  return false;
                }
              size_t nbytes = phnum * phent;
+             /* We can only process as many bytes/phnum as there are
+                in in.d_size. The data might have been truncated.  */
+             if (nbytes > in.d_size)
+               {
+                 nbytes = in.d_size;
+                 phnum = nbytes / phent;
+               }
              void *buf = malloc (nbytes);
              Elf32_Phdr (*p32)[phnum] = buf;
              Elf64_Phdr (*p64)[phnum] = buf;
@@ -888,10 +900,11 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size,
                {
                  .d_type = ELF_T_PHDR,
                  .d_version = EV_CURRENT,
-                 .d_size = phnum * phent,
+                 .d_size = nbytes,
                  .d_buf = buf
                };
-             in.d_size = out.d_size;
+             if (in.d_size > out.d_size)
+               in.d_size = out.d_size;
              if (likely ((elfclass == ELFCLASS32
                           ? elf32_xlatetom : elf64_xlatetom)
                          (&out, &in, elfdata) != NULL))