From: Mark Wielaard
Date: Thu, 4 Jun 2015 11:51:27 +0000 (+0200)
Subject: libelf: Check e_shoff alignment before direct access of Elf(32|64)_Shdr.
X-Git-Tag: elfutils-0.162~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=560aa98b9aaa89ce345239de865eda0ba403af68;p=thirdparty%2Felfutils.git
libelf: Check e_shoff alignment before direct access of Elf(32|64)_Shdr.
In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly aligned, but to access the Shdr directly we need to check whether the address that points to the Elf(32|64)_Shdr structure is correctly aligned.
Signed-off-by: Mark Wielaard
---
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index fd2fc53e0..772eb52d6 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-04 Mark Wielaard
+
+ * elf_begin.c (get_shnum): Check alignment of Shdr, not Ehdr before
+ direct access.
+
 2015-06-02 Mark Wielaard * elf_begin.c (file_read_elf): Split checks for ehdr and shdr
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index e2e3b6b4d..f002ebf0b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -151,8 +151,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA && (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset))
- & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e32->e_shoff))
+ & (__alignof__ (Elf32_Shdr) - 1)) == 0))
 /* We can directly access the memory. */ result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff + offset))->sh_size;
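Review bot: The new alignment test in the Elf32 branch checks the address `map_address + ehdr.e32->e_shoff`, but the dereference right below it reads from `map_address + ehdr.e32->e_shoff + offset`, so the tested address and the accessed address differ whenever `offset` is non-zero. If `offset` is not a multiple of `__alignof__ (Elf32_Shdr)`, the check can pass while the direct `->sh_size` read is misaligned on builds where ALLOW_UNALIGNED is 0, and `e_shoff` comes from the file being parsed. The test should cover the address actually used, `|| (((size_t) ((char *) map_address + ehdr.e32->e_shoff + offset))`. The Elf64 hunk at -201 has the same mismatch with `ehdr.e64->e_shoff` and needs the same change. get_shnum's body starts and ends outside both hunks, so whether `e_shoff + offset` is bounds-checked against the mapping before this point cannot be confirmed from here.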
@@ -201,8 +201,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 Elf64_Xword size; if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA && (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset))
- & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e64->e_shoff))
+ & (__alignof__ (Elf64_Shdr) - 1)) == 0))
 /* We can directly access the memory. */ size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff + offset))->sh_size;