From: Guillem Jover Date: Sat, 15 Jun 2019 12:33:32 +0000 (+0200) Subject: nlist: Check that e_shnum and e_shentsize are within bounds X-Git-Tag: 0.10.0~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9529d9b4a7833049d34b4ec3bf018bdfe68c807;p=thirdparty%2Flibbsd.git nlist: Check that e_shnum and e_shentsize are within bounds The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson Based-on-patch-by: Daniel Hodson Signed-off-by: Guillem Jover --- diff --git a/src/nlist.c b/src/nlist.c index 776d315..2aa2eee 100644 --- a/src/nlist.c +++ b/src/nlist.c @@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list) fstat(fd, &st) < 0) return (-1); + if (ehdr.e_shnum == 0 || + ehdr.e_shentsize != sizeof(Elf_Shdr)) { + errno = ERANGE; + return (-1); + } + /* calculate section header table size */ shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
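Review bot: the check added in `__fdnlist()` just before the "calculate section header table size" comment puts only a lower bound on `e_shnum`. With `e_shentsize` now pinned to `sizeof(Elf_Shdr)`, `shdr_size` is still taken entirely from the untrusted header and nothing in this hunk compares it with the size of the file. Since `st` has already been filled by the `fstat()` call directly above, consider validating the table's offset and size against `st.st_size` right after `shdr_size` is computed, unless that already happens below the visible context. The new block would also benefit from a short comment giving the two reasons from the commit message (zero sized allocation, out of bounds reads on the shdr array) and noting that `e_shnum == 0` is also what a file with no section header table carries, so such files now fail with `ERANGE` by design.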