From 560aa98b9aaa89ce345239de865eda0ba403af68 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Thu, 4 Jun 2015 13:51:27 +0200
Subject: [PATCH] libelf: Check e_shoff alignment before direct access of Elf(32|64)_Shdr.

In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly aligned, but to access the Shdr directly we need to check whether the address that points to the Elf(32|64)_Shdr structure is correctly aligned.

Signed-off-by: Mark Wielaard
---
 libelf/ChangeLog   | 5 +++++
 libelf/elf_begin.c | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index fd2fc53e0..772eb52d6 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-04 Mark Wielaard
+
+ * elf_begin.c (get_shnum): Check alignment of Shdr, not Ehdr before
+ direct access.
+
 2015-06-02 Mark Wielaard
 
 * elf_begin.c (file_read_elf): Split checks for ehdr and shdr
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index e2e3b6b4d..f002ebf0b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -151,8 +151,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA && (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset)) & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e32->e_shoff)) & (__alignof__ (Elf32_Shdr) - 1)) == 0))
 /* We can directly access the memory. */ result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff + offset))->sh_size;
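Review bot: The new `+` lines test the alignment of `map_address + ehdr.e32->e_shoff`, but the pointer actually dereferenced in the context line that follows is `map_address + ehdr.e32->e_shoff + offset`; the removed lines included `offset`, the new ones drop it, so whenever `offset` is not a multiple of the Shdr alignment the check passes on one address and the load of `sh_size` is issued on another. On targets where ALLOW_UNALIGNED is false that is exactly the misaligned access the check exists to prevent, and `e_shoff` is presumably file-supplied, so the guard should be computed on the same expression as the access: `|| (((size_t) ((char *) map_address + ehdr.e32->e_shoff + offset))` followed by `& (__alignof__ (Elf32_Shdr) - 1)) == 0))`. The Elf64 hunk below has the same mismatch with `ehdr.e64->e_shoff` and needs the same `+ offset`. get_shnum begins, and its non-direct fallback path continues, outside this hunk.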
@@ -201,8 +201,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 Elf64_Xword size; if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA && (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset)) & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e64->e_shoff)) & (__alignof__ (Elf64_Shdr) - 1)) == 0))
 /* We can directly access the memory. */ size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff + offset))->sh_size;
-- 
2.47.2