From 5e80a1e8f57fbae3bd5687bb80a65e97f824f914 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Wed, 6 May 2015 17:38:18 +0200
Subject: [PATCH] elflint: Add sanity checks to check_attributes.

This is similar to commit 9644aa for readelf print_attributes. Bail out when the vendor name isn't terminated and add overflow check for subsection_len. Note that readelf does handle non-gnu attributes, while elflint doesn't.

Signed-off-by: Mark Wielaard
---
 src/ChangeLog | 2 ++
 src/elflint.c | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 93f4aba24..089fe93fb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -4,6 +4,8 @@
 shift too big.
 (check_verdef): Use Elf64_Word for shdr->sh_info cnt.
 (check_verneed): Likewise.
+ (check_attributes): Break when vendor name isn't terminated.
+ Add overflow check for subsection_len.
 2015-05-05 Mark Wielaard
diff --git a/src/elflint.c b/src/elflint.c
index 4e5364603..df476a1f8 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -3423,7 +3423,7 @@ section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
 ERROR (gettext ("\
 section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
 idx, section_name (ebl, idx), pos (p));
- continue;
+ break;
 }
 ++q;
@@ -3466,7 +3466,9 @@ section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
 if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
 CONVERT (subsection_len);
- if (p - chunk < (ptrdiff_t) subsection_len)
+ /* Don't overflow, ptrdiff_t might be 32bits, but signed. */
+ if (p - chunk < (ptrdiff_t) subsection_len || subsection_len >= (uint32_t) PTRDIFF_MAX)
 {
 ERROR (gettext ("\
 section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),
--
2.47.2
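Review bot: The new `break` on the unterminated-vendor-name path has no comment, and the enclosing loop starts and ends outside this hunk, so a reader of the loop body alone cannot tell why a malformed chunk ends the whole scan instead of being skipped like the old `continue` did. A one-liner above it would carry the intent: `/* Without a terminated vendor name the chunk boundary is unknown, so nothing after it can be parsed reliably; stop scanning this section.  */`. The ERROR is still emitted before leaving, so no diagnostic is lost; presumably the old `continue` re-entered the loop at a position derived from the unterminated chunk, which is what the commit message describes as bailing out.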
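Review bot: The added range guard on `subsection_len` is the second operand of the `||`, so the `(ptrdiff_t) subsection_len` cast in the first operand is still performed on an out-of-range value when ptrdiff_t is 32 bits; converting an unrepresentable value to a signed type is implementation-defined in C11 (6.3.1.3), which is exactly what the comment says the check is meant to avoid. Swapping the operands makes the guard run first, so the cast only sees values known to fit: `if (subsection_len >= (uint32_t) PTRDIFF_MAX || p - chunk < (ptrdiff_t) subsection_len)`. Note also that `(uint32_t) PTRDIFF_MAX` truncates to `UINT32_MAX` on a 64-bit ptrdiff_t, so there the guard only rejects `0xffffffff`; that is harmless because the `p - chunk` comparison already bounds the value, but the comment could say the guard is only load-bearing on 32-bit targets. The enclosing function continues outside the hunk.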