From dd64d4a9268b822b035f8c59c2b8f55a65f80819 Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Mon, 3 Mar 2014 15:07:31 +0100 Subject: [PATCH] libdwfl: elf_from_remote_memory only trust shdrs of last file-only segment. If the last PT_LOAD segment that contains the whole shdrs also extends the segment in memory beyond the end of file the program might be reusing the memory space that we expect the shdrs to be in. Don't trust the shdrs are valid in that case. Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog | 7 +++++++ libdwfl/elf-from-memory.c | 17 ++++++++++++----- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index 85307875d..b6a9161e9 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,10 @@ +2014-03-03 Mark Wielaard + + * elf-from-memory.c (elf_from_remote_memory): Keep track of + segments_end_mem. Pass memsz to first handle_segment pass. Only + extend contents_size and use shdrs if only file bits are in + segment. + 2014-03-11 Josh Stone * dwfl_module_getdwarf.c (open_elf): Only explicitly set diff --git a/libdwfl/elf-from-memory.c b/libdwfl/elf-from-memory.c index 602614b89..df9fbe695 100644 --- a/libdwfl/elf-from-memory.c +++ b/libdwfl/elf-from-memory.c @@ -196,6 +196,7 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, /* Scan for PT_LOAD segments to find the total size of the file image. */ size_t contents_size = 0; GElf_Off segments_end = 0; + GElf_Off segments_end_mem = 0; GElf_Addr loadbase = ehdr_vma; bool found_base = false; switch (ehdr.e32.e_ident[EI_CLASS]) @@ -205,7 +206,8 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, found_base yet). Returns true if sanity checking failed, false otherwise. */ inline bool handle_segment (GElf_Addr vaddr, GElf_Off offset, - GElf_Xword filesz, GElf_Xword palign) + GElf_Xword filesz, GElf_Xword memsz, + GElf_Xword palign) { /* Sanity check the alignment requirements. */ if ((palign & (pagesize - 1)) != 0 @@ -225,6 +227,7 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, } segments_end = offset + filesz; + segments_end_mem = offset + memsz; return false; } @@ -235,7 +238,8 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, for (uint_fast16_t i = 0; i < phnum; ++i) if (phdrs.p32[i].p_type == PT_LOAD) if (handle_segment (phdrs.p32[i].p_vaddr, phdrs.p32[i].p_offset, - phdrs.p32[i].p_filesz, phdrs.p32[i].p_align)) + phdrs.p32[i].p_filesz, phdrs.p32[i].p_memsz, + phdrs.p32[i].p_align)) goto bad_elf; break; @@ -246,7 +250,8 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, for (uint_fast16_t i = 0; i < phnum; ++i) if (phdrs.p64[i].p_type == PT_LOAD) if (handle_segment (phdrs.p64[i].p_vaddr, phdrs.p64[i].p_offset, - phdrs.p64[i].p_filesz, phdrs.p64[i].p_align)) + phdrs.p64[i].p_filesz, phdrs.p64[i].p_memsz, + phdrs.p64[i].p_align)) goto bad_elf; break; @@ -257,9 +262,11 @@ elf_from_remote_memory (GElf_Addr ehdr_vma, /* Trim the last segment so we don't bother with zeros in the last page that are off the end of the file. However, if the extra bit in that - page includes the section headers, keep them. */ + page includes the section headers and the memory isn't extended (which + might indicate it will have been reused otherwise), keep them. */ if ((GElf_Off) contents_size > segments_end - && (GElf_Off) contents_size >= shdrs_end) + && (GElf_Off) contents_size >= shdrs_end + && segments_end == segments_end_mem) { contents_size = segments_end; if ((GElf_Off) contents_size < shdrs_end) -- 2.47.2