libelf: Always set ELF maxsize when reading an ELF file for sanity checks.

There are various sanity checks that depend on knowing the file size
of the underlying ELF file which we only used when mmapping the ELF file.
Although we probably won't crash if we use pread to try to read from
the file, we still might return completely bogus data structures. This
could cause us to malloc insane amounts of memory.

Always try to get the maxsize when unknown in elf_begin.c (read_file).

https://bugzilla.redhat.com/show_bug.cgi?id=1388057

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 35af78658cefed4600078cc977659d538de450d1..39fbccf2882d8ce37c5ec70b8738a325b3ccf9bc 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,4 +1,8 @@
-2015-10-11  Akihiko Odaki  <akihiko.odaki.4i@stu.hosei.ac.jp>
+2016-10-26  Mark Wielaard  <mjw@redhat.com>
+
+       * elf_begin.c (read_file): Always set maxsize when parent == NULL.
+
+2016-10-11  Akihiko Odaki  <akihiko.odaki.4i@stu.hosei.ac.jp>
 
        * elf_getarsym.c (elf_getarsym): Open code rawmemchr when not
        available.
@@ -6,7 +10,7 @@
        (validate_str): New function.
        (elf_strptr): Use validate_str instead of memrchr.
 
-2015-10-11  Akihiko Odaki  <akihiko.odaki.4i@stu.hosei.ac.jp>
+2016-10-11  Akihiko Odaki  <akihiko.odaki.4i@stu.hosei.ac.jp>
 
        * elf32_updatefile.c: Remove sys/param.h include.
        * elf32_updatenull.c: Likewise. Add system.h include.

diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 8fdb37645ec67589e79a34cb4743000ba389b024..5e9099c272ff36d152a776fb8cdee43c28ecce92 100644 (file)
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -1,5 +1,5 @@
 /* Create descriptor for processing file.
-   Copyright (C) 1998-2010, 2012, 2014, 2015 Red Hat, Inc.
+   Copyright (C) 1998-2010, 2012, 2014, 2015, 2016 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
 
@@ -605,22 +605,30 @@ read_file (int fildes, off_t offset, size_t maxsize,
                  || cmd == ELF_C_WRITE_MMAP
                  || cmd == ELF_C_READ_MMAP_PRIVATE);
 
+  if (parent == NULL)
+    {
+      if (maxsize == ~((size_t) 0))
+       {
+         /* We don't know in the moment how large the file is.
+            Determine it now.  */
+         struct stat st;
+
+         if (fstat (fildes, &st) == 0
+             && (sizeof (size_t) >= sizeof (st.st_size)
+                 || st.st_size <= ~((size_t) 0)))
+           maxsize = (size_t) st.st_size;
+       }
+    }
+  else
+    {
+      /* The parent is already loaded.  Use it.  */
+      assert (maxsize != ~((size_t) 0));
+    }
+
   if (use_mmap)
     {
       if (parent == NULL)
        {
-         if (maxsize == ~((size_t) 0))
-           {
-             /* We don't know in the moment how large the file is.
-                Determine it now.  */
-             struct stat st;
-
-             if (fstat (fildes, &st) == 0
-                 && (sizeof (size_t) >= sizeof (st.st_size)
-                     || st.st_size <= ~((size_t) 0)))
-               maxsize = (size_t) st.st_size;
-           }
-
          /* We try to map the file ourself.  */
          map_address = mmap (NULL, maxsize, (cmd == ELF_C_READ_MMAP
                                              ? PROT_READ
@@ -635,9 +643,6 @@ read_file (int fildes, off_t offset, size_t maxsize,
        }
       else
        {
-         /* The parent is already loaded.  Use it.  */
-         assert (maxsize != ~((size_t) 0));
-
          map_address = parent->map_address;
        }
     }