libelf: Fix possible unbounded stack usage in load_shdr_wrlock.

When a copy needs to be made of the shdrs, allocate with malloc and free
after conversion instead of calling alloca.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 65f9112d2971d1f6c95678df7153abbb3cf18a89..79308fe8f9ab5eee7d05c2d6ef3166e0de579dc1 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-31  Mark Wielaard  <mjw@redhat.com>
+
+       * elf32_getshdr.c (load_shdr_wrlock): Allocate shdrs with malloc,
+       not alloca and free after conversion when a copy needs to be made.
+
 2015-05-31  Mark Wielaard  <mjw@redhat.com>
 
        * elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not

diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index 741704736f7ae01cf33c4d4e87ffa22da98376b9..ee1aed8fccb6d9eca973e9227e4356f22a8420cc 100644 (file)
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -111,15 +111,22 @@ load_shdr_wrlock (Elf_Scn *scn)
        }
       else
        {
-         if (ALLOW_UNALIGNED
-             || ((uintptr_t) file_shdr
-                 & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) == 0)
+         bool copy = ! (ALLOW_UNALIGNED
+                        || ((uintptr_t) file_shdr
+                            & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1))
+                            == 0);
+         if (! copy)
            notcvt = (ElfW2(LIBELFBITS,Shdr) *)
              ((char *) elf->map_address
               + elf->start_offset + ehdr->e_shoff);
          else
            {
-             notcvt = (ElfW2(LIBELFBITS,Shdr) *) alloca (size);
+             notcvt = (ElfW2(LIBELFBITS,Shdr) *) malloc (size);
+             if (unlikely (notcvt == NULL))
+               {
+                 __libelf_seterrno (ELF_E_NOMEM);
+                 goto out;
+               }
              memcpy (notcvt, ((char *) elf->map_address
                               + elf->start_offset + ehdr->e_shoff),
                      size);
@@ -153,6 +160,9 @@ load_shdr_wrlock (Elf_Scn *scn)
                elf->state.ELFW(elf,LIBELFBITS).scns.data[cnt].shndx_index
                  = -1;
            }
+
+         if (copy)
+           free (notcvt);
        }
     }
   else if (likely (elf->fildes != -1))