git.ipfire.org Git - thirdparty/libbsd.git/commitdiff
nlist: Check that e_shnum and e_shentsize are within bounds
author Guillem Jover <guillem@hadrons.org>
Sat, 15 Jun 2019 12:33:32 +0000 (14:33 +0200)
committer Guillem Jover <guillem@hadrons.org>
Thu, 8 Aug 2019 01:22:09 +0000 (03:22 +0200)
The e_shnum must not be 0, otherwise we will do a zero sized allocation
and further processing of the executable will lead to out of bounds
read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr),
otherwise we will perform out of bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <daniel@elttam.com.au>
Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>
src/nlist.c

index 776d3157404e1ef95405d9541798ddc7a0839648..2aa2eeefee0f4b54333e4dc87bb3fa9c6edd8c78 100644 (file)
@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
            fstat(fd, &st) < 0)
                return (-1);
 
+       if (ehdr.e_shnum == 0 ||
+           ehdr.e_shentsize != sizeof(Elf_Shdr)) {
+               errno = ERANGE;
+               return (-1);
+       }
+
        /* calculate section header table size */
        shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
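
Review bot: the "ehdr.e_shnum == 0" test in the added block returns ERANGE for two inputs that are valid ELF: a file with no section header table, and a file using extended section numbering, where e_shnum is 0 and the real count is stored in sh_size of section header 0. Rejecting both is a safe choice for nlist, but a short comment above the check should say that this is intentional, and that the e_shentsize equality is what keeps indexing into the shdr array in bounds, since that rationale currently lives only in the commit message. With e_shentsize pinned to sizeof(Elf_Shdr), the product in "shdr_size = ehdr.e_shentsize * ehdr.e_shnum;" is bounded by the 16-bit width of e_shnum; the hunk does not show whether shdr_size is then compared against the size in the st filled by the fstat() call in the context above, which is worth confirming before merging.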