From: Mark Wielaard Date: Wed, 16 Jan 2019 14:41:31 +0000 (+0100) Subject: libebl: Check NT_PLATFORM core notes contain a zero terminated string. X-Git-Tag: elfutils-0.176~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de01cc6f9446187d69b9748bb3636361c79e77a4;p=thirdparty%2Felfutils.git libebl: Check NT_PLATFORM core notes contain a zero terminated string. Most strings in core notes are fixed size. But NT_PLATFORM contains just a variable length string. Check that it is actually zero terminated before passing to readelf to print. https://sourceware.org/bugzilla/show_bug.cgi?id=24089 Signed-off-by: Mark Wielaard --- diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index b96cebf21..c295fa7d6 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,8 @@ +2019-01-16 Mark Wielaard + + * linux-core-attach.c (core_next_thread): Pass desc to ebl_core_note. + (core_set_initial_registers): Likewise. + 2018-10-23 Mark Wielaard * relocate.c (relocate_section): Only sanity check mmapped Elf files diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c index 6c99b9e27..c0f1b0d00 100644 --- a/libdwfl/linux-core-attach.c +++ b/libdwfl/linux-core-attach.c @@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg, const Ebl_Register_Location *reglocs; size_t nitems; const Ebl_Core_Item *items; - if (! ebl_core_note (core_arg->ebl, &nhdr, name, + if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc, ®s_offset, &nregloc, ®locs, &nitems, &items)) { /* This note may be just not recognized, skip it. */ @@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp) const Ebl_Register_Location *reglocs; size_t nitems; const Ebl_Core_Item *items; - int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, ®s_offset, - &nregloc, ®locs, &nitems, &items); + int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc, + ®s_offset, &nregloc, ®locs, + &nitems, &items); /* __libdwfl_attach_state_for_core already verified the note is there. */ assert (core_note_err != 0); assert (nhdr.n_type == NT_PRSTATUS); @@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core) const Ebl_Register_Location *reglocs; size_t nitems; const Ebl_Core_Item *items; - if (! ebl_core_note (ebl, &nhdr, name, + if (! ebl_core_note (ebl, &nhdr, name, desc, ®s_offset, &nregloc, ®locs, &nitems, &items)) { /* This note may be just not recognized, skip it. */ diff --git a/libebl/ChangeLog b/libebl/ChangeLog index 77c22746e..9cdf8995e 100644 --- a/libebl/ChangeLog +++ b/libebl/ChangeLog @@ -1,3 +1,9 @@ +2019-01-16 Mark Wielaard + + * libebl.h (ebl_core_note): Add desc as argument. + * eblcorenote.c (ebl_core_note): Take desc as an argument, check + it contains a zero terminated string if it is an NT_PLATFORM note. + 2019-01-16 Mark Wielaard * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large. diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c index 783f98151..7fab39747 100644 --- a/libebl/eblcorenote.c +++ b/libebl/eblcorenote.c @@ -36,11 +36,13 @@ #include #include #include +#include #include int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name, + const char *desc, GElf_Word *regs_offset, size_t *nregloc, const Ebl_Register_Location **reglocs, size_t *nitems, const Ebl_Core_Item **items) @@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name, { /* The machine specific function did not know this type. */ - *regs_offset = 0; - *nregloc = 0; - *reglocs = NULL; - switch (nhdr->n_type) + /* NT_PLATFORM is kind of special since it needs a zero terminated + string (other notes often have a fixed size string). */ + static const Ebl_Core_Item platform[] = { -#define ITEMS(type, table) \ - case type: \ - *items = table; \ - *nitems = sizeof table / sizeof table[0]; \ - result = 1; \ - break + { + .name = "Platform", + .type = ELF_T_BYTE, .count = 0, .format = 's' + } + }; - static const Ebl_Core_Item platform[] = - { - { - .name = "Platform", - .type = ELF_T_BYTE, .count = 0, .format = 's' - } - }; - ITEMS (NT_PLATFORM, platform); - -#undef ITEMS + if (nhdr->n_type == NT_PLATFORM + && memchr (desc, '\0', nhdr->n_descsz) != NULL) + { + *regs_offset = 0; + *nregloc = 0; + *reglocs = NULL; + *items = platform; + *nitems = 1; + result = 1; } } diff --git a/libebl/libebl.h b/libebl/libebl.h index ca9b9fecb..24922eb81 100644 --- a/libebl/libebl.h +++ b/libebl/libebl.h @@ -319,7 +319,8 @@ typedef struct /* Describe the format of a core file note with the given header and NAME. NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes. */ -extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name, +extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, + const char *name, const char *desc, GElf_Word *regs_offset, size_t *nregloc, const Ebl_Register_Location **reglocs, size_t *nitems, const Ebl_Core_Item **items) diff --git a/src/ChangeLog b/src/ChangeLog index 803ac95fb..c0455f1cf 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2019-01-16 Mark Wielaard + + * readelf (handle_core_note): Pass desc to ebl_core_note. + 2018-11-10 Mark Wielaard * elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment diff --git a/src/readelf.c b/src/readelf.c index 3a73710ff..71651e091 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, size_t nitems; const Ebl_Core_Item *items; - if (! ebl_core_note (ebl, nhdr, name, + if (! ebl_core_note (ebl, nhdr, name, desc, ®s_offset, &nregloc, ®locs, &nitems, &items)) return;