Commit e9529d9b4a7833049d34b4ec3bf018bdfe68c807

Guillem Jover 2019-06-15T14:33:32

nlist: Check that e_shnum and e_shentsize are within bounds

The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses.

The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <daniel@elttam.com.au>
Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>

diff --git a/src/nlist.c b/src/nlist.c
index 776d315..2aa2eee 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
 	    fstat(fd, &st) < 0)
 		return (-1);
 
+	if (ehdr.e_shnum == 0 ||
+	    ehdr.e_shentsize != sizeof(Elf_Shdr)) {
+		errno = ERANGE;
+		return (-1);
+	}
+
 	/* calculate section header table size */
 	shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
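Review bot: the new check only constrains the two header fields themselves; the product `shdr_size = ehdr.e_shentsize * ehdr.e_shnum` computed on the following line is still not compared against the file size that `fstat(fd, &st)` already filled in a few lines above. If the rest of `__fdnlist` does not do it, consider also rejecting headers where `ehdr.e_shoff + shdr_size` exceeds `st.st_size` (and where `e_shoff` is not suitably aligned), since an untrusted section header table offset is the other input that drives the read into the `shdr` array. Two smaller points: the ELF gABI uses `e_shnum == 0` together with `shdr[0].sh_size` for extended section numbering, so this check deliberately refuses such files; a one-line comment stating that this is intended would keep a later reader from "fixing" it. And `ERANGE` is a defensible choice for a malformed header, but `ENOEXEC` is what the surrounding code is likely to use for "not a usable executable"; pick whichever the existing error paths in this function already return so callers see a consistent errno.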