While iterating the notes we could overflow the len variable if the
note name or description was too big. Fix this by adding an (unsigned)
overflow check.

https://sourceware.org/bugzilla/show_bug.cgi?id=28654

Signed-off-by: Mark Wielaard <m...@klomp.org>
---
 libdwfl/ChangeLog                    | 5 +++++
 libdwfl/dwfl_segment_report_module.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 520405c8..e1cd70fa 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2021-12-08  Mark Wielaard  <m...@klomp.org>
+
+       * dwfl_segment_report_module.c (dwfl_segment_report_module): Add
+       len overflow check while iterating notes.
+
 2021-12-08  Mark Wielaard  <m...@klomp.org>
 
        * dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
diff --git a/libdwfl/dwfl_segment_report_module.c 
b/libdwfl/dwfl_segment_report_module.c
index f6a1799e..574f02a7 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -543,10 +543,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const 
char *name,
 
               const GElf_Nhdr *nh = notes;
               size_t len = 0;
+              size_t last_len;
               while (filesz > len + sizeof (*nh))
                 {
                   const void *note_name;
                   const void *note_desc;
+                  last_len = len;
 
                   len += sizeof (*nh);
                   note_name = notes + len;
@@ -555,7 +557,9 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char 
*name,
                   len = align == 8 ? NOTE_ALIGN8 (len) : NOTE_ALIGN4 (len);
                   note_desc = notes + len;
 
-                  if (unlikely (filesz < len + nh->n_descsz))
+                  if (unlikely (filesz < len + nh->n_descsz
+                                || len < last_len
+                                || len + nh->n_descsz < last_len))
                     break;
 
                   if (nh->n_type == NT_GNU_BUILD_ID
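Review bot: The third clause of the new condition only detects a wrapped `len + nh->n_descsz` when the wrapped sum lands below `last_len`, yet on a 32-bit `size_t` the unsigned `n_namesz` advance that sits between this hunk and the previous one can leave `len` close to `SIZE_MAX` without wrapping, so that `len + nh->n_descsz` wraps to a small value that is still `>= last_len` and none of the three clauses fires while `note_desc` points far past `notes`. Since `n_descsz` is unsigned the sum wraps exactly when it is smaller than `len`, so bounding by subtraction closes the gap without any wrap-around reasoning: `if (unlikely (len < last_len || len > filesz || nh->n_descsz > filesz - len))`. The same subtraction form applied to the name step (`nh->n_namesz > filesz - len`, checked before it is added, outside this hunk) would also keep the loop from spinning on a name length that wraps `len` back to `last_len`, which the `len < last_len` clause alone does not rule out. It would be tidier to run the check before `note_desc = notes + len` is formed, since that pointer arithmetic is already out of bounds when `len` has wrapped even though it is not dereferenced before the `break`. dwfl_segment_report_module begins and ends outside the hunk, and the `last_len` introduced in the previous hunk would read more naturally as `size_t last_len = len;` declared inside the loop body rather than as an uninitialized variable above it.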
-- 
2.18.4
