Public bug reported:
It seems to me that the test for an invalid section size
wants be moved up from the map case to cover both the read and the map
case.
To guard against a bogus section size for both cases.
Rather than relying on a malloc failure to catch a
completely bogus section size.
Thus allowing a more accurate error indication.
>From elfutils_0.165.orig.tar.bz2
elfutils-0.165/libelf/elf_getdata.c
--- elf_getdata.c.orig 2017-05-23 10:56:05.547607473 -0700
+++ elf_getdata.c 2017-05-23 11:08:27.459670572 -0700
@@ -292,21 +292,20 @@
__libelf_seterrno (ELF_E_INVALID_DATA);
return 1;
}
+ /* First see whether the information in the section header is
+ valid and it does not ask for too much. Check for unsigned
+ overflow. */
+ if (unlikely (offset > elf->maximum_size
+ || elf->maximum_size - offset < size))
+ {
+ /* Something is wrong. */
+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+ return 1;
+ }
/* We can use the mapped or loaded data if available. */
if (elf->map_address != NULL)
{
- /* First see whether the information in the section header is
- valid and it does not ask for too much. Check for unsigned
- overflow. */
- if (unlikely (offset > elf->maximum_size
- || elf->maximum_size - offset < size))
- {
- /* Something is wrong. */
- __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
- return 1;
- }
-
scn->rawdata_base = scn->rawdata.d.d_buf
= (char *) elf->map_address + elf->start_offset + offset;
}
** Affects: elfutils (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1692997
Title:
libelf test for section size in wrong place
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1692997/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
