Public bug reported: It seems to me that the test for an invalid section size wants to be moved up from the map case to cover both the read and the map case.
This guards against a bogus section size for both cases, rather than relying on a malloc failure to catch a completely bogus section size, and thus allows a more accurate error indication.
From elfutils_0.165.orig.tar.bz2 elfutils-0.165/libelf/elf_getdata.c
--- elf_getdata.c.orig 2017-05-23 10:56:05.547607473 -0700
+++ elf_getdata.c 2017-05-23 11:08:27.459670572 -0700
@@ -292,21 +292,20 @@ __libelf_seterrno (ELF_E_INVALID_DATA); return 1; } + /* First see whether the information in the section header is + valid and it does not ask for too much. Check for unsigned + overflow. */ + if (unlikely (offset > elf->maximum_size + || elf->maximum_size - offset < size)) + { + /* Something is wrong. */ + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); + return 1; + } /* We can use the mapped or loaded data if available. */ if (elf->map_address != NULL) { - /* First see whether the information in the section header is - valid and it does not ask for too much. Check for unsigned - overflow. */ - if (unlikely (offset > elf->maximum_size - || elf->maximum_size - offset < size)) - { - /* Something is wrong. */ - __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); - return 1; - } - scn->rawdata_base = scn->rawdata.d.d_buf = (char *) elf->map_address + elf->start_offset + offset; }
** Affects: elfutils (Ubuntu) Importance: Undecided Status: New
https://bugs.launchpad.net/bugs/1692997
Title: libelf test for section size in wrong place
Status in elfutils package in Ubuntu: New
Mailing list: https://launchpad.net/~touch-packages
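Review bot: the hoisted check is the right fix and its overflow handling is sound, but the patch still needs a regression test. As the removed lines show, the bounds check only ran inside the `if (elf->map_address != NULL)` branch, so on the read path a header with an offset or size beyond `elf->maximum_size` reached the allocation unchecked and, at best, came back as a memory error instead of ELF_E_INVALID_SECTION_HEADER. The condition is written correctly: `offset > elf->maximum_size` is tested first, so `elf->maximum_size - offset` cannot wrap, and comparing that remainder against `size` avoids ever computing `offset + size`. Please add a testsuite case that opens a file with a section whose offset/size lie past EOF through the non-mapped read path (where `map_address` is NULL) and asserts the invalid-section-header error is reported rather than an allocation failure, and send the change upstream to elfutils rather than carrying it only in the Ubuntu package, checking first whether the current upstream read branch already performs this check so the two do not diverge.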
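As an added illustration of the point the patch makes (this is example code written for this page, not elfutils' own, and the `struct image`, error enum and function names are constructed stand-ins for libelf's `Elf` descriptor and ELF_E_* codes), the block below contrasts the naive `offset + size <= maximum_size` test, which wraps for a huge `size`, with the two-step form used in the hunk, and applies that check before both the mapped and the read path so a bogus header is rejected as an invalid section header instead of surfacing as a failed `malloc`:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed error codes standing in for libelf's ELF_E_* values. */
enum secerr { SEC_OK = 0, SEC_INVALID_SECTION_HEADER = 1, SEC_NOMEM = 2 };

/* Hypothetical stand-in for the fields of libelf's Elf descriptor that the
   check needs; not libelf's real structure. */
struct image {
    const unsigned char *map_address; /* non-NULL when the file is mapped */
    const unsigned char *file;        /* simulated file for the "read" path */
    size_t maximum_size;              /* bytes available in the file */
};

/* Overflow-safe form from the patch: subtract only once offset <= maximum_size
   is known, so maximum_size - offset cannot wrap and offset + size is never
   computed. Returns 1 when [offset, offset + size) lies inside the file. */
static int header_in_bounds(size_t offset, size_t size, size_t maximum_size)
{
    return !(offset > maximum_size || maximum_size - offset < size);
}

/* Naive form for comparison: offset + size wraps modulo 2^N for a huge size,
   so a section far outside the file can pass as "in bounds". */
static int header_in_bounds_naive(size_t offset, size_t size, size_t maximum_size)
{
    return offset + size <= maximum_size;
}

/* Fetch section bytes, validating the header before choosing the mapped or
   the read path, mirroring where the patch places the check. On success
   *out points at the data; *needs_free is set when the caller must free it. */
static enum secerr get_section_data(const struct image *elf, size_t offset,
                                    size_t size, const unsigned char **out,
                                    int *needs_free)
{
    *out = NULL;
    *needs_free = 0;
    if (!header_in_bounds(offset, size, elf->maximum_size))
        return SEC_INVALID_SECTION_HEADER;   /* bogus header, both paths */

    if (elf->map_address != NULL) {          /* mapped path: point into map */
        *out = elf->map_address + offset;
        return SEC_OK;
    }

    unsigned char *buf = malloc(size ? size : 1); /* read path: copy out */
    if (buf == NULL)
        return SEC_NOMEM;
    memcpy(buf, elf->file + offset, size);
    *out = buf;
    *needs_free = 1;
    return SEC_OK;
}

/* Constructed 16-byte "file" used by the demos below. */
static const unsigned char sample_file[16] = {
    0x7f, 'E', 'L', 'F', 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

/* Read path with a size chosen so the naive sum wraps to a small number;
   returns the error code the checked path reports. */
static enum secerr demo_wrapping_size_read_path(void)
{
    struct image img = { NULL, sample_file, sizeof sample_file };
    const unsigned char *data;
    int needs_free;
    enum secerr e = get_section_data(&img, 8, SIZE_MAX - 4, &data, &needs_free);
    if (needs_free)
        free((void *)data);
    return e;
}

/* Valid header on the read path; returns the first byte of the section. */
static int demo_valid_read_first_byte(void)
{
    struct image img = { NULL, sample_file, sizeof sample_file };
    const unsigned char *data;
    int needs_free;
    if (get_section_data(&img, 4, 4, &data, &needs_free) != SEC_OK)
        return -1;
    int first = data[0];
    if (needs_free)
        free((void *)data);
    return first;
}

int main(void)
{
    printf("naive check accepts wrapping size: %d\n",
           header_in_bounds_naive(8, SIZE_MAX - 4, sizeof sample_file));
    printf("patched check accepts wrapping size: %d\n",
           header_in_bounds(8, SIZE_MAX - 4, sizeof sample_file));
    printf("read path error code: %d\n", (int) demo_wrapping_size_read_path());
    return 0;
}
```

With `offset = 8` and `size = SIZE_MAX - 4` on a 16-byte file, the naive sum wraps to 3 and the header is accepted, whereas the patched form sees that only 8 bytes remain after the offset and rejects it; on the read path that rejection arrives before any allocation is attempted.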