On Tue, Jan 28, 2020 at 7:11 PM Rob Landley <[email protected]> wrote:
>
> Is reading 64 bit binaries from 32 bit systems interesting? Because struct sh
> and struct ph have "int" and "long" values, which are the same on 32 bit.
> (long long is the one that's always 64 bit.)
i certainly intended to support that combination. i've actually since added CTS
tests that use `readelf -S` output, but obviously not on files with values big
enough to break this. i've sent the obvious patch.

> Last elf plumbing I did (file?) I carefully made sure every access wouldn't go
> off the end of the mmap. This doesn't seem to ever check that? (ph.filesz could
> be zero then you're feeding -1 to printf, etc...)

like i said, i haven't fuzzed this at all, so there's doubtless _some_ checks
missing. and, yes, that seems to be one. (and a sign [no pun intended] that all
this should be switched to unsigned.) i'll send a patch for that tomorrow night
if you haven't already done it by then.

anywhere there's a dereference should be protected: search for references to
TT.size. there aren't as many as you might expect to see because get_sh() and
get_ph() won't return a bad section or program header.

> Should work on non-pathological ELF files, of course... :)

sadly i didn't test with chrome's .so files or i'd have caught this :-)

> Rob
> _______________________________________________
> Toybox mailing list
> [email protected]
> http://lists.landley.net/listinfo.cgi/toybox-landley.net
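The two points raised in the thread (64-bit ELF fields read on a 32-bit host, and every offset/size pair being checked against the size of the mapping before it is dereferenced) are easiest to see in a small standalone walker. The following is an added example written for this page; it is not toybox's readelf code and does not use toybox's get_sh()/get_ph()/TT.size names. It reads the ELF64 header and section headers through explicit little-endian byte reads into uint64_t, so "long" being 32 bits on the host does not matter, and it range-checks with `off <= total && len <= total - off` rather than `off + len <= total`, because the latter wraps. The ELF image it walks is constructed in memory (a header plus five section headers, two of them deliberately bad) and is not a real binary; the section offsets, sizes and the 400-byte image length are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHT_NOBITS 8
#define IMAGE_SIZE 400

/* Little-endian field read, byte by byte: no packed structs, no alignment
 * assumptions, and no dependence on how wide "long" is on the host. */
static uint64_t rd(const unsigned char *p, size_t width) {
  uint64_t v = 0;
  for (size_t i = 0; i < width; i++) v |= (uint64_t)p[i] << (8 * i);
  return v;
}

/* The check a fuzzer will punish: off + len can wrap around to something small. */
int naive_in_file(uint64_t off, uint64_t len, uint64_t total) {
  return off + len <= total;
}

/* Is [off, off + len) inside a file of size total?  The subtraction form
 * cannot wrap, and a zero-length range at off == total is accepted (half-open
 * ranges also avoid the "print off + len - 1 when len is 0" trap). */
int in_file(uint64_t off, uint64_t len, uint64_t total) {
  return off <= total && len <= total - off;
}

/* Walk the ELF64 section header table of a buffer of `size` bytes.  Returns
 * the number of sections whose file bytes lie inside the buffer, -1 if the
 * ELF header itself is unusable, -2 if the section header table does not fit. */
int count_valid_sections(const unsigned char *buf, size_t size) {
  if (size < 64 || memcmp(buf, "\x7f" "ELF", 4) || buf[4] != 2 || buf[5] != 1)
    return -1;                                  /* not ELF64 little-endian */
  uint64_t shoff = rd(buf + 40, 8);             /* e_shoff */
  uint64_t shentsize = rd(buf + 58, 2);         /* e_shentsize */
  uint64_t shnum = rd(buf + 60, 2);             /* e_shnum */
  /* Every header the loop below will touch must be inside the mapping. */
  if (shentsize < 64 || !in_file(shoff, shnum * shentsize, size)) return -2;

  int ok = 0;
  for (uint64_t i = 0; i < shnum; i++) {
    const unsigned char *sh = buf + shoff + i * shentsize;
    uint64_t type = rd(sh + 4, 4);              /* sh_type */
    uint64_t off = rd(sh + 24, 8);              /* sh_offset, 64-bit even on i386 */
    uint64_t len = rd(sh + 32, 8);              /* sh_size */
    if (type == SHT_NOBITS) len = 0;            /* .bss-style: no file bytes */
    if (in_file(off, len, size)) ok++;
  }
  return ok;
}

static void wr(unsigned char *p, size_t width, uint64_t v) {
  for (size_t i = 0; i < width; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static unsigned char image[IMAGE_SIZE];

/* Constructed test image (not a real binary): ELF64 LE header at 0 and five
 * section headers at 64.  Section 1 ends exactly at EOF, section 2 has an
 * offset above 4 GiB that a wrapping off + len check would accept, section 3
 * is SHT_NOBITS with a huge size, and section 4 runs past the end of the file. */
size_t build_image(void) {
  memset(image, 0, IMAGE_SIZE);
  memcpy(image, "\x7f" "ELF", 4);
  image[4] = 2; image[5] = 1; image[6] = 1;     /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
  wr(image + 40, 8, 64);                        /* e_shoff */
  wr(image + 52, 2, 64);                        /* e_ehsize */
  wr(image + 58, 2, 64);                        /* e_shentsize */
  wr(image + 60, 2, 5);                         /* e_shnum: null section + 4 */
  unsigned char *sh = image + 64 + 64;          /* section 0 stays all zero */
  wr(sh + 4, 4, 1); wr(sh + 24, 8, 384); wr(sh + 32, 8, 16); sh += 64;
  wr(sh + 4, 4, 1); wr(sh + 24, 8, 0xFFFFFFFFFFFFFFF0ull); wr(sh + 32, 8, 0x20); sh += 64;
  wr(sh + 4, 4, SHT_NOBITS); wr(sh + 24, 8, 384); wr(sh + 32, 8, 1 << 20); sh += 64;
  wr(sh + 4, 4, 1); wr(sh + 24, 8, 390); wr(sh + 32, 8, 64);
  return IMAGE_SIZE;
}

int main(void) {
  size_t n = build_image();
  printf("valid sections: %d, with the file truncated to 100 bytes: %d\n",
         count_valid_sections(image, n), count_valid_sections(image, 100));
  return 0;
}
```

On the full image the walker accepts the null section, section 1 and the NOBITS section and rejects the wrapping and past-EOF ones; truncating the same bytes to 100 makes the header table itself fail the range check before any section header is read, which is the property worth keeping when the real file is an mmap.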
