Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
blob: 1fa5c3187e5a03b4cb27d5c18689dc6b76b71849 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

From e95103c40d0541fbcdb4b84b000832d9b1b83b8d Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Sat, 19 Aug 2017 10:34:41 +0100
Subject: [PATCH] scanelf: fix out-of-bounds access in ia64

commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9
slightly changed decoder and added unchecked
read from elf header:

```
       switch (EGET(dpltrel->d_un.d_val)) { \
       case DT_REL: \
               rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
```

On ia64 'EGET(drel->d_un.d_val)' returns absolute address:

```
    $ dumpelf bug/luatex
    ...
    /* Dynamic tag #31 'DT_RELA' 0x97E310 */
    {
        .d_tag     = 0x7        ,
        .d_un      = {
                .d_val = 0x4000000000031C30 ,
                .d_ptr = 0x4000000000031C30 ,
        },
    },
```

That causes 'scanelf' crash on binaries like 'luatex'.

This change restores check and loudly skips such sections:
    scanelf: bug/luatex: DT_RELA is out of file range

Bug: https://bugs.gentoo.org/624356
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
 scanelf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/scanelf.c b/scanelf.c
index 1ead891..a054408 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun
 	} \
 	switch (EGET(dpltrel->d_un.d_val)) { \
 	case DT_REL: \
+		if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof (drel->d_un.d_val)) { \
+			rel = NULL; \
+			rela = NULL; \
+			warn("%s: DT_REL is out of file range", elf->filename); \
+			break; \
+		} \
 		rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
 		rela = NULL; \
 		pltrel = DT_REL; \
 		break; \
 	case DT_RELA: \
+		if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof (drel->d_un.d_val)) { \
+			rel = NULL; \
+			rela = NULL; \
+			warn("%s: DT_RELA is out of file range", elf->filename); \
+			break; \
+		} \
 		rel = NULL; \
 		rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \
 		pltrel = DT_RELA; \
-- 
2.14.1