This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
On Sat, Nov 29, 2014 at 08:40:58PM +0100, Mark Wielaard wrote: > American Fuzzy Lop (afl-fuzz) has an habit of generating ELF files > with relocations that when applied (or removed/cleared) change one > of the in-memory ELF headers. There does not seem to be a valid reason > for having section data that contain relocations or to which relocations > are applied to overlap with one of the headers. > [...] > + GElf_Off shdr_start = ehdr->e_shoff; > + size_t shnums; > + if (elf_getshdrnum (relocated, &shnums) < 0) > + return DWFL_E_LIBELF; > + /* Overflows will have been checked by elf_getshdrnum/get|rawdata. */ > + GElf_Off shdr_end = shdr_start + shnums * ehdr->e_shentsize; > + if (unlikely ((shdr->sh_offset >= shdr_start > + && shdr->sh_offset < shdr_end) > + || (shdr->sh_offset + shdr->sh_size >= shdr_start > + && shdr->sh_offset + shdr->sh_size < shdr_end) > + || (tshdr->sh_offset >= shdr_start > + && tshdr->sh_offset < shdr_end) > + || (tshdr->sh_offset + tshdr->sh_size >= shdr_start > + && tshdr->sh_offset + tshdr->sh_size < shdr_end))) > + return DWFL_E_BADELF; Some testing revealed this test is too complicated and wrong. It missed the header being completely inside the section. Fixed version attached. Cheers, Mark
Attachment:
0001-libdwfl-Check-relocations-don-t-overlap-ELF-ehdr-shd.patch
Description: Text document
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |