This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH] libdw: Check register number in CFI isn't insanely large.


Some cfi.c array size allocation calculations might overflow when trying
to accommodate insanely large number of registers. Don't allow register
numbers larger than INT32_MAX / sizeof (dwarf_frame_register).

Found by afl-fuzz.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdw/ChangeLog |  4 ++++
 libdw/cfi.c     | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index ad5d891..135b757 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,7 @@
+2015-01-04  Mark Wielaard  <mjw@redhat.com>
+
+	* cfi.c (enough_registers): Check reg < INT32_MAX.
+
 2015-01-02  Mark Wielaard  <mjw@redhat.com>
 
 	* dwarf_getcfi_elf.c (parse_eh_frame_hdr): Add size check.
diff --git a/libdw/cfi.c b/libdw/cfi.c
index 632e91d..5a6f956 100644
--- a/libdw/cfi.c
+++ b/libdw/cfi.c
@@ -1,5 +1,5 @@
 /* CFI program execution.
-   Copyright (C) 2009-2010, 2014 Red Hat, Inc.
+   Copyright (C) 2009-2010, 2014, 2015 Red Hat, Inc.
    This file is part of elfutils.
 
    This file is free software; you can redistribute it and/or modify
@@ -79,6 +79,15 @@ execute_cfi (Dwarf_CFI *cache,
   Dwarf_Frame *fs = *state;
   inline bool enough_registers (Dwarf_Word reg)
     {
+      /* Don't allow insanely large register numbers.  268435456 registers
+	 should be enough for anybody.  And very large values might overflow
+	 the array size and offsetof calculations below.  */
+      if (unlikely (reg >= INT32_MAX / sizeof (fs->regs[0])))
+	{
+	  result = DWARF_E_INVALID_CFI;
+	  return false;
+	}
+
       if (fs->nregs <= reg)
 	{
 	  size_t size = offsetof (Dwarf_Frame, regs[reg + 1]);
-- 
1.8.3.1


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]