This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
[PATCH] readelf: Break sysv[64] symbol hash bucket chain loops.
- From: Mark Wielaard <mark at klomp dot org>
- To: elfutils-devel at sourceware dot org
- Cc: Mark Wielaard <mark at klomp dot org>
- Date: Wed, 28 Mar 2018 21:32:08 +0200
- Subject: [PATCH] readelf: Break sysv[64] symbol hash bucket chain loops.
The bucket chain should not contain loops. If it does we should mark the
hash bucket chain as invalid. This is easily checked by noticing when we
have seen more than the number of chain elements, which equals the max
number of symbols in the table.
https://sourceware.org/bugzilla/show_bug.cgi?id=23011
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/ChangeLog | 6 ++++++
src/readelf.c | 8 ++++++++
2 files changed, 14 insertions(+)
diff --git a/src/ChangeLog b/src/ChangeLog
index 1ad6b3d..e8bd6bf 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2018-03-28 Mark Wielaard <mark@klomp.org>
+
+ * readelf.c (handle_sysv_hash): Break bucket chain after nchain
+ entries are found.
+ (handle_sysv_hash64): Likewise.
+
2018-03-27 Mark Wielaard <mark@klomp.org>
* readelf.c (attr_callback): Print dwarf_dieoffset as %PRIx64,
diff --git a/src/readelf.c b/src/readelf.c
index 4e35b61..226b19b 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3141,9 +3141,13 @@ handle_sysv_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
{
Elf32_Word inner = bucket[cnt];
+ Elf32_Word chain_len = 0;
while (inner > 0 && inner < nchain)
{
++nsyms;
+ ++chain_len;
+ if (chain_len > nchain)
+ goto invalid_data;
if (maxlength < ++lengths[cnt])
++maxlength;
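Review bot: the bound `chain_len > nchain` is safe but one step looser than needed: the walk only follows indices with `inner > 0 && inner < nchain`, so a loop-free chain can visit at most nchain - 1 distinct entries, and `chain_len >= nchain` would already prove a cycle one iteration earlier. Also note that `++nsyms` runs before the new check, so by the time `goto invalid_data` fires nsyms has been bumped for the repeated entry; that is harmless as long as the invalid_data path discards the table rather than reporting the count, which is worth a short comment at the check.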
@@ -3198,9 +3202,13 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
for (Elf64_Xword cnt = 0; cnt < nbucket; ++cnt)
{
Elf64_Xword inner = bucket[cnt];
+ Elf64_Xword chain_len = 0;
while (inner > 0 && inner < nchain)
{
++nsyms;
+ ++chain_len;
+ if (chain_len > nchain)
+ goto invalid_data;
if (maxlength < ++lengths[cnt])
++maxlength;
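Review bot: same remark as for the 32-bit hunk: `chain_len >= nchain` is the tight bound, since a chain without a cycle has at most nchain - 1 entries given `inner > 0 && inner < nchain`. The type matches (chain_len is Elf64_Xword like nchain), so there is no narrowing in the comparison. The detection logic is now duplicated verbatim between handle_sysv_hash and handle_sysv_hash64; acceptable for a minimal fix, but a shared chain-walk helper would keep the two bounds from drifting apart later.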
--
1.8.3.1
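A stand-alone version of the check this patch introduces, written here as an added example rather than taken from elfutils. It assumes the on-disk layout of an ELF32 SysV `.hash` section (nbucket, nchain, bucket[nbucket], chain[nchain]) and that each step of the walk advances with `inner = chain[inner]`, which the hunk does not show; the helper names `sysv_hash_parse` and `check_sysv_hash` and the three sample tables are constructed for this example. The loop bound is the one the patch adds: a chain that is longer than nchain entries cannot be loop-free, so the walk is abandoned instead of spinning forever on a crafted table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A parsed ELF32 SysV hash table.  On disk the section is a flat array of
   Elf32_Word: nbucket, nchain, bucket[nbucket], chain[nchain].  Field names
   mirror the readelf code; the parser itself is constructed for this example. */
typedef struct
{
  uint32_t nbucket;
  uint32_t nchain;
  const uint32_t *bucket;
  const uint32_t *chain;
} sysv_hash;

#define NWORDS(a) (sizeof (a) / sizeof ((a)[0]))

/* Interpret NWORDS 32-bit words as a SysV hash section.  Fails when the
   header or either array would run past the end of the section. */
static bool
sysv_hash_parse (const uint32_t *words, size_t nwords, sysv_hash *out)
{
  if (nwords < 2)
    return false;
  uint32_t nbucket = words[0];
  uint32_t nchain = words[1];
  /* 64-bit arithmetic so an absurd nbucket/nchain pair cannot wrap the sum.  */
  if ((uint64_t) nbucket + nchain + 2 > nwords)
    return false;
  out->nbucket = nbucket;
  out->nchain = nchain;
  out->bucket = words + 2;
  out->chain = words + 2 + nbucket;
  return true;
}

/* Walk every bucket chain and count the symbols reached, as
   handle_sysv_hash does.  Index 0 (STN_UNDEF) or an index >= nchain ends a
   chain.  A loop-free chain visits at most nchain - 1 distinct indices, so
   once chain_len exceeds nchain the chain must be cyclic; that is the bound
   the patch adds.  Returns the symbol count, or -1 when a loop is found. */
static long
sysv_hash_count_syms (const sysv_hash *h)
{
  long nsyms = 0;
  for (uint32_t cnt = 0; cnt < h->nbucket; ++cnt)
    {
      uint32_t inner = h->bucket[cnt];
      uint32_t chain_len = 0;
      while (inner > 0 && inner < h->nchain)
        {
          ++nsyms;
          ++chain_len;
          if (chain_len > h->nchain)
            return -1;          /* cycle: give up, like goto invalid_data */
          inner = h->chain[inner];   /* assumed step of the chain walk */
        }
    }
  return nsyms;
}

/* Wrapper returning -2 for a malformed header, -1 for a chain loop,
   otherwise the number of symbols reachable through the buckets. */
long
check_sysv_hash (const uint32_t *words, size_t nwords)
{
  sysv_hash h;
  if (!sysv_hash_parse (words, nwords, &h))
    return -2;
  return sysv_hash_count_syms (&h);
}

/* Constructed sample sections, not taken from any real binary.  */
/* nbucket=2, nchain=4: bucket0 -> 1 -> 2 -> end, bucket1 -> 3 -> end.  */
const uint32_t good_words[] = { 2, 4, 1, 3, 0, 2, 0, 0 };
/* Same table, but chain[2] points back at 1: bucket0 loops 1 -> 2 -> 1 ...  */
const uint32_t loop_words[] = { 2, 4, 1, 3, 0, 2, 1, 0 };
/* Header promises 2 buckets and 4 chain entries, but the section is cut.  */
const uint32_t short_words[] = { 2, 4, 1 };

int
main (void)
{
  printf ("good:  %ld\n", check_sysv_hash (good_words, NWORDS (good_words)));
  printf ("loop:  %ld\n", check_sysv_hash (loop_words, NWORDS (loop_words)));
  printf ("short: %ld\n", check_sysv_hash (short_words, NWORDS (short_words)));
  return 0;
}
```

Without the chain_len bound the second table would keep readelf in the `while` loop indefinitely, since every index it visits stays inside `0 < inner < nchain`; with it the walk stops after nchain + 1 steps and the table is reported as invalid.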