[PATCH 3/3] libelf: Fix possible unbounded stack usage in load_shdr_wrlock.
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Sun, 31 May 2015 21:05:44 +0200
- Subject: [PATCH 3/3] libelf: Fix possible unbounded stack usage in load_shdr_wrlock.
When a copy of the shdrs needs to be made, allocate it with malloc and free it
after conversion instead of calling alloca.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libelf/ChangeLog | 5 +++++
libelf/elf32_getshdr.c | 18 ++++++++++++++----
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 65f9112..79308fe 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,10 @@
2015-05-31 Mark Wielaard <mjw@redhat.com>
+ * elf32_getshdr.c (load_shdr_wrlock): Allocate shdrs with malloc,
+ not alloca and free after conversion when a copy needs to be made.
+
+2015-05-31 Mark Wielaard <mjw@redhat.com>
+
* elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
alloca and free after conversion when a copy needs to be made.
diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index 7417047..ee1aed8 100644
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -111,15 +111,22 @@ load_shdr_wrlock (Elf_Scn *scn)
}
else
{
- if (ALLOW_UNALIGNED
- || ((uintptr_t) file_shdr
- & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) == 0)
+ bool copy = ! (ALLOW_UNALIGNED
+ || ((uintptr_t) file_shdr
+ & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1))
+ == 0);
+ if (! copy)
notcvt = (ElfW2(LIBELFBITS,Shdr) *)
((char *) elf->map_address
+ elf->start_offset + ehdr->e_shoff);
else
{
- notcvt = (ElfW2(LIBELFBITS,Shdr) *) alloca (size);
+ notcvt = (ElfW2(LIBELFBITS,Shdr) *) malloc (size);
+ if (unlikely (notcvt == NULL))
+ {
+ __libelf_seterrno (ELF_E_NOMEM);
+ goto out;
+ }
memcpy (notcvt, ((char *) elf->map_address
+ elf->start_offset + ehdr->e_shoff),
size);
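Review bot: The new allocation-failure path (`__libelf_seterrno (ELF_E_NOMEM); goto out;`) does not undo anything the function did before this hunk, and the destination table that the copied headers are converted into is not visible here; if that table was already allocated and attached to the `Elf` earlier in `load_shdr_wrlock`, a bare `goto out` would leave an unconverted table in place that a later lookup could hand back as if it were valid. This is inferred — the `out` label and the earlier part of the function are outside the hunk — so please confirm whether the existing invalid-header error path in this function releases that table and, if it does, jump to the same label here. Separately, the new `copy` predicate is a negated disjunction that reads awkwardly; the equivalent `bool copy = !ALLOW_UNALIGNED && ((uintptr_t) file_shdr & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) != 0;` states directly when a copy is needed. The function continues on both sides of the hunk.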
@@ -153,6 +160,9 @@ load_shdr_wrlock (Elf_Scn *scn)
elf->state.ELFW(elf,LIBELFBITS).scns.data[cnt].shndx_index
= -1;
}
+
+ if (copy)
+ free (notcvt);
}
}
else if (likely (elf->fildes != -1))
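Review bot: The `if (copy) free (notcvt);` added at the end of the mapped-file branch is only reached if the conversion loop between this hunk and the previous one runs to completion; that loop is not visible here, so if it contains any early exit (a `goto` on a bad header, for instance) the malloc'd copy leaks on that path, which the old alloca version could not do. If there is such an exit, the free belongs on it as well, or the copy should be released before the loop's error paths jump away. A short comment above the free, `/* notcvt was malloc'd only when the mapped shdrs were misaligned.  */`, would make the pairing with the allocation in the earlier hunk obvious to the next reader. The enclosing function continues past this hunk.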
--
2.4.2