


[PATCH 02/17] libelf: Fix possible unbounded stack usage in updatemmap.


Allocate temporary shdr storage with malloc, not alloca. Free after
writing section headers.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libelf/ChangeLog          |  5 +++++
 libelf/elf32_updatefile.c | 25 ++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 17ab740..f1f8fac 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,10 @@
 2015-05-16  Mark Wielaard  <mjw@redhat.com>
 
+	* elf32_updatefile.c (updatemmap): Allocate temporary shdr storage
+	with malloc, not alloca. Free after writing section header.
+
+2015-05-16  Mark Wielaard  <mjw@redhat.com>
+
 	* elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
 	malloc, not alloca. Call free after out.
 
diff --git a/libelf/elf32_updatefile.c b/libelf/elf32_updatefile.c
index 153e377..d45abcd 100644
--- a/libelf/elf32_updatefile.c
+++ b/libelf/elf32_updatefile.c
@@ -1,5 +1,5 @@
 /* Write changed data structures.
-   Copyright (C) 2000-2010, 2014 Red Hat, Inc.
+   Copyright (C) 2000-2010, 2014, 2015 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
@@ -206,7 +206,12 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf, int change_bo, size_t shnum)
 	return 1;
 
       Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
-      Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
+      Elf_Scn **scns = (Elf_Scn **) malloc (shnum * sizeof (Elf_Scn *));
+      if (scns == NULL)
+	{
+	  __libelf_seterrno (ELF_E_NOMEM);
+	  return -1;
+	}
       char *const shdr_start = ((char *) elf->map_address + elf->start_offset
 				+ ehdr->e_shoff);
       char *const shdr_end = shdr_start + ehdr->e_shnum * ehdr->e_shentsize;
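Review bot: The size handed to malloc on the line that replaces the alloca, `shnum * sizeof (Elf_Scn *)`, is computed without an overflow check, and a wrapped product would yield a short buffer that the per-section fills done later in the function (outside this hunk, as far as I can see) would overrun. `calloc (shnum, sizeof (Elf_Scn *))` performs that multiplication check for free, so `Elf_Scn **scns = calloc (shnum, sizeof (Elf_Scn *));` is the safer spelling; the extra zeroing is harmless here. Whether the caller already bounds shnum against the file size is not visible in this patch, so this may be belt-and-braces. updatemmap begins and ends outside the hunk.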
@@ -238,7 +243,12 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf, int change_bo, size_t shnum)
 		      < ((char *) elf->map_address + elf->start_offset
 			 + elf->maximum_size));
 
-	      void *p = alloca (sizeof (ElfW2(LIBELFBITS,Shdr)));
+	      void *p = malloc (sizeof (ElfW2(LIBELFBITS,Shdr)));
+	      if (p == NULL)
+		{
+		  __libelf_seterrno (ELF_E_NOMEM);
+		  return -1;
+		}
 	      scn->shdr.ELFW(e,LIBELFBITS)
 		= memcpy (p, scn->shdr.ELFW(e,LIBELFBITS),
 			  sizeof (ElfW2(LIBELFBITS,Shdr)));
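Review bot: The new `return -1` on the ELF_E_NOMEM path leaks `scns`, which the earlier hunk now allocates with malloc rather than alloca; the alloca-era early return was free of charge, but after this change the error path needs `free (scns);` before `__libelf_seterrno (ELF_E_NOMEM);` and `return -1;`. The per-section copies made by this same malloc in previous loop iterations are only released by the free added near the end of the function, so an early return here also leaves those reachable solely through `scn->shdr`; whether a later elf_end path reclaims them is not visible in the patch and worth confirming. The enclosing loop and updatemmap itself start and end outside the hunk.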
@@ -421,12 +431,17 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf, int change_bo, size_t shnum)
 		 entry we now have to adjust the pointer again so
 		 point to new place in the mapping.  */
 	      if (!elf->state.ELFW(elf,LIBELFBITS).shdr_malloced
-		  && (scn->shdr_flags & ELF_F_MALLOCED) == 0)
-		scn->shdr.ELFW(e,LIBELFBITS) = &shdr_dest[scn->index];
+		  && (scn->shdr_flags & ELF_F_MALLOCED) == 0
+		  && scn->shdr.ELFW(e,LIBELFBITS) != &shdr_dest[scn->index])
+		{
+		  free (scn->shdr.ELFW(e,LIBELFBITS));
+		  scn->shdr.ELFW(e,LIBELFBITS) = &shdr_dest[scn->index];
+		}
 
 	      scn->shdr_flags &= ~ELF_F_DIRTY;
 	    }
 	}
+      free (scns);
     }
 
   /* That was the last part.  Clear the overall flag.  */
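Review bot: The new `free (scn->shdr.ELFW(e,LIBELFBITS))` relies on the pointer comparison added in the condition to tell the temporary malloc'ed copy apart from a header that already lives in the mapping, and nothing says so at the call site; a comment such as `/* Not the mapped copy, so this is the temporary buffer malloc'ed above while the headers were being rewritten.  */` would keep the next reader from treating the free as a stray. The trailing `free (scns);` only runs on the path that reaches the end of this block, so any return between the allocation and here in the unseen middle of updatemmap would leak it; I cannot see those lines, so please check them. updatemmap's body continues before and after the hunk.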
-- 
1.8.3.1

