This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
Make gelf_getphdr more robust?
- From: Florian Weimer <fweimer at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Wed, 05 Feb 2014 18:52:39 +0100
- Subject: Make gelf_getphdr more robust?
readelf does this:
GElf_Phdr *phdr = gelf_getphdr (ebl->elf, cnt, &mem);
…
if (phdr->p_type == PT_INTERP)
{
/* We can show the user the name of the interpreter. */
size_t maxsize;
char *filedata = elf_rawfile (ebl->elf, &maxsize);
if (filedata != NULL && phdr->p_offset < maxsize)
printf (gettext ("\t[Requesting program interpreter: %s]\n"),
filedata + phdr->p_offset);
}
The check against maxsize is insufficient, it's also required to check
that phdr->p_filesz <= maxsize - phdr->p_offset. Would it make sense to
do both checks inside gelf_getphdr?
And the printf call can leak data or crash if filedata + phdr->p_offset
is not NUL terminated (which obviously needs a crafted ELF file). This
can't be fixed in gelf_getphdr, alas.
--
Florian Weimer / Red Hat Product Security Team