Date:      Fri, 23 Jan 2015 04:07:08 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r277558 - stable/10/lib/libelf
Message-ID:  <201501230407.t0N478AM014910@svn.freebsd.org>

Author: emaste
Date: Fri Jan 23 04:07:07 2015
New Revision: 277558
URL: https://svnweb.freebsd.org/changeset/base/277558

Log:
  libelf: Improve ELF header validation
  
  Avoid integer overflow and reading past EOF.
  
  MFC of r276427, r276443, r277249 from contrib/elftoolchain.

Modified:
  stable/10/lib/libelf/elf_scn.c

Modified: stable/10/lib/libelf/elf_scn.c
==============================================================================
--- stable/10/lib/libelf/elf_scn.c	Fri Jan 23 02:39:00 2015	(r277557)
+++ stable/10/lib/libelf/elf_scn.c	Fri Jan 23 04:07:07 2015	(r277558)
@@ -31,6 +31,7 @@ __FBSDID("$FreeBSD$");
 #include <errno.h>
 #include <gelf.h>
 #include <libelf.h>
+#include <stdint.h>
 #include <stdlib.h>
 
 #include "_libelf.h"
@@ -55,8 +56,10 @@ _libelf_load_scn(Elf *e, void *ehdr)
 	assert((e->e_flags & LIBELF_F_SHDRS_LOADED) == 0);
 
 #define	CHECK_EHDR(E,EH)	do {				\
-		if (fsz != (EH)->e_shentsize ||			\
-		    shoff + fsz * shnum > e->e_rawsize) {	\
+		if (shoff > e->e_rawsize ||			\
+		    fsz != (EH)->e_shentsize ||			\
+		    shnum > SIZE_MAX / fsz ||			\
+		    fsz * shnum > e->e_rawsize - shoff) {	\
 			LIBELF_SET_ERROR(HEADER, 0);		\
 			return (0);				\
 		}						\
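Review bot: The new clause `shnum > SIZE_MAX / fsz` in CHECK_EHDR divides by `fsz`, and nothing visible in this hunk establishes that `fsz` is non-zero; the preceding `fsz != (EH)->e_shentsize` test does not rule it out, since `e_shentsize` is read from the file's header and could also be 0. If the part of `_libelf_load_scn` outside the hunk does not already guarantee this, lead the condition with `fsz == 0 ||`. The four tests also depend on their order: `shoff > e->e_rawsize` must run before `e->e_rawsize - shoff`, and the `SIZE_MAX / fsz` bound before `fsz * shnum`. A short comment above the macro, such as `/* Order matters: each test keeps the arithmetic in the next one from wrapping. */`, would keep a later edit from reordering them. The macro body continues past the end of the hunk.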


