From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" <vapier@gentoo.org>
Message-ID: <1485988809.10a9643d90a1ba6058a66066803fac6cf43f6917.vapier@gentoo>
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
X-VCS-Repository: proj/pax-utils
X-VCS-Files: dumpelf.c
X-VCS-Directories: /
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 10a9643d90a1ba6058a66066803fac6cf43f6917
X-VCS-Branch: master
Date: Wed,  1 Feb 2017 23:08:09 +0000 (UTC)

commit:     10a9643d90a1ba6058a66066803fac6cf43f6917
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Feb  1 22:40:09 2017 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Feb  1 22:40:09 2017 +0000
URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=10a9643d

dumpelf: check for invalid notes

Handle cases where the size fields would overflow the additions.

URL: https://bugs.gentoo.org/607898
Reported-by: Agostino Sarubbo <ago <AT> gentoo.org>

 dumpelf.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/dumpelf.c b/dumpelf.c
index a9c6e05..60c78a3 100644
--- a/dumpelf.c
+++ b/dumpelf.c
@@ -209,6 +209,7 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me
 	 * world, the two structs are exactly the same.  So avoid ugly CPP.
 	 */
 	size_t i;
+	bool corrupt = false;
 	const void *ndata = memory;
 	const char *name;
 	const unsigned char *desc;
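Review bot: `bool corrupt = false;` depends on `<stdbool.h>` (or an equivalent project typedef) already being visible in dumpelf.c, and the hunk does not show the include block; if the file did not use `bool` before this change, the include should be part of this commit rather than relying on it arriving transitively through another header.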
@@ -223,23 +224,31 @@ static void dump_notes(elfobj *elf, size_t B, const void *memory, const void *me
 	}
 
 	printf("\n\t/%c note section dump:\n", '*');
-	for (i = 0; ndata < memory_end; ++i) {
+	for (i = 0; ndata < memory_end && !corrupt; ++i) {
 		note = ndata;
 		namesz = EGET(note->n_namesz);
 		descsz = EGET(note->n_descsz);
-		name = namesz ? ndata + sizeof(*note) : "";
-		desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : "";
+		if (namesz > elf->len || descsz > elf->len)
+			corrupt = true;
+		name = namesz ? ndata + sizeof(*note) : NULL;
+		desc = descsz ? ndata + sizeof(*note) + ALIGN_UP(namesz, 4) : NULL;
 		ndata += sizeof(*note) + ALIGN_UP(namesz, 4) + ALIGN_UP(descsz, 4);
 
-		if (ndata > memory_end) {
+		if (ndata > memory_end)
+			corrupt = true;
+		if (corrupt) {
+			name = NULL;
+			desc = NULL;
 			printf("\tNote is corrupt\n");
-			break;
 		}
 
 		printf("\t * Elf%zu_Nhdr note%zu = {\n", B, i);
-		printf("\t * \t.n_namesz = %u, (bytes) [%s]\n", namesz, name);
+		printf("\t * \t.n_namesz = %u, (bytes)", namesz);
+		if (name)
+			printf(" [%s]", name);
+		printf("\n");
 		printf("\t * \t.n_descsz = %u, (bytes)", descsz);
-		if (descsz) {
+		if (desc) {
 			printf(" [ ");
 			for (i = 0; i < descsz; ++i)
 				printf("%.2X ", desc[i]);
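Review bot: the loop condition `for (i = 0; ndata < memory_end && !corrupt; ++i)` still lets an iteration start when fewer than `sizeof(*note)` bytes remain, so `EGET(note->n_namesz)` and `EGET(note->n_descsz)` are read before any bound has been checked; a guard such as `if ((size_t)(memory_end - ndata) < sizeof(*note)) { corrupt = true; break; }` at the top of the body (or folded into the loop condition) would close that remaining out-of-bounds read. The new `namesz > elf->len || descsz > elf->len` test works as a coarse guard because it keeps the `ALIGN_UP` sums from wrapping before the precise `ndata > memory_end` comparison runs; a one-line comment saying so would help the next reader, and comparing against the bytes left (`memory_end - ndata`) rather than `elf->len` would reject oversized notes directly. Two smaller points in the unchanged context: the inner `for (i = 0; i < descsz; ++i)` reuses the outer loop counter, so the `note%zu` index printed for every note after the first dumped descriptor is wrong (a separate index variable fixes it), and `printf(" [%s]", name)` still trusts that a NUL appears within the `namesz` bytes, which `%.*s` with `(int)namesz` would bound.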