Check for multiplication integer overflow in CHECK_EHDR

The initial fix in r276374 is valid only for 64-bit objects. Revert it and return an error in CHECK_EHDR if the multiplication would overflow. The original buffer overflow issue was found with the security/afl fuzzer and has upstream elftoolchain ticket 462. The 32-bit object issue with r276374 found by antoine@ during an i386 exp-run. Sponsored by: The FreeBSD Foundation
2014-12-30 22:04:24 +00:00 · 2014-12-30 22:04:24 +00:00 · 6db8a9f3a5
commit 6db8a9f3a5
parent ee8c7bb573
1 changed files with 2 additions and 4 deletions
--- a/contrib/elftoolchain/libelf/elf_scn.c
+++ b/contrib/elftoolchain/libelf/elf_scn.c
@ -32,6 +32,7 @@
 #include <gelf.h>
 #include <libelf.h>
 #include <stddef.h>
+#include <stdint.h>
 #include <stdlib.h>

 #include "_libelf.h"
@ -50,7 +51,6 @@ _libelf_load_section_headers(Elf *e, void *ehdr)
 	Elf64_Ehdr *eh64;
 	int ec, swapbytes;
 	unsigned char *src;
-	unsigned char *rawend;
 	size_t fsz, i, shnum;
 	int (*xlator)(unsigned char *_d, size_t _dsz, unsigned char *_s,
 	    size_t _c, int _swap);
@ -61,6 +61,7 @@ _libelf_load_section_headers(Elf *e, void *ehdr)

 #define	CHECK_EHDR(E,EH)	do {				\
 		if (fsz != (EH)->e_shentsize ||			\
+		    shnum > SIZE_MAX / fsz ||			\
 		    shoff + fsz * shnum > e->e_rawsize) {	\
 			LIBELF_SET_ERROR(HEADER, 0);		\
 			return (0);				\
@ -87,7 +88,6 @@ _libelf_load_section_headers(Elf *e, void *ehdr)

 	swapbytes = e->e_byteorder != LIBELF_PRIVATE(byteorder);
 	src = e->e_rawfile + shoff;
-	rawend = e->e_rawfile + e->e_rawsize;

 	/*
 	 * If the file is using extended numbering then section #0
@ -104,8 +104,6 @@ _libelf_load_section_headers(Elf *e, void *ehdr)
 	}

 	for (; i < shnum; i++, src += fsz) {
-		if (src + sizeof(scn->s_shdr) > rawend)
-			return (0);
 		if ((scn = _libelf_allocate_scn(e, i)) == NULL)
 			return (0);