readelf: check note namesz and descsz

Previously corrupt note namesz or descsz (perhaps caused by readelf's current lack of endian support for notes) resulted in a crash. Check that namesz and descsz do not extend beyond the end of the buffer before trying to access name and desc data. Reported by: jhb MFC after: 3 days Sponsored by: The FreeBSD Foundation
2020-03-04 20:29:49 +00:00 · 2020-03-04 20:29:49 +00:00 · 721ac29c0c
commit 721ac29c0c
parent c30e9beba0
1 changed files with 8 additions and 0 deletions
--- a/contrib/elftoolchain/readelf/readelf.c
+++ b/contrib/elftoolchain/readelf/readelf.c
@ -3740,6 +3740,10 @@ dump_notes_content(struct readelf *re, const char *buf, size_t sz, off_t off)
 		}
 		note = (Elf_Note *)(uintptr_t) buf;
 		buf += sizeof(Elf_Note);
+		if (buf + roundup2(note->n_namesz, 4) > end) {
+			warnx("invalid note header name");
+			return;
+		}
 		name = buf;
 		buf += roundup2(note->n_namesz, 4);
 		/*
@ -3759,6 +3763,10 @@ dump_notes_content(struct readelf *re, const char *buf, size_t sz, off_t off)
 		printf("  %-13s %#010jx", name, (uintmax_t) note->n_descsz);
 		printf("      %s\n", note_type(name, re->ehdr.e_type,
 		    note->n_type));
+		if (buf + roundup2(note->n_descsz, 4) > end) {
+			warnx("invalid note header desc");
+			return;
+		}
 		dump_notes_data(re, name, note->n_type, buf, note->n_descsz);
 		buf += roundup2(note->n_descsz, 4);
 	}