readelf: check note namesz and descsz

Previously corrupt note namesz or descsz (perhaps caused by readelf's
current lack of endian support for notes) resulted in a crash.  Check
that namesz and descsz do not extend beyond the end of the buffer before
trying to access name and desc data.

Reported by:	jhb
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
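The commit message above describes the fix in prose. The following is an added C example, not readelf's own code, that shows the same namesz/descsz bounds check written against the remaining buffer length in 64-bit arithmetic, together with constructed note buffers that exercise it: a valid pair of notes, a note whose n_namesz wraps to 0 under 32-bit rounding, and a note with a truncated desc. The note layout (three 32-bit words followed by 4-byte-padded name and desc) is the standard ELF one; `count_notes`, `round4`, `roundup2_32`, `rd32le` and the sample arrays are this example's own names, and the sample bytes are constructed, little-endian, for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOTE_HDR_LEN 12   /* n_namesz, n_descsz, n_type: three 32-bit words */

/* Read a little-endian 32-bit word (the constructed samples below are LE). */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The 32-bit arithmetic of a roundup-to-4 macro applied to a uint32_t size:
 * for sizes in 0xFFFFFFFD..0xFFFFFFFF the addition wraps and the result is 0. */
uint32_t roundup2_32(uint32_t x)
{
    return (x + 3) & ~3u;
}

/* Round up to a multiple of 4 in 64-bit arithmetic, so a 32-bit size near
 * UINT32_MAX cannot wrap to a small value. */
static uint64_t round4(uint32_t v)
{
    return ((uint64_t)v + 3) & ~(uint64_t)3;
}

/*
 * Walk a buffer of ELF notes and return the number of well-formed notes, or
 * -1 at the first note whose header, padded name or padded desc would run
 * past the end. Every check compares a size against the bytes remaining
 * rather than forming a pointer past the buffer, and a non-empty name must
 * contain a NUL within n_namesz bytes before anyone may print it with %s.
 */
int count_notes(const unsigned char *buf, size_t sz)
{
    size_t off = 0;
    int count = 0;

    while (off < sz) {
        size_t remaining = sz - off;
        if (remaining < NOTE_HDR_LEN)
            return -1;                          /* truncated header */
        uint32_t namesz = rd32le(buf + off);
        uint32_t descsz = rd32le(buf + off + 4);
        off += NOTE_HDR_LEN;
        remaining -= NOTE_HDR_LEN;

        uint64_t name_pad = round4(namesz);
        if (name_pad > remaining)
            return -1;                          /* name runs past the end */
        if (namesz != 0 && memchr(buf + off, '\0', (size_t)namesz) == NULL)
            return -1;                          /* name is not NUL-terminated */
        off += (size_t)name_pad;
        remaining -= (size_t)name_pad;

        uint64_t desc_pad = round4(descsz);
        if (desc_pad > remaining)
            return -1;                          /* desc runs past the end */
        off += (size_t)desc_pad;
        count++;
    }
    return count;
}

/* Constructed sample: a "GNU" note with a 4-byte desc, then an empty note. */
static const unsigned char GOOD_NOTES[] = {
    4,0,0,0,  4,0,0,0,  1,0,0,0,  'G','N','U',0,  0xde,0xad,0xbe,0xef,
    0,0,0,0,  0,0,0,0,  2,0,0,0,
};

/* Constructed corrupt note: n_namesz = 0xFFFFFFFD, which rounds to 0 in
 * 32-bit arithmetic, so a check on the rounded pointer would accept it. */
static const unsigned char WRAP_NOTES[] = {
    0xfd,0xff,0xff,0xff,  0,0,0,0,  1,0,0,0,  'G','N','U',0,
};

/* Constructed truncated note: claims a 64-byte desc but only 4 bytes follow. */
static const unsigned char SHORT_NOTES[] = {
    4,0,0,0,  64,0,0,0,  1,0,0,0,  'G','N','U',0,  1,2,3,4,
};

/* Named wrappers so each sample can be run (and asserted on) by name. */
int check_good(void)  { return count_notes(GOOD_NOTES, sizeof GOOD_NOTES); }
int check_wrap(void)  { return count_notes(WRAP_NOTES, sizeof WRAP_NOTES); }
int check_short(void) { return count_notes(SHORT_NOTES, sizeof SHORT_NOTES); }

int main(void)
{
    printf("32-bit roundup of 0xFFFFFFFD: %u\n", roundup2_32(0xFFFFFFFDu));
    printf("good:  %d notes\n", check_good());
    printf("wrap:  %d\n", check_wrap());
    printf("short: %d\n", check_short());
    return 0;
}
```

The length-based comparison is the point: `name_pad > remaining` is computed on integers, never on a pointer that may already lie outside the buffer, and widening to 64 bits before rounding closes the wraparound that a 32-bit rounded size would otherwise slip through.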
emaste 2020-03-04 20:29:49 +00:00
parent 031d3981bd
commit e3abca0edc


@ -3740,6 +3740,10 @@ dump_notes_content(struct readelf *re, const char *buf, size_t sz, off_t off)
}
note = (Elf_Note *)(uintptr_t) buf;
buf += sizeof(Elf_Note);
if (buf + roundup2(note->n_namesz, 4) > end) {
warnx("invalid note header name");
return;
}
name = buf;
buf += roundup2(note->n_namesz, 4);
/*
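Review bot: `buf + roundup2(note->n_namesz, 4) > end` forms a pointer that can lie past the buffer before it is compared, and because n_namesz is a 32-bit word, roundup2 of a value in 0xFFFFFFFD..0xFFFFFFFF wraps to 0, so the check passes while the raw `note->n_namesz` remains unchecked; compare lengths instead, e.g. `if (note->n_namesz > (size_t)(end - buf) || roundup2(note->n_namesz, 4) > (size_t)(end - buf))`. The visible context also does not show that `sizeof(Elf_Note)` itself was verified to fit before `note` is dereferenced; if the closing brace above `note = ...` belongs to such a check, a short comment saying so would help the next reader.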
@ -3759,6 +3763,10 @@ dump_notes_content(struct readelf *re, const char *buf, size_t sz, off_t off)
printf(" %-13s %#010jx", name, (uintmax_t) note->n_descsz);
printf(" %s\n", note_type(name, re->ehdr.e_type,
note->n_type));
if (buf + roundup2(note->n_descsz, 4) > end) {
warnx("invalid note header desc");
return;
}
dump_notes_data(re, name, note->n_type, buf, note->n_descsz);
buf += roundup2(note->n_descsz, 4);
}
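Review bot: the new check tests the padded size, but `dump_notes_data` is then handed the raw `note->n_descsz`; for a desc size where `roundup2(..., 4)` wraps to 0 the check passes and a size of nearly 4 GB reaches the callee, so check `note->n_descsz` itself against `end - buf` as well (or do the comparison on lengths in size_t). Separately, `printf(" %-13s %#010jx", name, ...)` prints the name with `%s` before anything has verified a NUL terminator within n_namesz bytes, so a corrupt note whose name lacks a terminator can still be read past the end of the name; either print with `%.*s` and n_namesz or reject names that contain no NUL.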