From: "Fabian Groffen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Fabian Groffen"
Message-ID: <1505718320.720becce1314db8c0af8442650f496d972475327.grobian@gentoo>
Subject: [gentoo-commits] proj/pax-utils:master commit in: /
X-VCS-Repository: proj/pax-utils
X-VCS-Files: scanelf.c
X-VCS-Directories: /
X-VCS-Committer: grobian
X-VCS-Committer-Name: Fabian Groffen
X-VCS-Revision: 720becce1314db8c0af8442650f496d972475327
X-VCS-Branch: master
Date: Mon, 18 Sep 2017 07:06:18 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     720becce1314db8c0af8442650f496d972475327
Author:     Sergei Trofimovich gentoo org>
AuthorDate: Sat Aug 19 09:34:41 2017 +0000
Commit:     Fabian Groffen gentoo org>
CommitDate: Mon Sep 18 07:05:20 2017 +0000
URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=720becce

scanelf: fix out-of-bounds access in ia64

commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9 slightly changed the
decoder and added an unchecked read from the ELF header:

```
    switch (EGET(dpltrel->d_un.d_val)) { \
    case DT_REL: \
        rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
```

On ia64 'EGET(drel->d_un.d_val)' returns an absolute address:

```
$ dumpelf bug/luatex
...
/* Dynamic tag #31 'DT_RELA' 0x97E310 */
{
    .d_tag = 0x7 ,
    .d_un = {
        .d_val = 0x4000000000031C30 ,
        .d_ptr = 0x4000000000031C30 ,
    },
},
```

That causes a 'scanelf' crash on binaries like 'luatex'.

This change restores the check and loudly skips such sections:

    scanelf: bug/luatex: DT_RELA is out of file range

Bug: https://bugs.gentoo.org/624356
Signed-off-by: Sergei Trofimovich gentoo.org>
Signed-off-by: Fabian Groffen gentoo.org>

 scanelf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/scanelf.c b/scanelf.c index 1ead891..a054408 100644 --- a/scanelf.c +++ b/scanelf.c @@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun } \ switch (EGET(dpltrel->d_un.d_val)) { \ case DT_REL: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_REL is out of file range", elf->filename); \ + break; \ + } \ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ rela = NULL; \ pltrel = DT_REL; \ break; \ case DT_RELA: \ + if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ + rel = NULL; \ + rela = NULL; \ + warn("%s: DT_RELA is out of file range", elf->filename); \ + break; \ + } \ rel = NULL; \ rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \ pltrel = DT_RELA; \
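Review bot: the new VALID_RANGE calls in both the DT_REL and DT_RELA cases only establish that `sizeof (drel->d_un.d_val)` bytes (4 or 8) at `EGET(drel->d_un.d_val)` lie inside the file, not that the relocation table later read through `rel`/`rela` does; a d_val that lands a few bytes before EOF still passes, so the table's byte count (the matching DT_RELSZ/DT_RELASZ value) should be folded into the range check as well. The two inserted blocks are identical apart from the tag name in the warning string; a small helper macro taking the tag string would keep them from drifting apart. Also, the early `break` leaves `pltrel` unset on the error path (the `pltrel = DT_REL;` / `pltrel = DT_RELA;` assignments are skipped), so it is worth confirming that the code after the switch checks `rel == NULL && rela == NULL` before it looks at `pltrel`.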
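As an added illustration of the bounds check this commit restores, here is a stand-alone C example written for this page; it is not pax-utils' own VALID_RANGE macro or elfobj, and the `elf_image` struct, the function names and the 4 KiB zero-filled "file" are assumptions, while the ia64 value 0x4000000000031C30 and the warning text come from the commit message above. It goes one step beyond the patch by bounding the whole relocation table (using the byte count the caller would take from DT_RELSZ/DT_RELASZ) rather than only the first `sizeof(d_val)` bytes, and it orders the comparisons so that a huge d_val cannot wrap the arithmetic into a range that looks valid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a mapped ELF file (assumption: not pax-utils' elfobj). */
struct elf_image {
    const char *filename;
    const unsigned char *data;  /* first byte of the file in memory */
    uint64_t len;               /* file size in bytes */
};

/* Overflow-safe check that [off, off + need) lies entirely inside the file.
 * Comparing off against len first means an ia64 absolute address such as
 * 0x4000000000031C30 is rejected before any addition could wrap around. */
static bool valid_range(const struct elf_image *elf, uint64_t off, uint64_t need)
{
    if (off > elf->len)
        return false;               /* table starts beyond end of file */
    if (need > elf->len - off)
        return false;               /* table starts inside but runs past EOF */
    return true;
}

/* Resolve a DT_REL/DT_RELA table from its d_val, returning NULL (and warning,
 * as the fixed scanelf does) when any part of the table would be read from
 * outside the file. table_size is the byte count from the matching
 * DT_RELSZ/DT_RELASZ entry, so the whole table is bounded, not just one word. */
static const unsigned char *
reloc_table(const struct elf_image *elf, const char *tag, uint64_t d_val, uint64_t table_size)
{
    if (!valid_range(elf, d_val, table_size)) {
        fprintf(stderr, "%s: %s is out of file range\n", elf->filename, tag);
        return NULL;
    }
    return elf->data + d_val;
}

/* Constructed sample: a 4 KiB zero-filled "file" standing in for bug/luatex. */
static unsigned char sample_bytes[0x1000];
static const struct elf_image sample = { "bug/luatex", sample_bytes, sizeof sample_bytes };

int main(void)
{
    /* The d_val from the dumpelf output in the commit message: an ia64
     * absolute address, far outside a 4 KiB file -> rejected. */
    const unsigned char *bad = reloc_table(&sample, "DT_RELA", 0x4000000000031C30ULL, 24);
    /* Eight 24-byte RELA entries starting at offset 0x100 fit -> accepted. */
    const unsigned char *good = reloc_table(&sample, "DT_RELA", 0x100, 24 * 8);
    /* A table that starts in range but runs past EOF -> also rejected,
     * which a check of only sizeof(d_val) bytes would miss. */
    const unsigned char *tail = reloc_table(&sample, "DT_REL", 0xFF0, 32);

    printf("bad=%s good=%s tail=%s\n", bad ? "ptr" : "NULL",
           good ? "ptr" : "NULL", tail ? "ptr" : "NULL");
    return 0;
}
```

The order of the two comparisons in `valid_range` is the whole point: subtracting `off` from `len` only after proving `off <= len` keeps every intermediate value in range, so no attacker-controlled header field can make the check pass by overflow.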