nlist: Check that e_shnum and e_shentsize are within bounds

The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson <daniel@elttam.com.au> Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au> Signed-off-by: Guillem Jover <guillem@hadrons.org>

nlist: Check that e_shnum and e_shentsize are within bounds
The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson <daniel@elttam.com.au> Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au> Signed-off-by: Guillem Jover <guillem@hadrons.org>
e9529d9b · Guillem Jover · 3aaedb12 · e9529d9b
Commit e9529d9b authored Jun 15, 2019 by Guillem Jover
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

src/nlist.c src/nlist.c +6 -0

No files found.
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
 	    fstat(fd, &st) < 0)
 		return (-1);

+	if (ehdr.e_shnum == 0 ||
+	    ehdr.e_shentsize != sizeof(Elf_Shdr)) {
+		errno = ERANGE;
+		return (-1);
+	}
+
 	/* calculate section header table size */
 	shdr_size = ehdr.e_shentsize * ehdr.e_shnum;