From patchwork Fri Jul 27 18:22:00 2018
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 28653
From: "H.J. Lu"
Date: Fri, 27 Jul 2018 11:22:00 -0700
Subject: [PATCH] x86/CET: Don't parse beyond the note end
To: Florian Weimer
Cc: GNU C Library, "Carlos O'Donell"

On Fri, Jul 27, 2018 at 11:20 AM, Florian Weimer wrote:
> On 07/27/2018 07:56 PM, H.J. Lu wrote:
>>
>> Yes, I can reproduce it. Let me take a look.
>
> Great. Did you see the patch I posted?
>

Please use this one instead.

Reviewed-by: Carlos O'Donell

From 8de773a7f9225bb9e42eae1263719ca506670087 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" Date: Fri, 27 Jul 2018 11:17:04 -0700 Subject: [PATCH] x86/CET: Don't parse beyond the note end Simply check if "ptr < ptr_end" since "ptr" is always incremented by 8. * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Don't parse beyond the note end. --- sysdeps/x86/dl-prop.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h index d56e20a6dc..35d3f16a23 100644 --- a/sysdeps/x86/dl-prop.h +++ b/sysdeps/x86/dl-prop.h @@ -73,7 +73,7 @@ _dl_process_cet_property_note (struct link_map *l, unsigned char *ptr = (unsigned char *) (note + 1) + 4; unsigned char *ptr_end = ptr + note->n_descsz; - while (1) + while (ptr < ptr_end) { unsigned int type = *(unsigned int *) ptr; unsigned int datasz = *(unsigned int *) (ptr + 4); -- 2.17.1
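Review bot: the new loop condition `while (ptr < ptr_end)` only guarantees that at least one byte remains, but the first two statements of the body read eight bytes (`type` at `ptr` and `datasz` at `ptr + 4`), so a malformed note whose `n_descsz` leaves fewer than 8 bytes before `ptr_end` (for example a descriptor size that is not a multiple of 8) can still be read past the end of the note. Since the commit message relies on `ptr` always advancing by 8, a check that matches the read size would be safer, e.g. `while (ptr + 8 <= ptr_end)`, or an explicit rejection of descriptors whose remaining length is smaller than the property header before dereferencing `ptr`.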