libdwfl: Add overflow check while iterating in dwfl_segment_report_module

Message ID 20211208170227.18011-1-mark@klomp.org
State Committed
Series libdwfl: Add overflow check while iterating in dwfl_segment_report_module

Commit Message

Mark Wielaard Dec. 8, 2021, 5:02 p.m. UTC
While iterating the notes we could overflow the len variable if the
note name or description was too big. Fix this by adding an (unsigned)
overflow check.

https://sourceware.org/bugzilla/show_bug.cgi?id=28654

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdwfl/ChangeLog                    | 5 +++++
 libdwfl/dwfl_segment_report_module.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
Patch

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 520405c8..e1cd70fa 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@ 
+2021-12-08  Mark Wielaard  <mark@klomp.org>
+
+	* dwfl_segment_report_module.c (dwfl_segment_report_module): Add
+	len overflow check while iterating notes.
+
 2021-12-08  Mark Wielaard  <mark@klomp.org>
 
 	* dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index f6a1799e..574f02a7 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -543,10 +543,12 @@  dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
 
               const GElf_Nhdr *nh = notes;
               size_t len = 0;
+              size_t last_len;
               while (filesz > len + sizeof (*nh))
                 {
                   const void *note_name;
                   const void *note_desc;
+                  last_len = len;
 
                   len += sizeof (*nh);
                   note_name = notes + len;
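Review bot: `last_len` is declared outside the loop but is only assigned and read inside it (`last_len = len;` at the top of the body), so declaring it in the body as `size_t last_len = len;` in place of the two added lines keeps its scope to a single iteration and avoids a maybe-uninitialized warning from compilers that cannot prove every path assigns it before use. A one-line comment stating that it snapshots `len` before the header, name, alignment and descriptor sizes are added, so that a later comparison can detect a wrap-around, would help the next reader understand why the variable exists.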
@@ -555,7 +557,9 @@  dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
                   len = align == 8 ? NOTE_ALIGN8 (len) : NOTE_ALIGN4 (len);
                   note_desc = notes + len;
 
-                  if (unlikely (filesz < len + nh->n_descsz))
+                  if (unlikely (filesz < len + nh->n_descsz
+                                || len < last_len
+                                || len + nh->n_descsz < last_len))
                     break;
 
                   if (nh->n_type == NT_GNU_BUILD_ID
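Review bot: the added `len < last_len || len + nh->n_descsz < last_len` condition cannot fire on the first note, because `last_len` is 0 there and no unsigned value is less than 0, so a wrap of `len` during the first iteration (reachable only where `size_t` is 32 bits, since `n_namesz` and `n_descsz` are 32-bit fields) still passes the check. Comparing against the remaining room instead, `if (unlikely (len > filesz || nh->n_descsz > filesz - len))`, guards the descriptor addition without any arithmetic that can wrap and is exact on every iteration including the first; applying the same remaining-room form at each earlier addition to `len` would remove the need for `last_len` altogether. If the `last_len` approach is kept, a comment explaining why two comparisons are needed (one for the name and alignment step, one for the descriptor step) belongs on the condition.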