From patchwork Sun Mar 20 21:29:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Wielaard <mark@klomp.org>
X-Patchwork-Id: 52155
Return-Path: <elfutils-devel-bounces+patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id B87853857018
	for <patchwork@sourceware.org>; Sun, 20 Mar 2022 21:32:53 +0000 (GMT)
X-Original-To: elfutils-devel@sourceware.org
Delivered-To: elfutils-devel@sourceware.org
Received: from gnu.wildebeest.org (gnu.wildebeest.org [45.83.234.184])
 by sourceware.org (Postfix) with ESMTPS id 0DCDD3858D37
 for <elfutils-devel@sourceware.org>; Sun, 20 Mar 2022 21:32:47 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0DCDD3858D37
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=klomp.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=klomp.org
Received: from reform (deer0x09.wildebeest.org [172.31.17.139])
 (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by gnu.wildebeest.org (Postfix) with ESMTPSA id A9410302FB81;
 Sun, 20 Mar 2022 22:32:44 +0100 (CET)
Received: by reform (Postfix, from userid 1000)
 id 25D0E2E81D4B; Sun, 20 Mar 2022 22:32:44 +0100 (CET)
From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Subject: [PATCH] libelf: Don't overflow offsets in elf_cvt_Verneed and
 elf_cvt_Verdef
Date: Sun, 20 Mar 2022 22:29:40 +0100
Message-Id: <20220320212940.155193-1-mark@klomp.org>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
X-Spam-Status: No, score=-9.8 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: elfutils-devel@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Elfutils-devel mailing list <elfutils-devel.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/elfutils-devel/>
List-Help: <mailto:elfutils-devel-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=subscribe>
Cc: Mark Wielaard <mark@klomp.org>
Errors-To: elfutils-devel-bounces+patchwork=sourceware.org@sourceware.org
Sender: "Elfutils-devel"
 <elfutils-devel-bounces+patchwork=sourceware.org@sourceware.org>

The conversion functions for Verdef and Verneed keep offsets to the next
structure. Make sure that following vd_aux, vda_next, vd_next, vn_aux,
vna_next and vn_next don't overflow (and wrap around) the offsets.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libelf/ChangeLog       |  7 ++++++
 libelf/version_xlate.h | 56 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index f6b47c68..ea204e2b 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,10 @@
+2022-03-20  Mark Wielaard  <mark@klomp.org>
+
+	* version_xlate.h (elf_cvt_Verdef): Make sure aux_offset and
+	def_offset don't overflow.
+	(elf_cvt_Verneed): Make sure aux_offset and need_offset don't
+	overflow.
+
 2022-03-18  Mark Wielaard  <mark@klomp.org>
 
 	* version_xlate.h (elf_cvt_Verdef): Check alignment of def_offset
diff --git a/libelf/version_xlate.h b/libelf/version_xlate.h
index b7bd301d..97f3b730 100644
--- a/libelf/version_xlate.h
+++ b/libelf/version_xlate.h
@@ -87,10 +87,16 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode)
 	  ddest->vd_aux = bswap_32 (dsrc->vd_aux);
 	  ddest->vd_next = bswap_32 (dsrc->vd_next);
 
+	  if (ddest->vd_aux > len - def_offset)
+	    return;
 	  aux_offset = def_offset + ddest->vd_aux;
 	}
       else
-	aux_offset = def_offset + dsrc->vd_aux;
+	{
+	  if (dsrc->vd_aux > len - def_offset)
+	    return;
+	  aux_offset = def_offset + dsrc->vd_aux;
+	}
 
       /* Handle all the auxiliary records belonging to this definition.  */
       do
@@ -107,19 +113,29 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode)
 	  asrc = (GElf_Verdaux *) ((char *) src + aux_offset);
 
 	  if (encode)
-	    aux_offset += asrc->vda_next;
+	    {
+	      if (asrc->vda_next > len - aux_offset)
+		return;
+	      aux_offset += asrc->vda_next;
+	    }
 
 	  adest->vda_name = bswap_32 (asrc->vda_name);
 	  adest->vda_next = bswap_32 (asrc->vda_next);
 
 	  if (! encode)
-	    aux_offset += adest->vda_next;
+	    {
+	      if (adest->vda_next > len - aux_offset)
+		return;
+	      aux_offset += adest->vda_next;
+	    }
 	}
       while (asrc->vda_next != 0);
 
       /* Encode now if necessary.  */
       if (encode)
 	{
+	  if (dsrc->vd_next > len - def_offset)
+	    return;
 	  def_offset += dsrc->vd_next;
 
 	  ddest->vd_version = bswap_16 (dsrc->vd_version);
@@ -131,7 +147,11 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode)
 	  ddest->vd_next = bswap_32 (dsrc->vd_next);
 	}
       else
-	def_offset += ddest->vd_next;
+	{
+	  if (ddest->vd_next > len - def_offset)
+	    return;
+	  def_offset += ddest->vd_next;
+	}
     }
   while (dsrc->vd_next != 0);
 }
@@ -188,10 +208,16 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 	  ndest->vn_aux = bswap_32 (nsrc->vn_aux);
 	  ndest->vn_next = bswap_32 (nsrc->vn_next);
 
+	  if (ndest->vn_aux > len - need_offset)
+	    return;
 	  aux_offset = need_offset + ndest->vn_aux;
 	}
       else
-	aux_offset = need_offset + nsrc->vn_aux;
+	{
+	  if (nsrc->vn_aux > len - need_offset)
+	    return;
+	  aux_offset = need_offset + nsrc->vn_aux;
+	}
 
       /* Handle all the auxiliary records belonging to this requirement.  */
       do
@@ -208,7 +234,11 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 	  asrc = (GElf_Vernaux *) ((char *) src + aux_offset);
 
 	  if (encode)
-	    aux_offset += asrc->vna_next;
+	    {
+	      if (asrc->vna_next > len - aux_offset)
+		return;
+	      aux_offset += asrc->vna_next;
+	    }
 
 	  adest->vna_hash = bswap_32 (asrc->vna_hash);
 	  adest->vna_flags = bswap_16 (asrc->vna_flags);
@@ -217,13 +247,19 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 	  adest->vna_next = bswap_32 (asrc->vna_next);
 
 	  if (! encode)
-	    aux_offset += adest->vna_next;
+	    {
+	      if (adest->vna_next > len - aux_offset)
+		return;
+	      aux_offset += adest->vna_next;
+	    }
 	}
       while (asrc->vna_next != 0);
 
       /* Encode now if necessary.  */
       if (encode)
 	{
+	  if (nsrc->vn_next > len - need_offset)
+	    return;
 	  need_offset += nsrc->vn_next;
 
 	  ndest->vn_version = bswap_16 (nsrc->vn_version);
@@ -233,7 +269,11 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 	  ndest->vn_next = bswap_32 (nsrc->vn_next);
 	}
       else
-	need_offset += ndest->vn_next;
+	{
+	  if (ndest->vn_next > len - need_offset)
+	    return;
+	  need_offset += ndest->vn_next;
+	}
     }
   while (nsrc->vn_next != 0);
 }