| Message ID | 20240307-elf2dmp-v4-19-4f324ad4d99d@daynix.com |
|---|---|
| State | New |
| Series | contrib/elf2dmp: Improve robustness |
On Thu, 7 Mar 2024 at 10:21, Akihiko Odaki <akihiko.odaki@daynix.com> wrote:
>
> Callers of elf64_getphdr() and elf_getphdrnum() assume phdrs are
> accessible.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2202
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> ---

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM
diff --git a/contrib/elf2dmp/qemu_elf.c b/contrib/elf2dmp/qemu_elf.c index 8d750adf904a..c9bad6e82cf3 100644 --- a/contrib/elf2dmp/qemu_elf.c +++ b/contrib/elf2dmp/qemu_elf.c @@ -132,6 +132,7 @@ static void exit_states(QEMU_Elf *qe) static bool check_ehdr(QEMU_Elf *qe) { Elf64_Ehdr *ehdr = qe->map; + uint64_t phendoff; if (sizeof(Elf64_Ehdr) > qe->size) { eprintf("Invalid input dump file size\n"); @@ -173,6 +174,13 @@ static bool check_ehdr(QEMU_Elf *qe) return false; } + if (umul64_overflow(ehdr->e_phnum, sizeof(Elf64_Phdr), &phendoff) || + uadd64_overflow(phendoff, ehdr->e_phoff, &phendoff) || + phendoff > qe->size) { + eprintf("phdrs do not fit in file\n"); + return false; + } + return true; }
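Review bot: The bounds check added in the second hunk of check_ehdr() computes the end of the program header table as e_phnum * sizeof(Elf64_Phdr) + e_phoff, so it only bounds the table correctly when e_phentsize equals sizeof(Elf64_Phdr); if check_ehdr() does not already reject any other e_phentsize before this point (that validation is not visible in this hunk), it should precede this check, or the multiplication should use ehdr->e_phentsize instead. Using umul64_overflow()/uadd64_overflow() rather than plain arithmetic is the right way to avoid a wrapped phendoff passing the `phendoff > qe->size` comparison, and the early `return false` with an eprintf() message matches the surrounding checks; please also confirm that qemu/host-utils.h, which provides those helpers, is included in qemu_elf.c, since the first hunk only adds the `uint64_t phendoff;` declaration.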
Callers of elf64_getphdr() and elf_getphdrnum() assume phdrs are accessible.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2202
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
 contrib/elf2dmp/qemu_elf.c | 8 ++++++++
 1 file changed, 8 insertions(+)