From owner-svn-src-head@FreeBSD.ORG Tue Dec 30 22:04:26 2014 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 263BDF55; Tue, 30 Dec 2014 22:04:26 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EDD7464F07; Tue, 30 Dec 2014 22:04:25 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBUM4Par089062; Tue, 30 Dec 2014 22:04:25 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBUM4PHr089061; Tue, 30 Dec 2014 22:04:25 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201412302204.sBUM4PHr089061@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 30 Dec 2014 22:04:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r276427 - head/contrib/elftoolchain/libelf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2014 22:04:26 -0000 Author: emaste Date: Tue Dec 30 22:04:24 2014 New Revision: 276427 URL: https://svnweb.freebsd.org/changeset/base/276427 Log: Check for multiplication integer overflow in CHECK_EHDR The initial fix in r276374 is valid only for 64-bit objects. Revert it and return an error in CHECK_EHDR if the multiplication would overflow. The original buffer overflow issue was found with the security/afl fuzzer and has upstream elftoolchain ticket 462. The 32-bit object issue with r276374 found by antoine@ during an i386 exp-run. Sponsored by: The FreeBSD Foundation Modified: head/contrib/elftoolchain/libelf/elf_scn.c Modified: head/contrib/elftoolchain/libelf/elf_scn.c ============================================================================== --- head/contrib/elftoolchain/libelf/elf_scn.c Tue Dec 30 21:55:50 2014 (r276426) +++ head/contrib/elftoolchain/libelf/elf_scn.c Tue Dec 30 22:04:24 2014 (r276427) @@ -32,6 +32,7 @@ #include #include #include +#include #include #include "_libelf.h" @@ -50,7 +51,6 @@ _libelf_load_section_headers(Elf *e, voi Elf64_Ehdr *eh64; int ec, swapbytes; unsigned char *src; - unsigned char *rawend; size_t fsz, i, shnum; int (*xlator)(unsigned char *_d, size_t _dsz, unsigned char *_s, size_t _c, int _swap); @@ -61,6 +61,7 @@ _libelf_load_section_headers(Elf *e, voi #define CHECK_EHDR(E,EH) do { \ if (fsz != (EH)->e_shentsize || \ + shnum > SIZE_MAX / fsz || \ shoff + fsz * shnum > e->e_rawsize) { \ LIBELF_SET_ERROR(HEADER, 0); \ return (0); \ @@ -87,7 +88,6 @@ _libelf_load_section_headers(Elf *e, voi swapbytes = e->e_byteorder != LIBELF_PRIVATE(byteorder); src = e->e_rawfile + shoff; - rawend = e->e_rawfile + e->e_rawsize; /* * If the file is using extended numbering then section #0 @@ -104,8 +104,6 @@ _libelf_load_section_headers(Elf *e, voi } for (; i < shnum; i++, src += fsz) { - if (src + sizeof(scn->s_shdr) > rawend) - return (0); if ((scn = _libelf_allocate_scn(e, i)) == NULL) return (0);