Project

General

Profile

Bug #5507

libelf may overflow data buffer when translating data to memory representation

Added by Rich Lowe about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Rich Lowe
Category:
lib - userland libraries
Start date:
2015-01-06
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

If a section is of a size that is not a multiple of its section size, libelf may overflow the buffer allocated to hold the data.

That's because:

(size / size-of-file-repr) * size-of-memory-repr

May be smaller than 'size' (thanks to integer division). It's considered invariant in libelf, that the size of the memory representation is always larger than or equal to the representation in a file, so we presume that allocating an amount of space equal to the above will always give us room to copy the entire section's data. It won't if the division has a remainder, even if the invariant otherwise holds.

Talking about this, briefly, with Robert, we think the right (or the least surprising, at least) thing for libelf to do is probably to allocate enough space for the whole section, thus proving all the data to the client (even the junk data).

#1

Updated by Electric Monk about 6 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit 98cadd320d4521e7438bc624f89adef498589add

commit  98cadd320d4521e7438bc624f89adef498589add
Author: Richard Lowe <richlowe@richlowe.net>
Date:   2015-01-09T18:28:13.000Z

    5507 libelf may overflow data buffer when translating data to memory representation
    Reviewed by: Gordon Ross <gwr@nexenta.com>
    Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
    Approved by: Robert Mustacchi <rm@joyent.com>

Also available in: Atom PDF