Bug #5507
libelf may overflow data buffer when translating data to memory representation
Description
If a section's size is not a multiple of the size of its entries' file representation, libelf may overflow the buffer allocated to hold the data.
That's because:
(size / size-of-file-repr) * size-of-memory-repr
may be smaller than 'size' (thanks to integer division). It's considered invariant in libelf that the size of the memory representation is always larger than or equal to the representation in a file, so we presume that allocating an amount of space equal to the above will always give us room to copy the entire section's data. It won't if the division has a remainder, even if the invariant otherwise holds.
Talking about this, briefly, with Robert, we think the right (or the least surprising, at least) thing for libelf to do is probably to allocate enough space for the whole section, thus providing all the data to the client (even the junk data).
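The arithmetic in the description, worked through as an added example (this is not libelf's code and not the committed fix): `buggy_alloc_size` is the allocation the report describes, `overrun_bytes` is how far a copy of the whole section would run past it, and `whole_section_alloc_size` is one way to size the buffer for the whole section as the report proposes. The representation sizes are constructed for illustration; the overrun appears whenever the division has a remainder and the memory representation is not large enough to absorb it, which is exactly the case when file and memory representations are the same size.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Buffer size computed as the report describes: the number of whole
 * file-representation entries in the section, times the size of one
 * entry in memory. The remainder of the integer division is lost.
 */
size_t buggy_alloc_size(size_t section_size, size_t fsz, size_t msz)
{
	return (section_size / fsz) * msz;
}

/*
 * Room for every whole entry in memory representation plus the trailing
 * remainder bytes. Under libelf's invariant (msz >= fsz) this is never
 * smaller than section_size, so copying the whole section cannot overrun.
 * This is an illustration of "allocate enough for the whole section", not
 * the fix that was committed.
 */
size_t whole_section_alloc_size(size_t section_size, size_t fsz, size_t msz)
{
	size_t whole = section_size / fsz;
	size_t rem = section_size % fsz;

	return whole * msz + rem;
}

/* Bytes by which copying section_size bytes would exceed the buggy buffer. */
size_t overrun_bytes(size_t section_size, size_t fsz, size_t msz)
{
	size_t alloc = buggy_alloc_size(section_size, fsz, msz);

	return section_size > alloc ? section_size - alloc : 0;
}

int main(void)
{
	/* Constructed cases: {section size, file repr size, memory repr size}. */
	const size_t cases[][3] = {
		{ 12, 4, 4 },	/* exact multiple: no overrun */
		{ 10, 4, 4 },	/* remainder, same size both ways: overrun */
		{ 10, 4, 8 },	/* remainder, but memory repr is wide: no overrun */
		{  7, 4, 5 },	/* remainder, memory repr only slightly wider: overrun */
	};
	size_t i;

	printf("%8s %4s %4s %8s %8s %8s\n",
	    "section", "fsz", "msz", "buggy", "overrun", "whole");
	for (i = 0; i < sizeof (cases) / sizeof (cases[0]); i++) {
		size_t sz = cases[i][0], f = cases[i][1], m = cases[i][2];

		printf("%8zu %4zu %4zu %8zu %8zu %8zu\n", sz, f, m,
		    buggy_alloc_size(sz, f, m), overrun_bytes(sz, f, m),
		    whole_section_alloc_size(sz, f, m));
	}
	return (0);
}
```

The second row is the case the report is about: a 10-byte section of 4-byte entries gets an 8-byte buffer, and copying all 10 bytes writes 2 bytes past the end. The third row shows why the invariant alone is not enough: a wider memory representation happens to cover the remainder, but only by accident of the sizes involved.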
Updated by Electric Monk about 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
git commit 98cadd320d4521e7438bc624f89adef498589add
commit 98cadd320d4521e7438bc624f89adef498589add
Author: Richard Lowe <richlowe@richlowe.net>
Date: 2015-01-09T18:28:13.000Z

5507 libelf may overflow data buffer when translating data to memory representation
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Approved by: Robert Mustacchi <rm@joyent.com>