Bug #7106: elfdump crashes with invalid ELF
Status: Closed
Updated by Dillon Amburgey over 6 years ago
Webrev available at http://us-east.manta.joyent.com/dillona/public/webrevs/7106/index.html
Updated by Dillon Amburgey over 6 years ago
- Category set to cmd - userland programs
- Status changed from New to In Progress
- Tags deleted (needs-triage)
Updated by Dillon Amburgey over 6 years ago
The issue here is that the existing code in interp does not check that c_data has a d_buf associated with it. In any valid ELF, this should indeed be the case.
However, elf_getdata (through _elf_locked_getdata) in libelf can return non-NULL but with d_buf being NULL. This is happening here because sh_offset is 0.
From getdata.c in usr/src/cmd/sgs/libelf/common/:

    if ((d->db_off == 0) || (d->db_fsz == 0)) {
        d->db_myflags |= DBF_READY;
        return (&d->db_data);
    }
Therefore the following existing check is not sufficient:

    if (ishdr && icache->c_data) {
        ...
    } else
        (void) fprintf(stderr, MSG_INTL(MSG_WARN_INVINTERP1), file);
We must add additional checking for the elements of c_data (particularly d_buf, but the patch also includes d_size for thoroughness).
Excerpts from elfdump (before the crash):

    Section Header[30]:  sh_name: section[30]
        sh_addr:      0               sh_flags:   [ SHF_ALLOC ]
        sh_size:      0x67a8          sh_type:    0x117
        sh_offset:    0               sh_entsize: 0x4 (6634 entries)
        sh_link:      3168            sh_info:    31
        sh_addralign: 0x64

    Interpreter Section:  section[30]
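As an added illustration, not part of this bug report or of the illumos sources: a minimal ELF64 section reader that mirrors the libelf behaviour described above (a section with sh_offset == 0 or sh_size == 0 still yields a data descriptor, but its d_buf stays NULL), with the pre-fix shape of the interp check next to a hardened one. The struct layouts follow the ELF64 specification; the image layout, the interp path string, the function names and the extra in-bounds NUL-termination check are constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not illumos code. ELF64 header subsets, laid out
 * exactly as in the ELF specification (all fields naturally aligned). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} shdr64_t;

/* The two Elf_Data fields the interp code looks at (field names as in libelf). */
typedef struct {
    const void *d_buf;
    size_t      d_size;
} data_t;

#define SHT_PROGBITS 1
#define IMG_SIZE     216   /* 64 ehdr + 24 interp area + 2 * 64 shdr (assumed layout) */
#define SHDR_OFF     88
#define INTERP_OFF   64

static _Alignas(uint64_t) uint8_t img[IMG_SIZE];

/* Locate section header idx; NULL only if the index or table is out of range. */
static const shdr64_t *
section_header(const uint8_t *p, size_t len, unsigned idx)
{
    const ehdr64_t *eh = (const ehdr64_t *)p;
    if (len < sizeof (*eh) || idx >= eh->e_shnum ||
        eh->e_shoff + (uint64_t)(idx + 1) * sizeof (shdr64_t) > len)
        return NULL;
    return (const shdr64_t *)(p + eh->e_shoff + idx * sizeof (shdr64_t));
}

/* Mimics elf_getdata(): sh_offset == 0 or sh_size == 0 still returns a
 * "ready" descriptor, but d_buf is left NULL, exactly the case in this bug. */
static int
get_data(const uint8_t *p, size_t len, const shdr64_t *sh, data_t *d)
{
    d->d_buf = NULL;
    d->d_size = sh->sh_size;
    if (sh->sh_offset == 0 || sh->sh_size == 0)
        return 1;                          /* descriptor, but nothing to read */
    if (sh->sh_offset + sh->sh_size > len)
        return 0;                          /* truncated file: no descriptor */
    d->d_buf = p + sh->sh_offset;
    return 1;
}

/* Builds the image in the static buffer: interp string at INTERP_OFF and two
 * section headers at SHDR_OFF. interp_off becomes sh_offset of section 1;
 * pass 0 to reproduce the invalid file from the report. */
static void
build_image(uint64_t interp_off)
{
    static const char interp[] = "/usr/lib/ld.so.1";   /* assumed path */
    ehdr64_t *eh = (ehdr64_t *)img;
    shdr64_t *sh = (shdr64_t *)(img + SHDR_OFF);

    memset(img, 0, IMG_SIZE);
    memcpy(eh->e_ident, "\x7f" "ELF\x02\x01\x01", 7);
    eh->e_shoff = SHDR_OFF;
    eh->e_ehsize = sizeof (*eh);
    eh->e_shentsize = sizeof (*sh);
    eh->e_shnum = 2;
    memcpy(img + INTERP_OFF, interp, sizeof (interp));
    sh[1].sh_type = SHT_PROGBITS;
    sh[1].sh_offset = interp_off;
    sh[1].sh_size = sizeof (interp);
}

/* Pre-fix shape of the check: only asks whether a descriptor came back.
 * Returns 1 when the caller would go on to dereference d_buf. */
int
naive_for_offset(uint64_t interp_off)
{
    data_t d;
    build_image(interp_off);
    const shdr64_t *sh = section_header(img, IMG_SIZE, 1);
    return sh != NULL && get_data(img, IMG_SIZE, sh, &d);
}

/* Hardened: reject a descriptor with no buffer or no bytes, and (beyond the
 * patch) require the string to be NUL-terminated inside d_size. */
const char *
interp_for_offset(uint64_t interp_off)
{
    data_t d;
    build_image(interp_off);
    const shdr64_t *sh = section_header(img, IMG_SIZE, 1);
    if (sh == NULL || !get_data(img, IMG_SIZE, sh, &d))
        return NULL;
    if (d.d_buf == NULL || d.d_size == 0)
        return NULL;
    if (memchr(d.d_buf, '\0', d.d_size) == NULL)
        return NULL;
    return (const char *)d.d_buf;
}

int
main(void)
{
    printf("valid:   naive=%d interp=%s\n", naive_for_offset(INTERP_OFF),
        interp_for_offset(INTERP_OFF));
    const char *s = interp_for_offset(0);
    printf("invalid: naive=%d interp=%s\n", naive_for_offset(0),
        s == NULL ? "(rejected)" : s);
    return 0;
}
```

The naive check returns 1 for both images, so on the sh_offset == 0 file the original code proceeded to read through a NULL d_buf; the hardened check rejects that descriptor before touching the buffer.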
Updated by Electric Monk over 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit 5093b3b62da799ea81b3a0f84f606266d06ce94e
Author: Dillon Amburgey <dillona@dillona.com>
Date: 2016-06-22T14:48:46.000Z

7106 elfdump crashes with invalid ELF
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Robert Mustacchi <rm@joyent.com>