Bug #7141: divide by zero when string table entry size is zero
Status: Closed
Start date: 2016-06-26
% Done: 100%
Difficulty: Bite-size
Description
In stringtbl in usr/src/cmd/sgs/elfdump/common/elfdump.c, the symbol table entry size (and link) are checked:
    /*
     * Validate the symbol table section.
     */
    if ((shdr->sh_link == 0) || (shdr->sh_link >= shnum)) {
        (void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSHLINK),
            file, cache[ndx].c_name, EC_WORD(shdr->sh_link));
        return (0);
    }
    if ((shdr->sh_entsize == 0) || (shdr->sh_size == 0)) {
        (void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSZ),
            file, cache[ndx].c_name);
        return (0);
    }
However, the string table does not undergo such checking:

    /*
     * Establish the string table index.
     */
    ndx = shdr->sh_link;
    shdr = cache[ndx].c_shdr;

    /*
     * Return symbol table information.
     */
    if (symnum)
        *symnum = (shdr->sh_size / shdr->sh_entsize);
If shdr->sh_entsize is 0, a divide by zero will occur.
See the attached ELF for an example.
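As an added illustration (not elfdump's code and not the committed fix), this is the shape of guard that prevents the crash: the header that the division actually uses, reached through sh_link, gets the same entsize/size validation as the header that points to it. The shdr_t struct and both header tables are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-in for the Elf64_Shdr fields the checks use (constructed). */
typedef struct {
    uint64_t sh_size;
    uint32_t sh_link;
    uint64_t sh_entsize;
} shdr_t;

enum { OK = 0, ERR_BADSHLINK = -1, ERR_BADSZ = -2 };

/* Reject any header that would make sh_size / sh_entsize undefined. */
static int check_sizes(const shdr_t *shdr) {
    return (shdr->sh_entsize == 0 || shdr->sh_size == 0) ? ERR_BADSZ : OK;
}

/*
 * Entry count of the section that cache[ndx].sh_link points to. Both
 * the starting header and the linked header are validated before the
 * division, so a crafted sh_entsize of 0 yields ERR_BADSZ, not SIGFPE.
 */
int linked_entry_count(const shdr_t *cache, size_t shnum, size_t ndx,
    uint64_t *count) {
    const shdr_t *shdr;
    int rc;
    if (ndx >= shnum) return ERR_BADSHLINK;
    shdr = &cache[ndx];
    if (shdr->sh_link == 0 || shdr->sh_link >= shnum) return ERR_BADSHLINK;
    if ((rc = check_sizes(shdr)) != OK) return rc;
    shdr = &cache[shdr->sh_link];   /* the header the division actually uses */
    if ((rc = check_sizes(shdr)) != OK) return rc;
    *count = shdr->sh_size / shdr->sh_entsize;
    return OK;
}

/* Constructed header tables: section 1 links to section 2. In the
 * crafted table section 2 has sh_entsize == 0, the shape the report describes. */
static const shdr_t crafted[] = {
    { 0, 0, 0 }, { 48, 2, 24 }, { 16, 0, 0 },
};
static const shdr_t sane[] = {
    { 0, 0, 0 }, { 48, 2, 24 }, { 64, 0, 16 },   /* 64 / 16 = 4 entries */
};

/* Returns ERR_BADSZ (-2) for the crafted table instead of crashing. */
int crafted_result(void) { uint64_t n = 0; return linked_entry_count(crafted, 3, 1, &n); }
/* Returns 4 for the sane table. */
uint64_t sane_entries(void) { uint64_t n = 0; (void)linked_entry_count(sane, 3, 1, &n); return n; }
```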
Updated by Dillon Amburgey over 7 years ago
- File div_zero_hash added
The same issue exists in the hash function. Attaching an example
Updated by Dillon Amburgey over 7 years ago
- File div_zero_got added
Same issue happening in processing the got
Updated by Dillon Amburgey over 7 years ago
- File div_zero_syminfo added
Same thing in syminfo
Updated by Electric Monk about 7 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
git commit 4520d59fda389ed57a633978297f35ae1e5c37b8

    commit 4520d59fda389ed57a633978297f35ae1e5c37b8
    Author: Dillon Amburgey <dillona@dillona.com>
    Date:   2016-07-07T16:39:38.000Z

        7141 divide by zero when string table entry size is zero
        Reviewed by: Toomas Soome <tsoome@me.com>
        Reviewed by: Albert Lee <trisk@omniti.com>
        Approved by: Robert Mustacchi <rm@joyent.com>