Project

General

Profile

Actions
Copy link

Bug #7177

closed

More null pointer dereferences in elfdump

Added by Dillon Amburgey almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Low
Assignee:
Dillon Amburgey
Category:
cmd - userland programs
Start date:
2016-07-03
Due date:
% Done:

100%

Estimated time:
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

usr/src/head/libelf.h defines struct Elf_Data like so:

/*
 * Data descriptor
 */
typedef struct {
    Elf_Void    *d_buf;
    Elf_Type    d_type;
    size_t        d_size;
    off_t        d_off;        /* offset into section */
    size_t        d_align;    /* alignment in section */
    unsigned    d_version;    /* elf version */
} Elf_Data;

elfdump uses these structures to cache various section data. Unfortunately there is insufficient checking on references (as I discovered in #7106).
d_buf is allowed to and can be NULL, primarily on corrupted or truncated binaries (as also seen in #6177).

In this ticket I endeavor to remove all of these insufficient checks from elfdump. I've attached another crashing sample. Unfortunately I do not have samples of all of these cases to verify they were fixed, but I believe the code is straightforward enough to show this through analysis.

Files

another_null_ptr (9.05 KB) another_null_ptr Dillon Amburgey, 2016-07-10 09:25 PM
Actions
Copy link
 #1

Updated by Electric Monk almost 6 years ago

  • Status changed from New to Closed
  • % Done changed from 90 to 100

git commit a5dce49383b67bfd3a81999460d579f53a67c029

commit  a5dce49383b67bfd3a81999460d579f53a67c029
Author: Dillon Amburgey <dillona@dillona.com>
Date:   2016-07-13T18:32:29.000Z

    7177 More null pointer dereferences in elfdump
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>

Actions
Copy link

Also available in: Atom PDF