Bug #7177 (closed)
More null pointer dereferences in elfdump
Start date: 2016-07-03
% Done: 100%
Difficulty: Bite-size
Description
usr/src/head/libelf.h defines struct Elf_Data like so:
/*
 * Data descriptor
 */
typedef struct {
	Elf_Void	*d_buf;
	Elf_Type	d_type;
	size_t		d_size;
	off_t		d_off;		/* offset into section */
	size_t		d_align;	/* alignment in section */
	unsigned	d_version;	/* elf version */
} Elf_Data;
elfdump uses these structures to cache various section data. Unfortunately there is insufficient checking on references (as I discovered in #7106).
d_buf is allowed to and can be NULL, primarily on corrupted or truncated binaries (as also seen in #6177).
In this ticket I endeavor to remove all of these insufficient checks from elfdump. I've attached another crashing sample. Unfortunately I do not have samples of all of these cases to verify they were fixed, but I believe the code is straightforward enough to show this through analysis.
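As an added illustration (not code from this ticket, nor from elfdump or libelf), here is the kind of defensive accessor the description calls for. It mirrors the Elf_Data layout quoted above in a local struct so it builds without libelf.h (an assumption: void * and int stand in for the Elf_Void and Elf_Type typedefs), refuses to dereference a descriptor whose d_buf is NULL, bounds every offset against d_size without letting the arithmetic wrap, and does a string-table lookup that fails cleanly when a name runs past the end of a truncated section. The string table it walks is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Local mirror of the Elf_Data layout quoted in the ticket so this file
 * builds without libelf.h. Assumption: void * and int stand in for the
 * libelf typedefs Elf_Void and Elf_Type.
 */
typedef struct {
	void		*d_buf;
	int		d_type;
	size_t		d_size;
	off_t		d_off;		/* offset into section */
	size_t		d_align;	/* alignment in section */
	unsigned	d_version;	/* elf version */
} Elf_Data;

/*
 * Return a pointer to `len` bytes starting at `off` inside the descriptor,
 * or NULL when the descriptor is absent, carries no buffer (what libelf
 * hands back for truncated or corrupt sections), or is too small. The two
 * comparisons are ordered so that off + len is never computed and so never
 * wraps.
 */
const void *
elf_data_range(const Elf_Data *data, size_t off, size_t len)
{
	if (data == NULL || data->d_buf == NULL)
		return (NULL);
	if (off > data->d_size || len > data->d_size - off)
		return (NULL);
	return ((const char *)data->d_buf + off);
}

/*
 * Bounded string-table lookup: return the NUL-terminated name at `off`, or
 * NULL if the descriptor is unusable or the name is not terminated before
 * d_size (a section truncated in the middle of a name).
 */
const char *
elf_string_safe(const Elf_Data *strtab, size_t off)
{
	const char *base;

	if (strtab == NULL || strtab->d_buf == NULL || off >= strtab->d_size)
		return (NULL);
	base = (const char *)strtab->d_buf + off;
	if (memchr(base, '\0', strtab->d_size - off) == NULL)
		return (NULL);
	return (base);
}

/* Constructed sample: a .shstrtab-style table holding ".text" and ".data". */
static char sample_tbl[] = "\0.text\0.data";

Elf_Data sample_ok    = { sample_tbl, 0, sizeof (sample_tbl), 0, 1, 1 };
Elf_Data sample_trunc = { sample_tbl, 0, 9, 0, 1, 1 };	/* cut inside ".data" */
Elf_Data sample_nobuf = { NULL, 0, sizeof (sample_tbl), 0, 1, 1 };

/* Returns 0 when every lookup behaves as expected, else the failing step. */
int
check_samples(void)
{
	const char *s;

	s = elf_string_safe(&sample_ok, 1);
	if (s == NULL || strcmp(s, ".text") != 0)
		return (1);
	s = elf_string_safe(&sample_ok, 7);
	if (s == NULL || strcmp(s, ".data") != 0)
		return (2);
	/* ".text" is still whole in the truncated copy, ".data" is not. */
	if (elf_string_safe(&sample_trunc, 1) == NULL)
		return (3);
	if (elf_string_safe(&sample_trunc, 7) != NULL)
		return (4);
	/* A NULL d_buf must never be dereferenced, whatever d_size claims. */
	if (elf_string_safe(&sample_nobuf, 1) != NULL)
		return (5);
	if (elf_data_range(&sample_nobuf, 0, 1) != NULL)
		return (6);
	/* Exact fit is fine; one byte past the end and a huge offset are not. */
	if (elf_data_range(&sample_ok, 7, 6) == NULL)
		return (7);
	if (elf_data_range(&sample_ok, 7, 7) != NULL)
		return (8);
	if (elf_data_range(&sample_ok, SIZE_MAX, 1) != NULL)
		return (9);
	return (0);
}

int
main(void)
{
	int rc = check_samples();

	printf("%s\n", rc == 0 ? "all checks passed" : "check failed");
	return (rc);
}
```

The point of routing every access through one accessor is that the NULL and size checks cannot be forgotten at individual call sites, which is exactly the failure pattern the ticket describes; a dump tool that follows this pattern reports a bad section and moves on instead of crashing.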
Updated by Electric Monk almost 6 years ago
- Status changed from New to Closed
- % Done changed from 90 to 100
git commit a5dce49383b67bfd3a81999460d579f53a67c029
commit a5dce49383b67bfd3a81999460d579f53a67c029
Author: Dillon Amburgey <dillona@dillona.com>
Date: 2016-07-13T18:32:29.000Z

7177 More null pointer dereferences in elfdump
Reviewed by: Robert Mustacchi <rm@joyent.com>
Approved by: Dan McDonald <danmcd@omniti.com>