
Bug #7179

Insufficient checking in elfdump when processing hash info

Added by Dillon Amburgey almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Low
Category: cmd - userland programs
Start date: 2016-07-11
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Files

hash_crash (9.05 KB) - An exemplar of this crashing behavior - Dillon Amburgey, 2016-07-11 02:26 AM

History

#1

Updated by Dillon Amburgey almost 4 years ago

An ELF hash table section consists of a count of buckets, a count of chains, an array of buckets, and an array of chains (in that order).
In several locations, these arrays are accessed with indices that are not checked to be within bounds.
Indeed it is not even checked that there is enough data to access even the size fields:

        hash = (uint_t *)_cache->c_data->d_buf;
        bkts = *hash;			/* reads hash[0] without checking d_size */
        chain = hash + 2 + bkts;	/* bkts is unchecked against d_size */
        hash += 2;

If _cache->c_data->d_size were for example 3, this would access invalid memory.

The attached crashing file dies due to _ndx and *hash not being checked:

        _ndx = chain[*hash];		/* *hash and _ndx are never bounds-checked */
        _cnt = 1;
        while (_ndx) {
            hash_entry(_cache, &cache[sshdr->sh_link],
                hsecname, ndx, _ndx, symn, syms, file,
                bkts, flags, 1);
            _ndx = chain[_ndx];		/* unchecked index into chain[] */
            _cnt++;
        }

This method must be examined against the file format to make sure all requisite checks are taking place. I also have over 130 other crashing inputs due to this issue.
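The checks the report asks for, written out as an added example (not elfdump's code and not the fix that was committed): the section size is verified before the two count words are read, the declared bucket and chain arrays are verified to fit in d_size, every bucket and chain index is checked against both nchain and the symbol count, and a chain that loops is detected instead of walked forever. The sample sections are constructed here and the function name hash_walk is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Failure codes from hash_walk(); a non-negative result is a symbol count. */
#define HASH_TRUNCATED (-1) /* d_size too small for what the header claims */
#define HASH_BAD_INDEX (-2) /* bucket or chain entry lies outside the tables */
#define HASH_CYCLE     (-3) /* chain never reaches STN_UNDEF */

/* Walk every bucket chain of an SHT_HASH section with bounds checks. d_buf and
 * d_size mirror the section's Elf_Data; symn is the entry count of the symbol
 * table named by sh_link. Returns symbols reached or a negative code. */
long
hash_walk(const void *d_buf, size_t d_size, size_t symn)
{
	const uint32_t *hash = d_buf, *bkts, *chain;
	uint32_t nbucket, nchain, b;
	uint64_t need;
	long reached = 0;

	/* Do not read the two count words until we know they are present. */
	if (hash == NULL || d_size < 2 * sizeof (uint32_t))
		return (HASH_TRUNCATED);
	nbucket = hash[0];
	nchain = hash[1];
	/* 64-bit arithmetic so hostile counts cannot wrap the size sum. */
	need = ((uint64_t)2 + nbucket + nchain) * sizeof (uint32_t);
	if (need > d_size)
		return (HASH_TRUNCATED);
	bkts = hash + 2;
	chain = bkts + nbucket;

	for (b = 0; b < nbucket; b++) {
		uint32_t ndx = bkts[b], steps = 0;
		while (ndx != 0) {	/* STN_UNDEF (0) terminates a chain */
			/* ndx indexes both chain[] and the symbol table. */
			if (ndx >= nchain || ndx >= symn)
				return (HASH_BAD_INDEX);
			/* More steps than chain entries means the chain loops. */
			if (++steps > nchain)
				return (HASH_CYCLE);
			reached++;
			ndx = chain[ndx];
		}
	}
	return (reached);
}

/* Constructed sample sections (not from the attached crash file). */
static const uint32_t good_section[]   = { 2, 4, 1, 3, 0, 2, 0, 0 };
static const uint32_t badidx_section[] = { 2, 4, 5, 0, 0, 0, 0, 0 };
static const uint32_t cycle_section[]  = { 2, 4, 1, 0, 0, 2, 1, 0 };
static const uint32_t short_section[]  = { 1000, 1000 };
```

With good_section (two buckets, four chain entries) the walk reaches symbols 1, 2 and 3; the other samples exercise each rejection path, including the d_size of 3 mentioned in the report.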

#2

Updated by Electric Monk almost 4 years ago

  • Status changed from New to Closed
  • % Done changed from 80 to 100

git commit acefc525a071e96f717b3d8d4338fa9d0a807b8a

commit  acefc525a071e96f717b3d8d4338fa9d0a807b8a
Author: Dillon Amburgey <dillona@dillona.com>
Date:   2016-07-25T13:40:21.000Z

    7179 Insufficient checking in elfdump when processing hash info
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>
