author | Aleksei Vetrov <vvvvvv@google.com> | 2023-11-16 21:29:22 +0000 |
---|---|---|
committer | Aleksei Vetrov <vvvvvv@google.com> | 2023-11-22 19:51:15 +0000 |
commit | 0a1e6c198647878418a6dbea4d53c554d870ba55 (patch) | |
tree | 75bf99dfbe80a6310421222133ccc24b68a72b28 | |
parent | 7c7f2af329ae801ce6f71ade19a1744495bff3d6 (diff) | |
download | elfutils-0a1e6c198647878418a6dbea4d53c554d870ba55.tar.gz |
libdw: check offset dwarf_formstring in all cases
This check was originally added to reject offsets that fall beyond the safe
prefix of the string section, within which every string is guaranteed to be
null-terminated. However, the check was placed in the wrong branch and did
not cover all `attrp->form` cases.
* libdw/dwarf_formstring.c (dwarf_formstring): Move offset check
right before returning the result.
Change-Id: I8d73a87640eb8c959d124b2a39fc3ef05401716c
Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
-rw-r--r-- | libdw/dwarf_formstring.c | 6 | ||||
-rw-r--r-- | patches/libdw-check-offset-dwarf_formstring-in-all-cases.patch | 36 |
2 files changed, 39 insertions, 3 deletions
diff --git a/libdw/dwarf_formstring.c b/libdw/dwarf_formstring.c
index 0ee42411..65f03a5e 100644
--- a/libdw/dwarf_formstring.c
+++ b/libdw/dwarf_formstring.c
@@ -173,11 +173,11 @@ dwarf_formstring (Dwarf_Attribute *attrp)
 off = read_4ubyte_unaligned (dbg, datap);
 else
 off = read_8ubyte_unaligned (dbg, datap);
-
- if (off >= data_size)
- goto invalid_offset;
 }
 
+ if (off >= data_size)
+ goto invalid_offset;
+
 return (const char *) data->d_buf + off;
 }
 INTDEF(dwarf_formstring)
diff --git a/patches/libdw-check-offset-dwarf_formstring-in-all-cases.patch b/patches/libdw-check-offset-dwarf_formstring-in-all-cases.patch
new file mode 100644
index 00000000..7e30d2a3
--- /dev/null
+++ b/patches/libdw-check-offset-dwarf_formstring-in-all-cases.patch
@@ -0,0 +1,36 @@
+From 1bd9deb9aa19ac2e2fa9665009e0d5924adcf4d3 Mon Sep 17 00:00:00 2001
+From: Aleksei Vetrov <vvvvvv@google.com>
+Date: Thu, 16 Nov 2023 21:29:22 +0000
+Subject: [PATCH] libdw: check offset dwarf_formstring in all cases
+
+This check was initially added to test if offset overflows the safe
+prefix where any string will be null-terminated. However the check
+was placed in a wrong place and didn't cover all `attrp->form` cases.
+
+ * libdw/dwarf_formstring.c (dwarf_formstring): Move offset check
+right before returning the result.
+
+Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
+
+diff --git a/libdw/dwarf_formstring.c b/libdw/dwarf_formstring.c
+index 0ee42411..65f03a5e 100644
+--- a/libdw/dwarf_formstring.c
++++ b/libdw/dwarf_formstring.c
+@@ -173,11 +173,11 @@ dwarf_formstring (Dwarf_Attribute *attrp)
+ off = read_4ubyte_unaligned (dbg, datap);
+ else
+ off = read_8ubyte_unaligned (dbg, datap);
+-
+- if (off >= data_size)
+- goto invalid_offset;
+ }
+
++ if (off >= data_size)
++ goto invalid_offset;
++
+ return (const char *) data->d_buf + off;
+ }
+ INTDEF(dwarf_formstring)
+--
+2.43.0.rc1.413.gea7ed67945-goog
+ |
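Review bot: The relocated `if (off >= data_size) goto invalid_offset;` now guards every form that reaches the `return (const char *) data->d_buf + off;`, but it only bounds the start of the string, so whether the returned pointer is safe to read as a C string depends entirely on how `data_size` was derived earlier in the function, which lies outside this hunk. If `data_size` is the raw `data->d_size`, a string beginning at a valid offset near the end of the section can still run off the buffer; the commit message suggests it is instead clamped to a NUL-terminated prefix, and if that prefix ends at the final NUL, note that `>=` also rejects an empty string sitting exactly on that byte, which may or may not be intended. Since that invariant is what makes this single comparison sufficient, I would state it at the check: `/* data_size is the length of the prefix of d_buf within which every string is NUL-terminated (see above); an offset at or past it could read beyond the section. */`. The body of dwarf_formstring begins before this hunk, so the clamping of data_size cannot be confirmed from here.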