[PATCH] D25239: [Object/ELF] - Do not crash on invalid sh_size value of REL[A] section.

George Rimar via llvm-commits llvm-commits at lists.llvm.org
Tue Oct 4 08:22:49 PDT 2016


grimar created this revision.
grimar added reviewers: rafael, davide.
grimar added subscribers: llvm-commits, grimar, evgeny777.

Previously the code would access invalid memory and could crash;
this patch fixes the issue.
Was noticed by Rafael Ávila de Espíndola in comments for https://reviews.llvm.org/D25187.


https://reviews.llvm.org/D25239

Files:
  include/llvm/Object/ELF.h
  test/Object/Inputs/invalid-relocation-sec-sh_size.elf-i386
  test/Object/Inputs/invalid-relocation-sec-sh_size.elf-x86-64
  test/Object/invalid.test


Index: test/Object/invalid.test
===================================================================
--- test/Object/invalid.test
+++ test/Object/invalid.test
@@ -64,3 +64,9 @@
 RUN: not llvm-readobj -r %p/Inputs/invalid-relocation-sec-sh_offset.elf-x86-64 2>&1 | \
 RUN:   FileCheck --check-prefix=INVALID-RELOC-SH-OFFSET %s
 INVALID-RELOC-SH-OFFSET: Invalid relocation entry offset
+
+RUN: not llvm-readobj -r %p/Inputs/invalid-relocation-sec-sh_size.elf-i386 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-RELOC-SH-SIZE %s
+RUN: not llvm-readobj -r %p/Inputs/invalid-relocation-sec-sh_size.elf-x86-64 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-RELOC-SH-SIZE %s
+INVALID-RELOC-SH-SIZE: Invalid relocation entry size
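Review bot: the new RUN lines only cover the rejecting case; with the `>=` comparison used in the ELF.h hunks, an object whose REL[A] table ends exactly at the end of the file (a legitimate layout) would also be reported as invalid, so a positive test with such a last-in-file relocation section would catch that boundary. Also consider naming the expected message so it is distinguishable from the existing "Invalid relocation table size" check two lines above the new code, since both now describe a bad `sh_size`.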
Index: include/llvm/Object/ELF.h
===================================================================
--- include/llvm/Object/ELF.h
+++ include/llvm/Object/ELF.h
@@ -146,7 +146,10 @@
     uint64_t Size = sec->sh_size;
     if (Size % sizeof(Elf_Rela))
       report_fatal_error("Invalid relocation table size");
-    return rela_begin(sec) + Size / sizeof(Elf_Rela);
+    const Elf_Rela *Begin = rela_begin(sec);
+    if (reinterpret_cast<const uint8_t *>(Begin + Size) >= base() + Buf.size())
+      report_fatal_error("Invalid relocation entry size");
+    return Begin + Size / sizeof(Elf_Rela);
   }
 
   Elf_Rela_Range relas(const Elf_Shdr *Sec) const {
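Review bot: the bounds check on the line `if (reinterpret_cast<const uint8_t *>(Begin + Size) >= base() + Buf.size())` is computed in the wrong units: `Begin` is a `const Elf_Rela *`, so `Begin + Size` advances by `Size * sizeof(Elf_Rela)` bytes rather than by `Size` bytes, and a perfectly valid table can fail the check while a large `sh_size` can overflow the pointer arithmetic before the comparison is made. The `>=` is also off by one, because an end pointer equal to `base() + Buf.size()` is the normal one-past-the-end of a table that finishes at EOF. Assuming `rela_begin` has already validated `sh_offset` against the buffer (which the existing "Invalid relocation entry offset" test suggests), compare sizes as integers instead, e.g. `uint64_t Off = reinterpret_cast<const uint8_t *>(Begin) - base();` / `if (Size > Buf.size() - Off)` / `report_fatal_error("Invalid relocation table size");`, and pick a message that differs from the modulo check a few lines above.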
@@ -165,7 +168,10 @@
     uint64_t Size = sec->sh_size;
     if (Size % sizeof(Elf_Rel))
       report_fatal_error("Invalid relocation table size");
-    return rel_begin(sec) + Size / sizeof(Elf_Rel);
+    const Elf_Rel *Begin = rel_begin(sec);
+    if (reinterpret_cast<const uint8_t *>(Begin + Size) >= base() + Buf.size())
+      report_fatal_error("Invalid relocation entry size");
+    return Begin + Size / sizeof(Elf_Rel);
   }
 
   Elf_Rel_Range rels(const Elf_Shdr *Sec) const {
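Review bot: the same unit mismatch appears in this hunk: `Begin` is a `const Elf_Rel *`, so `Begin + Size` is scaled by `sizeof(Elf_Rel)` and the check compares an address `Size * sizeof(Elf_Rel)` bytes past the table start against the buffer end, with possible pointer overflow for a large `sh_size`, and `>=` rejects a table that ends exactly at EOF. Since `rel_end` and `rela_end` now carry identical logic apart from the element type, a small shared helper that takes the byte offset and `Size` and checks `Size > Buf.size() - Off` would keep the two in sync and avoid fixing the same bug twice.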


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D25239.73484.patch
Type: text/x-patch
Size: 1905 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20161004/bd8d8b02/attachment.bin>


More information about the llvm-commits mailing list