[all-commits] [llvm/llvm-project] ba808b: [llvm-readobj] - Validate the DT_STRSZ value to av...

Georgii Rymar via All-commits all-commits at lists.llvm.org
Mon Jun 22 05:31:50 PDT 2020


  Branch: refs/heads/master
  Home:   https://github.com/llvm/llvm-project
  Commit: ba808b157e84774e8f384d9436c911c1341105cd
      https://github.com/llvm/llvm-project/commit/ba808b157e84774e8f384d9436c911c1341105cd
  Author: Georgii Rymar <grimar at accesssoftek.com>
  Date:   2020-06-22 (Mon, 22 Jun 2020)

  Changed paths:
    M llvm/test/tools/llvm-readobj/ELF/dyn-symbols.test
    M llvm/test/tools/llvm-readobj/ELF/dynamic-malformed.test
    M llvm/tools/llvm-readobj/ELFDumper.cpp

  Log Message:
  -----------
  [llvm-readobj] - Validate the DT_STRSZ value to avoid crash.

It is possible to trigger a crash when a dynamic symbol has a
broken (too large) st_name and the DT_STRSZ is also broken.

We have the following code in the `Elf_Sym_Impl<ELFT>::getName`:

```cpp
template <class ELFT>
Expected<StringRef> Elf_Sym_Impl<ELFT>::getName(StringRef StrTab) const {
  uint32_t Offset = this->st_name;
  if (Offset >= StrTab.size())
    return createStringError(object_error::parse_failed,
                             "st_name (0x%" PRIx32
                             ") is past the end of the string table"
                             " of size 0x%zx",
                             Offset, StrTab.size());
...
```

The problem is that `StrTab` here is a `ELFDumper::DynamicStringTab` member
which is not validated properly on initialization. So it is possible to bypass the
`if` even when the `st_name` is huge.

This patch fixes the issue.

Differential revision: https://reviews.llvm.org/D82201
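An added example (not code from this commit or from LLVM) that models the failure the message describes: the `st_name` check in `getName` is only as strong as the string table length it is handed, so the table length from `DT_STRSZ` has to be validated against the file before it is used. All names (`DynStrTab`, `loadStrTabChecked`, `stNameAccepted`) and the inline file image are constructed for the example; the real check in D82201 may be shaped differently.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>

// Hypothetical model of llvm-readobj's DynamicStringTab: a pointer into the
// file buffer plus the length claimed by DT_STRSZ.
struct DynStrTab {
  const char *data;
  size_t size;
};

// Constructed file image: DT_STRTAB at offset 0, real table length 17 bytes.
static const char kFile[] = "\0main\0_start\0foo";
static const size_t kFileSize = sizeof(kFile);  // includes the final NUL

// Pre-fix behaviour modelled: DT_STRSZ is trusted without validation.
DynStrTab loadStrTabUnchecked(size_t strtabOff, uint64_t strsz) {
  return DynStrTab{kFile + strtabOff, static_cast<size_t>(strsz)};
}

// Fixed behaviour modelled: DT_STRSZ must fit in the file after DT_STRTAB,
// otherwise no string table is produced at all.
std::optional<DynStrTab> loadStrTabChecked(size_t strtabOff, uint64_t strsz) {
  if (strtabOff > kFileSize || strsz > kFileSize - strtabOff)
    return std::nullopt;  // broken DT_STRSZ (or DT_STRTAB) rejected here
  return DynStrTab{kFile + strtabOff, static_cast<size_t>(strsz)};
}

// The bound check from Elf_Sym_Impl::getName, isolated: it is only as strong
// as tab.size, so a huge DT_STRSZ lets a huge st_name through.
bool stNameAccepted(const DynStrTab &tab, uint32_t stName) {
  return stName < tab.size;
}

// Name lookup on a validated table; also requires a NUL inside the table so
// the read can never run past its end.
std::optional<std::string> getName(const DynStrTab &tab, uint32_t stName) {
  if (!stNameAccepted(tab, stName))
    return std::nullopt;  // st_name past the end of the string table
  const char *p = tab.data + stName;
  const void *nul = memchr(p, '\0', tab.size - stName);
  if (!nul)
    return std::nullopt;  // unterminated string
  return std::string(p, static_cast<const char *>(nul));
}
```

With `DT_STRSZ` set to `0xFFFFFFFF`, the unchecked table accepts `st_name = 0x1000` even though the file is 17 bytes long; the checked loader refuses to build the table, so `getName` is never reached.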
