[PATCH] D25187: [Object/ELF] - Do not crash on invalid sh_offset value of REL[A] section.
George Rimar via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 3 07:02:33 PDT 2016
grimar created this revision.
grimar added reviewers: rafael, davide.
grimar added subscribers: llvm-commits, grimar, evgeny777.
Previously the code would access invalid memory and might crash; this patch fixes the issue. AFL and the latest lld code with WIP patches applied were used to find it.
https://reviews.llvm.org/D25187
Files:
include/llvm/Object/ELF.h
test/Object/Inputs/invalid-relocation-sec-sh_offset.elf-i386
test/Object/Inputs/invalid-relocation-sec-sh_offset.elf-x86-64
test/Object/invalid.test
Index: test/Object/invalid.test
===================================================================
--- test/Object/invalid.test
+++ test/Object/invalid.test
@@ -54,3 +54,9 @@
RUN: not llvm-readobj -t %p/Inputs/invalid-xindex-size.elf 2>&1 | FileCheck --check-prefix=INVALID-XINDEX-SIZE %s
INVALID-XINDEX-SIZE: Invalid data was encountered while parsing the file.
+
+RUN: not llvm-readobj -r %p/Inputs/invalid-relocation-sec-sh_offset.elf-i386 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-RELOC-SH-OFFSET %s
+RUN: not llvm-readobj -r %p/Inputs/invalid-relocation-sec-sh_offset.elf-x86-64 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-RELOC-SH-OFFSET %s
+INVALID-RELOC-SH-OFFSET: Invalid relocation entry offset
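Review bot: the two new RUN lines only exercise an sh_offset that lies at or beyond the end of the file, which is exactly the case the new `sh_offset >= Buf.size()` check in ELF.h rejects; an input whose sh_offset is inside the file but whose sh_offset + sh_size runs past the end would not trigger the new message, so a third input for that case would make the remaining gap visible and pin the behaviour once the check covers the section's full extent. Both RUN lines share the INVALID-RELOC-SH-OFFSET prefix, which is fine since the expected message is identical for i386 and x86-64.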
Index: include/llvm/Object/ELF.h
===================================================================
--- include/llvm/Object/ELF.h
+++ include/llvm/Object/ELF.h
@@ -137,6 +137,8 @@
const Elf_Rela *rela_begin(const Elf_Shdr *sec) const {
if (sec->sh_entsize != sizeof(Elf_Rela))
report_fatal_error("Invalid relocation entry size");
+ if (sec->sh_offset >= Buf.size())
+ report_fatal_error("Invalid relocation entry offset");
return reinterpret_cast<const Elf_Rela *>(base() + sec->sh_offset);
}
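Review bot: the added `if (sec->sh_offset >= Buf.size())` only validates where the section starts, not where it ends: the pointer returned on the next line is the start of a run of `sizeof(Elf_Rela)` entries that the caller walks, so a section whose sh_offset is in range but whose sh_offset + sh_size exceeds Buf.size() still lets iteration read past the buffer. Checking the full extent in an overflow-safe form, e.g. `if (sec->sh_size > Buf.size() || sec->sh_offset > Buf.size() - sec->sh_size) report_fatal_error("Invalid relocation section offset or size");`, closes that case, and the message would then name the section header field being rejected rather than an "entry offset".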
@@ -154,6 +156,8 @@
const Elf_Rel *rel_begin(const Elf_Shdr *sec) const {
if (sec->sh_entsize != sizeof(Elf_Rel))
report_fatal_error("Invalid relocation entry size");
+ if (sec->sh_offset >= Buf.size())
+ report_fatal_error("Invalid relocation entry offset");
return reinterpret_cast<const Elf_Rel *>(base() + sec->sh_offset);
}
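Review bot: this is the same two-line check as in rela_begin with only the entry type differing, and like that copy it stops at the start offset without considering sh_size; a single shared helper (a hypothetical `checkSectionBounds(const Elf_Shdr *sec)` that validates both offset and size, called from both rel_begin and rela_begin) would keep the two paths from drifting apart as further checks are added. One edge to decide explicitly: `>=` rejects a zero-sized relocation section whose sh_offset equals Buf.size() even though no byte of it would be read; if such inputs are meant to be accepted, `>` combined with a size check is the more accurate condition.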
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D25187.73272.patch
Type: text/x-patch
Size: 1638 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20161003/afce1911/attachment.bin>