[PATCH] D82201: [llvm-readobj] - Validate the DT_STRSZ value to avoid crash.
George Rimar via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Fri Jun 19 09:12:43 PDT 2020
grimar created this revision.
grimar added reviewers: jhenderson, MaskRay.
Herald added subscribers: rupprecht, emaste.
Herald added a reviewer: espindola.
Herald added a project: LLVM.
It is possible to trigger a crash when a dynamic symbol has a
broken (too large) st_name and the DT_STRSZ is also broken.
We have the following code in the `Elf_Sym_Impl<ELFT>::getName`:
template <class ELFT>
Expected<StringRef> Elf_Sym_Impl<ELFT>::getName(StringRef StrTab) const {
uint32_t Offset = this->st_name;
if (Offset >= StrTab.size())
return createStringError(object_error::parse_failed,
"st_name (0x%" PRIx32
") is past the end of the string table"
" of size 0x%zx",
Offset, StrTab.size());
...
The problem is that `StrTab` here is a `ELFDumper::DynamicStringTab` member
which is not validated properly on initialization. So it is possible to bypass the
`if` even when the `st_name` is huge.
This patch fixes the issue.
https://reviews.llvm.org/D82201
Files:
llvm/test/tools/llvm-readobj/ELF/dyn-symbols.test
llvm/test/tools/llvm-readobj/ELF/dynamic-malformed.test
llvm/tools/llvm-readobj/ELFDumper.cpp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D82201.272096.patch
Type: text/x-patch
Size: 4818 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20200619/5b8d3495/attachment-0001.bin>
More information about the llvm-commits
mailing list