authorMark Wielaard <mjw@redhat.com>2015-05-31 16:05:34 +0200
committerMark Wielaard <mjw@redhat.com>2015-06-05 14:48:55 +0200
commit2ec518247897bfa41327db2627e1e6112e5d59da (patch)
treed69c7b7ac2e5a6b942fc948b4a60decb3196abff /libelf
parentf78e8640475ac1ea0b29bff79fbc77c0dfa47657 (diff)
libelf: Fix possible unbounded stack usage in getphdr_wrlock.
When a copy needs to be made of the phdrs, allocate with malloc and free after conversion instead of calling alloca. Signed-off-by: Mark Wielaard <mjw@redhat.com>
Diffstat (limited to 'libelf')
-rw-r--r--libelf/ChangeLog5
-rw-r--r--libelf/elf32_getphdr.c18
2 files changed, 19 insertions, 4 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4fd3f9f5..65f9112d 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,10 @@
2015-05-31 Mark Wielaard <mjw@redhat.com>
+ * elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
+ alloca and free after conversion when a copy needs to be made.
+
+2015-05-31 Mark Wielaard <mjw@redhat.com>
+
* elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
malloc, not alloca also in !ALLOW_UNALIGNED case.
diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 1b82a480..38e489dc 100644
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -141,13 +141,20 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
}
else
{
- if (ALLOW_UNALIGNED
- || ((uintptr_t) file_phdr
- & (__alignof__ (ElfW2(LIBELFBITS,Phdr)) - 1)) == 0)
+ bool copy = ! (ALLOW_UNALIGNED
+ || ((uintptr_t) file_phdr
+ & (__alignof__ (ElfW2(LIBELFBITS,Phdr))
+ - 1)) == 0);
+ if (! copy)
notcvt = file_phdr;
else
{
- notcvt = (ElfW2(LIBELFBITS,Phdr) *) alloca (size);
+ notcvt = (ElfW2(LIBELFBITS,Phdr) *) malloc (size);
+ if (unlikely (notcvt == NULL))
+ {
+ __libelf_seterrno (ELF_E_NOMEM);
+ goto out;
+ }
memcpy (notcvt, file_phdr, size);
}
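Review bot: The new `goto out` taken when `malloc (size)` fails leaves the function after the destination `phdr` array exists but before the `CONVERT_TO` loop has filled it. The allocation of `phdr` is outside this hunk, so this is inferred: if that buffer has already been stored in the Elf state at this point, a later call could hand back the cached pointer with uninitialized contents instead of failing again. The error branch should undo that before jumping, i.e. free the destination buffer and reset the cached pointer and its malloc flag next to `__libelf_seterrno (ELF_E_NOMEM);`. Separately, `memcpy (notcvt, file_phdr, size)` reads `size` bytes from the mapped file, so it is worth confirming that the part of the function above this hunk checks `size` and the phdr offset against the file length.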
@@ -162,6 +169,9 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
CONVERT_TO (phdr[cnt].p_flags, notcvt[cnt].p_flags);
CONVERT_TO (phdr[cnt].p_align, notcvt[cnt].p_align);
}
+
+ if (copy)
+ free (notcvt);
}
}
}