libelf: Fix possible unbounded stack usage in load_shdr_wrlock.

When a copy needs to be made of the shdrs, allocate with malloc and free
after conversion instead of calling alloca.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

2 files changed, 19 insertions, 4 deletions

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 65f9112d..79308fe8 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,10 @@
 2015-05-31  Mark Wielaard  <mjw@redhat.com>
 
+	* elf32_getshdr.c (load_shdr_wrlock): Allocate shdrs with malloc,
+	not alloca and free after conversion when a copy needs to be made.
+
+2015-05-31  Mark Wielaard  <mjw@redhat.com>
+
 	* elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
 	alloca and free after conversion when a copy needs to be made.
 
diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index 74170473..ee1aed8f 100644
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -111,15 +111,22 @@ load_shdr_wrlock (Elf_Scn *scn)
 	}
       else
 	{
-	  if (ALLOW_UNALIGNED
-	      || ((uintptr_t) file_shdr
-		  & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) == 0)
+	  bool copy = ! (ALLOW_UNALIGNED
+			 || ((uintptr_t) file_shdr
+			     & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1))
+			     == 0);
+	  if (! copy)
 	    notcvt = (ElfW2(LIBELFBITS,Shdr) *)
 	      ((char *) elf->map_address
 	       + elf->start_offset + ehdr->e_shoff);
 	  else
 	    {
-	      notcvt = (ElfW2(LIBELFBITS,Shdr) *) alloca (size);
+	      notcvt = (ElfW2(LIBELFBITS,Shdr) *) malloc (size);
+	      if (unlikely (notcvt == NULL))
+		{
+		  __libelf_seterrno (ELF_E_NOMEM);
+		  goto out;
+		}
 	      memcpy (notcvt, ((char *) elf->map_address
 			       + elf->start_offset + ehdr->e_shoff),
 		      size);
@@ -153,6 +160,9 @@ load_shdr_wrlock (Elf_Scn *scn)
 		elf->state.ELFW(elf,LIBELFBITS).scns.data[cnt].shndx_index
 		  = -1;
 	    }
+
+	  if (copy)
+	    free (notcvt);
 	}
     }
   else if (likely (elf->fildes != -1))