path: root/libelf
Commit message  [Author, Age, Files, Lines]
* Remove old-style function definitions.  [Mark Wielaard, 2015-09-23, 86 files, -398/+189]

    We already require -std=gnu99 and old-style function definitions
    might hide some compiler warnings.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* Update dl-hash.h from glibc.  [Mark Wielaard, 2015-09-23, 2 files, -41/+38]

    Our dl-hash.h implementation originally came from, or was written at
    the same time as, the glibc implementation. At some point (around 9
    years ago) they diverged and the elfutils version got an updated
    copyright header. The glibc version saw various updates/optimizations.
    Just treat the file like we do for elf.h and copy it whenever the
    glibc version is updated.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Don't leak memory on failure paths in elf_updatefile.  [Mark Wielaard, 2015-06-19, 2 files, -12/+22]

    When something goes wrong during the update make sure to always free
    any temporary allocated memory (shdr_data and/or scns).

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Check symbol section header exists before use in nlist.  [Mark Wielaard, 2015-06-19, 2 files, -2/+10]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Always call ftruncate before posix_fallocate to set the right size.  [Mark Wielaard, 2015-06-19, 2 files, -2/+10]

    When elf_update.c (write_file) doesn't know the current maximum file
    length it might have to reduce the file size. posix_fallocate can only
    extend the file. So always call ftruncate before that to set the file
    size and make sure the backing store is fully there.

    Add test cases for checking strip in place (eu-strip without -o)
    actually reduces the file size. But only for non-ET_REL files. We
    might not be able to strip ET_REL files (except when they are kernel
    modules) because they might contain "dangling" symbol table entries.

    https://bugzilla.redhat.com/show_bug.cgi?id=1232206

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make sure elf_getdata_rawchunk returns aligned data.  [Mark Wielaard, 2015-06-09, 3 files, -3/+34]

    elf_getdata_rawchunk might return an unaligned buffer for the
    requested ELF data type. Make sure the data is also correctly aligned
    when using an mmapped file. Also add some missing alignments for ELF
    data types for __libelf_type_align (the missing types could also make
    elf_getdata return unaligned data).

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make sure conversion functions work on aligned data for type.  [Mark Wielaard, 2015-06-09, 2 files, -2/+29]

    The gelf_xlate conversion functions work on properly aligned ELF data
    types. If elf_getdata needs to do conversion and ! ALLOW_UNALIGNED and
    the rawdata_base isn't aligned properly for the section type, then
    provide an aligned copy of the data.

    Found with --enable-sanitize-undefined in run-test-archive64.sh on
    x86_64.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Check e_shoff alignment before direct access of Elf(32|64)_Shdr.  [Mark Wielaard, 2015-06-08, 2 files, -4/+9]

    In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly
    aligned, but to access the Shdr directly we need to check whether the
    address that points to the Elf(32|64)_Shdr structure is correctly
    aligned.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Split checks for ehdr and shdr, drop phdr check in file_read_elf.  [Mark Wielaard, 2015-06-08, 2 files, -65/+80]

    There are various places in the code that check whether mmapped
    structures are correctly aligned (or ALLOW_UNALIGNED is set). Some of
    these checks are asserts. Like the one in elf(32|64)_getshdr. We should
    not get into that part of the code if the shdr scn structure was cached
    in elf_begin because it was mmapped in and properly aligned.

    These asserts could trigger because in elf_begin.c file_read_elf () all
    alignment checks were combined. So even though only one of the ehdr,
    shdr or phdr structures was not properly aligned, all structures would
    be copied. Also the phdr structure was not even read in elf_begin, so
    the alignment check was unnecessary.

    This patch splits the alignment checks and reading of ehdr and shdr
    structures into separate code paths. It also drops the phdr alignment
    checks in elf_begin. Those phdr checks are done in elf(32|64)_getphdr
    already.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix possible unbounded stack usage in load_shdr_wrlock.  [Mark Wielaard, 2015-06-05, 2 files, -4/+19]

    When a copy needs to be made of the shdrs, allocate with malloc and
    free after conversion instead of calling alloca.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix possible unbounded stack usage in getphdr_wrlock.  [Mark Wielaard, 2015-06-05, 2 files, -4/+19]

    When a copy needs to be made of the phdrs, allocate with malloc and
    free after conversion instead of calling alloca.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix unbounded stack usage in elf_getarsym for !ALLOW_UNALIGNED case.  [Mark Wielaard, 2015-06-05, 2 files, -1/+14]

    The number of entries in the index can be large, don't use alloca to
    read in temporary data, use malloc (which is freed after out).

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Don't call memmove with possible NULL buffer.  [Mark Wielaard, 2015-06-05, 2 files, -2/+7]

    When size is zero the src and dest buffers might be NULL.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Don't call mempcpy with possible NULL d_buf.  [Mark Wielaard, 2015-06-05, 2 files, -1/+6]

    When d_size is zero d_buf might be NULL. last_position doesn't need to
    be updated in that case.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix possible unbounded stack usage in updatefile.  [Mark Wielaard, 2015-05-27, 2 files, -3/+26]

    Allocate shdr_data and scns with malloc, not alloca. Free after
    writing section headers.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix possible unbounded stack usage in updatemmap.  [Mark Wielaard, 2015-05-27, 2 files, -8/+28]

    Allocate temporary shdr storage with malloc, not alloca. Free after
    writing section headers.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix possible unbounded stack usage in elf_getarsym.  [Mark Wielaard, 2015-05-27, 2 files, -2/+17]

    The number of entries in the index can be large, don't use alloca to
    read in temporary data, use malloc (and free after out).

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Use posix_fallocate instead of ftruncate to extend ELF file.  [Mark Wielaard, 2015-05-27, 2 files, -3/+18]

    This fixes an obscure SIGBUS error when using ELF_C_WRITE_MMAP on an
    ELF file that needs extending when the underlying file system is
    (nearly) full.

    Use posix_fallocate to make sure the file content is really there.
    Using ftruncate might mean the file is extended, but space isn't
    allocated yet. This might cause a SIGBUS once we write into the
    mmapped space and the disk is full.

    Using fallocate might fail on some file systems. posix_fallocate is
    required to extend the file and allocate enough space even if the
    underlying filesystem would normally return EOPNOTSUPP or the kernel
    doesn't implement the fallocate syscall. Also posix_fallocate has been
    in glibc since 2.1.94, while support for fallocate was only added in
    2.10 and kernel 2.6.23.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: If e_phnum is zero then set e_phoff also to zero.  [Mark Wielaard, 2015-05-18, 2 files, -0/+13]

    If phnum is zero make sure e_phoff is also zero and not some random
    value. That would cause trouble in update_file. This could happen when
    ELF_F_LAYOUT is set and the user copied over an ehdr from a bogus ELF
    file where the phdrs are unreadable. In that case trying to write out
    the new ELF image would crash trying to follow the bogus e_phdr value.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: More checking of valid sh_addralign values.  [Mark Wielaard, 2015-05-18, 3 files, -0/+26]

    There were two issues with bogus sh_addralign values.

    First we would only check the individual Elf_Data d_align values were
    powerof2. But not the actual shdr addralign value. This would cause an
    issue if the shdr addralign was bigger than all of the individual
    d_align values. Then we could write out a bogus (! powerof2) shdr
    addralign value for the sections.

    Secondly when reading in the Elf_Data we would set the d_align value
    to the value of the shdr addralign value. But we would not check it
    was valid at all. In practice there are ELF files with incorrect
    sh_addralign values (they are a powerof2, but aren't aligned to the
    ELF image offset). We would try to fix that up in elf_update by adding
    extra padding. But this could bloat the ELF image a lot for large
    alignment values. So for too large alignments that are bigger than the
    offset in the ELF file clamp them to the offset value. This could lead
    us to reject to write out the data again when the offset was not a
    powerof2. But this will only happen for alignment values bigger than
    64. Which are uncommon in practice.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make sure shdrs are valid before storing extended phnum in newphdr.  [Mark Wielaard, 2015-05-18, 2 files, -1/+17]

    Creating phdr with more than PN_XNUM phnum requires a valid section
    zero shdr to store the extended value. Make sure the shdrs are valid.
    Also fix the error when count was too big to store by setting
    ELF_E_INVALID_INDEX before failing.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* Always call gelf_fsize with EV_CURRENT as argument.  [Mark Wielaard, 2015-05-13, 2 files, -1/+5]

    Don't trust the elf version given by the file. It could be completely
    bogus. In which case gelf_fsize just returns zero. Which could cause
    divide by zero errors.

    https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c34

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make sure version xlate dest buffer is fully defined.  [Mark Wielaard, 2015-05-06, 2 files, -1/+16]

    https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c16 contains an
    example of usage of undefined memory when version section data needs
    to be translated, but the version xlate functions detect they cannot
    fully transform the section data.

    To make sure the dest buffer data is completely defined this patch
    makes sure all data is moved from src to dest first. This is somewhat
    inefficient since normally all data will be fully converted. But the
    translation functions have no way to indicate only partial data was
    converted.

    Reported-by: Alexander Cherepanov <cherepan@mccme.ru>
    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* Update elf.h from glibc.  [Mark Wielaard, 2015-04-28, 2 files, -10/+184]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Don't extend ELF file size with SHT_NOBITS sh_offset.  [Mark Wielaard, 2015-03-27, 2 files, -4/+8]

    Don't explicitly extend the file size for SHT_NOBITS sections. Since
    that could cause a size beyond any actual file content it will cause
    issues when the underlying ELF file has been mmapped or will extend
    the file size to increase (writing fill bytes) when not mmapped.

    The sh_offset value is essentially meaningless for SHT_NOBITS. gabi
    says that a NOBITS section sh_offset member locates the "conceptual
    placement" in the file. But it doesn't say this cannot be beyond the
    end of the file. When ELF_F_LAYOUT is set we should trust sh_offset as
    given is what is wanted for an SHT_NOBITS section without extending
    the file size.

    https://bugzilla.redhat.com/show_bug.cgi?id=1020842

    Buggy binutils ld could generate files where SHT_NOBITS sections have
    sh_offset outside the file.
    https://sourceware.org/bugzilla/show_bug.cgi?id=12921

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make __libelf_set_data_list_rdlock an internal_function.  [Mark Wielaard, 2015-02-19, 2 files, -1/+5]

    __libelf_set_data_list_rdlock from elf_getdata.c is marked as an
    internal_function in the implementation, but not in libelfP.h when it
    is declared. Add internal_function to the declaration. This broke the
    i686 build.

    Reported-by: Alexander Cherepanov <ch3root@openwall.com>
    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Consider sh_addralign 0 as 1  [Jan Kratochvil, 2015-02-07, 2 files, -1/+6]

    Currently the Koji build for arm32 fails with:

        extracting debug info from /builddir/build/BUILDROOT/etcd-2.0.0-0.3.rc1.fc22.arm/usr/bin/etcd
        Failed to write file: invalid section alignment

    This is because the binary etcd
        http://people.redhat.com/jkratoch/etcdctl.xz
    contains:

        Section Headers:
          [Nr] Name      Type  Addr      Off     Size    ES  Flg  Lk  Inf  Al
          [11] .rel.plt  REL   00459ee0  449ee0  000088  08  A    13  0    0
                                                                           ^

    which corresponds to golang's code:

        go/src/cmd/ld/elf.c
            case EM_X86_64:
                    sh = elfshname(".rela.plt");
                    sh->addralign = RegSize;
            default:
                    sh = elfshname(".rel.plt");
                    <nothing>

    ELF spec says:
        Values 0 and 1 mean the section has no alignment constraints.

    and libelf/elf32_updatenull.c really parses it that way at line 204
        ElfW2(LIBELFBITS,Word) sh_align = shdr->sh_addralign ?: 1;
    but unfortunately the later line being patched no longer does.

    libelf/
    2015-02-07  Jan Kratochvil  <jan.kratochvil@redhat.com>

        * elf32_updatenull.c (__elfw2(LIBELFBITS,updatenull_wrlock)):
        Consider sh_addralign 0 as 1.

    Signed-off-by: Jan Kratochvil <jan.kratochvil@redhat.com>
* libelf: Make sure string returned by elf_strptr is NUL terminated.  [Mark Wielaard, 2015-02-06, 2 files, -2/+26]

    The result of elf_strptr is often used directly to print or strcmp
    the string. If the section data was truncated or corrupted that could
    lead to invalid memory reads possibly crashing the application.

    https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c24

    Reported-by: Alexander Cherepanov <cherepan@mccme.ru>
    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: elf_strptr should use datalist when data has been added to section.  [Mark Wielaard, 2015-02-06, 2 files, -6/+17]

    elf_strptr always used the rawdata when available. But when data has
    been added to the section it should find the correct buffer in the
    datalist.

    Adds a large testcase that checks various ways of adding and
    extracting strings from a section.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix elf_newdata when raw ELF file/image data is available.  [Mark Wielaard, 2015-02-06, 4 files, -41/+89]

    When ELF data for a section has been read by elf_rawdata, data_read
    and rawdata_base are set, but data_list_rear will not be set until the
    data will be converted (by elf_getdata). elf_newdata would overwrite
    the existing data in that case. Both elf_getdata and elf_update rely
    on the fact that when data_list_rear is set they don't have to look at
    the raw data anymore. So make sure we update the data list properly
    before adding any new data and raw data is available in elf_newdata.

    Add newdata test that calls elf_newdata before and after elf_rawdata
    and elf_getdata and checks the new size and contents of the section.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: elf_strptr should fetch the shdr for the section if not yet known.  [Mark Wielaard, 2015-02-06, 2 files, -5/+12]

    elf_strptr might be called before the shdrs are read in. In that case
    it needs to explicitly call __elf[32|64]_getshdr_rdlock to check the
    section type and size. The new strptr testcase triggers this corner
    case and crashes before the fix.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: gelf_getphdr should check phdr index is valid.  [Mark Wielaard, 2015-01-15, 4 files, -28/+40]

    elf_getphdrnum does check that the phdrnum makes sense. But
    gelf_getphdr checked the given index against the "raw" e_phnum or
    internal __elf_getphdrnum_rdlock result without checking. Extract the
    checking code into a new internal __elf_getphdrnum_chk_rdlock function
    and use that.

    Found by afl-fuzz.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: ar_size cannot be negative. Fix max ar size.  [Mark Wielaard, 2015-01-12, 2 files, -1/+13]

    Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't
    negative. When the parent start_offset is non-zero maxsize should
    include it to compensate for ar offset.

    Found with afl-fuzz.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix dir traversal vuln in ar extraction.  [Alexander Cherepanov, 2014-12-29, 2 files, -4/+6]

    read_long_names terminates names at the first '/' found but then skips
    one character without checking (it's supposed to be '\n'). Hence the
    next name could start with any character including '/'. This leads to
    a directory traversal vulnerability at the time the contents of the
    archive are extracted.

    The danger is mitigated by the fact that only one '/' is possible in a
    resulting filename and only in the leading position. Hence only files
    in the root directory can be written via this vuln and only when ar is
    executed as root.

    The fix for the vuln is to not skip any characters while looking for
    '/'.

    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
* avoid scary command output  [Ulrich Drepper, 2014-12-18, 2 files, -1/+5]

    The commands to check for invalid text relocations in the generated
    DSOs shouldn't be displayed. They contain an echo which prints the
    text. This patch suppresses the commands from being printed.
* libelf: Make sure ar archive long_names len fits in mapped ELF file.  [Mark Wielaard, 2014-12-17, 2 files, -5/+15]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Check index_size doesn't overflow in elf_getarsym.  [Mark Wielaard, 2014-12-17, 2 files, -1/+6]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Clear any garbage left in the ar name table.  [Mark Wielaard, 2014-12-17, 2 files, -2/+11]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Correct ELF64 section offset check in file_read_elf.  [Mark Wielaard, 2014-12-15, 2 files, -2/+6]

    The ELF64 case didn't check for overflow and accidentally used the
    32bit Shdr size.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Add some ar header sanity checking.  [Mark Wielaard, 2014-12-15, 2 files, -3/+18]

    Don't allow entries or size to overflow the parent file size.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Make sure n * w doesn't overflow in elf_getarsym.  [Mark Wielaard, 2014-12-12, 2 files, -1/+5]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* Add configure --disable-textrelcheck option to enable CC=afl-fuzz on 32bit.  [Mark Wielaard, 2014-12-04, 2 files, -1/+5]

    Using american fuzzy lop has found a lot of issues. It would be nice
    to make using it a bit easier. Our build files make sure that no
    shared library uses text relocations, but afl-gcc will insert some on
    i686. http://www.akkadia.org/drepper/textrelocs.html

    Now CC=afl-gcc ./configure --disable-textrelcheck will allow them so
    that afl can instrument the libraries. Don't try to use or install
    them except with afl-fuzz. When selinux is enabled it might prevent
    loading the libraries with DT_TEXTREL set.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Change signed overflow check to unsigned in elf_getdata_rawchunk.  [Mark Wielaard, 2014-11-26, 2 files, -3/+9]

    Arithmetic of signed values that overflow causes undefined behaviour.
    Change to explicit unsigned arithmetic overflow check.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Copy over any leftover data from src to dest in elf_cvt_note.  [Mark Wielaard, 2014-11-26, 2 files, -1/+11]

    If any data is left then the data is likely part of the truncated note
    name/desc. This probably means the note is corrupted, but it is better
    to have the actual data in dest instead of random uninitialized
    memory.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: elf_getphdrnum sanity check the returned phnum result.  [Mark Wielaard, 2014-11-26, 2 files, -0/+38]

    The internal __elf_getphdrnum_rdlock might return an inconsistent
    phnum. Return a sanitized value, or return an error to users that rely
    on phnum to be consistent. That way iterating over all phdrs using
    elf_getphdr will return consistent results.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Check for overflow in version_xlate elf_cvt_Verdef and elf_cvt_Verneed.  [Mark Wielaard, 2014-11-18, 2 files, -4/+9]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* Check elf_strptr didn't fail getting section name.  [Mark Wielaard, 2014-11-17, 2 files, -2/+7]

    Since elf_strptr can fail and return NULL we should always check the
    result before usage. Debug sections are only handled by section name,
    so make sure the name actually exists.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: elf_getshdrstrndx cannot use SHN_XINDEX without section headers.  [Mark Wielaard, 2014-11-17, 2 files, -0/+20]

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* libelf: Fix handling of (extended) phnum.  [Mark Wielaard, 2014-11-17, 3 files, -7/+24]

    If there is no e_phoff e_phnum cannot be trusted. Extended phnum can
    only be gotten if we have an actual section table and a shdr for
    section zero. Extended phnum can be too large to fit in the file (or
    a size_t).

    Signed-off-by: Mark Wielaard <mjw@redhat.com>
* gelf_getnote: Check padding overflow.  [Mark Wielaard, 2014-11-16, 2 files, -2/+11]

    Since ELF notes need to be properly aligned they can include padding.
    Make sure the padding itself and the padding calculation doesn't
    overflow.

    Signed-off-by: Mark Wielaard <mjw@redhat.com>