From 2ec518247897bfa41327db2627e1e6112e5d59da Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Sun, 31 May 2015 16:05:34 +0200
Subject: libelf: Fix possible unbounded stack usage in getphdr_wrlock.

When a copy needs to be made of the phdrs, allocate with malloc and free after conversion instead of calling alloca.

Signed-off-by: Mark Wielaard
---
 libelf/ChangeLog | 5 +++++
 libelf/elf32_getphdr.c | 18 ++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'libelf')
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4fd3f9f5..65f9112d 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-31 Mark Wielaard
+
+ * elf32_getphdr.c (getphdr_wrlock): Allocate phdrs with malloc, not
+ alloca and free after conversion when a copy needs to be made.
+
 2015-05-31 Mark Wielaard
 
 * elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 1b82a480..38e489dc 100644
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -141,13 +141,20 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 }
 else
 {
- if (ALLOW_UNALIGNED
- || ((uintptr_t) file_phdr
- & (__alignof__ (ElfW2(LIBELFBITS,Phdr)) - 1)) == 0)
+ bool copy = ! (ALLOW_UNALIGNED
+ || ((uintptr_t) file_phdr
+ & (__alignof__ (ElfW2(LIBELFBITS,Phdr))
+ - 1)) == 0);
+ if (! copy)
 notcvt = file_phdr;
 else
 {
- notcvt = (ElfW2(LIBELFBITS,Phdr) *) alloca (size);
+ notcvt = (ElfW2(LIBELFBITS,Phdr) *) malloc (size);
+ if (unlikely (notcvt == NULL))
+ {
+ __libelf_seterrno (ELF_E_NOMEM);
+ goto out;
+ }
 memcpy (notcvt, file_phdr, size);
 }
 
@@ -162,6 +169,9 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 CONVERT_TO (phdr[cnt].p_flags, notcvt[cnt].p_flags);
 CONVERT_TO (phdr[cnt].p_align, notcvt[cnt].p_align);
 }
+
+ if (copy)
+ free (notcvt);
 }
 }
 }
-- cgit v1.2.3
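Review bot: The new ELF_E_NOMEM path in the first elf32_getphdr.c hunk does `goto out` without undoing the destination `phdr` array that the CONVERT_TO loop below is about to fill; that allocation and the `out` label are outside the hunk, but if `out` hands back whatever is stored in the elf state (as the pread error path in this function appears to do after explicitly freeing and clearing it), the caller receives a non-NULL pointer to a never-converted buffer with only errno signalling the failure. Mirroring that other error path before the jump would close the gap: `free (phdr); elf->state.ELFW(elf,LIBELFBITS).phdr = NULL; goto out;` — confirm against the code around the `out` label before applying. The `if (copy) free (notcvt);` in the second hunk is correctly reached only after a successful malloc, so there is no leak on the error path. Separately, the hunk introduces `bool`; if libelfP.h or the file's includes do not already provide <stdbool.h>, it needs adding. getphdr_wrlock's body begins and ends outside these hunks.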