[guix.git] / gnu / packages / patches / upx-fix-CVE-2017-15056.patch
1 From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001
2 From: Pierre Neidhardt <ambrevar@gmail.com>
3 Date: Sat, 16 Jun 2018 16:35:00 +0200
4 Subject: [PATCH] Protect against bad crafted input
6 Also check for wrap-around when checking oversize involving e_shoff and e_shnum.
8 raised by https://github.com/upx/upx/pull/190
9 modified: p_lx_elf.cpp
10 ---
11 src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++
12 1 file changed, 30 insertions(+)
14 diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
15 index 822a7652..41e805ee 100644
16 --- a/src/p_lx_elf.cpp
17 +++ b/src/p_lx_elf.cpp
18 @@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
19 sz_phdrs = 0;
20 return;
22 + if (0==e_phnum) throwCantUnpack("0==e_phnum");
23 e_phoff = get_te32(&ehdri.e_phoff);
24 + unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
25 + if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
26 + throwCantUnpack("bad e_phoff");
27 + }
28 e_shoff = get_te32(&ehdri.e_shoff);
29 + unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
30 + if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
31 + throwCantUnpack("bad e_shoff");
32 + }
33 sz_phdrs = e_phnum * e_phentsize;
35 if (f && Elf32_Ehdr::ET_DYN!=e_type) {
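Review bot: The new bound on the program-header table is computed with `sizeof(Elf32_Phdr)`, but the context line just below still sets `sz_phdrs = e_phnum * e_phentsize`, so the range that was checked and the size used later can differ unless e_phentsize is already forced equal to sizeof(Elf32_Phdr). That earlier validation, if it exists, is outside the hunk; if it does not, add `if (e_phentsize != sizeof(Elf32_Phdr)) throwCantUnpack("bad e_phentsize");` ahead of the last_Phdr computation. The section-header bound has the same dependency on an e_shentsize check that is not visible here, and the PackLinuxElf64help1 hunk mirrors both. The function starts and ends outside the hunk.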
36 @@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
37 sz_phdrs = 0;
38 return;
40 + if (0==e_phnum) throwCantUnpack("0==e_phnum");
41 e_phoff = get_te64(&ehdri.e_phoff);
42 + upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
43 + if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
44 + throwCantUnpack("bad e_phoff");
45 + }
46 e_shoff = get_te64(&ehdri.e_shoff);
47 + upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
48 + if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
49 + throwCantUnpack("bad e_shoff");
50 + }
51 sz_phdrs = e_phnum * e_phentsize;
53 if (f && Elf64_Ehdr::ET_DYN!=e_type) {
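Review bot: Both comparisons in this hunk cast file_size to `unsigned long` while last_Phdr and last_Shdr are `upx_uint64_t`, so on hosts where unsigned long is 32 bits the file size is truncated before it is compared with a 64-bit end offset. Assuming file_size is a 64-bit offset type (its declaration is outside the hunk), the bound would be wrong for inputs of 4 GiB or more; casting to the width of the other operand avoids that: `if (last_Phdr < e_phoff || (upx_uint64_t)file_size < last_Phdr) {` and likewise for last_Shdr. If file_size is signed, a negative value would also become a very large bound after the cast, so it is worth confirming that it cannot be negative here.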
54 @@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
56 void PackLinuxElf64::unpack(OutputFile *fo)
58 + if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr
59 + throwCantUnpack("bad e_phoff");
60 + }
61 unsigned const c_phnum = get_te16(&ehdri.e_phnum);
62 upx_uint64_t old_data_off = 0;
63 upx_uint64_t old_data_len = 0;
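Review bot: The message `"bad e_phoff"` thrown here is the same string the patch uses in PackLinuxElf64help1 for the file-size bound, so a user report or triage log cannot tell whether the table ran past the end of the file or was only non-contiguous with the Ehdr. A distinct message keeps the two rejections apart, for example `throwCantUnpack("e_phoff != sizeof(Elf64_Ehdr)");`. The PackLinuxElf32::unpack hunk repeats the same string and would take the matching change. unpack's body continues outside the hunk.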
64 @@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
65 unsigned total_out = 0;
66 unsigned c_adler = upx_adler32(NULL, 0);
67 unsigned u_adler = upx_adler32(NULL, 0);
68 + if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {
69 + throwCantUnpack("bad compressed e_phnum");
70 + }
72 // Packed ET_EXE has no PT_DYNAMIC.
73 // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
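Review bot: The added bound rejects a u_phnum that is too large for MAX_ELF_HDR but lets `u_phnum == 0` through, whereas the same patch rejects `0==e_phnum` for the outer header in help1. Whether the code after this point copes with an empty program-header table is not visible in the hunk, so treating zero as malformed here too would be the consistent choice: `if (0==u_phnum || (MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) {`. A short comment such as `// u_phnum comes from the decompressed Ehdr; its Phdr table must fit in MAX_ELF_HDR` would also record why the division form is used. The PackLinuxElf32::unpack hunk at the end of the patch has the same gap.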
74 @@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
76 void PackLinuxElf32::unpack(OutputFile *fo)
78 + if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr
79 + throwCantUnpack("bad e_phoff");
80 + }
81 unsigned const c_phnum = get_te16(&ehdri.e_phnum);
82 unsigned old_data_off = 0;
83 unsigned old_data_len = 0;
84 @@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo)
85 unsigned total_out = 0;
86 unsigned c_adler = upx_adler32(NULL, 0);
87 unsigned u_adler = upx_adler32(NULL, 0);
88 + if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) {
89 + throwCantUnpack("bad compressed e_phnum");
90 + }
92 // Packed ET_EXE has no PT_DYNAMIC.
93 // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld.
94 --
95 2.17.0