From cf954a8d42716d004bcdece09e11724c82375207 Mon Sep 17 00:00:00 2001
From: Serge Lamikhov-Center <to_serge@hotmail.com>
Date: Sun, 19 Jun 2022 17:37:22 +0300
Subject: [PATCH] Prevent memory access to data outside the notes' section

---
 .vscode/launch.json    |  2 +-
 .vscode/tasks.json     | 21 ++++++++++++++++++++-
 elfio/elfio_note.hpp   | 12 ++++++++----
 tests/elfio_fuzzer.cpp | 18 +++++++++++++++++-
 4 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/.vscode/launch.json b/.vscode/launch.json
index 0a5d80c..c25b5c5 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -102,7 +102,7 @@
             "request": "launch",
             "program": "${workspaceFolder}/tests/elfio_fuzzer",
             "args": [
-                "slow-unit-82cabac818b690bc042110f7b073e63462c7553d"
+                "crash-98819328ee414bbba1ee50073d66c0727d60a7af"
             ],
             "cwd": "${workspaceFolder}/tests",
         }
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 2e010ce..27d3297 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -64,7 +64,7 @@
             "args": [
                 "-g",
                 "-O0",
-                "-fsanitize=fuzzer",
+                "-fsanitize=fuzzer,address",
                 "-I..",
                 "elfio_fuzzer.cpp",
                 "-o",
@@ -80,6 +80,25 @@
             "problemMatcher": [
                 "$gcc"
             ]
+        },
+        {
+            "type": "shell",
+            "label": "Fuzzer Tests",
+            "command": "./elfio_fuzzer",
+            "args": [
+                "-jobs=8",
+                "corpus"
+            ],
+            "options": {
+                "cwd": "${workspaceRoot}/tests"
+            },
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "problemMatcher": [
+                "$gcc"
+            ]
         }
     ],
     "version": "2.0.0"
diff --git a/elfio/elfio_note.hpp b/elfio/elfio_note.hpp
index e8494d9..db52314 100644
--- a/elfio/elfio_note.hpp
+++ b/elfio/elfio_note.hpp
@@ -145,14 +145,18 @@ class note_section_accessor_template
 
         Elf_Word align = sizeof( Elf_Word );
         while ( current + (Elf_Xword)3 * align <= size ) {
-            note_start_positions.emplace_back( current );
             Elf_Word namesz = convertor( *(const Elf_Word*)( data + current ) );
             Elf_Word descsz = convertor(
                 *(const Elf_Word*)( data + current + sizeof( namesz ) ) );
+            Elf_Word advance =
+                (Elf_Xword)3 * sizeof( Elf_Word ) +
+                ( ( namesz + align - 1 ) / align ) * (Elf_Xword)align +
+                ( ( descsz + align - 1 ) / align ) * (Elf_Xword)align;
+            if ( current + advance <= size ) {
+                note_start_positions.emplace_back( current );
+            }
 
-            current += (Elf_Xword)3 * sizeof( Elf_Word ) +
-                       ( ( namesz + align - 1 ) / align ) * (Elf_Xword)align +
-                       ( ( descsz + align - 1 ) / align ) * (Elf_Xword)align;
+            current += advance;
         }
     }
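Review bot: The new bounds check can still admit a note whose name or descriptor runs past the section, because `advance` is declared `Elf_Word` while its right-hand side is computed as `Elf_Xword`, so the sum is narrowed on assignment, and `( namesz + align - 1 )` is evaluated in `Elf_Word` width (both operands are `Elf_Word`) and wraps for a `namesz` close to the type's maximum; if `Elf_Word` is 32-bit, as the ELF type names suggest, a crafted pair of huge `namesz`/`descsz` values then yields a small `advance`, `current + advance <= size` passes, and `current` is recorded as a valid note start even though its payload lies outside the section. Declare `Elf_Xword advance =` and promote before rounding, `( ( (Elf_Xword)namesz + align - 1 ) / align ) * align +` (and the same for `descsz`), so both the rounding and the comparison happen in the wider type; the loop condition alone only guarantees that the 12-byte header itself is readable. Whatever later reads a note through `note_start_positions` is outside this hunk, so I cannot confirm it re-checks the sizes — worth verifying. The enclosing function, including the declarations of `current` and `size`, starts before this hunk.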
 
diff --git a/tests/elfio_fuzzer.cpp b/tests/elfio_fuzzer.cpp
index 8154a11..6589d18 100644
--- a/tests/elfio_fuzzer.cpp
+++ b/tests/elfio_fuzzer.cpp
@@ -2,15 +2,31 @@
 #include <sstream>
 
 #include <elfio/elfio.hpp>
+#include <elfio/elfio_dump.hpp>
+
 using namespace ELFIO;
 
 extern "C" int LLVMFuzzerTestOneInput( const uint8_t* Data, size_t Size )
 {
     std::string        str( (const char*)Data, Size );
     std::istringstream ss( str );
+    std::ostringstream oss;
 
     elfio elf;
-    elf.load( ss );
+
+    if ( !elf.load( ss ) ) {
+        return 0;
+    }
+
+    dump::header( oss, elf );
+    dump::section_headers( oss, elf );
+    dump::segment_headers( oss, elf );
+    dump::symbol_tables( oss, elf );
+    dump::notes( oss, elf );
+    dump::modinfo( oss, elf );
+    dump::dynamic_tags( oss, elf );
+    dump::section_datas( oss, elf );
+    dump::segment_datas( oss, elf );
 
     return 0;
 }
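Review bot: The harness only catches the out-of-bounds read this patch fixes when it is built with AddressSanitizer, which this commit enables solely in the VS Code task (`-fsanitize=fuzzer,address`); built without it, `LLVMFuzzerTestOneInput` returns 0 on the same input and the defect goes unnoticed. A header comment above the function stating the expected build flags, e.g. `// Build with: -g -O0 -fsanitize=fuzzer,address -I.. (see .vscode/tasks.json)`, would keep command-line runs equivalent to the editor task. As a point of style, the C-style cast `(const char*)Data` would read better as `reinterpret_cast<const char*>( Data )`, matching the cast conventions a `clang-tidy` pass would enforce on the rest of the file.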
-- 
GitLab