libdw: check that DWARF strings are null-terminated

It is expected from libdw to return strings that are null-terminated to avoid overflowing ELF data. * Add calculation of a safe prefix inside string sections, where any string will be null-terminated. * Check if offset overflows the safe prefix in dwarf_formstring. Signed-off-by: Aleksei Vetrov <[email protected]>
author: Aleksei Vetrov <[email protected]> 2023-02-14 20:30:02 +0000
committer: Mark Wielaard <[email protected]> 2023-02-17 00:18:53 +0100
commit: fda09f5f188fb173b2123815be71ca4647a8adfb (patch)
tree: fc66ad4c3abae0765528e7b7bbb622882d4e9182 /libdw/dwarf_formstring.c
parent: 73e212b0a778c6dbe84f79b7eb2647dea50ea16f (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libdw/dwarf_formstring.c b/libdw/dwarf_formstring.c
index c3e892a8..0ee42411 100644
--- a/libdw/dwarf_formstring.c
+++ b/libdw/dwarf_formstring.c
@@ -61,6 +61,9 @@ dwarf_formstring (Dwarf_Attribute *attrp)
   Elf_Data *data = ((attrp->form == DW_FORM_line_strp)
 		    ? dbg_ret->sectiondata[IDX_debug_line_str]
 		    : dbg_ret->sectiondata[IDX_debug_str]);
+  size_t data_size = ((attrp->form == DW_FORM_line_strp)
+		      ? dbg_ret->string_section_size[STR_SCN_IDX_debug_line_str]
+		      : dbg_ret->string_section_size[STR_SCN_IDX_debug_str]);
   if (data == NULL)
     {
       __libdw_seterrno ((attrp->form == DW_FORM_line_strp)
@@ -171,7 +174,7 @@ dwarf_formstring (Dwarf_Attribute *attrp)
       else
 	off = read_8ubyte_unaligned (dbg, datap);
 
-      if (off > dbg->sectiondata[IDX_debug_str]->d_size)
+      if (off >= data_size)
 	goto invalid_offset;
     }
author	Aleksei Vetrov <[email protected]>	2023-02-14 20:30:02 +0000
committer	Mark Wielaard <[email protected]>	2023-02-17 00:18:53 +0100
commit	fda09f5f188fb173b2123815be71ca4647a8adfb (patch)
tree	fc66ad4c3abae0765528e7b7bbb622882d4e9182 /libdw/dwarf_formstring.c
parent	73e212b0a778c6dbe84f79b7eb2647dea50ea16f (diff)