authorJohn Ogness <[email protected]>2016-06-23 16:03:58 +0200
committerMark Wielaard <[email protected]>2016-06-28 20:19:24 +0200
commit96e140f6687922606657a76f185a73cf47908ef2 (patch)
tree21b2be7ae43403b06511775c0ab5cfa4937af581 /libelf
parent9a36c9226c4a237208a7735f0e6a6fd1eefb60ab (diff)
libelf: find 1st section instead of assuming
When getting section headers it is assumed that the first section is on the first section list. However, it is possible that the first section list only contains the zeroth section, in which case either illegal memory access occurs or elf_nextscn() erroneously returns NULL. With this patch, checks are added to avoid the illegal memory access and (if available) the second section list is looked at to find the first section. A new test emptyfile is added that tests adding a section to an "empty" ELF file 32/64 class with ELF_C_RDWR[_MMAP]. Signed-off-by: John Ogness <[email protected]> Signed-off-by: Mark Wielaard <[email protected]>
Diffstat (limited to 'libelf')
-rw-r--r--libelf/ChangeLog6
-rw-r--r--libelf/elf32_updatenull.c11
-rw-r--r--libelf/elf_nextscn.c38
3 files changed, 32 insertions, 23 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 4b9f2736..82a2a9f4 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2016-06-24 John Ogness <[email protected]>
+
+ * elf32_updatenull.c (updatenull_wrlock): Find first section.
+ * elf_nextscn.c (elf_nextscn): When scn is NULL start from 0th
+ section.
+
2016-06-28 Richard Henderson <[email protected]>
* elf.h: Update from glibc. Add lots of new EM_* definitions.
diff --git a/libelf/elf32_updatenull.c b/libelf/elf32_updatenull.c
index 03de0321..75070628 100644
--- a/libelf/elf32_updatenull.c
+++ b/libelf/elf32_updatenull.c
@@ -180,6 +180,7 @@ __elfw2(LIBELFBITS,updatenull_wrlock) (Elf *elf, int *change_bop, size_t shnum)
if (shnum > 0)
{
+ struct Elf_Scn *scn1 = NULL;
Elf_ScnList *list;
bool first = true;
@@ -198,10 +199,16 @@ __elfw2(LIBELFBITS,updatenull_wrlock) (Elf *elf, int *change_bop, size_t shnum)
/* Go over all sections and find out how large they are. */
list = &elf->state.ELFW(elf,LIBELFBITS).scns;
+ /* Find the first section. */
+ if (list->cnt > 1)
+ scn1 = &list->data[1];
+ else if (list->next != NULL)
+ scn1 = &list->next->data[0];
+
/* Load the section headers if necessary. This loads the
headers for all sections. */
- if (list->data[1].shdr.ELFW(e,LIBELFBITS) == NULL)
- (void) __elfw2(LIBELFBITS,getshdr_wrlock) (&list->data[1]);
+ if (scn1 != NULL && scn1->shdr.ELFW(e,LIBELFBITS) == NULL)
+ (void) __elfw2(LIBELFBITS,getshdr_wrlock) (scn1);
do
{
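Review bot: The fallback branch takes `&list->next->data[0]` without checking that the chained list holds an entry; nothing in this hunk establishes `list->next->cnt > 0`. Since libelf is commonly run over ELF files it did not create, I would write the condition as `else if (list->next != NULL && list->next->cnt > 0)` so that scn1 stays NULL instead of pointing at an unpopulated slot. The same invariant protects `result = &list->data[0]` in the second elf_nextscn.c hunk only through `assert (list->cnt > 0)`, which is compiled out under NDEBUG. The result of `getshdr_wrlock` is still discarded by the `(void)` cast, and the `do` loop that consumes the headers begins at the end of this hunk and continues outside it, so whether a failed header load is handled there cannot be confirmed from here.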
diff --git a/libelf/elf_nextscn.c b/libelf/elf_nextscn.c
index 62cb8914..d2f3e7cb 100644
--- a/libelf/elf_nextscn.c
+++ b/libelf/elf_nextscn.c
@@ -41,6 +41,7 @@
Elf_Scn *
elf_nextscn (Elf *elf, Elf_Scn *scn)
{
+ Elf_ScnList *list;
Elf_Scn *result = NULL;
if (elf == NULL)
@@ -50,34 +51,29 @@ elf_nextscn (Elf *elf, Elf_Scn *scn)
if (scn == NULL)
{
- /* If no section handle is given return the first (not 0th) section. */
+ /* If no section handle is given return the first (not 0th) section.
+ Set scn to the 0th section and perform nextscn. */
if (elf->class == ELFCLASS32
|| (offsetof (Elf, state.elf32.scns)
== offsetof (Elf, state.elf64.scns)))
- {
- if (elf->state.elf32.scns.cnt > 1)
- result = &elf->state.elf32.scns.data[1];
- }
+ list = &elf->state.elf32.scns;
else
- {
- if (elf->state.elf64.scns.cnt > 1)
- result = &elf->state.elf64.scns.data[1];
- }
+ list = &elf->state.elf64.scns;
+
+ scn = &list->data[0];
}
else
+ list = scn->list;
+
+ if (scn + 1 < &list->data[list->cnt])
+ result = scn + 1;
+ else if (scn + 1 == &list->data[list->max]
+ && (list = list->next) != NULL)
{
- Elf_ScnList *list = scn->list;
-
- if (scn + 1 < &list->data[list->cnt])
- result = scn + 1;
- else if (scn + 1 == &list->data[list->max]
- && (list = list->next) != NULL)
- {
- /* If there is another element in the section list it must
- have at least one entry. */
- assert (list->cnt > 0);
- result = &list->data[0];
- }
+ /* If there is another element in the section list it must
+ have at least one entry. */
+ assert (list->cnt > 0);
+ result = &list->data[0];
}
rwlock_unlock (elf->lock);
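Review bot: The two first-section lookups added by this commit use different tests and agree only under an invariant that is not written down anywhere in the visible code. Here the NULL path moves on to `list->next` only when `scn + 1 == &list->data[list->max]`, i.e. when the first list has room for exactly the 0th section, while elf32_updatenull.c takes `list->next` whenever `list->cnt <= 1` and a next list exists. If a next list is only ever chained once the current one is full the two are equivalent, but that deserves a comment above the `if`, for example `/* A next list is only chained when this one is full (cnt == max). */`, or a small shared helper so the two call sites cannot drift apart. The function's tail after `rwlock_unlock` lies outside the hunk.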