| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
When e_version is EV_NONE we should set it to EV_CURRENT like we do for
the EI_VERSION and like we set EI_DATA to the correct byte order when set
to ELFDATANONE. Likewise we should always set e_shentsize like we do for
e_phentsize, not just when ELF_F_LAYOUT isn't set.
Add a new elfshphehdr testcase to check the above.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we banned old style function definitions GCC is able to diagnose
function definitions that don't match the function declaration:
elf32_getehdr.c:78: error: conflicting types for ‘__elf64_getehdr_wrlock’
libelfP.h:498: note: previous declaration of ‘__elf64_getehdr_wrlock’
This happens on i386 because there internal functions are marked with:
# define internal_function __attribute__ ((regparm (3), stdcall))
Make sure all internal function declarations and definitions are marked
with internal_function.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
We already require -std=gnu99 and old-style function definitions might
hide some compiler warnings.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
Our dl-hash.h implementation originally came from, or was written at the
same time as, the glibc implementation. At some point (around 9 years ago)
they diverged and the elfutils version got an updated copyright header.
The glibc version saw various updates/optimizations. Just treat the file
like we do for elf.h and copy it whenever the glibc version is updated.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
When something goes wrong during the update make sure to always free any
temporary allocated memory (shdr_data and/or scns).
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When elf_update.c (write_file) doesn't know the current maximum file length
it might have to reduce the file size. posix_fallocate can only extend the
file. So always call ftruncate before that to set the file size and making
sure the backing store is fully there. Add test cases for checking strip
in place (eu-strip without -o) actually reduces the file size. But only
for non-ET_REL files. We might not be able to strip ET_REL files (except
when they are kernel modules) because they might contain "dangling" symbol
table entries.
https://bugzilla.redhat.com/show_bug.cgi?id=1232206
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
elf_getdata_rawchunk might return an unaligned buffer for the requested
ELF data type. Make sure the data is also correctly aligned when using
an mmapped file. Also add some missing alignments for ELF data types
for __libelf_type_align (the missing types could also make elf_getdata
to return unaligned data).
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
| |
The gelf_xlate conversion functions work on properly aligned ELF data
types. If elf_get data needs to do conversion and ! ALLOW_UNALIGNED
and the rawdata_base isn't aligned properly for the section type, then
provide an aligned copy of the data.
Found with --enable-sanitize-undefined in run-test-archive64.sh on x86_64.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
| |
In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly
aligned, but to access the Shdr directly we need to check whether the
address that points to the Elf(32|64)_Shdr structure is correctly aligned.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are various places in the code that check whether mmapped structures
are correctly aligned (or ALLOW_UNALIGNED is set). Some of these checks
are asserts. Like the one in elf(32|64)_getshdr. We should not get into
that part of the code if the shdr scn structure was cached in elf_begin
because it was mmapped in and properly aligned.
These asserts could trigger because in elf_begin.c file_read_elf ()
all alignment checks were combined. So even though only one of the ehdr,
shdr or phdr structures were not properly aligned all structures would be
copied. Also the phdr structure was not even read in elf_begin, so the
alignment check was unnecessary.
This patch splits the alignment checks and reading of ehdr and shdr
structures into separate code paths. It also drops the phdr alignment
checks in elf_begin. Those phdr checks are done in elf(32|64)_getphdr
already.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
When a copy needs to be made of the shdrs, allocate with malloc and free
after conversion instead of calling alloca.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
When a copy needs to be made of the phdrs, allocate with malloc and free
after conversion instead of calling alloca.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
The number of entries in the index can be large, don't use alloca to
read in temporary data, use malloc (which is freed after out).
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
| |
When size is zero the buffer src and dest buffers might be NULL.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
When d_size is zero d_buf might be NULL. last_position doesn't need to be
updated in that case.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
Allocate shdr_data and scns with malloc, not alloca. Free after writing
section headers.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
Allocate temporary shdr storage with malloc, not alloca. Free after
writing section headers.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
The number of entries in the index can be large, don't use alloca to
read in temporary data, use malloc (and free after out).
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes an obscure SIGBUS error when using ELF_C_WRITE_MMAP on an ELF
file that needs extending when the underlying file system is (nearly) full.
Use posix_fallocate to make sure the file content is really there. Using
ftruncate might mean the file is extended, but space isn't allocated yet.
This might cause a SIGBUS once we write into the mmapped space and the disk
is full.
Using fallocate might fail on some file systems. posix_fallocate is
required to extend the file and allocate enough space even if the
underlying filesystem would normally return EOPNOTSUPP or the kernel
doesn't implement the fallocate syscall. Also posix_fallocate has been in
glibc since 2.1.94, while support for fallocate was only added in 2.10
and kernel 2.6.23.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
If phnum is zero make sure e_phoff is also zero and not some random value.
That would cause trouble in update_file. This could happen when ELF_F_LAYOUT
is set and the user copied over a ehdr from a bogus ELF file where the phdrs
are unreadable. In that case trying to write out the new ELF image would
crash trying to follow the bogus e_phdr value.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were two issues with bogus sh_addralign values. First we would only
check the individual Elf_Data d_align values were powerof2. But not the
actual shdr addralign value. This would cause an issue if the shdr addralign
was bigger than all of the individual d_align values. Then we could write
out a bogus (! powerof2) shdr addralign value for the sections. Secondly
when reading in the Elf_Data we would set the d_align value to the value
of the shdr addralign value. But we would not check it was valid at all.
In practice there are ELF files with incorrect sh_addralign values (they
are a powerof2, but aren't aligned to the ELF image offset). We would try
to fix that up in elf_update by adding extra padding. But this could bloat
the ELF image a lot for large alignment values. So for too large alignments
that are bigger than the offset in the ELF file clamp them to the offset
value. This could lead us to reject to write out the data again when the
offset was not a powerof2. But this will only happen for aligment values
bigger than 64. Which are uncommon in practice.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
Creating phdr with more than PN_XNUM phnum requires a valid section zero
shdr to store the extended value. Make sure the shdrs are valid. Also fix
the error when count was too big to store by setting ELF_E_INVALID_INDEX
before failing.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
Don't trust the elf version given by the file. It could be completely
bogus. In which case gelf_fsize just returns zero. Which could cause
divide by zero errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c34
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c16
contains an example of usage of undefined memory when version section
data needs to be translated, but the version xlate functions detect they
cannot fully transform the section data. To make sure the dest buffer
data is completely defined this patch makes sure all data is moved
from src to dest first. This is somewhat inefficient since normally
all data will be fully converted. But the translation functions have
no way to indicate only partial data was converted.
Reported-by: Alexander Cherepanov <[email protected]>
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't explicitly extend the file size for SHT_NOBITS sections. Since
that could cause a size beyond any actual file content it will cause
issues when the underlying ELF file has been mmapped or will extend
the file size to increase (writing fill bytes) when not mmapped. The
sh_offset value is essentially meaningless for SHT_NOBITS. gabi says
that a NOBITS section sh_offset member locates the "conceptual
placement" in the file. But it doesn't say this cannot be beyond the
enf of the file. When ELF_F_LAYOUT is set we should trust sh_offset
as given is what is wanted for an SHT_NOBITS section without extending
the file size.
https://bugzilla.redhat.com/show_bug.cgi?id=1020842
Buggy binutils ld could generate files where SHT_NOBITS sections have
sh_offset outside the file.
https://sourceware.org/bugzilla/show_bug.cgi?id=12921
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
__libelf_set_data_list_rdlock from elf_getdata.c is marked as an
internal_function in the implementation, but not in libelfP.h when it
is declared. Add internal_function to the declaration. This broke
the i686 build.
Reported-by: Alexander Cherepanov <[email protected]>
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the Koji build for arm32 fails with:
extracting debug info from /builddir/build/BUILDROOT/etcd-2.0.0-0.3.rc1.fc22.arm/usr/bin/etcd
Failed to write file: invalid section alignment
This is because the binary etcd
http://people.redhat.com/jkratoch/etcdctl.xz
contains:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[11] .rel.plt REL 00459ee0 449ee0 000088 08 A 13 0 0
^
which corresponds to golang's code:
go/src/cmd/ld/elf.c
case EM_X86_64:
sh = elfshname(".rela.plt");
sh->addralign = RegSize;
default:
sh = elfshname(".rel.plt");
<nothing>
ELF spec says:
Values 0 and 1 mean the section has no alignment constraints.
and libelf/elf32_updatenull.c really parses it that way at line 204
ElfW2(LIBELFBITS,Word) sh_align = shdr->sh_addralign ?: 1;
but unfortunately the later line being patched no longer does.
libelf/
2015-02-07 Jan Kratochvil <[email protected]>
* elf32_updatenull.c (__elfw2(LIBELFBITS,updatenull_wrlock)): Consider
sh_addralign 0 as 1.
Signed-off-by: Jan Kratochvil <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
The result of elf_strptr is often used directly to print or strcmp
the string. If the section data was truncated or corrupted that could
lead to invalid memory reads possibly crashing the application.
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c24
Reported-by: Alexander Cherepanov <[email protected]>
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
elf_strptr always used the rawdata when available. But when data has been
added to the section it should find the correct buffer in the datalist.
Adds a large testcase that checks various ways of adding and extracting
strings from a section.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When ELF data for a section has been read by elf_rawdata, data_read
and rawdata_base are set, but data_list_rear will not be set until the
data will be converted (by elf_getdata). elf_newdata would overwrite
the existing data in that case. Both elf_getdata and elf_update rely
on the fact that when data_list_rear is set they don't have to look
at the raw data anymore. So make sure we update the data list properly
before adding any new data and raw data is available in elf_newdata.
Add newdata test that calls elf_newdata before and after elf_rawdata
and elf_getdata and checks the new size and contents of the section.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
elf_strptr might be called before the shdrs are read in. In that case it
needs to explicitly call __elf[32|64]_getshdr_rdlock to check the section
type and size. The new strptr testcase triggers this corner case and crashes
before the fix.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
elf_getphdrnum does checks the phdrnum makes sense. But gelf_getphdr
checked the given index against the "raw" e_phnum or internal
__elf_getphdrnum_rdlock result without checking. Extract the checking
code into a new internal __elf_getphdrnum_chk_rdlock function and
use that.
Found by afl-fuzz.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't negative.
When the parent start_offset is non-zero maxsize should include it to
compensate for ar offset.
Found with afl-fuzz.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
read_long_names terminates names at the first '/' found but then skips
one character without checking (it's supposed to be '\n'). Hence the
next name could start with any character including '/'. This leads to
a directory traversal vulnerability at the time the contents of the
archive is extracted.
The danger is mitigated by the fact that only one '/' is possible in a
resulting filename and only in the leading position. Hence only files
in the root directory can be written via this vuln and only when ar is
executed as root.
The fix for the vuln is to not skip any characters while looking
for '/'.
Signed-off-by: Alexander Cherepanov <[email protected]>
|
| |
|
|
|
|
| |
The commands to check for invalid text relocations in the generated DSOs
shouldn't be displayed. They contain an echo which prints the text.
This patch suppresses the commands from being printed.
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
The ELF64 case didn't check for overflow and accidentially used the 32bit
Shdr size.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
| |
Don't allow entries or size to overflow the parent file size.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using american fuzzy lop has found a lot of issues. It would be nice to
make using it a bit easier. Our build files make sure that no shared
library uses text relocations, but afl-gcc will insert some on i686.
http://www.akkadia.org/drepper/textrelocs.html
Now CC=afl-gcc ./configure --disable-textrelcheck will allow them so
that afl can instrument the libraries.
Don't try to use or install them except with afl-fuzz. When selinux is
enabled it might prevent loading the libraries with DT_TEXTREL set.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
| |
Arithmetic of signed values that overflow causes undefined behaviour
Change to explicit unsigned arithmetic overflow check.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
| |
If any data is left then the data is likely part of the truncated note
name/desc. This probably means the note is corrupted, but it is better
to have the actual data in dest instead of random uninitialized memory.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
The internal __elf_getphdrnum_rdlock might return an inconsistent phnum.
Return a sanitized value, or return an error to users that rely on phnum
to be consistent. That way iterating over all phdrs using elf_getphdr
will return consistent results.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
|
|
|
|
| |
Since elf_strptr can fail and return NULL we should always check the result
before usage. Debug sections are only handled by section name, so make sure
the name actually exists.
Signed-off-by: Mark Wielaard <[email protected]>
|
| |
|
|
| |
Signed-off-by: Mark Wielaard <[email protected]>
|
