[CRIU] [PATCH] compel handle_elf(): fix strings sect bounds check

Cyrill Gorcunov gorcunov at gmail.com
Thu Dec 8 01:24:25 PST 2016


On Wed, Dec 07, 2016 at 08:00:25PM -0800, Kir Kolyshkin wrote:
> Got this when using compel hgen on arm 32-bit:
> 
> Error (compel/src/lib/handle-elf-host.c:115): String section header
> @0xf66e11ec is out of [0xf66e1174, 0xf66e1264)
> 
> Looking at this, it does not make sense. For the reference,
> sizeof(Elf_Shdr) is 0x28, so end position is also well within bounds.
> 
> Apparently, the check for string section header bounds is wrong
> as the last argument of __ptr_struct_oob() is supposed to be a
> region size, not the region end address as it is.
> 
> This always worked before because the check was too relaxed, and
> compel was never used on 32-bit ARM. This time it didn't work
> because of a 32-bit overflow, which helped to find this bug.
> 
> This is a fix to commit 6402f03 ("compel: separate get_strings_section
> from __handle_elf").
> 
> Cc: Dmitry Safonov <dsafonov at virtuozzo.com>
> Signed-off-by: Kir Kolyshkin <kir at openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
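Added example, not code from the compel tree or from either poster: a reconstruction of the [start, start + size) check with the numbers from the error message quoted above, evaluated in 32-bit and 64-bit pointer arithmetic. It shows why passing the region end address where __ptr_struct_oob() expects a size produces a false positive on arm32 (start + end wraps) and a silently relaxed check on 64-bit (start + end is huge, so a header past the region end is accepted). The helper names ptr_oob/ptr_struct_oob and the before/after call-site wrappers are hypothetical stand-ins; SHDR_SIZE 0x28 is the sizeof(Elf_Shdr) quoted in the report.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the addresses from the error report, no ELF file needed. */
#define REGION_START UINT64_C(0xf66e1174)
#define REGION_END   UINT64_C(0xf66e1264)   /* exclusive */
#define STR_SHDR     UINT64_C(0xf66e11ec)   /* string section header address */
#define SHDR_SIZE    UINT64_C(0x28)         /* sizeof(Elf_Shdr) on that target */

/* Truncate to the pointer width of a `bits`-bit target (32 or 64). */
static uint64_t wrap(uint64_t v, int bits)
{
	return bits >= 64 ? v : v & ((UINT64_C(1) << bits) - 1);
}

/* Hypothetical stand-in for __ptr_oob(): is ptr outside [start, start + size)?
 * start + size is computed in the target's pointer width, so on a 32-bit
 * target it wraps exactly as the native uintptr_t addition would. */
static bool ptr_oob(uint64_t ptr, uint64_t start, uint64_t size, int bits)
{
	uint64_t end = wrap(start + size, bits);
	return ptr < start || ptr >= end;
}

/* Hypothetical stand-in for __ptr_struct_oob(): a struct of struct_size
 * bytes at ptr is in bounds only if both its first and its last byte are. */
static bool ptr_struct_oob(uint64_t ptr, uint64_t struct_size,
			   uint64_t start, uint64_t size, int bits)
{
	uint64_t last = wrap(ptr + struct_size - 1, bits);
	return ptr_oob(ptr, start, size, bits) || ptr_oob(last, start, size, bits);
}

/* Call site as described before the fix: the region END address goes
 * into the parameter that is supposed to be the region size. */
static bool strings_shdr_oob_before(uint64_t shdr, uint64_t start, uint64_t end, int bits)
{
	return ptr_struct_oob(shdr, SHDR_SIZE, start, end, bits);
}

/* Call site as described after the fix: the region SIZE is passed. */
static bool strings_shdr_oob_after(uint64_t shdr, uint64_t start, uint64_t end, int bits)
{
	return ptr_struct_oob(shdr, SHDR_SIZE, start, end - start, bits);
}

int main(void)
{
	static const int widths[] = { 32, 64 };
	for (size_t i = 0; i < sizeof(widths) / sizeof(widths[0]); i++) {
		int bits = widths[i];
		/* A valid header well inside the region (the one from the report). */
		printf("%d-bit valid shdr @0x%" PRIx64 ": before=%s after=%s\n", bits, STR_SHDR,
		       strings_shdr_oob_before(STR_SHDR, REGION_START, REGION_END, bits) ? "OOB" : "ok",
		       strings_shdr_oob_after(STR_SHDR, REGION_START, REGION_END, bits) ? "OOB" : "ok");
		/* A header placed exactly at the region end: genuinely out of bounds. */
		printf("%d-bit bogus shdr @0x%" PRIx64 ": before=%s after=%s\n", bits, REGION_END,
		       strings_shdr_oob_before(REGION_END, REGION_START, REGION_END, bits) ? "OOB" : "ok",
		       strings_shdr_oob_after(REGION_END, REGION_START, REGION_END, bits) ? "OOB" : "ok");
	}
	return 0;
}
```

On 32-bit, 0xf66e1174 + 0xf66e1264 wraps to 0xecdc23d8, so the valid header at 0xf66e11ec compares as >= end and is rejected, which is the message in the report; on 64-bit the same sum is 0x1ecdc23d8, so anything at or above start is accepted, including a header sitting on the region end. Passing end - start makes both cases behave correctly.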
