[CRIU] [PATCH 17/20] compel handle_elf(): fix strings sect bounds check

Dmitry Safonov dsafonov at virtuozzo.com
Thu Dec 8 02:38:42 PST 2016


On 12/08/2016 12:44 PM, Kir Kolyshkin wrote:
> Got this when using compel hgen on arm 32-bit:
>
> Error (compel/src/lib/handle-elf-host.c:115): String section header
> @0xf66e11ec is out of [0xf66e1174, 0xf66e1264)
>
> Looking at this, it does not make sense. For the reference,
> sizeof(Elf_Shdr) is 0x28, so end position is also well within bounds.
>
> Apparently, the check for string section header bounds is wrong
> as the last argument of __ptr_struct_oob() is supposed to be a
> region size, not the region end address as it is.
>
> This always worked before because the check was too relaxed, and
> compel was never used on 32-bit ARM. This time it didn't work
> because of a 32-bit overflow, which helped to find this bug.
>
> This is a fix to commit 6402f03 ("compel: separate get_strings_section
> from __handle_elf").
>
> Cc: Dmitry Safonov <dsafonov at virtuozzo.com>
> Signed-off-by: Kir Kolyshkin <kir at openvz.org>

Good catch!
Reviewed-by: Dmitry Safonov <dsafonov at virtuozzo.com>

> ---
>  compel/src/lib/handle-elf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/compel/src/lib/handle-elf.c b/compel/src/lib/handle-elf.c
> index 14b066b..035cd0d 100644
> --- a/compel/src/lib/handle-elf.c
> +++ b/compel/src/lib/handle-elf.c
> @@ -110,7 +110,7 @@ static const char *get_strings_section(Elf_Ehdr *hdr, uintptr_t mem, size_t size
>  	 */
>  	addr = sec_table + ((size_t) hdr->e_shentsize) * hdr->e_shstrndx;
>  	if (__ptr_struct_oob(addr, sizeof(Elf_Shdr),
> -			sec_table, sec_table + sec_table_size)) {
> +			sec_table, sec_table_size)) {
>  		pr_err("String section header @%#zx is out of [%#zx, %#zx)\n",
>  			addr, sec_table, sec_table + sec_table_size);
>  		return NULL;
>
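Review bot: the one-line change is right given that the fourth argument of __ptr_struct_oob() is a region size, and the pr_err() on the two lines after the call still prints `sec_table + sec_table_size` as the half-open end, which is consistent with the new check. Two small follow-ups: the commit message's "This is a fix to commit 6402f03 (...)" sentence would be more useful as a `Fixes: 6402f03 ("compel: separate get_strings_section from __handle_elf")` trailer next to the Signed-off-by so tooling can pick it up, and since the bug was an end-address passed where a size is expected, a one-word comment at the call site (`/* region size, not end */`) would stop the same mix-up from being reintroduced.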


-- 
              Dmitry
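To make the arithmetic in the report concrete, here is an added example (not CRIU's code; __ptr_struct_oob()'s real body is not shown on this page, so the two helpers below are assumptions about its shape). It reproduces, on the addresses quoted in the commit message, why passing the region end instead of the region size falsely rejects a header that is inside the section table on a 32-bit target, and shows an overflow-safe way to write such a bounds check by comparing offsets rather than computing end addresses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Addresses and sizes are taken from the bug report quoted above
 * (32-bit ARM run of compel hgen); uint32_t emulates the 32-bit target.
 */
#define SEC_TABLE       0xf66e1174u   /* start of section header table */
#define SEC_TABLE_END   0xf66e1264u   /* half-open end address */
#define SEC_TABLE_SIZE  (SEC_TABLE_END - SEC_TABLE)   /* 0xf0 */
#define SHSTR_HDR       0xf66e11ecu   /* header of the string section */
#define ELF_SHDR_SIZE   0x28u         /* sizeof(Elf_Shdr) on 32-bit */

/*
 * Hypothetical "naive" checker with the same argument order as the
 * call in the patch: (ptr, struct_size, region_start, region_size).
 * It computes region_start + region_size, which wraps in 32-bit
 * arithmetic if a caller mistakenly passes an end address as the size.
 */
static bool naive_ptr_struct_oob(uint32_t ptr, uint32_t struct_size,
				 uint32_t start, uint32_t size)
{
	uint32_t region_end = start + size;		/* may wrap */
	uint32_t ptr_end = ptr + struct_size;		/* may wrap */

	return ptr < start || ptr_end > region_end;
}

/*
 * Overflow-safe checker: never forms an end address. It works on the
 * offset of ptr inside the region and on the space left after it, so
 * neither a large size nor an address near the top of memory can wrap.
 */
static bool safe_ptr_struct_oob(uint32_t ptr, uint32_t struct_size,
				uint32_t start, uint32_t size)
{
	uint32_t off;

	if (ptr < start)
		return true;
	off = ptr - start;
	if (off > size)
		return true;
	return struct_size > size - off;	/* not enough room left */
}

/* The call as it was before the patch: end address passed as size. */
static bool buggy_call(void)
{
	return naive_ptr_struct_oob(SHSTR_HDR, ELF_SHDR_SIZE,
				    SEC_TABLE, SEC_TABLE_END);
}

/* The call as fixed by the patch: region size passed as size. */
static bool fixed_call(void)
{
	return naive_ptr_struct_oob(SHSTR_HDR, ELF_SHDR_SIZE,
				    SEC_TABLE, SEC_TABLE_SIZE);
}

int main(void)
{
	printf("header @%#x in [%#x, %#x), sizeof(Elf_Shdr)=%#x\n",
	       SHSTR_HDR, SEC_TABLE, SEC_TABLE_END, ELF_SHDR_SIZE);
	printf("end-as-size (old call): oob=%d  <- false positive\n",
	       buggy_call());
	printf("size (fixed call):      oob=%d\n", fixed_call());
	printf("overflow-safe check:    oob=%d\n",
	       safe_ptr_struct_oob(SHSTR_HDR, ELF_SHDR_SIZE,
				   SEC_TABLE, SEC_TABLE_SIZE));
	/* A header whose 0x28 bytes would run past the table end. */
	printf("last 0x20 bytes only:   oob=%d\n",
	       safe_ptr_struct_oob(SEC_TABLE + 0xd0, ELF_SHDR_SIZE,
				   SEC_TABLE, SEC_TABLE_SIZE));
	return 0;
}
```

With the end address passed as the size, start + "size" is 0x1ecdc23d8, which truncates to 0xecdc23d8 in 32 bits, so a header at 0xf66e11ec compares as lying past the region and the check fails exactly as in the report; on a 64-bit build the same sum does not wrap, the computed end is enormous, and the check silently accepts almost anything, which is the "too relaxed" behaviour the commit message describes. The offset-based variant gives the right answer in both cases without ever forming an end pointer.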

