libdwfl: Add overflow check while iterating in dwfl_segment_report_module

While iterating the notes we could overflow the len variable if the
note name or description was too big. Fix this by adding an (unsigned)
overflow check.

https://sourceware.org/bugzilla/show_bug.cgi?id=28654

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 7bf789e..f849b81 100644 (file)
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2021-12-08  Mark Wielaard  <mark@klomp.org>
+
+       * dwfl_segment_report_module.c (dwfl_segment_report_module): Add
+       len overflow check while iterating notes.
+
 2021-12-15  Mark Wielaard  <mark@klomp.org>
 
        * link_map.c (dwfl_link_map_report): Make sure phent is either sizeof

diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index 46564ec..f323929 100644 (file)
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -543,10 +543,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
 
               const GElf_Nhdr *nh = notes;
               size_t len = 0;
+              size_t last_len;
               while (filesz > len + sizeof (*nh))
                 {
                   const void *note_name;
                   const void *note_desc;
+                  last_len = len;
 
                   len += sizeof (*nh);
                   note_name = notes + len;
@@ -555,7 +557,9 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
                   len = align == 8 ? NOTE_ALIGN8 (len) : NOTE_ALIGN4 (len);
                   note_desc = notes + len;
 
-                  if (unlikely (filesz < len + nh->n_descsz))
+                  if (unlikely (filesz < len + nh->n_descsz
+                                || len < last_len
+                                || len + nh->n_descsz < last_len))
                     break;
 
                   if (nh->n_type == NT_GNU_BUILD_ID