libdwfl: Don't trust e_shentsize in dwfl_segment_report_module

When calulating the possible section header table end us the actual size
of the section headers (sizeof (Elf32_Shdr) or sizeof (Elf64_Shdr)),
not the ELF header e_shentsize value, which can be corrupted. This
prevents a posssible overflow, but we check the shdrs_end is sane
later anyway.

https://sourceware.org/bugzilla/show_bug.cgi?id=28659

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index d875eab..76e0899 100644 (file)
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,5 +1,10 @@
 2021-12-08  Mark Wielaard  <mark@klomp.org>
 
+       * dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
+       trust e_shentsize.
+
+2021-12-08  Mark Wielaard  <mark@klomp.org>
+
        * link_map.c (dwfl_link_map_report): Make sure phent != 0.
 
 2021-12-08  Mark Wielaard  <mark@klomp.org>

diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c
index f6a1799..be0aff7 100644 (file)
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -383,7 +383,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
         zero sh_size field. We ignore this here because getting shdrs
         is just a nice bonus (see below in the type == PT_LOAD case
         where we trim the last segment).  */
-      shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * ehdr.e32.e_shentsize;
+      shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * sizeof (Elf32_Shdr);
       break;
 
     case ELFCLASS64:
@@ -397,7 +397,7 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name,
       if (phentsize != sizeof (Elf64_Phdr))
        goto out;
       /* See the NOTE above for shdrs_end and ehdr.e32.e_shnum.  */
-      shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * ehdr.e64.e_shentsize;
+      shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * sizeof (Elf64_Shdr);
       break;
 
     default: