From patchwork Thu Feb 16 14:22:26 2017
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 94081
From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Riku Voipio, Laurent Vivier
Date: Thu, 16 Feb 2017 15:22:26 +0100
Message-Id: <20170216142227.27448-14-laurent@vivier.eu>
In-Reply-To: <20170216142227.27448-1-laurent@vivier.eu>
References: <20170216142227.27448-1-laurent@vivier.eu>
Subject: [Qemu-devel] [PULL 13/14] linux-user: Use correct types in load_symbols()
From: Peter Maydell

Coverity doesn't like the code in load_symbols() which assumes it can use 'int' for a variable that might hold an offset into the guest ELF file, because in a 64-bit guest that could overflow. Guest binaries with 2GB sections aren't very likely and this isn't a security issue because we fully trust the guest linux-user binary anyway, but we might as well use the right types, which will placate Coverity.

Use uint64_t to hold section sizes, and bail out if the symbol table is too large rather than just overflowing an int.

(Coverity issue CID1005776)

Signed-off-by: Peter Maydell
Reviewed-by: Laurent Vivier
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <1486249533-5260-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier
---
 linux-user/elfload.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

-- 
2.9.3

diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 8271227..f520d77 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2262,6 +2262,7 @@ static int symcmp(const void *s0, const void *s1) static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) { int i, shnum, nsyms, sym_idx = 0, str_idx = 0; + uint64_t segsz; struct elf_shdr *shdr; char *strings = NULL; struct syminfo *s = NULL; 
@@ -2293,19 +2294,26 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) goto give_up; } - i = shdr[str_idx].sh_size; - s->disas_strtab = strings = g_try_malloc(i); - if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) { + segsz = shdr[str_idx].sh_size; + s->disas_strtab = strings = g_try_malloc(segsz); + if (!strings || + pread(fd, strings, segsz, shdr[str_idx].sh_offset) != segsz) { goto give_up; } - i = shdr[sym_idx].sh_size; - syms = g_try_malloc(i); - if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) { + segsz = shdr[sym_idx].sh_size; + syms = g_try_malloc(segsz); + if (!syms || pread(fd, syms, segsz, shdr[sym_idx].sh_offset) != segsz) { goto give_up; } - nsyms = i / sizeof(struct elf_sym); + if (segsz / sizeof(struct elf_sym) > INT_MAX) { + /* Implausibly large symbol table: give up rather than ploughing + * on with the number of symbols calculation overflowing + */ + goto give_up; + } + nsyms = segsz / sizeof(struct elf_sym); for (i = 0; i < nsyms; ) { bswap_sym(syms + i); /* Throw away entries which we do not need. */
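Review bot: the `INT_MAX` that the new `uint64_t segsz` from the first hunk is later checked against needs `<limits.h>`, and the diff adds no include, so the build depends on that macro already reaching elfload.c through its existing headers; worth confirming rather than assuming. `i` and `nsyms` stay `int`, which is fine once the count is bounded by INT_MAX in the second hunk.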
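Review bot: `g_try_malloc()` takes a gsize and `pread()` a size_t, so on a 32-bit host `g_try_malloc(segsz)` and `pread(fd, strings, segsz, shdr[str_idx].sh_offset)` in the second hunk silently narrow the 64-bit `segsz`; the `!= segsz` comparison against the untruncated value does catch the resulting short read and jumps to give_up, but an explicit `if (segsz > SIZE_MAX) goto give_up;` beside the new INT_MAX check would state the intent instead of relying on the narrowed allocation failing the comparison. The `-1` error return of pread() only compares correctly because it converts to UINT64_MAX; harmless here, since a sh_size of UINT64_MAX already fails at g_try_malloc().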
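To make the narrowing that the commit message describes concrete, here is an added illustration (not part of this patch or of QEMU's elfload.c): a 24-byte stand-in for `struct elf_sym`, the pre-patch computation of `nsyms` through an `int`, and the post-patch bound check that gives up instead of overflowing. The names `nsyms_old` and `nsyms_checked` are this example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for QEMU's struct elf_sym on a 64-bit guest (Elf64_Sym layout, 24 bytes). */
struct elf_sym {
    uint32_t st_name;
    unsigned char st_info;
    unsigned char st_other;
    uint16_t st_shndx;
    uint64_t st_value;
    uint64_t st_size;
};

/* Pre-patch shape: sh_size lands in an int before the division.
 * The narrowing is implementation-defined; gcc and clang reduce the value
 * modulo 2^32, so a section of 4 GiB + 24 bytes looks like 24 bytes, and a
 * 2 GiB section becomes a negative count. */
static int nsyms_old(uint64_t sh_size)
{
    int i = sh_size;
    return i / (int)sizeof(struct elf_sym);
}

/* Post-patch shape: keep the 64-bit size and refuse a count that does not
 * fit an int (the patch's give_up path, reported here as -1). */
static int nsyms_checked(uint64_t sh_size)
{
    if (sh_size / sizeof(struct elf_sym) > INT_MAX) {
        return -1;
    }
    return (int)(sh_size / sizeof(struct elf_sym));
}

int main(void)
{
    uint64_t big = 0x100000018ULL;  /* constructed: 4 GiB plus one symbol */
    printf("4GiB+24: old=%d checked=%d\n", nsyms_old(big), nsyms_checked(big));
    printf("2GiB:    old=%d checked=%d\n", nsyms_old(0x80000000ULL), nsyms_checked(0x80000000ULL));
    printf("UINT64_MAX: checked=%d (give up)\n", nsyms_checked(UINT64_MAX));
    return 0;
}
```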