From patchwork Thu Feb 16 14:38:15 2017
From: Laurent Vivier
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Riku Voipio, Laurent Vivier
Date: Thu, 16 Feb 2017 15:38:15 +0100
Subject: [Qemu-devel] [PULL v2 13/14] linux-user: Use correct types in load_symbols()
Message-Id: <20170216143816.2384-14-laurent@vivier.eu>
In-Reply-To: <20170216143816.2384-1-laurent@vivier.eu>
X-Patchwork-Submitter: Laurent Vivier
X-Patchwork-Id: 94083
From: Peter Maydell Coverity doesn't like the code in load_symbols() which assumes it can use 'int' for a variable that might hold an offset into the guest ELF file, because in a 64-bit guest that could overflow. Guest binaries with 2GB sections aren't very likely and this isn't a security issue because we fully trust the guest linux-user binary anyway, but we might as well use the right types, which will placate Coverity. Use uint64_t to hold section sizes, and bail out if the symbol table is too large rather than just overflowing an int. (Coverity issue CID1005776) Signed-off-by: Peter Maydell Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Message-Id: <1486249533-5260-1-git-send-email-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier --- linux-user/elfload.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) -- 2.9.3 diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 8271227..f520d77 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2262,6 +2262,7 @@ static int symcmp(const void *s0, const void *s1) static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) { int i, shnum, nsyms, sym_idx = 0, str_idx = 0; + uint64_t segsz; struct elf_shdr *shdr; char *strings = NULL; struct syminfo *s = NULL; 
@@ -2293,19 +2294,26 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) goto give_up; } - i = shdr[str_idx].sh_size; - s->disas_strtab = strings = g_try_malloc(i); - if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) { + segsz = shdr[str_idx].sh_size; + s->disas_strtab = strings = g_try_malloc(segsz); + if (!strings || + pread(fd, strings, segsz, shdr[str_idx].sh_offset) != segsz) { goto give_up; } - i = shdr[sym_idx].sh_size; - syms = g_try_malloc(i); - if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) { + segsz = shdr[sym_idx].sh_size; + syms = g_try_malloc(segsz); + if (!syms || pread(fd, syms, segsz, shdr[sym_idx].sh_offset) != segsz) { goto give_up; } - nsyms = i / sizeof(struct elf_sym); + if (segsz / sizeof(struct elf_sym) > INT_MAX) { + /* Implausibly large symbol table: give up rather than ploughing + * on with the number of symbols calculation overflowing + */ + goto give_up; + } + nsyms = segsz / sizeof(struct elf_sym); for (i = 0; i < nsyms; ) { bswap_sym(syms + i); /* Throw away entries which we do not need. */
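Review bot: in the first hunk the new variable is named segsz, but it only ever holds section header sh_size values (the string table and symbol table sections), so a name such as secsz would describe it more accurately; uint64_t is the right width, since it covers the sh_size field of both 32-bit and 64-bit ELF section headers.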
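Review bot: in the second hunk the INT_MAX guard on `segsz / sizeof(struct elf_sym)` is placed after the symbol table has already been allocated with `g_try_malloc(segsz)` and read with pread(); moving the check up to directly after `segsz = shdr[sym_idx].sh_size;` would reject an implausibly large table before committing memory and I/O to it. Note also that g_try_malloc() and pread() take a size_t-sized length, so on a 32-bit host a 64-bit segsz is truncated at those call sites; the `!= segsz` comparison against the full 64-bit value still catches the resulting short read, but a comment saying that this is relied upon would help the next reader. INT_MAX comes from <limits.h>; confirm it is reachable through the existing includes of elfload.c.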