Fwd: security vulnerability in File
Christos Zoulas
christos at zoulas.com
Thu Feb 27 10:50:02 EST 2003
On Feb 27, 9:13am, endler at eecs.tulane.edu (David Endler) wrote:
-- Subject: Re: Fwd: security vulnerability in File
| > Actually, the program headers can be taken advantage of the same way
| > I have a more complete patch
|
| Christos, Ian, et al.,
|
| Can you send the final patch along so we can plan a public advisory and
| inform the OS vendors? Thanks,
Here's my final patch, including the other memory overflow in softmagic
I mentioned.
Regards,
christos
--- readelf.c 8 Feb 2003 18:33:53 -0000 1.23
+++ readelf.c 25 Feb 2003 15:30:00 -0000 1.26
@@ -92,12 +92,18 @@
#define sh_addr (class == ELFCLASS32 \
? (void *) &sh32 \
: (void *) &sh64)
+#define sh_size (class == ELFCLASS32 \
+ ? sizeof sh32 \
+ : sizeof sh64)
#define shs_type (class == ELFCLASS32 \
? getu32(swap, sh32.sh_type) \
: getu32(swap, sh64.sh_type))
#define ph_addr (class == ELFCLASS32 \
? (void *) &ph32 \
: (void *) &ph64)
+#define ph_size (class == ELFCLASS32 \
+ ? sizeof ph32 \
+ : sizeof ph64)
#define ph_type (class == ELFCLASS32 \
? getu32(swap, ph32.p_type) \
: getu32(swap, ph64.p_type))
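Review bot: The new sh_size and ph_size macros carry no comment saying what they measure, although every later check in this patch relies on them being the in-memory size of the header struct for the current ELF class. A one-line comment above each would make the later `size != sh_size` checks self-explanatory: `/* in-memory size of the section header struct for this ELF class; must match the size the file claims */`. The macros also silently depend on `class`, `sh32`/`sh64` and `ph32`/`ph64` being in scope at each use, as the existing sh_addr/ph_addr macros already do; that dependency is presumably documented where those are defined, outside this hunk.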
@@ -129,11 +135,14 @@
Elf32_Shdr sh32;
Elf64_Shdr sh64;
+ if (size != sh_size)
+ error("corrupted section header size.\n");
+
if (lseek(fd, off, SEEK_SET) == -1)
error("lseek failed (%s).\n", strerror(errno));
for ( ; num; num--) {
- if (read(fd, sh_addr, size) == -1)
+ if (read(fd, sh_addr, sh_size) == -1)
error("read failed (%s).\n", strerror(errno));
if (shs_type == SHT_SYMTAB /* || shs_type == SHT_DYNSYM */) {
(void) printf (", not stripped");
@@ -162,11 +171,13 @@
size_t offset, nameoffset;
off_t savedoffset;
+ if (size != ph_size)
+ error("corrupted program header size.\n");
if (lseek(fd, off, SEEK_SET) == -1)
error("lseek failed (%s).\n", strerror(errno));
for ( ; num; num--) {
- if (read(fd, ph_addr, size) == -1)
+ if (read(fd, ph_addr, ph_size) == -1)
error("read failed (%s).\n", strerror(errno));
if ((savedoffset = lseek(fd, 0, SEEK_CUR)) == -1)
error("lseek failed (%s).\n", strerror(errno));
@@ -360,13 +371,15 @@
int bufsize;
int os_style = -1;
+ if (size != ph_size)
+ error("corrupted program header size.\n");
/*
* Loop through all the program headers.
*/
for ( ; num; num--) {
if (lseek(fd, off, SEEK_SET) == -1)
error("lseek failed (%s).\n", strerror(errno));
- if (read(fd, ph_addr, size) == -1)
+ if (read(fd, ph_addr, ph_size) == -1)
error("read failed (%s).\n", strerror(errno));
off += size;
if (ph_type != PT_NOTE)
--- softmagic.c 8 Feb 2003 18:33:53 -0000 1.52
+++ softmagic.c 25 Feb 2003 13:04:32 -0000 1.54
@@ -105,7 +105,8 @@
int firstline = 1; /* a flag to print X\n X\n- X */
if (tmpoff == NULL)
- if ((tmpoff = (int32_t *) malloc(tmplen = 20)) == NULL)
+ if ((tmpoff = (int32_t *) malloc(
+ (tmplen = 20) * sizeof(*tmpoff))) == NULL)
error("out of memory\n");
for (magindex = 0; magindex < nmagic; magindex++) {
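Review bot: The corrected allocation embeds the assignment `tmplen = 20` inside the size expression, which hides the element count the later `++cont_level >= tmplen` bounds checks depend on. Splitting it reads more clearly and also drops the cast that C does not need: `tmplen = 20;` then `if ((tmpoff = malloc(tmplen * sizeof *tmpoff)) == NULL)`. The two realloc sites further down (the lines with `(tmplen += 20) * sizeof(*tmpoff)`) use the same embedded-assignment form and would benefit from the same split. The enclosing function starts before this hunk.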
@@ -137,7 +138,7 @@
/* and any continuations that match */
if (++cont_level >= tmplen)
if ((tmpoff = (int32_t *) realloc(tmpoff,
- tmplen += 20)) == NULL)
+ (tmplen += 20) * sizeof(*tmpoff))) == NULL)
error("out of memory\n");
while (magic[magindex+1].cont_level != 0 &&
++magindex < nmagic) {
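Review bot: The realloc on the changed line assigns its result straight back to tmpoff, so on failure the original block's only pointer is lost before `error()` runs; this is harmless only if `error()` never returns, which this hunk does not show. Writing it as `int32_t *tmp = realloc(tmpoff, (tmplen + 20) * sizeof *tmpoff);` and assigning `tmpoff = tmp; tmplen += 20;` only after the NULL check keeps tmpoff valid on the failure path and separates the growth of tmplen from the allocation. The third hunk of this file repeats the same pattern. The enclosing loop begins before this hunk.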
@@ -184,7 +185,8 @@
if (++cont_level >= tmplen)
if ((tmpoff =
(int32_t *) realloc(tmpoff,
- tmplen += 20)) == NULL)
+ (tmplen += 20)
+ * sizeof(*tmpoff))) == NULL)
error("out of memory\n");
}
if (magic[magindex].flag & OFFADD) {