git: b541e44b7c30 - stable/12 - ldd: guard against stack overflow reading corrupted files.
Date: Wed, 19 Oct 2022 21:10:11 UTC
The branch stable/12 has been updated by sjg:
URL: https://cgit.FreeBSD.org/src/commit/?id=b541e44b7c30d56b445dd91c8e03cc11488faf48
commit b541e44b7c30d56b445dd91c8e03cc11488faf48
Author: Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2022-10-19 21:08:43 +0000
Commit: Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2022-10-19 21:08:43 +0000
ldd: guard against stack overflow reading corrupted files.
Reviewed by: imp, emaste
Reported by: UK National Cyber Security Centre (NCSC)
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D37010
---
usr.bin/ldd/ldd.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/usr.bin/ldd/ldd.c b/usr.bin/ldd/ldd.c
index d237850be765..7db8875ed2e3 100644
--- a/usr.bin/ldd/ldd.c
+++ b/usr.bin/ldd/ldd.c
@@ -335,6 +335,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type)
warnx("%s: header too short", fname);
return (0);
}
+ if (hdr.elf32.e_phentsize != sizeof(phdr32)) {
+ warnx("%s: corrupt header", fname);
+ return (0);
+ }
for (i = 0; i < hdr.elf32.e_phnum; i++) {
if (read(fd, &phdr32, hdr.elf32.e_phentsize) !=
sizeof(phdr32)) {
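Review bot: The `read()` in the loop just after the new guard still takes its length from the file-supplied `hdr.elf32.e_phentsize`, so the bound on the stack struct depends entirely on the check a few lines earlier staying in place. Passing the destination size directly, `if (read(fd, &phdr32, sizeof(phdr32)) != sizeof(phdr32)) {`, would keep the bound local to the call. The same applies to the `read(fd, &phdr, hdr.elf.e_phentsize)` call in the second hunk. A short comment on each guard, such as `/* e_phentsize comes from the file and is used as the read length into a fixed-size struct */`, would record why strict equality is required. The body of `is_executable` starts and ends outside both hunks, so how the file offset is positioned before the loop cannot be checked from here.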
@@ -403,6 +407,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type)
warnx("%s: header too short", fname);
return (0);
}
+ if (hdr.elf.e_phentsize != sizeof(phdr)) {
+ warnx("%s: corrupt header", fname);
+ return (0);
+ }
for (i = 0; i < hdr.elf.e_phnum; i++) {
if (read(fd, &phdr, hdr.elf.e_phentsize)
!= sizeof(phdr)) {