[Qemu-devel] [PATCH] linux-user: Use correct types in load

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols()
@ 2017-02-04 23:05 Peter Maydell
  2017-02-05 14:46 ` Laurent Vivier
  2017-02-09 22:13 ` Philippe Mathieu-Daudé
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Maydell @ 2017-02-04 23:05 UTC (permalink / raw)
  To: qemu-devel; +Cc: patches, Laurent Vivier, Riku Voipio

Coverity doesn't like the code in load_symbols() which assumes
it can use 'int' for a variable that might hold an offset into
the guest ELF file, because in a 64-bit guest that could
overflow. Guest binaries with 2GB sections aren't very likely
and this isn't a security issue because we fully trust the
guest linux-user binary anyway, but we might as well use the
right types, which will placate Coverity. Use uint64_t to
hold section sizes, and bail out if the symbol table is too
large rather than just overflowing an int.

(Coverity issue CID1005776)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/elfload.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index c66cbbe..f4c7b0c 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -2263,6 +2263,7 @@ static int symcmp(const void *s0, const void *s1)
 static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
 {
     int i, shnum, nsyms, sym_idx = 0, str_idx = 0;
+    uint64_t segsz;
     struct elf_shdr *shdr;
     char *strings = NULL;
     struct syminfo *s = NULL;
@@ -2294,19 +2295,26 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
         goto give_up;
     }
 
-    i = shdr[str_idx].sh_size;
-    s->disas_strtab = strings = g_try_malloc(i);
-    if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) {
+    segsz = shdr[str_idx].sh_size;
+    s->disas_strtab = strings = g_try_malloc(segsz);
+    if (!strings ||
+        pread(fd, strings, segsz, shdr[str_idx].sh_offset) != segsz) {
         goto give_up;
     }
 
-    i = shdr[sym_idx].sh_size;
-    syms = g_try_malloc(i);
-    if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) {
+    segsz = shdr[sym_idx].sh_size;
+    syms = g_try_malloc(segsz);
+    if (!syms || pread(fd, syms, segsz, shdr[sym_idx].sh_offset) != segsz) {
         goto give_up;
     }
 
-    nsyms = i / sizeof(struct elf_sym);
+    if (segsz / sizeof(struct elf_sym) > INT_MAX) {
+        /* Implausibly large symbol table: give up rather than ploughing
+         * on with the number of symbols calculation overflowing
+         */
+        goto give_up;
+    }
+    nsyms = segsz / sizeof(struct elf_sym);
     for (i = 0; i < nsyms; ) {
         bswap_sym(syms + i);
         /* Throw away entries which we do not need.  */
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols()
  2017-02-04 23:05 [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols() Peter Maydell
@ 2017-02-05 14:46 ` Laurent Vivier
  2017-02-09 22:13 ` Philippe Mathieu-Daudé
  1 sibling, 0 replies; 3+ messages in thread
From: Laurent Vivier @ 2017-02-05 14:46 UTC (permalink / raw)
  To: Peter Maydell, qemu-devel; +Cc: patches, Riku Voipio

Le 05/02/2017 à 00:05, Peter Maydell a écrit :
> Coverity doesn't like the code in load_symbols() which assumes
> it can use 'int' for a variable that might hold an offset into
> the guest ELF file, because in a 64-bit guest that could
> overflow. Guest binaries with 2GB sections aren't very likely
> and this isn't a security issue because we fully trust the
> guest linux-user binary anyway, but we might as well use the
> right types, which will placate Coverity. Use uint64_t to
> hold section sizes, and bail out if the symbol table is too
> large rather than just overflowing an int.
> 
> (Coverity issue CID1005776)
> 
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Laurent Vivier <laurent@vivier.eu>

> ---
>  linux-user/elfload.c | 22 +++++++++++++++-------
>  1 file changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
> index c66cbbe..f4c7b0c 100644
> --- a/linux-user/elfload.c
> +++ b/linux-user/elfload.c
> @@ -2263,6 +2263,7 @@ static int symcmp(const void *s0, const void *s1)
>  static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
>  {
>      int i, shnum, nsyms, sym_idx = 0, str_idx = 0;
> +    uint64_t segsz;
>      struct elf_shdr *shdr;
>      char *strings = NULL;
>      struct syminfo *s = NULL;
> @@ -2294,19 +2295,26 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
>          goto give_up;
>      }
>  
> -    i = shdr[str_idx].sh_size;
> -    s->disas_strtab = strings = g_try_malloc(i);
> -    if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) {
> +    segsz = shdr[str_idx].sh_size;
> +    s->disas_strtab = strings = g_try_malloc(segsz);
> +    if (!strings ||
> +        pread(fd, strings, segsz, shdr[str_idx].sh_offset) != segsz) {
>          goto give_up;
>      }
>  
> -    i = shdr[sym_idx].sh_size;
> -    syms = g_try_malloc(i);
> -    if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) {
> +    segsz = shdr[sym_idx].sh_size;
> +    syms = g_try_malloc(segsz);
> +    if (!syms || pread(fd, syms, segsz, shdr[sym_idx].sh_offset) != segsz) {
>          goto give_up;
>      }
>  
> -    nsyms = i / sizeof(struct elf_sym);
> +    if (segsz / sizeof(struct elf_sym) > INT_MAX) {
> +        /* Implausibly large symbol table: give up rather than ploughing
> +         * on with the number of symbols calculation overflowing
> +         */
> +        goto give_up;
> +    }
> +    nsyms = segsz / sizeof(struct elf_sym);
>      for (i = 0; i < nsyms; ) {
>          bswap_sym(syms + i);
>          /* Throw away entries which we do not need.  */
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols()
  2017-02-04 23:05 [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols() Peter Maydell
  2017-02-05 14:46 ` Laurent Vivier
@ 2017-02-09 22:13 ` Philippe Mathieu-Daudé
  1 sibling, 0 replies; 3+ messages in thread
From: Philippe Mathieu-Daudé @ 2017-02-09 22:13 UTC (permalink / raw)
  To: Peter Maydell, qemu-devel; +Cc: Riku Voipio, Laurent Vivier, patches

On 02/04/2017 08:05 PM, Peter Maydell wrote:
> Coverity doesn't like the code in load_symbols() which assumes
> it can use 'int' for a variable that might hold an offset into
> the guest ELF file, because in a 64-bit guest that could
> overflow. Guest binaries with 2GB sections aren't very likely
> and this isn't a security issue because we fully trust the
> guest linux-user binary anyway, but we might as well use the
> right types, which will placate Coverity. Use uint64_t to
> hold section sizes, and bail out if the symbol table is too
> large rather than just overflowing an int.
>
> (Coverity issue CID1005776)
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  linux-user/elfload.c | 22 +++++++++++++++-------
>  1 file changed, 15 insertions(+), 7 deletions(-)
>
> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
> index c66cbbe..f4c7b0c 100644
> --- a/linux-user/elfload.c
> +++ b/linux-user/elfload.c
> @@ -2263,6 +2263,7 @@ static int symcmp(const void *s0, const void *s1)
>  static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
>  {
>      int i, shnum, nsyms, sym_idx = 0, str_idx = 0;
> +    uint64_t segsz;
>      struct elf_shdr *shdr;
>      char *strings = NULL;
>      struct syminfo *s = NULL;
> @@ -2294,19 +2295,26 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
>          goto give_up;
>      }
>
> -    i = shdr[str_idx].sh_size;
> -    s->disas_strtab = strings = g_try_malloc(i);
> -    if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) {
> +    segsz = shdr[str_idx].sh_size;
> +    s->disas_strtab = strings = g_try_malloc(segsz);
> +    if (!strings ||
> +        pread(fd, strings, segsz, shdr[str_idx].sh_offset) != segsz) {
>          goto give_up;
>      }
>
> -    i = shdr[sym_idx].sh_size;
> -    syms = g_try_malloc(i);
> -    if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) {
> +    segsz = shdr[sym_idx].sh_size;
> +    syms = g_try_malloc(segsz);
> +    if (!syms || pread(fd, syms, segsz, shdr[sym_idx].sh_offset) != segsz) {
>          goto give_up;
>      }
>
> -    nsyms = i / sizeof(struct elf_sym);
> +    if (segsz / sizeof(struct elf_sym) > INT_MAX) {
> +        /* Implausibly large symbol table: give up rather than ploughing
> +         * on with the number of symbols calculation overflowing
> +         */
> +        goto give_up;
> +    }
> +    nsyms = segsz / sizeof(struct elf_sym);
>      for (i = 0; i < nsyms; ) {
>          bswap_sym(syms + i);
>          /* Throw away entries which we do not need.  */
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-02-09 22:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-04 23:05 [Qemu-devel] [PATCH] linux-user: Use correct types in load_symbols() Peter Maydell
2017-02-05 14:46 ` Laurent Vivier
2017-02-09 22:13 ` Philippe Mathieu-Daudé

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).