Invalid read in process_netbsd_elf_note

* readelf.c (process_netbsd_elf_note): Validate descsz before accessing descdata. Formatting.
2020-03-19 12:19:50 +10:30 · 2020-03-19 12:19:50 +10:30 · b966f55ffa
commit b966f55ffa
parent 645ba68105
2 changed files with 15 additions and 7 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,8 @@
+2020-03-19  Alan Modra  <amodra@gmail.com>
+
+	* readelf.c (process_netbsd_elf_note): Validate descsz before
+	accessing descdata.  Formatting.
+
 2020-03-19  Alan Modra  <amodra@gmail.com>

 	* elfcomm.c (setup_archive): Make file_size an off_t.  Comment.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@ -18402,15 +18402,17 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)
  switch (pnote->type)
    {
    case NT_NETBSD_IDENT:
+      if (pnote->descsz < 1)
+	break;
      version = byte_get ((unsigned char *) pnote->descdata, sizeof (version));
      if ((version / 10000) % 100)
-        printf ("  NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz,
+	printf ("  NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz,
 		version, version / 100000000, (version / 1000000) % 100,
 		(version / 10000) % 100 > 26 ? "Z" : "",
 		'A' + (version / 10000) % 26);
      else
 	printf ("  NetBSD\t\t0x%08lx\tIDENT %u (%u.%u.%u)\n", pnote->descsz,
-	        version, version / 100000000, (version / 1000000) % 100,
+		version, version / 100000000, (version / 1000000) % 100,
 		(version / 100) % 100);
      return TRUE;

@ -18421,6 +18423,8 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)

 #ifdef   NT_NETBSD_PAX
    case NT_NETBSD_PAX:
+      if (pnote->descsz < 1)
+	break;
      version = byte_get ((unsigned char *) pnote->descdata, sizeof (version));
      printf ("  NetBSD\t\t0x%08lx\tPaX <%s%s%s%s%s%s>\n", pnote->descsz,
 	      ((version & NT_NETBSD_PAX_MPROTECT) ? "+mprotect" : ""),
@ -18431,12 +18435,11 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)
 	      ((version & NT_NETBSD_PAX_NOASLR) ? "-ASLR" : ""));
      return TRUE;
 #endif
-
-    default:
-      printf ("  NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n", pnote->descsz,
-	      pnote->type);
-      return FALSE;
    }
+
+  printf ("  NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n",
+	  pnote->descsz, pnote->type);
+  return FALSE;
 }

 static const char *