VirtualBox

Changeset 77941 in vbox


Ignore:
Timestamp:
Mar 28, 2019 4:04:35 PM (6 years ago)
Author:
vboxsync
svn:sync-xref-src-repo-rev:
129661
Message:

Runtime/ldrELFRelocatable.cpp.h: several fixes

  • Check that the string tables are zero terminated (in theory a crazy linker could pad the string table with non zero bytes while technically being correct and triggering a false positive with the check is something we bother with when we encounter it)
  • Verify that st_name is within bounds of the string table
  • Plug a few memory leaks when opening a corrupted image fails
Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/include/iprt/err.h

    r76585 r77941  
    916916/** The ELF loader didn't find the symbol/string table for the image. */
    917917#define VERR_LDRELF_NO_SYMBOL_OR_NO_STRING_TABS (-640)
     918/** The ELF loader encountered an unterminated string table. */
     919#define VERR_LDRELF_UNTERMINATED_STRING_TAB     (-641)
    918920/** Invalid link address. */
    919921#define VERR_LDR_INVALID_LINK_ADDRESS           (-647)

  • trunk/src/VBox/Runtime/common/ldr/ldrELFRelocatable.cpp.h

    r77185 r77941  
    160160            pModElf->pStr   =    (const char *)(pu8 + pModElf->paShdrs[pModElf->iStrSh].sh_offset);
    161161        pModElf->pShStr     =    (const char *)(pu8 + pModElf->paShdrs[pModElf->Ehdr.e_shstrndx].sh_offset);
     162
     163        /*
     164         * Verify that the ends of the string tables have a zero terminator
     165         * (this avoids duplicating the appropriate checks later in the code accessing the string tables).
     166         *
     167         * sh_offset and sh_size were verfied in RTLDRELF_NAME(ValidateSectionHeader)() already so they
     168         * are safe to use.
     169         */
     170        AssertMsgStmt(   pModElf->iStrSh == ~0U
     171                      || pModElf->pStr[pModElf->paShdrs[pModElf->iStrSh].sh_size - 1] == '\0',
     172                      ("The string table is not zero terminated!\n"),
     173                      rc = VERR_LDRELF_UNTERMINATED_STRING_TAB);
     174        AssertMsgStmt(pModElf->pShStr[pModElf->paShdrs[pModElf->Ehdr.e_shstrndx].sh_size - 1] == '\0',
     175                      ("The section header string table is not zero terminated!\n"),
     176                      rc = VERR_LDRELF_UNTERMINATED_STRING_TAB);
     177
     178        if (RT_FAILURE(rc))
     179        {
     180            /* Unmap. */
     181            int rc2 = pModElf->Core.pReader->pfnUnmap(pModElf->Core.pReader, pModElf->pvBits);
     182            AssertRC(rc2);
     183            pModElf->pvBits = NULL;
     184            pModElf->paSyms = NULL;
     185            pModElf->pStr   = NULL;
     186            pModElf->pShStr = NULL;
     187        }
    162188    }
    163189    return rc;
     
    748774                return VERR_BAD_EXE_FORMAT;
    749775            }
     776
     777            AssertMsgReturn(paSyms[iSym].st_name < pModElf->cbStr,
     778                            ("String outside string table! iSym=%d paSyms[iSym].st_name=%#x\n", iSym, paSyms[iSym].st_name),
     779                            VERR_LDRELF_INVALID_SYMBOL_NAME_OFFSET);
     780
    750781            const char *pszName = ELF_STR(pModElf, paSyms[iSym].st_name);
     782            /* String termination was already checked when the string table was mapped. */
    751783            if (    (pszName && *pszName)
    752784                &&  (   (fFlags & RTLDR_ENUM_SYMBOL_FLAGS_ALL)
     
    19301962                        pModElf->iSymSh = i;
    19311963                        pModElf->cSyms  = (unsigned)(paShdrs[i].sh_size / sizeof(Elf_Sym));
    1932                         AssertReturn(pModElf->cSyms == paShdrs[i].sh_size / sizeof(Elf_Sym), VERR_IMAGE_TOO_BIG);
     1964                        AssertBreakStmt(pModElf->cSyms == paShdrs[i].sh_size / sizeof(Elf_Sym), rc = VERR_IMAGE_TOO_BIG);
    19331965                        pModElf->iStrSh = paShdrs[i].sh_link;
    19341966                        pModElf->cbStr  = (unsigned)paShdrs[pModElf->iStrSh].sh_size;
    1935                         AssertReturn(pModElf->cbStr == paShdrs[pModElf->iStrSh].sh_size, VERR_IMAGE_TOO_BIG);
     1967                        AssertBreakStmt(pModElf->cbStr == paShdrs[pModElf->iStrSh].sh_size, rc = VERR_IMAGE_TOO_BIG);
    19361968                    }
    19371969
     
    20042036                            {
    20052037                                pModElf->cbImage = (size_t)EndAddr;
    2006                                 AssertMsgReturn(pModElf->cbImage == EndAddr, (FMT_ELF_ADDR "\n", EndAddr), VERR_IMAGE_TOO_BIG);
     2038                                AssertMsgBreakStmt(pModElf->cbImage == EndAddr, (FMT_ELF_ADDR "\n", EndAddr), rc = VERR_IMAGE_TOO_BIG);
    20072039                            }
    20082040                            Log2(("RTLdrElf: %s: Assigned " FMT_ELF_ADDR " to section #%d\n", pszLogName, paShdrs[i].sh_addr, i));
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette