harden ELF relocation parsing and mmap safety #2
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -80,12 +80,18 @@ static int64_t sleb128_decode(struct sleb128_decoder *decoder) { | |
| const size_t size = sizeof(int64_t) * CHAR_BIT; | ||
|
|
||
| do { | ||
| if (decoder->current >= decoder->end) { | ||
| LOGF("Failed to decode SLEB128: buffer overrun"); | ||
| return 0; | ||
| } | ||
|
|
||
| byte = *decoder->current++; | ||
| value |= ((int64_t)(byte & 0x7F)) << shift; | ||
| shift += 7; | ||
| if (shift > size) { | ||
| LOGF("SLEB128 shift overflow"); | ||
| return 0; | ||
| } | ||
|
Comment on lines
+91
to
+94
Member
There was a problem hiding this comment. https://android.googlesource.com/platform/bionic/+/refs/heads/main/linker/linker_sleb128.h#40 The code comes from AOSP |
||
| } while (byte & 0x80); | ||
|
|
||
| if (shift < size && (byte & 0x40)) { | ||
|
|
@@ -327,8 +333,9 @@ static bool elfutil_unpack_android_relocs(const struct elf_image *elf, struct an | |
| struct sleb128_decoder decoder; | ||
| sleb128_decoder_init(&decoder, (const uint8_t *)elf->rel_android_, elf->rel_android_size_); | ||
|
|
||
| int64_t num_relocs_signed = sleb128_decode(&decoder); | ||
| if (num_relocs_signed <= 0) return false; | ||
| uint64_t num_relocs = (uint64_t)num_relocs_signed; | ||
|
Comment on lines
+336
to
+338
Member
There was a problem hiding this comment. I'll see about that, but there should be no case where it will ever go below 0
Author
There was a problem hiding this comment. If sleb128_decode returns -1 due to corruption |
||
|
|
||
| size_t out_index = 0; | ||
| void *entries = calloc(num_relocs, elf->rel_android_is_rela_ ? sizeof(ElfW(Rela)) : sizeof(ElfW(Rel))); | ||
|
|
@@ -397,6 +404,14 @@ static bool elfutil_unpack_android_relocs(const struct elf_image *elf, struct an | |
| if (elf->rel_android_is_rela_ && group_flags_reloc == RELOCATION_GROUP_HAS_ADDEND_FLAG) | ||
| r_addend += sleb128_decode(&decoder); | ||
|
|
||
| if (out_index >= num_relocs) { | ||
| LOGE("out_index exceeded num_relocs"); | ||
|
|
||
| free(entries); | ||
|
|
||
| return false; | ||
| } | ||
|
Comment on lines
+407
to
+413
Member
There was a problem hiding this comment. Follow the project coding style. There should be empty new lines between the LOGE, free and return, moreover the "Android reloc: " shouldn't exist
Author
There was a problem hiding this comment. Understood, will fix the formatting. |
||
|
|
||
| if (elf->rel_android_is_rela_) { | ||
| ElfW(Rela) *rela = (ElfW(Rela) *)entries; | ||
| rela[out_index].r_offset = current_offset; | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://android.googlesource.com/platform/bionic/+/refs/heads/main/linker/linker_sleb128.h#40
The code comes from AOSP
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since our LOGF doesn't abort like AOSP's async_safe_fatal, the return 0 is necessary to prevent OOB reads. Do you think we should keep it for safety, or would you prefer a different way to handle this?