Prevent memory access to data out the notes' section

2025-01-29 21:32:44 +00:00 · 2022-06-19 17:37:22 +03:00 · 2022-06-19 17:37:22 +03:00 · cf954a8d42
commit cf954a8d42
parent cb61d172bb
4 changed files with 46 additions and 7 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -102,7 +102,7 @@
            "request": "launch",
            "program": "${workspaceFolder}/tests/elfio_fuzzer",
            "args": [
-                "slow-unit-82cabac818b690bc042110f7b073e63462c7553d"
+                "crash-98819328ee414bbba1ee50073d66c0727d60a7af"
            ],
            "cwd": "${workspaceFolder}/tests",
        }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -64,7 +64,7 @@
            "args": [
                "-g",
                "-O0",
-                "-fsanitize=fuzzer",
+                "-fsanitize=fuzzer,address",
                "-I..",
                "elfio_fuzzer.cpp",
                "-o",
@ -80,6 +80,25 @@
            "problemMatcher": [
                "$gcc"
            ]
+        },
+        {
+            "type": "shell",
+            "label": "Fuzzer Tests",
+            "command": "./elfio_fuzzer",
+            "args": [
+                "-jobs=8",
+                "corpus"
+            ],
+            "options": {
+                "cwd": "${workspaceRoot}/tests"
+            },
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "problemMatcher": [
+                "$gcc"
+            ]
        }
    ],
    "version": "2.0.0"
--- a/elfio/elfio_note.hpp
+++ b/elfio/elfio_note.hpp
@ -145,14 +145,18 @@ class note_section_accessor_template

        Elf_Word align = sizeof( Elf_Word );
        while ( current + (Elf_Xword)3 * align <= size ) {
-            note_start_positions.emplace_back( current );
            Elf_Word namesz = convertor( *(const Elf_Word*)( data + current ) );
            Elf_Word descsz = convertor(
                *(const Elf_Word*)( data + current + sizeof( namesz ) ) );
+            Elf_Word advance =
+                (Elf_Xword)3 * sizeof( Elf_Word ) +
+                ( ( namesz + align - 1 ) / align ) * (Elf_Xword)align +
+                ( ( descsz + align - 1 ) / align ) * (Elf_Xword)align;
+            if ( current + advance <= size ) {
+                note_start_positions.emplace_back( current );
+            }

-            current += (Elf_Xword)3 * sizeof( Elf_Word ) +
-                       ( ( namesz + align - 1 ) / align ) * (Elf_Xword)align +
-                       ( ( descsz + align - 1 ) / align ) * (Elf_Xword)align;
+            current += advance;
        }
    }

--- a/tests/elfio_fuzzer.cpp
+++ b/tests/elfio_fuzzer.cpp
@ -2,15 +2,31 @@
 #include <sstream>

 #include <elfio/elfio.hpp>
+#include <elfio/elfio_dump.hpp>
+
 using namespace ELFIO;

 extern "C" int LLVMFuzzerTestOneInput( const uint8_t* Data, size_t Size )
 {
    std::string        str( (const char*)Data, Size );
    std::istringstream ss( str );
+    std::ostringstream oss;

    elfio elf;
-    elf.load( ss );
+
+    if ( !elf.load( ss ) ) {
+        return 0;
+    }
+
+    dump::header( oss, elf );
+    dump::section_headers( oss, elf );
+    dump::segment_headers( oss, elf );
+    dump::symbol_tables( oss, elf );
+    dump::notes( oss, elf );
+    dump::modinfo( oss, elf );
+    dump::dynamic_tags( oss, elf );
+    dump::section_datas( oss, elf );
+    dump::segment_datas( oss, elf );

    return 0;
 }