Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 6d7db37eb36deb7ba07c7443934ccc48d3ab5308^1..6d7db37eb36deb7ba07c7443934ccc48d3ab5308 / .
commit6d7db37eb36deb7ba07c7443934ccc48d3ab5308[log] [tgz]
authorElliott Hughes <enh@google.com>Wed Dec 04 14:59:12 2024 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Wed Dec 04 14:59:12 2024 +0000
treeee13ae8c2057b123a668bb300a265cdbee812aee
parentbe60d68b86535cea8b1f27f5cf4eb7fb5df379c2 [diff]
parent89c1fdf21944be3e0e090aaf7997af82b814f96a [diff]
Merge "Fix an overflow bug in __get_elf_note()." into main am: de3bfea9be am: 89c1fdf219

Original change: https://android-review.googlesource.com/c/platform/bionic/+/3387020

Change-Id: Ic01f9964d05d563732e1ed4fda82dcd2079f4b97
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/libc/bionic/elf_note.cpp b/libc/bionic/elf_note.cpp
index d5cd5de..9cc6b21 100644
--- a/libc/bionic/elf_note.cpp
+++ b/libc/bionic/elf_note.cpp

@@ -38,31 +38,34 @@
     return false;
   }
 
+  size_t note_name_len = strlen(note_name) + 1;
+
   ElfW(Addr) p = note_addr;
   ElfW(Addr) note_end = p + phdr_note->p_memsz;
-
   while (p + sizeof(ElfW(Nhdr)) <= note_end) {
+    // Parse the note and check it's structurally valid.
     const ElfW(Nhdr)* note = reinterpret_cast<const ElfW(Nhdr)*>(p);
     p += sizeof(ElfW(Nhdr));
     const char* name = reinterpret_cast<const char*>(p);
-    p += align_up(note->n_namesz, 4);
+    if (__builtin_add_overflow(p, align_up(note->n_namesz, 4), &p)) {
+      return false;
+    }
     const char* desc = reinterpret_cast<const char*>(p);
-    p += align_up(note->n_descsz, 4);
+    if (__builtin_add_overflow(p, align_up(note->n_descsz, 4), &p)) {
+      return false;
+    }
     if (p > note_end) {
-      break;
-    }
-    if (note->n_type != note_type) {
-      continue;
-    }
-    size_t note_name_len = strlen(note_name) + 1;
-    if (note->n_namesz != note_name_len || strncmp(note_name, name, note_name_len) != 0) {
-      break;
+      return false;
     }
 
-    *note_hdr = note;
-    *note_desc = desc;
-
-    return true;
+    // Is this the note we're looking for?
+    if (note->n_type == note_type &&
+        note->n_namesz == note_name_len &&
+        strncmp(note_name, name, note_name_len) == 0) {
+      *note_hdr = note;
+      *note_desc = desc;
+      return true;
+    }
   }
   return false;
 }