ReadPadSegmentNote: Skip PT_NOTEs that are beyond the end of the file Some obfuscated ELFs have PT_NOTE headers that are past the end of the file. Skip parsing these for crt_pad_segment note, as accesses beyond the file will cause a SIGBUS. Bug: 331717625 Test: Manual - Launch Guns up app Change-Id: I39365064e6c1538b0be1114479557d94a72ee369 Signed-off-by: Kalesh Singh <kaleshsingh@google.com>

commit: 751bb8ae9dfbbd6aabd8ee533536ba8e8ef52431 [log] [tgz]
author: Kalesh Singh <kaleshsingh@google.com> Fri Mar 29 17:55:37 2024 -0700
committer: Kalesh Singh <kaleshsingh@google.com> Tue Apr 02 00:53:20 2024 +0000
tree: 0e5dbfcb658cc9c42294e80acb0610da4966bf22
parent: 8ba5f4890751863c94c2178be9468f1cd7871a19 [diff] [blame]
diff --git a/linker/linker_phdr.cpp b/linker/linker_phdr.cpp
index 074012d..49c3b57 100644
--- a/linker/linker_phdr.cpp
+++ b/linker/linker_phdr.cpp

@@ -724,6 +724,16 @@
       continue;
     }
 
+    // If the PT_NOTE extends beyond the file. The ELF is doing something
+    // strange -- obfuscation, embedding hidden loaders, ...
+    //
+    // It doesn't contain the pad_segment note. Skip it to avoid SIGBUS
+    // by accesses beyond the file.
+    off64_t note_end_off = file_offset_ + phdr->p_offset + phdr->p_filesz;
+    if (note_end_off > file_size_) {
+      continue;
+    }
+
     // note_fragment is scoped to within the loop so that there is
     // at most 1 PT_NOTE mapped at anytime during this search.
     MappedFileFragment note_fragment;
commit	751bb8ae9dfbbd6aabd8ee533536ba8e8ef52431	[log] [tgz]
author	Kalesh Singh <kaleshsingh@google.com>	Fri Mar 29 17:55:37 2024 -0700
committer	Kalesh Singh <kaleshsingh@google.com>	Tue Apr 02 00:53:20 2024 +0000
tree	0e5dbfcb658cc9c42294e80acb0610da4966bf22
parent	8ba5f4890751863c94c2178be9468f1cd7871a19 [diff] [blame]