readelf does this:
GElf_Phdr *phdr = gelf_getphdr (ebl->elf, cnt, &mem);
…
if (phdr->p_type == PT_INTERP)
{
/* We can show the user the name of the interpreter. */
size_t maxsize;
char *filedata = elf_rawfile (ebl->elf, &maxsize);
if (filedata != NULL && phdr->p_offset < maxsize)
printf (gettext ("\t[Requesting program interpreter: %s]\n"),
filedata + phdr->p_offset);
}
The check against maxsize is insufficient, it's also required to check
that phdr->p_filesz <= maxsize - phdr->p_offset. Would it make sense to
do both checks inside gelf_getphdr?
And the printf call can leak data or crash if filedata + phdr->p_offset
is not NUL terminated (which obviously needs a crafted ELF file). This
can't be fixed in gelf_getphdr, alas.
--
Florian Weimer / Red Hat Product Security Team
