>>> On 09.04.16 at 00:10, <andrew.coop...@citrix.com> wrote:
> On 08/04/16 22:26, Konrad Rzeszutek Wilk wrote:
>> On Fri, Apr 08, 2016 at 03:53:44PM +0100, Andrew Cooper wrote:
>>> On 07/04/16 04:49, Konrad Rzeszutek Wilk wrote:
>>>> + nsym = symtab_sec->sec->sh_size / symtab_sec->sec->sh_entsize;
>>> Has anything checked sh_entsize for being 0 or -1 ?
>> Let me double-check.
>
> Git grep says elf_resolve_sections() has
>
>     if ( !elf->symtab->sec->sh_size ||
>          elf->symtab->sec->sh_entsize < sizeof(Elf_Sym) )
>     {
>         dprintk(XENLOG_DEBUG, XSPLICE "%s: Symbol table header is corrupted!\n",
>                 elf->name);
>         return -EINVAL;
>     }
>
> I would check for !=, rather than <
>
> Nothing good can come of having sh_entsize being bigger than what we
> expect an Elf_Sym to be.
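Review bot: the division on the quoted `+ nsym = symtab_sec->sec->sh_size / symtab_sec->sec->sh_entsize;` line is only safe if the sh_size/sh_entsize check quoted above from elf_resolve_sections() has already run on this same section before this point; if it has not, sh_entsize == 0 traps here. The truncating division also silently accepts a table whose sh_size is not a whole number of entries, so consider rejecting `sh_size % sh_entsize != 0` alongside the existing check.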
The whole purpose of recording the section table entry size is such that
the structure could eventually get extended without breaking existing
consumers. Hence != is not what the standard suggests to be used.

> Also be aware that Elf_Sym.sh_entsize and Ehdr.e_shentsize appear to be
> multiple locations containing the same information. I would also cross
> check them.

You mean Elf_Section.sh_entsize, which has a completely different purpose
(see e.g. relocation sections).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
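As an added example (not xSplice or Xen code, written here to illustrate the thread), the following C validates a SHT_SYMTAB section header the way the discussion argues it should be done: sh_size non-zero, sh_entsize at least sizeof(Elf_Sym) rather than exactly equal to it, sh_size a whole number of entries, and the section inside the file, all before the division that computes nsym. Because the check is "at least", the walker strides by sh_entsize instead of sizeof(Elf_Sym), which is what makes accepting a larger entry size safe. The ELF64 layouts are mirrored locally to avoid depending on <elf.h>, and the symbol table bytes are constructed inline with a hypothetical 32-byte entry size (24 bytes of Elf64_Sym plus 8 bytes of imagined extension); the function names are this example's own.

```c
/* Added example, not Xen's code: symtab header validation and striding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Minimal mirrors of the ELF64 section header and symbol entry layouts. */
typedef struct {
    uint32_t sh_name;   uint32_t sh_type;  uint64_t sh_flags;
    uint64_t sh_addr;   uint64_t sh_offset; uint64_t sh_size;
    uint32_t sh_link;   uint32_t sh_info;  uint64_t sh_addralign;
    uint64_t sh_entsize;
} Elf64_Shdr_;

typedef struct {
    uint32_t st_name; uint8_t st_info; uint8_t st_other; uint16_t st_shndx;
    uint64_t st_value; uint64_t st_size;
} Elf64_Sym_;                                   /* 24 bytes */

#define SHT_SYMTAB_ 2

/* Returns the symbol count, or a negative errno for a corrupt header.
 * Every check runs before the division, so sh_entsize == 0 (or (uint64_t)-1)
 * is rejected rather than trapping or yielding a nonsense count. */
long symtab_validate(const Elf64_Shdr_ *sh, size_t file_size)
{
    if (sh->sh_type != SHT_SYMTAB_)
        return -EINVAL;
    if (!sh->sh_size || sh->sh_entsize < sizeof(Elf64_Sym_))
        return -EINVAL;                         /* "<", not "!=" (see thread) */
    if (sh->sh_size % sh->sh_entsize)
        return -EINVAL;                         /* not a whole number of entries */
    if (sh->sh_offset > file_size || sh->sh_size > file_size - sh->sh_offset)
        return -EINVAL;                         /* section runs past the file */
    return (long)(sh->sh_size / sh->sh_entsize);
}

/* Copies symbol `idx` out of the section. The stride is sh_entsize, not
 * sizeof(Elf64_Sym_), which is what makes a larger entry size harmless. */
int symtab_get(const uint8_t *file, const Elf64_Shdr_ *sh, long nsym, long idx,
               Elf64_Sym_ *out)
{
    if (idx < 0 || idx >= nsym)
        return -ERANGE;
    memcpy(out, file + sh->sh_offset + (uint64_t)idx * sh->sh_entsize,
           sizeof(*out));
    return 0;
}

/* Constructed sample: 3 entries of 32 bytes each at file offset 64. */
#define SAMPLE_ENTSIZE 32u
#define SAMPLE_NSYM    3u
#define SAMPLE_OFF     64u
#define SAMPLE_SIZE    (SAMPLE_OFF + SAMPLE_NSYM * SAMPLE_ENTSIZE)

size_t build_sample(uint8_t *buf, Elf64_Shdr_ *sh)
{
    memset(buf, 0, SAMPLE_SIZE);
    for (unsigned i = 0; i < SAMPLE_NSYM; i++) {
        Elf64_Sym_ s = { .st_name = i, .st_value = 0x1000u * (i + 1), .st_size = 16 };
        memcpy(buf + SAMPLE_OFF + i * SAMPLE_ENTSIZE, &s, sizeof(s));
    }
    memset(sh, 0, sizeof(*sh));
    sh->sh_type = SHT_SYMTAB_;
    sh->sh_offset = SAMPLE_OFF;
    sh->sh_size = SAMPLE_NSYM * SAMPLE_ENTSIZE;
    sh->sh_entsize = SAMPLE_ENTSIZE;
    return SAMPLE_SIZE;
}

/* st_value of sample symbol `idx`, or 0 if validation or lookup fails. */
uint64_t sample_symbol_value(long idx)
{
    uint8_t buf[SAMPLE_SIZE];
    Elf64_Shdr_ sh;
    Elf64_Sym_ sym;
    size_t fsz = build_sample(buf, &sh);
    long nsym = symtab_validate(&sh, fsz);
    if (nsym < 0 || symtab_get(buf, &sh, nsym, idx, &sym))
        return 0;
    return sym.st_value;
}

/* Validates the sample header after overriding sh_entsize and sh_size. */
long validate_with(uint64_t entsize, uint64_t size)
{
    uint8_t buf[SAMPLE_SIZE];
    Elf64_Shdr_ sh;
    size_t fsz = build_sample(buf, &sh);
    sh.sh_entsize = entsize;
    sh.sh_size = size;
    return symtab_validate(&sh, fsz);
}

int main(void)
{
    printf("nsym=%ld sym[1].st_value=%#llx\n", validate_with(32, 96),
           (unsigned long long)sample_symbol_value(1));
    printf("entsize 0 -> %ld, entsize 16 -> %ld, size 100 -> %ld\n",
           validate_with(0, 96), validate_with(16, 96), validate_with(32, 100));
    return 0;
}
```

Note that e_shentsize in the ELF header is the stride of the section header table itself, so it is the field to validate before walking the section headers, whereas each section's sh_entsize describes that section's own fixed-size entries (symbols, relocations); the two are not duplicates of one another.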