From patchwork Thu Oct 16 19:23:00 2025
X-Patchwork-Submitter: DJ Delorie
X-Patchwork-Id: 121990
From: DJ Delorie
To: Paul Eggert
Cc: collin.funk1@gmail.com, libc-alpha@sourceware.org
Subject: [v2] sprof: check pread size and offset for overflow
In-Reply-To: (message from Paul Eggert on Thu, 16 Oct 2025 09:21:03 -0700)
Date: Thu, 16 Oct 2025 15:23:00 -0400
List-Id: Libc-alpha mailing list

Add a bit of descriptive paranoia to the values we read from the ELF
headers and use to access data.

---- 8< ----

v2: rewrote check math

Paul Eggert writes:
> On 2025-10-15 19:22, DJ Delorie wrote:
>> I want to do more than just check the sum, I want to check that every
>> aspect of this math is "inside" the file.  Any bad data is an error.
>> ...
>> #define PCHECK(s,l) if ((s) < 0 || (s) > st.st_size \
>>                         || (l) < 0 || (l) > st.st_size \
>>                         || ((s)+(l)) < 0 || ((s)+(l)) > st.st_size) \
>
> The problem is that the last line does not do what you want.  If S+L
> overflows, behavior is undefined.  This is why Collin suggested using
> __builtin_add_overflow (or C23 ckd_add).

I rewrote the code to more closely check the underlying concerns, and
avoided the UB (I think).
diff --git a/elf/sprof.c b/elf/sprof.c index c82c7c9db6..638281ffca 100644 --- a/elf/sprof.c +++ b/elf/sprof.c @@ -410,6 +410,7 @@ load_shobj (const char *name) int fd; ElfW(Shdr) *shdr; size_t pagesize = getpagesize (); + struct stat st; /* Since we use dlopen() we must be prepared to work around the sometimes strange lookup rules for the shared objects. If we have a file foo.so @@ -550,14 +551,34 @@ load_shobj (const char *name) error (EXIT_FAILURE, errno, _("Reopening shared object `%s' failed"), map->l_name); + if (fstat (fd, &st) < 0) + error (EXIT_FAILURE, errno, _("stat(%s) failure"), map->l_name); + + /* We're depending on data that's being read from the file, so be a + bit paranoid here and make sure the requests are reasonable - + i.e. both size and offset are nonnegative and smaller than the + file size, as well as the offset of the end of the data. PREAD + would have failed anyway, but this is more robust and explains + what happened better. Note that SZ must be unsigned and OFF may + be signed or unsigned. */ +#define PCHECK(sz,off) if ((sz) > st.st_size \ + || (off_t)(off) < 0 || (off_t)(off) > st.st_size \ + ((sz)+(off_t)(off)) > st.st_size) \ + error (EXIT_FAILURE, ERANGE, \ + _("read outside of file extents %zu + %zd > %zu"), \ + (size_t)(sz), (off_t)(l), st.st_size) + /* Map the section header. */ size_t size = ehdr->e_shnum * sizeof (ElfW(Shdr)); shdr = (ElfW(Shdr) *) alloca (size); + PCHECK (size, ehdr->e_shoff); if (pread (fd, shdr, size, ehdr->e_shoff) != size) error (EXIT_FAILURE, errno, _("reading of section headers failed")); /* Get the section header string table. */ char *shstrtab = (char *) alloca (shdr[ehdr->e_shstrndx].sh_size); + PCHECK (shdr[ehdr->e_shstrndx].sh_size, + shdr[ehdr->e_shstrndx].sh_offset); if (pread (fd, shstrtab, shdr[ehdr->e_shstrndx].sh_size, shdr[ehdr->e_shstrndx].sh_offset) != shdr[ehdr->e_shstrndx].sh_size) 
@@ -585,6 +606,7 @@ load_shobj (const char *name) size_t size = debuglink_entry->sh_size; char *debuginfo_fname = (char *) alloca (size + 1); debuginfo_fname[size] = '\0'; + PCHECK (size, debuglink_entry->sh_offset); if (pread (fd, debuginfo_fname, size, debuglink_entry->sh_offset) != size) { @@ -638,8 +660,13 @@ load_shobj (const char *name) if (fd2 != -1) { ElfW(Ehdr) ehdr2; + struct stat st; + + if (fstat (fd2, &st) < 0) + error (EXIT_FAILURE, errno, _("stat(%s) failure"), workbuf); /* Read the ELF header. */ + PCHECK (sizeof (ehdr2), 0); if (pread (fd2, &ehdr2, sizeof (ehdr2), 0) != sizeof (ehdr2)) error (EXIT_FAILURE, errno, _("reading of ELF header failed")); @@ -647,12 +674,15 @@ load_shobj (const char *name) /* Map the section header. */ size_t size = ehdr2.e_shnum * sizeof (ElfW(Shdr)); ElfW(Shdr) *shdr2 = (ElfW(Shdr) *) alloca (size); + PCHECK (size, ehdr2.e_shoff); if (pread (fd2, shdr2, size, ehdr2.e_shoff) != size) error (EXIT_FAILURE, errno, _("reading of section headers failed")); /* Get the section header string table. */ shstrtab = (char *) alloca (shdr2[ehdr2.e_shstrndx].sh_size); + PCHECK (shdr2[ehdr2.e_shstrndx].sh_size, + shdr2[ehdr2.e_shstrndx].sh_offset); if (pread (fd2, shstrtab, shdr2[ehdr2.e_shstrndx].sh_size, shdr2[ehdr2.e_shstrndx].sh_offset) != shdr2[ehdr2.e_shstrndx].sh_size)
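Review bot: The PCHECK macro in the @@ -550,14 +551,34 @@ hunk does not compile as posted. The third line of the condition, `((sz)+(off_t)(off)) > st.st_size`, is missing the `||` that should join it to `(off_t)(off) > st.st_size` (as written it parses as a call through `st.st_size`), and the error arguments still use `(off_t)(l)` from the v1 parameter names while v2's parameters are `sz` and `off`; that should read `(off_t)(off)`. The format string also does not match the types: `%zd` and the final `%zu` are applied to `off_t` values (`off` and `st.st_size`), which are not `ssize_t`/`size_t`; cast both to `intmax_t` and print with `%jd`, otherwise the message is wrong on targets where `off_t` and `size_t` differ in width (32-bit with 64-bit `off_t`). The sum `(sz)+(off_t)(off)` avoids the overflow Paul raised only because the two preceding bounds already limit each operand to `st.st_size`; say so in the comment, or use `__builtin_add_overflow` as suggested in the thread so the intent is visible. Finally, both PCHECK calls in this hunk come after the `alloca` of the very size being validated (`alloca (size)` and `alloca (shdr[ehdr->e_shstrndx].sh_size)`); placing each PCHECK before its alloca bounds the stack allocation by the file size before the untrusted `sh_size` is used.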
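Review bot: In the @@ -585,6 +606,7 @@ hunk the new PCHECK sits after `alloca (size + 1)` and the `debuginfo_fname[size] = '\0'` store, so an untrusted `sh_size` drives a stack allocation and a write before it has been validated. Move `PCHECK (size, debuglink_entry->sh_offset);` above the alloca so `size` is bounded by the file size first; that ordering also rules out `size + 1` wrapping to zero when `size == SIZE_MAX`.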
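Review bot: The nested `struct stat st;` in the @@ -638,8 +660,13 @@ hunk shadows the `st` declared at the top of load_shobj, and PCHECK checks fd2 reads against the debuginfo file only because the macro names `st` lexically; that coupling is invisible at the call site and will warn under `-Wshadow`. Either give the inner variable its own name and pass the stat buffer (or its `st_size`) to PCHECK as an explicit parameter, or at least comment that the shadowing is deliberate so a later reader does not "fix" it and silently start checking fd2 reads against the original object's size.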
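Review bot: The @@ -647,12 +674,15 @@ hunk (and the matching shstrtab read in the @@ -550 hunk) indexes `shdr2[ehdr2.e_shstrndx]` with a value taken straight from the ELF header, but the array was sized as `ehdr2.e_shnum * sizeof (ElfW(Shdr))` and nothing checks `e_shstrndx < e_shnum`; an out-of-range index reads past the alloca buffer before PCHECK ever sees the `sh_size`/`sh_offset` it yields. Given the patch's stated goal of distrusting header values used for access, add an `e_shstrndx >= e_shnum` check that errors out like the range failures before these dereferences, and, as for the first file, place PCHECK before `alloca (shdr2[ehdr2.e_shstrndx].sh_size)` rather than after it.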
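As an added example (not code from the patch, the thread, or glibc), here is the range check the thread is debating, written the way Paul Eggert and Collin suggested with __builtin_add_overflow: the plain sum test the quoted v1 macro relied on, beside an overflow-safe version. Both take an ELF-style unsigned 64-bit offset and length (Elf64_Off and Elf64_Xword are unsigned) plus an fstat() st_size. The function names read_range_naive and read_range_ok, and the 4096-byte file size in main, are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Added example, not part of the sprof patch or of glibc.  */

/* The shape of check the quoted v1 macro used: test the sum directly.
   With unsigned operands the sum wraps modulo 2^64 (with signed off_t
   operands it is undefined behaviour and the compiler may delete the
   test), so a huge OFF can make OFF + SZ land "inside" the file.
   Kept only to show the failure; do not use.  */
bool
read_range_naive (uint64_t off, uint64_t sz, off_t file_size)
{
  return off + sz <= (uint64_t) file_size;
}

/* Overflow-safe check: the read [OFF, OFF + SZ) is inside the file iff
   OFF <= FILE_SIZE, SZ <= FILE_SIZE and OFF + SZ <= FILE_SIZE, with the
   sum computed by __builtin_add_overflow (C23: ckd_add) so that a
   wrapped sum is reported instead of compared.  The two per-operand
   bounds already keep the sum representable for any realistic file;
   the overflow test keeps the function correct without relying on that
   reasoning.  */
bool
read_range_ok (uint64_t off, uint64_t sz, off_t file_size)
{
  if (file_size < 0)
    return false;
  uint64_t fsize = (uint64_t) file_size;
  if (off > fsize || sz > fsize)
    return false;
  uint64_t end;
  if (__builtin_add_overflow (off, sz, &end))
    return false;
  return end <= fsize;
}

int
main (void)
{
  /* Constructed inputs: a 4096-byte file and one request whose offset
     makes the unsigned sum wrap to 4.  */
  const off_t fsize = 4096;
  const uint64_t bad_off = UINT64_MAX - 3;
  printf ("naive: off=%llu sz=8 -> %s\n", (unsigned long long) bad_off,
          read_range_naive (bad_off, 8, fsize) ? "inside (wrong)" : "outside");
  printf ("safe:  off=%llu sz=8 -> %s\n", (unsigned long long) bad_off,
          read_range_ok (bad_off, 8, fsize) ? "inside" : "outside (correct)");
  return 0;
}
```

Checking each operand against the file size first is what makes the sum safe; the overflow-aware addition is what lets a reader see that without re-deriving it, and it keeps the check honest if someone later widens the types or removes one of the per-operand bounds.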