Do not parse beyond the end of the ELF dynplt section ##bin

radareorg · May 3, 2024 · 86299f1 · 86299f1
1 parent 5225ba5
commit 86299f1
Show file tree

Hide file tree

Showing 3 changed files with 368 additions and 16 deletions.
diff --git a/libr/bin/format/elf/elf.c b/libr/bin/format/elf/elf.c
@@ -1,6 +1,7 @@
 /* radare - LGPL - Copyright 2008-2024 - nibble, pancake, alvaro_fe */
 
 // R2R db/formats/elf/versioninfo
+// R2R db/formats/elf/reloc
 #define R_LOG_ORIGIN "elf"
 #include <r_types.h>
 #include <r_util.h>
@@ -3202,22 +3203,25 @@ static size_t populate_relocs_record_from_dynamic(ELFOBJ *eo, size_t pos, size_t
 static size_t get_next_not_analysed_offset(ELFOBJ *eo, size_t section_vaddr, size_t offset) {
 	size_t gvaddr = section_vaddr + offset;
 
-	if (eo->dyn_info.dt_rela != R_BIN_ELF_ADDR_MAX && eo->dyn_info.dt_rela <= gvaddr
+	if (eo->dyn_info.dt_rela != R_BIN_ELF_ADDR_MAX \
+		&& gvaddr >= eo->dyn_info.dt_rela \
 		&& gvaddr < eo->dyn_info.dt_rela + eo->dyn_info.dt_relasz) {
 		return eo->dyn_info.dt_rela + eo->dyn_info.dt_relasz - section_vaddr;
 	}
 
-	if (eo->dyn_info.dt_rel != R_BIN_ELF_ADDR_MAX && eo->dyn_info.dt_rel <= gvaddr
+	if (eo->dyn_info.dt_rel != R_BIN_ELF_ADDR_MAX \
+		&& gvaddr >= eo->dyn_info.dt_rel \
 		&& gvaddr < eo->dyn_info.dt_rel + eo->dyn_info.dt_relsz) {
 		return eo->dyn_info.dt_rel + eo->dyn_info.dt_relsz - section_vaddr;
 	}
 
-	if (eo->dyn_info.dt_jmprel != R_BIN_ELF_ADDR_MAX && eo->dyn_info.dt_jmprel <= gvaddr
+	if (eo->dyn_info.dt_jmprel != R_BIN_ELF_ADDR_MAX \
+		&& gvaddr >= eo->dyn_info.dt_jmprel \
 		&& gvaddr < eo->dyn_info.dt_jmprel + eo->dyn_info.dt_pltrelsz) {
 		return eo->dyn_info.dt_jmprel + eo->dyn_info.dt_pltrelsz - section_vaddr;
 	}
 
-	return offset;
+	return offset; // UT64_MAX;
 }
 
 static size_t populate_relocs_record_from_section(ELFOBJ *eo, size_t pos, size_t num_relocs) {
@@ -3229,15 +3233,21 @@ static size_t populate_relocs_record_from_section(ELFOBJ *eo, size_t pos, size_t
 	RBinElfSection *section;
 	r_vector_foreach (&eo->g_sections, section) {
 		Elf_(Xword) rel_mode = get_section_mode (eo, i);
-		if (!is_reloc_section (rel_mode) || section->size > eo->size || section->offset > eo->size) {
+		if (!is_reloc_section (rel_mode)) {
+			i++;
+			continue;
+		}
+		if (section->size > eo->size || section->offset > eo->size) {
 			i++;
 			continue;
 		}
 
 		size_t size = get_size_rel_mode (rel_mode);
-		size_t j;
+		ut64 dim_relocs = section->size / size;
+		dim_relocs = R_MIN (dim_relocs, num_relocs) + 2;
+		ut64 j;
 		for (j = get_next_not_analysed_offset (eo, section->rva, 0);
-			j < section->size && pos < num_relocs;
+			j < section->size && pos <= dim_relocs;
 			j = get_next_not_analysed_offset (eo, section->rva, j + size)) {
 
 			RBinElfReloc *reloc = r_vector_end (&eo->g_relocs);

diff --git a/libr/bin/p/bin_elf.inc.c b/libr/bin/p/bin_elf.inc.c
@@ -592,9 +592,9 @@ static RBinReloc *reloc_convert(ELFOBJ* eo, RBinElfReloc *rel, ut64 got_addr) {
 		break;
 	case EM_RISCV:
 		switch (rel->type) {
-		case R_RISCV_NONE:      break;
+		case R_RISCV_NONE: break;
 		case R_RISCV_JUMP_SLOT: ADD(64, 0); break;
-		case R_RISCV_RELATIVE:  ADD(64, B); break;
+		case R_RISCV_RELATIVE: ADD(64, B); break;
 		default: ADD(64, got_addr); break; // reg relocations
 		}
 		break;
@@ -603,7 +603,7 @@ static RBinReloc *reloc_convert(ELFOBJ* eo, RBinElfReloc *rel, ut64 got_addr) {
 		case R_AARCH64_GLOB_DAT: SET (64); break;
 		case R_AARCH64_JUMP_SLOT: SET (64); break;
 		case R_AARCH64_RELATIVE: ADD (64, B); break;
-		  // data references
+		// data references
 		case R_AARCH64_PREL16: ADD (16, B); break;
 		case R_AARCH64_PREL32: ADD (32, B); break;
 		case R_AARCH64_PREL64: ADD (64, B); break;
@@ -976,9 +976,7 @@ static void _patch_reloc(ELFOBJ *bo, ut16 e_machine, RIOBind *iob, RBinElfReloc
 
 static RList* patch_relocs(RBinFile *bf) {
 	r_return_val_if_fail (bf && bf->rbin, NULL);
-	RList *ret = NULL;
 	RBinReloc *ptr = NULL;
-	HtUU *relocs_by_sym;
 	RBin *b = bf->rbin;
 	RIO *io = b->iob.io;
 	if (!io || !io->desc) {
@@ -1035,10 +1033,12 @@ static RList* patch_relocs(RBinFile *bf) {
 	if (!relocs) {
 		return NULL;
 	}
-	if (!(ret = r_list_newf ((RListFree)free))) {
+	RList *ret = r_list_newf ((RListFree)free);
+	if (!ret) {
 		return NULL;
 	}
-	if (!(relocs_by_sym = ht_uu_new0 ())) {
+	HtUU *relocs_by_sym = ht_uu_new0 ();
+	if (!relocs_by_sym) {
 		r_list_free (ret);
 		return NULL;
 	}
@@ -1060,10 +1060,11 @@ static RList* patch_relocs(RBinFile *bf) {
 				plt_entry_addr = sym_addr;
 			}
 		}
-		//ut64 raddr = sym_addr? sym_addr: vaddr;
+		// ut64 raddr = sym_addr? sym_addr: vaddr;
 		ut64 raddr = (sym_addr && sym_addr != UT64_MAX)? sym_addr: vaddr;
 		_patch_reloc (eo, eo->ehdr.e_machine, &b->iob, reloc, raddr, 0, plt_entry_addr);
-		if (!(ptr = reloc_convert (eo, reloc, n_vaddr))) {
+		ptr = reloc_convert (eo, reloc, n_vaddr);
+		if (!ptr) {
 			continue;
 		}