1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 05:17:35 +00:00

Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071)

If a buffer smaller than Elf32_Ehdr was passed to Image, header()
would do an out-of-bounds read.

Make parse() check for that. Make most Image methods assert that the image
is_valid(). For that to work, set m_valid early in Image::parse()
instead of only at its end.

Also reorder a few things so that the fuzzer doesn't hit (valid)
assertions, which were harmless from a security PoV but which still
allowed userspace to crash the kernel with an invalid ELF file.

Make dbgprintf()s configurable at run time so that the fuzzer doesn't
produce lots of logspam.
This commit is contained in:
Nico Weber 2020-08-10 09:55:17 -04:00 committed by GitHub
parent eaf7e68408
commit 00f658b984
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 123 additions and 39 deletions

View file

@ -37,7 +37,7 @@ namespace ELF {
class Image {
public:
explicit Image(const u8*, size_t);
explicit Image(const u8*, size_t, bool verbose_logging = true);
~Image();
void dump() const;
bool is_valid() const { return m_valid; }
@ -206,7 +206,6 @@ public:
VirtualAddress entry() const { return VirtualAddress(header().e_entry); }
private:
bool parse_header();
const char* raw_data(unsigned offset) const;
const Elf32_Ehdr& header() const;
const Elf32_Shdr& section_header(unsigned) const;
@ -218,6 +217,7 @@ private:
const u8* m_buffer { nullptr };
size_t m_size { 0 };
bool m_verbose_logging { true };
HashMap<String, unsigned> m_sections;
bool m_valid { false };
unsigned m_symbol_table_section_index { 0 };