Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071)

If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2025-07-25 22:27:35 +00:00 · 2020-08-10 09:55:17 -04:00 · 2020-08-10 09:55:17 -04:00 · 00f658b984
commit 00f658b984
parent eaf7e68408
8 changed files with 123 additions and 39 deletions
--- a/Libraries/LibELF/Image.h
+++ b/Libraries/LibELF/Image.h
@ -37,7 +37,7 @@ namespace ELF {

 class Image {
 public:
-    explicit Image(const u8*, size_t);
+    explicit Image(const u8*, size_t, bool verbose_logging = true);
    ~Image();
    void dump() const;
    bool is_valid() const { return m_valid; }
@ -206,7 +206,6 @@ public:
    VirtualAddress entry() const { return VirtualAddress(header().e_entry); }

 private:
-    bool parse_header();
    const char* raw_data(unsigned offset) const;
    const Elf32_Ehdr& header() const;
    const Elf32_Shdr& section_header(unsigned) const;
@ -218,6 +217,7 @@ private:

    const u8* m_buffer { nullptr };
    size_t m_size { 0 };
+    bool m_verbose_logging { true };
    HashMap<String, unsigned> m_sections;
    bool m_valid { false };
    unsigned m_symbol_table_section_index { 0 };