[Bug] user input is not sanitized in QEMU_Elf_init and can lead to buffer overflow
In the file contrib/elf2dmp/main.c, the main function has the following code:
    int main(int argc, char *argv[])
    {
        QEMU_Elf qemu_elf;

        /* argv[1] is the user-supplied dump file, passed straight to QEMU_Elf_init() */
        if (QEMU_Elf_init(&qemu_elf, argv[1])) {
            eprintf("Failed to initialize QEMU ELF dump\n");
            return 1;
        }
    }
Inside the function QEMU_Elf_init, we have:
    int QEMU_Elf_init(QEMU_Elf *qe, const char *filename)
    {
        qe->gmf = g_mapped_file_new(filename, TRUE, &gerr);
        ...
        qe->map = g_mapped_file_get_contents(qe->gmf);
        qe->size = g_mapped_file_get_length(qe->gmf);

        if (init_states(qe)) {
            ...
        }
    }

    static int init_states(QEMU_Elf *qe)
    {
        /* phdr and start are computed from offsets read out of the file itself */
        Elf64_Phdr *phdr = elf64_getphdr(qe->map);
        Elf64_Nhdr *start = (void *)((uint8_t *)qe->map + phdr[0].p_offset);
        ...
    }
The above code maps the file contents into qe->map and tries to initialize the states of qe in init_states.

However, the validity of the file contents is never checked. By simply manipulating the file contents, the code can trigger buffer overflows. For example, phdr may not point to valid memory, as one can craft a large e_phoff value in the file:
    Elf64_Phdr *elf64_getphdr(void *map)
    {
        Elf64_Ehdr *ehdr = map;
        /* e_phoff comes from the file and is added to map without any bounds check */
        Elf64_Phdr *phdr = (void *)((uint8_t *)map + ehdr->e_phoff);

        return phdr;
    }
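For comparison, the following is an added example of the bounds checking that elf64_getphdr and init_states are missing. It is not code from the QEMU tree; the function names elf64_getphdr_checked, elf64_segment_in_bounds, build_image and check_image are assumptions, and the ELF images it validates are constructed in memory rather than read from a file. Every offset taken from the header (e_phoff, e_phnum * e_phentsize, and the first segment's p_offset/p_filesz) is compared against the mapped size before it is used, and the arithmetic is arranged so that a huge e_phoff cannot wrap the comparison.

```c
#include <elf.h>
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked replacement for the unchecked elf64_getphdr() pattern.
 * Every field read from the file is validated against the mapped size
 * before it is used as an offset, so a crafted e_phoff / e_phnum cannot
 * make the returned pointer leave the mapping. Returns NULL on rejection.
 */
static const Elf64_Phdr *elf64_getphdr_checked(const void *map, size_t size)
{
    const Elf64_Ehdr *ehdr = map;
    uint64_t table_bytes;

    if (size < sizeof(*ehdr)) {
        return NULL;                       /* header itself does not fit */
    }
    if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0 ||
        ehdr->e_ident[EI_CLASS] != ELFCLASS64) {
        return NULL;                       /* not an ELF64 image */
    }
    if (ehdr->e_phentsize != sizeof(Elf64_Phdr) || ehdr->e_phnum == 0) {
        return NULL;                       /* entry size or count unusable */
    }
    if (ehdr->e_phoff > size) {
        return NULL;                       /* table starts past end of file */
    }
    /* Multiply in 64 bits and compare against the remaining bytes
     * (size - e_phoff) so that e_phoff + table_bytes can never wrap. */
    table_bytes = (uint64_t)ehdr->e_phnum * sizeof(Elf64_Phdr);
    if (table_bytes > size - ehdr->e_phoff) {
        return NULL;                       /* table runs past end of file */
    }
    return (const Elf64_Phdr *)((const uint8_t *)map + ehdr->e_phoff);
}

/* A segment's [p_offset, p_offset + p_filesz) range must lie inside the file
 * before anything (e.g. the Elf64_Nhdr in init_states()) is read from it. */
static int elf64_segment_in_bounds(const Elf64_Phdr *ph, size_t size)
{
    if (ph->p_offset > size) {
        return 0;
    }
    return ph->p_filesz <= size - ph->p_offset;
}

/* Constructed test image (not a real dump): an ELF64 core header followed by
 * one PT_NOTE program header. e_phoff and e_phnum are caller-controlled so
 * crafted headers can be produced without touching a file. */
#define IMAGE_SIZE 256
static alignas(8) uint8_t image[IMAGE_SIZE];

static void build_image(uint64_t e_phoff, uint16_t e_phnum)
{
    Elf64_Ehdr *ehdr = (Elf64_Ehdr *)image;

    memset(image, 0, sizeof(image));
    memcpy(ehdr->e_ident, ELFMAG, SELFMAG);
    ehdr->e_ident[EI_CLASS] = ELFCLASS64;
    ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
    ehdr->e_type = ET_CORE;
    ehdr->e_machine = EM_X86_64;
    ehdr->e_phoff = e_phoff;
    ehdr->e_phentsize = sizeof(Elf64_Phdr);
    ehdr->e_phnum = e_phnum;

    /* Only write the program header when it actually fits in the buffer. */
    if (e_phoff <= sizeof(image) - sizeof(Elf64_Phdr)) {
        Elf64_Phdr *ph = (Elf64_Phdr *)(image + e_phoff);
        ph->p_type = PT_NOTE;
        ph->p_offset = e_phoff + sizeof(Elf64_Phdr);   /* note data follows */
        ph->p_filesz = 16;
    }
}

/* Returns 1 if the image built from (e_phoff, e_phnum) passes both checks,
 * 0 if it is rejected before any out-of-bounds access could happen. */
int check_image(uint64_t e_phoff, uint16_t e_phnum)
{
    const Elf64_Phdr *phdr;

    build_image(e_phoff, e_phnum);
    phdr = elf64_getphdr_checked(image, sizeof(image));
    if (phdr == NULL) {
        return 0;
    }
    return elf64_segment_in_bounds(&phdr[0], sizeof(image));
}

int main(void)
{
    printf("valid image:            %d\n", check_image(sizeof(Elf64_Ehdr), 1));
    printf("huge e_phoff:           %d\n", check_image(0xffffffffffff0000ULL, 1));
    printf("e_phnum overflows file: %d\n", check_image(sizeof(Elf64_Ehdr), 1000));
    printf("note past end of file:  %d\n", check_image(200, 1));
    return 0;
}
```

The second and third cases are the ones the report describes: an e_phoff far beyond the mapping, and a program-header count whose table would run past the end of the file. The fourth case shows that validating e_phoff alone is not enough, because init_states also dereferences phdr[0].p_offset, so each segment range has to be checked against qe->size as well.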