
[Bug] user input is not sanitized in QEMU_Elf_init and can lead to buffer overflow

In the file contrib/elf2dmp/main.c, the main function has the following code:

int main(int argc, char *argv[])
{
    QEMU_Elf qemu_elf;
    if (QEMU_Elf_init(&qemu_elf, argv[1])) {
        eprintf("Failed to initialize QEMU ELF dump\n");
        return 1;
    }
}

Inside the function QEMU_Elf_init, we have:

int QEMU_Elf_init(QEMU_Elf *qe, const char *filename)
{
    qe->gmf = g_mapped_file_new(filename, TRUE, &gerr);
    ...
    qe->map = g_mapped_file_get_contents(qe->gmf);
    qe->size = g_mapped_file_get_length(qe->gmf);

    if (init_states(qe)) {
        ...
    }
}

static int init_states(QEMU_Elf *qe)
{
    Elf64_Phdr *phdr = elf64_getphdr(qe->map);
    Elf64_Nhdr *start = (void *)((uint8_t *)qe->map + phdr[0].p_offset);
    ...
}

The code above maps the file contents into qe->map and then initializes the state of qe in init_states.

However, the validity of the file contents is never checked, so a file with manipulated contents can make the code trigger buffer overflows. For example, phdr may not point into valid memory at all, because the e_phoff value taken from the file can be arbitrarily large and is added to the mapping base without any bounds check:

Elf64_Phdr *elf64_getphdr(void *map)
{
    Elf64_Ehdr *ehdr = map;
    Elf64_Phdr *phdr = (void *)((uint8_t *)map + ehdr->e_phoff);

    return phdr;
}
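As an added illustration of the missing check (example code written for this report, not part of QEMU), the following hardened counterpart of elf64_getphdr validates e_phoff, e_phentsize, e_phnum and each segment's p_offset/p_filesz against the mapping size before any pointer is formed; the struct layouts, the `_checked` function name and the constructed 4 KiB sample image are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Layouts mirror System V Elf64_Ehdr/Elf64_Phdr; defined here only to avoid <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr_;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64_Phdr_;

/* Hardened elf64_getphdr: NULL if a header field would point outside [map, map+size). */
const Elf64_Phdr_ *elf64_getphdr_checked(const void *map, size_t size)
{
    const Elf64_Ehdr_ *ehdr = map;
    if (size < sizeof(*ehdr) || memcmp(ehdr->e_ident, "\x7f" "ELF", 4) != 0 ||
        ehdr->e_ident[4] != 2)              /* too short, not ELF, or not ELFCLASS64 */
        return NULL;
    if (ehdr->e_phentsize != sizeof(Elf64_Phdr_) || ehdr->e_phnum == 0)
        return NULL;
    /* Compare with the remaining bytes instead of adding to e_phoff, so a crafted
     * e_phoff near UINT64_MAX cannot wrap the arithmetic past the check. */
    if (ehdr->e_phoff > size ||
        (uint64_t)ehdr->e_phnum * sizeof(Elf64_Phdr_) > size - ehdr->e_phoff)
        return NULL;
    const Elf64_Phdr_ *phdr = (const void *)((const uint8_t *)map + ehdr->e_phoff);
    /* init_states reads at phdr[0].p_offset, so each segment's file range must fit too. */
    for (uint16_t i = 0; i < ehdr->e_phnum; i++)
        if (phdr[i].p_offset > size || phdr[i].p_filesz > size - phdr[i].p_offset)
            return NULL;
    return phdr;
}

/* Constructed 4 KiB image: ELF64 magic plus the given e_phoff/e_phnum, rest zero.
 * Returns 1 when the checked lookup accepts it, 0 when it rejects it. */
int sample_is_accepted(uint64_t phoff, uint16_t phnum)
{
    static _Alignas(8) uint8_t buf[4096];
    Elf64_Ehdr_ *ehdr = (Elf64_Ehdr_ *)buf;
    memset(buf, 0, sizeof buf);
    memcpy(ehdr->e_ident, "\x7f" "ELF", 4);
    ehdr->e_ident[4] = 2;
    ehdr->e_phoff = phoff;
    ehdr->e_phentsize = sizeof(Elf64_Phdr_);
    ehdr->e_phnum = phnum;
    return elf64_getphdr_checked(buf, sizeof buf) != NULL;
}
```

With this in place a dump whose e_phoff or p_offset lies beyond the mapped size is rejected in QEMU_Elf_init instead of being dereferenced in init_states.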