debug/elf: validate phentsize and shentsize
authorIan Lance Taylor <iant@golang.org>
Mon, 10 Oct 2022 21:07:10 +0000 (14:07 -0700)
committerGopher Robot <gobot@golang.org>
Wed, 12 Oct 2022 23:06:08 +0000 (23:06 +0000)
No test case because the problem can only happen for invalid data. Let
the fuzzer find cases like this.

Fixes #56129

Change-Id: I6c81933781384c5e2c8ba0fd99cec50455b9664a
Reviewed-on: https://go-review.googlesource.com/c/go/+/441976
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>

src/debug/elf/file.go

index 83a3cbc0b808b7cb8bc687fd4bb8ed0fc915682d..d181d340ec05272dddac24e2bedc4a2c2f0ca5ac 100644 (file)
@@ -344,6 +344,19 @@ func NewFile(r io.ReaderAt) (*File, error) {
                return nil, &FormatError{0, "invalid ELF shstrndx", shstrndx}
        }
 
+       var wantPhentsize, wantShentsize int
+       switch f.Class {
+       case ELFCLASS32:
+               wantPhentsize = 8 * 4
+               wantShentsize = 10 * 4
+       case ELFCLASS64:
+               wantPhentsize = 2*4 + 6*8
+               wantShentsize = 4*4 + 6*8
+       }
+       if phnum > 0 && phentsize < wantPhentsize {
+               return nil, &FormatError{0, "invalid ELF phentsize", phentsize}
+       }
+
        // Read program headers
        f.Progs = make([]*Prog, phnum)
        for i := 0; i < phnum; i++ {
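Review bot: The expected sizes in the `switch f.Class` are bare arithmetic (`8 * 4`, `10 * 4`, `2*4 + 6*8`, `4*4 + 6*8`) with nothing tying them to the on-disk layouts they stand for. A comment above the switch such as `// Minimum entry sizes: the encoded sizes of Prog32/Section32 and Prog64/Section64.` would let a reader check them against the struct definitions. The switch also has no `default`, so for any other class both values stay 0 and neither `< want...` comparison can ever fire. That is safe only if f.Class is rejected earlier in NewFile, which is outside this hunk, so a one-line comment saying so (or a `default` returning a FormatError) would make the dependency explicit. The same applies to the shentsize check in the second hunk, which reuses wantShentsize.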
@@ -439,6 +452,10 @@ func NewFile(r io.ReaderAt) (*File, error) {
                }
        }
 
+       if shnum > 0 && shentsize < wantShentsize {
+               return nil, &FormatError{0, "invalid ELF shentsize", shentsize}
+       }
+
        // Read section headers
        f.Sections = make([]*Section, shnum)
        names := make([]uint32, shnum)
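Review bot: The new `shnum > 0 && shentsize < wantShentsize` guard validates only the entry size, while the two `make` calls right after it still allocate `shnum` elements before any section header has been read. If shnum can be larger than the 16-bit header field allows (how it is derived is outside this hunk), a small malformed file could force a large allocation. Consider capping the initial capacity and appending each section as its header is read successfully, or rejecting counts up front where the input size is known. The guard is also a lower bound only, so a comment such as `// shentsize may exceed the struct size; only too-small values are rejected.` would record that this is intentional. NewFile continues past the end of the hunk.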