From: Jérémie Galarneau
Date: Tue, 8 Oct 2019 21:34:51 +0000 (-0400)
Subject: Fix: sessiond: unbounded elf section data size allocation
X-Git-Tag: v2.11.0~11
X-Git-Url: http://git.liburcu.org/?a=commitdiff_plain;h=a1243fdc865a6d3320d8a74a9e92efa459e68ca4;hp=a1243fdc865a6d3320d8a74a9e92efa459e68ca4;p=lttng-tools.git

Fix: sessiond: unbounded elf section data size allocation

The size of ELF sections is read from a user-provided file descriptor
to an ELF file which could be malformed.

In theory it would not really be a problem as the run-as process is
automatically restarted after a crash (e.g. SIGBUS).

The allocations are now bounded to the smallest of 512MB or the file's
size. The limit is kept high to accommodate very large binaries and not
impose an artificial limitation.

In time, this should be replaced by an mmap() of the section's data
rather than copying to a private set of pages.

1405558 Untrusted value as argument
The argument could be controlled by an attacker, who could invoke the
function with arbitrary values (for example, a very high or negative
buffer size).

In lttng_elf_get_sdt_probe_offsets: An unscrutinized value from an
untrusted source used as argument to a function (for example, a buffer
size) (CWE-20)

Reported-by: Coverity Scan
Signed-off-by: Jérémie Galarneau
---
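The bound described in the commit message, as an added example that is not the lttng-tools code: a section size taken from an untrusted file is checked against the smaller of 512MB and the file's size before any allocation. The names `read_section_bounded`, `MAX_SECTION_DATA_SIZE` and `demo_accepts` are hypothetical, and the offset check goes one step beyond what the message states.

```c
#define _POSIX_C_SOURCE 200809L /* pread(), mkstemp() */
#include <stdint.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 512MB cap from the commit message; the macro name is hypothetical. */
#define MAX_SECTION_DATA_SIZE (512ULL * 1024 * 1024)

/* offset/size stand for sh_offset/sh_size as read from the untrusted file. */
static char *read_section_bounded(int fd, uint64_t offset, uint64_t size)
{
	struct stat st;
	uint64_t file_size, limit, done = 0;

	if (fstat(fd, &st) < 0 || st.st_size < 0)
		return NULL;
	file_size = (uint64_t) st.st_size;
	limit = file_size < MAX_SECTION_DATA_SIZE ? file_size : MAX_SECTION_DATA_SIZE;
	/* Reject before allocating. size <= file_size here, so no wrap-around. */
	if (size == 0 || size > limit || offset > file_size - size)
		return NULL;
	char *data = malloc((size_t) size);
	while (data && done < size) {
		ssize_t n = pread(fd, data + done, (size_t) (size - done), (off_t) (offset + done));
		if (n <= 0) {	/* read error, or the file shrank after fstat() */
			free(data);
			return NULL;
		}
		done += (uint64_t) n;
	}
	return data;
}

/* Constructed sample: a 64-byte temporary file stands in for the ELF file. */
static int demo_accepts(uint64_t offset, uint64_t size)
{
	char path[] = "/tmp/elfdemoXXXXXX", buf[64] = { 0 };
	int fd = mkstemp(path), ok = -1;
	if (fd < 0)
		return -1;
	unlink(path);
	if (write(fd, buf, sizeof(buf)) == (ssize_t) sizeof(buf)) {
		char *data = read_section_bounded(fd, offset, size);
		ok = data != NULL;
		free(data);
	}
	close(fd);
	return ok;
}
int main(void) { return (demo_accepts(0, 64) == 1 && demo_accepts(0, UINT64_MAX) == 0) ? 0 : 1; }
```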