Enforce a bounds check on HashTable accesses.

khuey · khuey · commit 57685c35512a · 2025-03-18T16:52:32.000-07:00
Without this bounds check a malformed ELF file could trigger an out-of-bounds read. Fixes #86
diff --git a/src/hash.rs b/src/hash.rs
@@ -1,15 +1,25 @@
+use core::mem;
+
 use symbol_table::Entry;
-use zero::Pod;
+use zero::{read, Pod};
 
 #[derive(Clone, Copy, Debug)]
 #[repr(C)]
-pub struct HashTable {
+struct HashTableInner {
     bucket_count: u32,
     chain_count: u32,
     first_bucket: u32,
 }
 
-unsafe impl Pod for HashTable {}
+const OFFSET_OF_FIRST_BUCKET: usize = mem::offset_of!(HashTableInner, first_bucket);
+
+#[derive(Clone, Copy, Debug)]
+pub struct HashTable<'a> {
+    inner: &'a HashTableInner,
+    bounds: usize, // In number of u32s
+}
+
+unsafe impl Pod for HashTableInner {}
 
 pub fn hash(input: &str) -> u32 {
     let mut result = 0;
@@ -24,26 +34,35 @@ pub fn hash(input: &str) -> u32 {
     result
 }
 
-impl HashTable {
+impl<'a> HashTable<'a> {
+    pub(crate) fn read(data: &'a [u8]) -> HashTable<'a> {
+        HashTable {
+            inner: read(&data[0..12]),
+            bounds: (data.len() - OFFSET_OF_FIRST_BUCKET) / mem::size_of::<u32>(),
+        }
+    }
+
     pub fn get_bucket(&self, index: u32) -> u32 {
-        assert!(index < self.bucket_count);
+        assert!(index < self.inner.bucket_count);
+        assert!((index as usize) < self.bounds);
         unsafe {
-            let ptr = (&self.first_bucket as *const u32).offset(index as isize);
+            let ptr = (&self.inner.first_bucket as *const u32).offset(index as isize);
             *ptr
         }
     }
 
     pub fn get_chain(&self, index: u32) -> u32 {
-        assert!(index < self.chain_count);
-        let index = self.bucket_count + index;
+        assert!(index < self.inner.chain_count);
+        let index = self.inner.bucket_count + index;
+        assert!((index as usize) < self.bounds);
         unsafe {
-            let ptr = (&self.first_bucket as *const u32).offset(index as isize);
+            let ptr = (&self.inner.first_bucket as *const u32).offset(index as isize);
             *ptr
         }
     }
 
-    pub fn lookup<'a, F>(&'a self, _name: &str, _f: F) -> &'a dyn Entry
-        where F: Fn(&'a dyn Entry) -> bool
+    pub fn lookup<F>(&'a self, _name: &str, _f: F) -> &'a dyn Entry
+        where F: Fn(&dyn Entry) -> bool
     {
         // TODO
         unimplemented!();
diff --git a/src/sections.rs b/src/sections.rs
@@ -165,7 +165,7 @@ impl<'a> SectionHeader<'a> {
             }
             ShType::Hash => {
                 let data = self.raw_data(elf_file);
-                SectionData::HashTable(read(&data[0..12]))
+                SectionData::HashTable(HashTable::read(data))
             }
         }))
     }
@@ -366,7 +366,7 @@ pub enum SectionData<'a> {
     Rel64(&'a [Rel<P64>]),
     Dynamic32(&'a [Dynamic<P32>]),
     Dynamic64(&'a [Dynamic<P64>]),
-    HashTable(&'a HashTable),
+    HashTable(HashTable<'a>),
 }
 
 #[derive(Debug)]

Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ impl<'a> SectionHeader<'a> {`
`165`	`165`	`}`
`166`	`166`	`ShType::Hash => {`
`167`	`167`	`let data = self.raw_data(elf_file);`
`168`		`- SectionData::HashTable(read(&data[0..12]))`
	`168`	`+ SectionData::HashTable(HashTable::read(data))`
`169`	`169`	`}`
`170`	`170`	`}))`
`171`	`171`	`}`
`@@ -366,7 +366,7 @@ pub enum SectionData<'a> {`
`366`	`366`	`Rel64(&'a [Rel<P64>]),`
`367`	`367`	`Dynamic32(&'a [Dynamic<P32>]),`
`368`	`368`	`Dynamic64(&'a [Dynamic<P64>]),`
`369`		`- HashTable(&'a HashTable),`
	`369`	`+ HashTable(HashTable<'a>),`
`370`	`370`	`}`
`371`	`371`
`372`	`372`	`#[derive(Debug)]`