- use IS_ELF() to check the ELF magic bytes

- reject non-sensical program header values which would result in a crash
  when accessing the 0 bytes sized buffer allocated due to it

ok deraadt@ kettenis@

diff --git a/libexec/ld.so/ldd/ldd.c b/libexec/ld.so/ldd/ldd.c
index a7a874e..860f463 100644 (file)
--- a/libexec/ld.so/ldd/ldd.c
+++ b/libexec/ld.so/ldd/ldd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ldd.c,v 1.22 2017/10/27 16:47:08 mpi Exp $    */
+/*     $OpenBSD: ldd.c,v 1.23 2023/07/13 19:04:50 jasper Exp $ */
 /*
  * Copyright (c) 2001 Artur Grabowski <art@openbsd.org>
  * All rights reserved.
@@ -117,19 +117,25 @@ doit(char *name)
                close(fd);
                return 1;
        }
+
        if (read(fd, &ehdr, sizeof(ehdr)) < 0) {
                warn("read(%s)", name);
                close(fd);
                return 1;
        }
 
-       if (memcmp(ehdr.e_ident, ELFMAG, SELFMAG) ||
-           ehdr.e_machine != ELF_TARG_MACH) {
+       if (!IS_ELF(ehdr) || ehdr.e_machine != ELF_TARG_MACH) {
                warnx("%s: not an ELF executable", name);
                close(fd);
                return 1;
        }
 
+       if (ehdr.e_phnum == 0 || ehdr.e_phentsize == 0) {
+               warnx("%s: missing program header", name);
+               close(fd);
+               return 1;
+       }
+
        if ((phdr = reallocarray(NULL, ehdr.e_phnum, sizeof(Elf_Phdr))) == NULL)
                err(1, "reallocarray");
        size = ehdr.e_phnum * sizeof(Elf_Phdr);