{"id":"RUSTSEC-2022-0079","summary":"ELF header parsing library doesn't check for valid offset","details":"The crate has several unsafe sections that don't perform proper pointer validation.\n\nAn example can be found in the following function:\n\n```\nfn section_header_raw(&self) -\u003e &[ET::SectionHeader] {\n    let sh_off = self.elf_header().section_header_offset() as usize;\n    let sh_num = self.elf_header().section_header_entry_num() as usize;\n    unsafe {\n        let sh_ptr = self.content().as_ptr().add(sh_off);\n        from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)\n    }\n}\n```\n\nWhile this will work perfectly fine *if* the ELF header is valid, malicious or\nmalformed input can contain a section header offset of an arbitrary size, meaning\nthat the resultant pointer in the unsafe block can point to an artibrary address\nin the address space of the process.\n\nThis can result in unpredictable behaviour, and in our fuzz testing, we discovered\nthat it's trivial to cause SIGABRT (signal 6), or SEGV (signal 11).\n\nThe function should either be marked as unsafe, with a note that the caller is responsible\nfor providing only valid inputs, or it should ideally do the due diligence to ensure that the\noffset doesn't exceed the bounds of the header (and add additional checks as necessary).","aliases":["GHSA-g6pw-999w-j75m"],"modified":"2023-11-08T04:19:21.655074Z","published":"2022-10-31T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/elf_rs"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0079.html"},{"type":"REPORT","url":"https://github.com/vincenthouyi/elf_rs/issues/11"}],"affected":[{"package":{"name":"elf_rs","ecosystem":"crates.io","purl":"pkg:cargo/elf_rs"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.3.0"}]}],"ecosystem_specific":{"affects":{"os":[],"arch":[],"functions":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0079.json","informational":null,"cvss":null,"categories":["memory-corruption"]}}],"schema_version":"1.7.3"}