fix(native): Validate ELF header entry sizes

CHANGELOG.md

@@ -13,6 +13,7 @@
 - Windows: fix HTTP rate limit response header parsing. ([#1732](https://github.com/getsentry/sentry-native/pull/1732))
 - POSIX: prevent condition-variable timeout overflow from busy-spinning flush and shutdown waits. ([#1731](https://github.com/getsentry/sentry-native/pull/1731))
 - Native/macOS: fix thread stack descriptor. ([#1726](https://github.com/getsentry/sentry-native/pull/1726))
+- Native: validate ELF header entry sizes. ([#1746](https://github.com/getsentry/sentry-native/pull/1746))
 
 ## 0.14.2
 

src/backends/native/minidump/sentry_minidump_linux.c

@@ -20,6 +20,7 @@
 #    include <time.h>
 #    include <unistd.h>
 
+#    include "../sentry_elf.h"
 #    include "sentry_alloc.h"
 #    include "sentry_logger.h"
 #    include "sentry_minidump_common.h"
@@ -911,6 +912,11 @@ extract_elf_build_id(const char *elf_path, uint8_t *build_id, size_t max_len)
         return 0;
     }
 
+    if (!sentry__elf_has_shdr_size(ehdr.e_ident, ehdr.e_shentsize)) {
+        close(fd);
+        return 0;
+    }
+
     // Read section headers
     // Cast to size_t to prevent integer overflow (uint16_t * uint16_t promotes
     // to int, which can overflow)
@@ -1030,6 +1036,11 @@ compute_elf_size_from_phdrs(const char *elf_path)
         return 0;
     }
 
+    if (!sentry__elf_has_phdr_size(ehdr.e_ident, ehdr.e_phentsize)) {
+        close(fd);
+        return 0;
+    }
+
     // Read program headers
     size_t phdr_size = (size_t)ehdr.e_phentsize * ehdr.e_phnum;
     void *phdr_buf = sentry_malloc(phdr_size);
@@ -1111,6 +1122,11 @@ read_elf_soname(const char *elf_path, char *soname_buf, size_t soname_buf_size)
         return false;
     }
 
+    if (!sentry__elf_has_shdr_size(ehdr.e_ident, ehdr.e_shentsize)) {
+        close(fd);
+        return false;
+    }
+
     // Read section headers to find .dynamic and .dynstr
     size_t shdr_size = (size_t)ehdr.e_shentsize * ehdr.e_shnum;
     void *shdr_buf = sentry_malloc(shdr_size);

src/backends/native/sentry_crash_daemon.c

@@ -1066,6 +1066,7 @@ build_stacktrace_for_thread(
 }
 
 #if defined(SENTRY_PLATFORM_LINUX) || defined(SENTRY_PLATFORM_ANDROID)
+#    include "sentry_elf.h"
 #    include <elf.h>
 
 /**
@@ -1099,8 +1100,13 @@ extract_elf_build_id_for_module(
         return 0;
     }
 
+    if (!sentry__elf_has_shdr_size(ehdr.e_ident, ehdr.e_shentsize)) {
+        close(fd);
+        return 0;
+    }
+
     // Read section headers
-    size_t shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
+    size_t shdr_size = (size_t)ehdr.e_shentsize * ehdr.e_shnum;
     void *shdr_buf = sentry_malloc(shdr_size);
     if (!shdr_buf) {
         close(fd);

src/backends/native/sentry_elf.h

@@ -0,0 +1,54 @@
+#ifndef SENTRY_ELF_H_INCLUDED
+#define SENTRY_ELF_H_INCLUDED
+
+#include "sentry_boot.h"
+
+#if defined(SENTRY_PLATFORM_LINUX) || defined(SENTRY_PLATFORM_ANDROID)
+
+#    include <elf.h>
+#    include <stdbool.h>
+#    include <stddef.h>
+
+static inline bool
+sentry__elf_is_native_class(const unsigned char e_ident[EI_NIDENT])
+{
+#    if defined(__x86_64__) || defined(__aarch64__)
+    return e_ident[EI_CLASS] == ELFCLASS64;
+#    else
+    return e_ident[EI_CLASS] == ELFCLASS32;
+#    endif
+}
+
+static inline bool
+sentry__elf_has_shdr_size(
+    const unsigned char e_ident[EI_NIDENT], size_t e_shentsize)
+{
+    if (!sentry__elf_is_native_class(e_ident)) {
+        return false;
+    }
+
+#    if defined(__x86_64__) || defined(__aarch64__)
+    return e_shentsize == sizeof(Elf64_Shdr);
+#    else
+    return e_shentsize == sizeof(Elf32_Shdr);
+#    endif
+}
+
+static inline bool
+sentry__elf_has_phdr_size(
+    const unsigned char e_ident[EI_NIDENT], size_t e_phentsize)
+{
+    if (!sentry__elf_is_native_class(e_ident)) {
+        return false;
+    }
+
+#    if defined(__x86_64__) || defined(__aarch64__)
+    return e_phentsize == sizeof(Elf64_Phdr);
+#    else
+    return e_phentsize == sizeof(Elf32_Phdr);
+#    endif
+}
+
+#endif
+
+#endif

tests/unit/test_native_backend.c

@@ -15,6 +15,11 @@
 #    include "../../src/backends/native/sentry_crash_context.h"
 #endif
 
+#if defined(SENTRY_PLATFORM_LINUX) || defined(SENTRY_PLATFORM_ANDROID)
+#    include "backends/native/sentry_elf.h"
+#    include <elf.h>
+#endif
+
 /**
  * Test minidump header structure size and alignment
  */
@@ -521,3 +526,41 @@ SENTRY_TEST(minidump_structures_packed)
     SKIP_TEST();
 #endif
 }
+
+SENTRY_TEST(elf_header_entry_sizes)
+{
+#if !defined(SENTRY_PLATFORM_LINUX) && !defined(SENTRY_PLATFORM_ANDROID)
+    SKIP_TEST();
+#else
+    unsigned char e_ident[EI_NIDENT] = { 0 };
+    unsigned char other_class;
+    size_t shdr_size;
+    size_t phdr_size;
+
+#    if defined(__x86_64__) || defined(__aarch64__)
+    e_ident[EI_CLASS] = ELFCLASS64;
+    other_class = ELFCLASS32;
+    shdr_size = sizeof(Elf64_Shdr);
+    phdr_size = sizeof(Elf64_Phdr);
+#    else
+    e_ident[EI_CLASS] = ELFCLASS32;
+    other_class = ELFCLASS64;
+    shdr_size = sizeof(Elf32_Shdr);
+    phdr_size = sizeof(Elf32_Phdr);
+#    endif
+
+    TEST_CHECK(sentry__elf_is_native_class(e_ident));
+    TEST_CHECK(sentry__elf_has_shdr_size(e_ident, shdr_size));
+    TEST_CHECK(sentry__elf_has_phdr_size(e_ident, phdr_size));
+
+    TEST_CHECK(!sentry__elf_has_shdr_size(e_ident, shdr_size - 1));
+    TEST_CHECK(!sentry__elf_has_shdr_size(e_ident, shdr_size + 1));
+    TEST_CHECK(!sentry__elf_has_phdr_size(e_ident, phdr_size - 1));
+    TEST_CHECK(!sentry__elf_has_phdr_size(e_ident, phdr_size + 1));
+
+    e_ident[EI_CLASS] = other_class;
+    TEST_CHECK(!sentry__elf_is_native_class(e_ident));
+    TEST_CHECK(!sentry__elf_has_shdr_size(e_ident, shdr_size));
+    TEST_CHECK(!sentry__elf_has_phdr_size(e_ident, phdr_size));
+#endif
+}

tests/unit/tests.inc

@@ -129,6 +129,7 @@ XX(dsn_with_non_http_scheme_is_invalid)
 XX(dsn_without_project_id_is_invalid)
 XX(dsn_without_url_scheme_is_invalid)
 XX(effective_org_id_resolution)
+XX(elf_header_entry_sizes)
 XX(embedded_info_basic)
 XX(embedded_info_build_id)
 XX(embedded_info_disabled)