
vbpf / prevail / build 25071483533 (push, github, web-flow)

28 Apr 2026 06:48PM UTC coverage: 89.601% (+0.06%) from 89.543%
Fix heap-buffer-overflow from non-instruction-aligned FUNC symbols (#1106)

* Fix heap-buffer-overflow from non-instruction-aligned FUNC symbols

Reject ELF FUNC symbols in executable sections whose st_value is not a
multiple of sizeof(EbpfInst) (8 bytes). A malformed ELF with such a
symbol causes get_program_name_and_size() to produce non-aligned program
boundaries. When read_programs() advances offset by a non-aligned
symbol_size, compute_reachable_program_span() uses truncating integer
division (offset / sizeof(EbpfInst)), inflating the computed span and
causing vector_of<EbpfInst> to memcpy past the section data buffer.

The root-cause fix validates FUNC symbol alignment in
get_program_name_and_size(), which is shared by both read_programs() and
ElfObjectState::discover_programs(). A defense-in-depth bounds check
before the vector_of call in read_programs() guards against future
regressions in span computation.

Add a test that constructs a minimal ELF with a FUNC symbol at an
unaligned offset and verifies it is cleanly rejected.

* Add acceptance test for instruction-aligned FUNC symbols

Companion to the rejection test — verifies that FUNC symbols at
8-byte-aligned offsets are accepted without error, ensuring the
alignment validation does not reject well-formed ELF files.

---------

Signed-off-by: Michael Agun <danielagun@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
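The two checks the commit message describes, rebuilt as an added example that is not prevail's own code: `EbpfInst` is a stand-in 8-byte struct, a section is a plain byte vector, `FuncSymbol` is a reduced view of an ELF FUNC symbol, and the function names (`program_name_and_size`, `reachable_span_instructions`, `span_in_bounds`, `read_program`) are hypothetical. It reproduces the truncating-division span arithmetic so the inflation is visible on a constructed 24-byte section, then shows the alignment rejection and the defense-in-depth bounds check that stops the copy from running past the buffer.

```cpp
// Added example, not prevail's code: stand-in types and hypothetical names.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct EbpfInst { uint8_t opcode; uint8_t regs; int16_t offset; int32_t imm; };
static_assert(sizeof(EbpfInst) == 8, "eBPF instructions are 8 bytes");

// Reduced view of an ELF FUNC symbol (assumption: only the fields needed here).
struct FuncSymbol {
    std::string name;
    uint64_t st_value; // byte offset of the function within its section
    uint64_t st_size;  // size of the function in bytes
};

// Root-cause check: a FUNC symbol in an executable section must start on an
// instruction boundary. Mirrors what a get_program_name_and_size()-style helper
// would do: hand back (name, size) or reject the symbol.
std::pair<std::string, uint64_t> program_name_and_size(const FuncSymbol& sym) {
    if (sym.st_value % sizeof(EbpfInst) != 0) {
        throw std::runtime_error("FUNC symbol '" + sym.name +
                                 "' is not instruction-aligned (st_value=" +
                                 std::to_string(sym.st_value) + ")");
    }
    return {sym.name, sym.st_size};
}

// The span arithmetic the commit message describes: instructions from `offset`
// to the end of the section, using truncating division. With an unaligned
// offset, offset / 8 rounds down, so the span is one instruction too large.
size_t reachable_span_instructions(size_t section_bytes, size_t offset) {
    return section_bytes / sizeof(EbpfInst) - offset / sizeof(EbpfInst);
}

// Defense-in-depth bounds check, independent of how the span was computed:
// every byte the copy would read must lie inside the section.
bool span_in_bounds(size_t section_bytes, size_t offset, size_t span_insts) {
    if (span_insts > SIZE_MAX / sizeof(EbpfInst)) return false; // mul overflow
    const size_t span_bytes = span_insts * sizeof(EbpfInst);
    if (offset > section_bytes) return false;                    // add overflow
    return span_bytes <= section_bytes - offset;
}

// Guarded equivalent of the vector_of<EbpfInst> copy: refuse before memcpy.
std::vector<EbpfInst> read_program(const std::vector<uint8_t>& section, size_t offset) {
    const size_t span = reachable_span_instructions(section.size(), offset);
    if (!span_in_bounds(section.size(), offset, span)) {
        throw std::runtime_error("program span exceeds section data");
    }
    std::vector<EbpfInst> prog(span);
    std::memcpy(prog.data(), section.data() + offset, span * sizeof(EbpfInst));
    return prog;
}

int main() {
    // Constructed input: a 24-byte (3-instruction) executable section.
    const std::vector<uint8_t> section(24, 0);

    // Unaligned offset 12: span = 3 - 1 = 2 instructions = 16 bytes,
    // but only 12 bytes remain, so the copy would read 4 bytes past the end.
    std::cout << "span at offset 12: " << reachable_span_instructions(24, 12)
              << " insts, in bounds: " << span_in_bounds(24, 12, 2) << "\n";

    for (const FuncSymbol& sym : {FuncSymbol{"aligned", 8, 16},
                                  FuncSymbol{"unaligned", 12, 16}}) {
        try {
            auto [name, size] = program_name_and_size(sym);
            auto prog = read_program(section, static_cast<size_t>(sym.st_value));
            std::cout << name << ": accepted, " << prog.size() << " instructions\n";
        } catch (const std::runtime_error& e) {
            std::cout << sym.name << ": rejected: " << e.what() << "\n";
        }
    }
    return 0;
}
```

The alignment check rejects the malformed symbol before any offset is derived from it; the bounds check is what would still catch the 4-byte over-read if a future change reintroduced an unaligned offset by another route.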

75 of 76 new or added lines in 2 files covered. (98.68%)

13863 of 15472 relevant lines covered (89.6%)

4364924.2 hits per line

Source File

/src/io/elf_reader.cpp (84.06% covered; source not available on this page)


© 2026 Coveralls, Inc