GP-3543 additional vaidity checks for ELF Android relocation processing

and corrected related markup data
NationalSecurityAgency · Jun 14, 2023 · 6928935 · 6928935
1 parent 3736ae0
commit 6928935
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/...Features/Base/src/main/java/ghidra/app/util/bin/format/elf/AndroidElfRelocationGroup.java b/...Features/Base/src/main/java/ghidra/app/util/bin/format/elf/AndroidElfRelocationGroup.java
@@ -15,9 +15,8 @@
  */
 package ghidra.app.util.bin.format.elf;
 
-import java.util.ArrayList;
-
 import java.io.IOException;
+import java.util.ArrayList;
 
 import javax.help.UnsupportedOperationException;
 
@@ -177,7 +176,7 @@ long getLastRelocationOffset(WrappedMemBuffer buf) {
 			WrappedMemBuffer cbuf = new WrappedMemBuffer(buf, comps[2].getOffset());
 			s = (Scalar) comps[2].getDataType().getValue(cbuf, null, comps[2].getLength());
 			long groupOffsetDelta = s.getValue();
-			return baseRelocOffset + ((groupSize - 1) * groupOffsetDelta);
+			return baseRelocOffset + (groupSize * groupOffsetDelta);
 		}
 
 		if (lastDtc.getFieldName().startsWith("group_")) {

diff --git a/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/elf/ElfRelocationTable.java b/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/elf/ElfRelocationTable.java
@@ -229,23 +229,28 @@ private List<ElfRelocation> parseAndroidRelocations(BinaryReader reader)
 				long groupRInfo = groupedByInfo ? reader.readNext(LEB128::signed) : 0;
 
 				if (groupHasAddend && groupedByAddend) {
+					if (!addendTypeReloc) {
+						elfHeader.logError(
+							"ELF Android Relocation processing failed.  Unexpected r_addend in android.rel section");
+						return List.of();
+					}
 					// group_addend (optional)
 					addend += reader.readNext(LEB128::signed);
 				}
 				else if (!groupHasAddend) {
 					addend = 0;
 				}
 
+				// Process all group entries
 				for (int i = 0; i < groupSize; i++) {
 					// reloc_offset (optional)
-					offset +=
-						groupedByDelta ? groupOffsetDelta : reader.readNext(LEB128::signed);
+					offset += groupedByDelta ? groupOffsetDelta : reader.readNext(LEB128::signed);
 
 					// reloc_info (optional)
 					long info = groupedByInfo ? groupRInfo : reader.readNext(LEB128::signed);
 
 					long rAddend = 0;
-					if (groupHasAddend) {
+					if (addendTypeReloc && groupHasAddend) {
 						if (!groupedByAddend) {
 							// reloc_addend (optional)
 							addend += reader.readNext(LEB128::signed);

diff --git a/...work/SoftwareModeling/src/main/java/ghidra/program/model/data/AbstractLeb128DataType.java b/...work/SoftwareModeling/src/main/java/ghidra/program/model/data/AbstractLeb128DataType.java
@@ -95,7 +95,7 @@ public Object getValue(MemBuffer buf, Settings settings, int maxLength) {
 		}
 
 		// approximate bitLength from storage byte length
-		int bitLength = Math.max(64, len * 7);
+		int bitLength = Math.min(64, len * 7);
 		int mod = bitLength % 8;
 		if (mod != 0) {
 			bitLength += (8 - mod);