bug-binutils
From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24132] New: A suspicious unsigned integer overflow which may bypass a check
Date: Thu, 24 Jan 2019 19:04:50 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24132

            Bug ID: 24132
           Summary: A suspicious unsigned integer overflow which may
                    bypass a check
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11569
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11569&action=edit
The PoC to demonstrate the unsigned integer overflow

Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is found in function
process_program_headers of readelf.c of version 2.31.51.20190117.

static bfd_boolean
process_program_headers (Filedata * filedata)
{
            …
          /* PR binutils/17512: Avoid corrupt dynamic section info in the
             segment.  Check this after matching against the section headers
             so we don't warn on debuginfo file (which have NOBITS .dynamic
             sections).  */
          if (dynamic_addr + dynamic_size >= filedata->file_size)
            {
              error (_("the dynamic segment offset + size exceeds the size of the file\n"));
              dynamic_addr = dynamic_size = 0;
            }
          break;
            …
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that dynamic_addr + dynamic_size overflows and
may bypass the check. Can you please help verify whether it is a true positive, and
do you think adding a check for each variable against file_size is necessary?

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng

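As an added illustration (not part of the report or of binutils), the quoted check is placed beside an overflow-safe form in C. It assumes bfd_vma is a 64-bit unsigned type; the values in main() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for bfd_vma; assumed to be a 64-bit unsigned type. */
typedef uint64_t vma_t;

/* The check as quoted from process_program_headers.  The sum is computed
 * modulo 2^64, so a very large dynamic_addr plus a small dynamic_size can
 * wrap around and compare as "smaller than the file".  Returns true when
 * the segment would be accepted. */
static bool
dynamic_segment_ok_wrapping (vma_t dynamic_addr, vma_t dynamic_size,
                             vma_t file_size)
{
  return !(dynamic_addr + dynamic_size >= file_size);
}

/* Overflow-safe equivalent of "dynamic_addr + dynamic_size < file_size"
 * evaluated in unbounded integers: bound each operand first (so the
 * subtraction below cannot underflow), then compare without forming
 * the sum at all. */
static bool
dynamic_segment_ok_safe (vma_t dynamic_addr, vma_t dynamic_size,
                         vma_t file_size)
{
  if (dynamic_addr >= file_size || dynamic_size >= file_size)
    return false;
  return dynamic_addr < file_size - dynamic_size;
}

int
main (void)
{
  /* Constructed values: offset near the top of the 64-bit range, small size,
   * 4 KiB file.  addr + size wraps to 0x100, which is below file_size. */
  vma_t addr = 0xFFFFFFFFFFFFFF00ULL, size = 0x200, file_size = 0x1000;

  printf ("wrapping check accepts segment: %s\n",
          dynamic_segment_ok_wrapping (addr, size, file_size) ? "yes" : "no");
  printf ("safe check accepts segment:     %s\n",
          dynamic_segment_ok_safe (addr, size, file_size) ? "yes" : "no");
  return 0;
}
```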

