From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24100] New: An unsigned integer overflow which may cause huge amount of heap allocation
Date: Thu, 17 Jan 2019 02:47:29 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24100

            Bug ID: 24100
           Summary: An unsigned integer overflow which may cause huge
                    amount of heap allocation
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Hi there,

Peng Li and Shengjian Guo at Baidu X-Lab discovered a suspicious unsigned
integer overflow which may lead to a huge amount of memory allocation in heap. 

In get_dynamic_data of readelf.c of version 2.31.51.20190117

static bfd_vma *
get_dynamic_data (Filedata * filedata, bfd_size_type number, unsigned int ent_size)
{
    ...

    if (ent_size * number > filedata->file_size)
    {
      error (_("Invalid number of dynamic entries: %s\n"),
             bfd_vmatoa ("u", number));
      return NULL;
    }

    e_data = (unsigned char *) cmalloc ((size_t) number, ent_size);

    ...
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is reported that readelf.c:11251:16: runtime error:
unsigned integer overflow: 8 * 5765762010251921410 cannot be represented in
type 'unsigned long'. With regards to this input, the wrap around result of
ent_size * number is still greater than file_size (2413), so the variable
"number" that is 5765762010251921410 does not flow into cmalloc operation. 

However, let's think about the case where number is still a huge number and
8*huge_number is less than file_size; in that case a huge amount of memory
will be allocated in heap. One possible solution to resolve the multiplication
overflow is to use division instead, for example, the conditional is changed to
if (ent_size > filedata->file_size/number).

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng
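The arithmetic behind the report, as an added example that is not binutils code: the three
size-check variants below mirror the predicate from get_dynamic_data with bfd_size_type
modelled as uint64_t, and the second test value (2^61 + 1) is a constructed number whose
product with 8 wraps to a value below the reported file_size of 2413.

```c
/* Added example, not from readelf.c. Shows why a multiplied size check can be
 * bypassed by modular wrap-around and two overflow-safe ways to write it. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t bfd_size_type;   /* assumption: 64-bit bfd_size_type as in the report */

/* The predicate as it appears in the report: ent_size * number may wrap
 * modulo 2^64, so a huge 'number' can slip past the check. true = reject. */
static bool size_check_original(bfd_size_type number, unsigned int ent_size,
                                bfd_size_type file_size)
{
    return ent_size * number > file_size;
}

/* Division form suggested in the report; number == 0 is handled first so the
 * division is always defined. Equivalent to the original whenever no wrap occurs. */
static bool size_check_division(bfd_size_type number, unsigned int ent_size,
                                bfd_size_type file_size)
{
    if (number == 0)
        return false;
    return ent_size > file_size / number;
}

/* Same intent using the GCC/Clang overflow-checking builtin: a wrapped
 * product is rejected outright instead of being compared. */
static bool size_check_builtin(bfd_size_type number, unsigned int ent_size,
                               bfd_size_type file_size)
{
    bfd_size_type total;
    if (__builtin_mul_overflow((bfd_size_type) ent_size, number, &total))
        return true;
    return total > file_size;
}

int main(void)
{
    const bfd_size_type file_size = 2413;                 /* from the report */
    const bfd_size_type reported  = 5765762010251921410ULL; /* from the report */
    const bfd_size_type wrapping  = 2305843009213693953ULL; /* constructed: 2^61 + 1 */

    printf("reported : original=%d division=%d builtin=%d\n",
           size_check_original(reported, 8, file_size),
           size_check_division(reported, 8, file_size),
           size_check_builtin(reported, 8, file_size));
    printf("wrapping : original=%d division=%d builtin=%d\n",
           size_check_original(wrapping, 8, file_size),
           size_check_division(wrapping, 8, file_size),
           size_check_builtin(wrapping, 8, file_size));
    return 0;
}
```

With the reported input the wrapped product (9232607934596268048) still exceeds 2413 and all three checks reject it; with the constructed 2^61 + 1 the product wraps to 8, the original check accepts it, and only the division and builtin forms reject it.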
