From: antiagainst at gmail dot com
Subject: [Bug binutils/16664] New: segmentation fault in process_attributes() of readelf.c
Date: Thu, 06 Mar 2014 03:41:16 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=16664
Bug ID: 16664
Summary: segmentation fault in process_attributes() of readelf.c
Product: binutils
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: antiagainst at gmail dot com
Created attachment 7456
--> https://sourceware.org/bugzilla/attachment.cgi?id=7456&action=edit
contains an 8-byte SHT_GNU_ATTRIBUTES triggering the bug
The following is based on readelf 2.24. I built it on Ubuntu 13.10 with GCC 4.8.1.

In process_attributes() of readelf.c, there are integer underflow and out-of-bounds pointer problems. These problems can cause segmentation faults.

On a little endian machine, given an 8-byte SHT_GNU_ATTRIBUTES section whose content is `4104 0000 00ff ffff`, getdata() will allocate 9 bytes to hold it in memory (adding a `\0` to the end). Then `contents` is a 9-byte char array. The first byte is matched to 'A' (line 12166), and `section_len` gets its value from the next 4 bytes (line 12177), which is 4. The last 4 bytes are interpreted as a name string (line 12188), and its size is assigned to `namelen` (line 12200), which is 4.

So, at line 12202, `section_len -= namelen + 4` is `4 -= 4 + 4`. This is an integer underflow. And at the end of line 12201, `p` has already gone out of the memory allocated for `contents`. This is an out-of-bounds pointer. Then `size` is read from some random memory after `contents` (line 12210). Later `end` is assigned to `p + size - 1` (line 12219), which could be out of bounds, and is passed to display_raw_attribute(), which will cause a segmentation fault.

A small test file is attached to help reproduce the bug. The command is `readelf -a readelf-5-83-A`. The program will loop for a while and then crash with a segmentation fault and core dump.
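The sub-section header walk the report describes, written here as an added bounds-checked example (this is not readelf's code; `parse_gnu_attributes`, `attr_subsection` and the two sample buffers are this example's own). It rejects the report's 8-byte input at the length check, before the subtraction that underflowed and the read past `contents`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum attr_status { ATTR_OK = 0, ATTR_BAD_VERSION, ATTR_BAD_LEN, ATTR_BAD_NAME };

struct attr_subsection {
    uint32_t section_len;  /* length field as stored in the section */
    const char *vendor;    /* NUL-terminated vendor name inside the buffer */
    size_t body_len;       /* bytes left for tags after the name */
};

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the first sub-section header of an SHT_GNU_ATTRIBUTES section of
 * 'len' bytes, refusing anything that would read past the buffer. */
enum attr_status parse_gnu_attributes(const unsigned char *buf, size_t len,
                                      struct attr_subsection *out)
{
    if (len < 1 || buf[0] != 'A') return ATTR_BAD_VERSION;
    const unsigned char *p = buf + 1;
    size_t remaining = len - 1;
    /* Need the 4-byte length field plus at least a NUL for the vendor name. */
    if (remaining < 5) return ATTR_BAD_LEN;
    uint32_t section_len = get_le32(p);
    /* The length counts itself, so it must be >= 5 and fit in the buffer;
     * the report's value of 4 fails here instead of underflowing later. */
    if (section_len < 5 || section_len > remaining) return ATTR_BAD_LEN;
    p += 4;
    /* The name must be NUL-terminated inside the sub-section, not past it. */
    const unsigned char *nul = memchr(p, '\0', section_len - 4);
    if (nul == NULL) return ATTR_BAD_NAME;
    size_t namelen = (size_t)(nul - p) + 1;    /* includes the NUL, as in readelf */
    out->section_len = section_len;
    out->vendor = (const char *)p;
    out->body_len = section_len - 4 - namelen;  /* cannot underflow now */
    return ATTR_OK;
}

/* Constructed inputs: the report's 8-byte section and a well-formed one. */
static const unsigned char crasher[8] = { 0x41, 0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff };
static const unsigned char wellformed[13] = { 'A', 12, 0, 0, 0, 'g', 'n', 'u', 0, 1, 2, 3, 4 };

enum attr_status check_crasher(void)
{ struct attr_subsection s; return parse_gnu_attributes(crasher, sizeof crasher, &s); }
size_t wellformed_body_len(void)
{ struct attr_subsection s; return parse_gnu_attributes(wellformed, sizeof wellformed, &s) == ATTR_OK ? s.body_len : (size_t)-1; }
```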