bug-binutils
From: antiagainst at gmail dot com
Subject: [Bug binutils/16664] New: segmentation fault in process_attributes() of readelf.c
Date: Thu, 06 Mar 2014 03:41:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=16664

            Bug ID: 16664
           Summary: segmentation fault in process_attributes() of
                    readelf.c
           Product: binutils
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: antiagainst at gmail dot com

Created attachment 7456
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7456&action=edit
contains an 8-byte SHT_GNU_ATTRIBUTES section triggering the bug

The following is based on readelf 2.24. I built it on Ubuntu 13.10 with GCC
4.8.1.

In process_attributes() of readelf.c, there exist integer underflow and pointer
out of bounds problems. These problems can cause segmentation faults.

On a little endian machine, given an 8-byte SHT_GNU_ATTRIBUTES section whose
content is `4104 0000 00ff ffff`, getdata() will allocate 9 bytes to hold it in
memory. (Adding a `\0` to the end.) Then `contents` is a 9-byte char array. The
first byte is matched to 'A' (line 12166), and `section_len` gets its value
from the next 4 bytes (line 12177), which is 4. The last 4 bytes are interpreted as
a name string (line 12188), and its size is assigned to `namelen` (line 12200),
which is 4.

So, at line 12202, `section_len -= namelen + 4` is `4 -= 4 + 4`. This is an
integer underflow. And at the end of line 12201, `p` has already gone out of the
memory allocated for `contents`. This is a pointer out of bounds. Then `size`
is read from some random memory after `contents` (line 12210). Later `end` is
assigned to `p + size - 1` (line 12219), which could be out of bounds, and
passed to display_raw_attribute(), which will cause a segmentation fault.

A small problem is attached to help reproduce the bug. The command is `readelf
-a readelf-5-83-A`. The program will loop for a while and then crash with a
segmentation fault and core dump.
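As an added example (not readelf's code and not from the report), here is a hypothetical bounds-checked reader for the vendor-subsection header the report walks through: it is fed the report's 8-byte section and a constructed well-formed "gnu" subsection, assumes little-endian data, and returns -1 wherever the original arithmetic would have underflowed or `p` would have left the buffer.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian uint32, matching the report's machine (assumption). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate one vendor subsection of a SHT_GNU_ATTRIBUTES section:
 * 'A', uint32 section_len (which counts itself), NUL-terminated vendor
 * name. Returns the number of payload bytes after the name, or -1 if
 * the header does not fit in `size` bytes. Hypothetical checker, not
 * readelf's code: every read is bounds-checked before it happens. */
long attr_subsection_payload_len(const unsigned char *contents, size_t size)
{
    const unsigned char *p = contents, *end = contents + size, *nul;
    size_t section_len, namelen;

    if (size < 1 || *p != 'A')
        return -1;
    p++;
    if ((size_t)(end - p) < 4)                 /* room for section_len? */
        return -1;
    section_len = read_le32(p);
    if (section_len < 4 || section_len > (size_t)(end - p))
        return -1;                             /* length field lies */
    end = p + section_len;                     /* clamp to declared length */
    p += 4;
    nul = memchr(p, '\0', (size_t)(end - p));  /* name must end in-bounds */
    if (nul == NULL)
        return -1;                             /* report's input fails here */
    namelen = (size_t)(nul - p) + 1;
    /* readelf did `section_len -= namelen + 4` unchecked; check first. */
    if (section_len < namelen + 4)
        return -1;
    return (long)(section_len - namelen - 4);
}

/* Constructed inputs: the 8-byte section from the report, and a
 * well-formed "gnu" subsection carrying a 5-byte payload. */
static const unsigned char report_input[8] =
    { 0x41, 0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff };
static const unsigned char good_input[14] =
    { 'A', 0x0d, 0, 0, 0, 'g', 'n', 'u', 0, 0x01, 0x05, 0, 0, 0 };

int main(void)
{
    printf("report input: %ld\n", attr_subsection_payload_len(report_input, 8));
    printf("good input:   %ld\n", attr_subsection_payload_len(good_input, 14));
    return 0;
}
```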
