[Bug binutils/22894] New: integer overflow in parse_die
From: luanjunchao at 163 dot com
Subject: [Bug binutils/22894] New: integer overflow in parse_die
Date: Mon, 26 Feb 2018 03:38:43 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22894
Bug ID: 22894
Summary: integer overflow in parse_die
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---
The command I test is "nm-new -A -a -l -S -s --special-syms --synthetic
--with-symbol-versions -D $POC".
In function parse_die, I find a case which can lead to integer overflow of
xptr. Below is part of function parse_die.
	case FORM_BLOCK4:
	  if (xptr + 4 <= aDiePtrEnd)
	    xptr += bfd_get_32 (abfd, xptr);
	  xptr += 4;
	  break;
The result of bfd_get_32 can be large and when it's added to xptr, xptr
overflows.
Backtrace of gdb
(gdb) bt
#0 0x08056486 in bfd_getl16 (p=0x206da1) at
/work/binutils-gdb/bfd/libbfd.c:583
#1 0x080a0c55 in parse_die (address@hidden,
aDiePtr=<optimized out>, aDiePtrEnd=0x8188026 "\r", abfd=<optimized out>) at
/work/binutils-gdb/bfd/dwarf1.c:221
#2 0x080a123c in _bfd_dwarf1_find_nearest_line (abfd=0x817e058,
symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568,
functionname_ptr=0xffffd56c, linenumber_ptr=0xffffd570) at
/work/binutils-gdb/bfd/dwarf1.c:541
#3 0x0807fda9 in _bfd_elf_find_nearest_line (abfd=0x817e058,
symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568,
functionname_ptr=0xffffd56c, line_ptr=0xffffd570, discriminator_ptr=0x0) at
/work/binutils-gdb/bfd/elf.c:8746
#4 0x0804b279 in print_symbol (address@hidden, sym=<optimized out>,
ssize=0, archive_bfd=0x0) at /work/binutils-gdb/binutils/nm.c:1009
#5 0x0804b55c in print_symbols (archive_bfd=<optimized out>, size=<optimized
out>, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=<optimized
out>, abfd=0x817e058) at /work/binutils-gdb/binutils/nm.c:1089
#6 display_rel_file (address@hidden,
address@hidden) at /work/binutils-gdb/binutils/nm.c:1205
#7 0x0804c67b in display_file (filename=<optimized out>) at
/work/binutils-gdb/binutils/nm.c:1325
#8 0x0804a505 in main (argc=11, argv=0xffffd744) at
/work/binutils-gdb/binutils/nm.c:1799
The poc file is
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_parse_die.elf
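The quoted snippet trusts the 32-bit block length it just read: it only checks that the four length bytes fit before aDiePtrEnd, then adds an attacker-controlled value to xptr, so the pointer can land far past the DIE or wrap around. The following added example (not the reporter's code and not binutils' dwarf1.c; the function names, byte layout and sample buffers are constructed for illustration) contrasts that advance with a bounds-checked one. It works on offsets into a buffer rather than raw pointers so that the out-of-range result is well-defined to compute and compare, and the hardened version compares the length against the bytes remaining instead of adding it to the cursor.

```c
/* Added example: safe skipping of a FORM_BLOCK4-style attribute.
   Hypothetical code, not from binutils; buffers below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read, the role bfd_get_32 plays in the report. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive advance mirroring the quoted logic, on offsets instead of pointers:
   only the 4-byte length field is bounds-checked, the length itself is not.
   The returned offset may exceed 'len'; with pointers that is the overflow. */
static size_t skip_block4_naive(const unsigned char *buf, size_t len, size_t off)
{
    if (off + 4 <= len)
        off += get_le32(buf + off);
    off += 4;
    return off;
}

/* Hardened advance: every check is phrased as "remaining bytes >= needed",
   so nothing is ever added to the cursor before it has been validated.
   Returns false (and leaves *out untouched) for a block that does not fit. */
static bool skip_block4_checked(const unsigned char *buf, size_t len,
                                size_t off, size_t *out)
{
    if (off > len || len - off < 4)
        return false;                 /* no room for the length field */
    uint32_t blen = get_le32(buf + off);
    off += 4;
    if (blen > len - off)             /* compare against remaining, never add */
        return false;
    *out = off + blen;                /* cannot exceed len, cannot wrap */
    return true;
}

/* Constructed well-formed payload: 2-byte attribute code (ignored here),
   FORM_BLOCK4 length = 3, then the 3 data bytes. */
static const unsigned char good_die[] = {
    0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC
};
/* Constructed malformed payload: length 0xFFFFFFF0 with no data behind it. */
static const unsigned char bad_die[] = {
    0x00, 0x00, 0xF0, 0xFF, 0xFF, 0xFF
};

/* The checked skip accepts the good DIE and lands exactly at its end. */
bool demo_good_accepted(void)
{
    size_t out = 0;
    return skip_block4_checked(good_die, sizeof good_die, 2, &out)
        && out == sizeof good_die;
}

/* The checked skip rejects the oversized block instead of advancing. */
bool demo_bad_rejected(void)
{
    size_t out = 0;
    return !skip_block4_checked(bad_die, sizeof bad_die, 2, &out);
}

/* The naive skip walks off the end of the same malformed buffer. */
bool demo_naive_out_of_bounds(void)
{
    return skip_block4_naive(bad_die, sizeof bad_die, 2) > sizeof bad_die;
}

int main(void)
{
    printf("checked/good accepted: %d\n", demo_good_accepted());
    printf("checked/bad rejected:  %d\n", demo_bad_rejected());
    printf("naive/bad past end:    %d\n", demo_naive_out_of_bounds());
    return 0;
}
```

The ordering in skip_block4_checked is the point: subtracting the cursor from the buffer size gives a quantity that can never overflow, so a length field of any value is compared safely, whereas cursor + length may wrap on a 32-bit build (the backtrace above is from one) and then pass a naive `<= end` test.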