[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24100] New: An unsigned integer overflow which may cause h
poppeter1982 at gmail dot com
[Bug binutils/24100] New: An unsigned integer overflow which may cause huge amount of heap allocation
Thu, 17 Jan 2019 02:47:29 +0000
Bug ID: 24100
Summary: An unsigned integer overflow which may cause huge
amount of heap allocation
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---
Peng Li and Shengjian Guo at Baidu X-Lab discovered a suspicious unsigned
integer overflow which may lead to a huge amount of memory allocation in heap.
In get_dynamic_data of readelf.c of version 18.104.22.16890117
static bfd_vma *
get_dynamic_data (Filedata * filedata, bfd_size_type number, unsigned int
if (ent_size * number > filedata->file_size)
error (_("Invalid number of dynamic entries: %s\n"),
bfd_vmatoa ("u", number));
e_data = (unsigned char *) cmalloc ((size_t) number, ent_size);
If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is reported that readelf.c:11251:16: runtime error:
unsigned integer overflow: 8 * 5765762010251921410 cannot be represented in
type 'unsigned long'. With regards to this input, the wrap around result of
ent_size * number is still greater than file_size (2413), so the variable
"number" that is 5765762010251921410 does not flow into cmalloc operation.
However, let's think about the case where number is still a huge number and
8*huge_number is less than file_size, then consequently a huge amount of memory
will be allocated in heap. One possible solution to resolve the multiplication
overflow is to use division instead, for example, the conditional is changed to
if (ent_size > filedata->file_size/number).
If you have any questions about this issue and input in the attachment, please
let me know.
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/24100] New: An unsigned integer overflow which may cause huge amount of heap allocation,
poppeter1982 at gmail dot com <=