bug-binutils

A suspicious unsigned integer overflow which may bypass check


From: Li,Peng(R&D Center, USA)
Subject: A suspicious unsigned integer overflow which may bypass check
Date: Thu, 24 Jan 2019 00:02:02 +0000

Hi there,

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer overflow which may bypass a check unintentionally. The bug is in function get_data of readelf.c, version 2.31.51.20190117.

static void *
get_data (void *         var,
          Filedata *     filedata,
          unsigned long  offset,
          bfd_size_type  size,
          bfd_size_type  nmemb,
          const char *   reason)
{

  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
  // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    {
      if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
               bfd_vmatoa ("u", amt), reason);
      return NULL;
    }

}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run ./readelf -a input, it is found that offset + archive_file_offset + amt overflows and bypasses the check. Can you please help verify if it is a true positive and think about whether adding a check for each variable against file_size is necessary?

If you have any questions about this issue or the input in the attachment, please let me know.

Thanks

Peng


Attachment: input
Description: input
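The wraparound described in the report, as an added illustration that is not binutils code: check_as_reported() mirrors the quoted condition with the values from the message (offset = 2^64 - 1, archive_file_offset = 0, amt = 255, file_size = 256), and check_safe() shows the per-term comparison the report asks about, written so that no addition can wrap. The uint64_t types are stand-ins for readelf's unsigned long and bfd_size_type on a 64-bit build; the function names are assumptions for this example.

```c
/* Added example (not binutils code): reproduces the unsigned wraparound
 * in the get_data() bounds check quoted above and shows an overflow-safe
 * variant. uint64_t stands in for unsigned long / bfd_size_type on the
 * 64-bit build the report used. */
#include <stdint.h>
#include <stdio.h>

/* The condition as quoted in the report. The three-term sum is computed
 * in unsigned 64-bit arithmetic, so a huge offset wraps the sum to a small
 * value that passes the comparison. Returns 1 if the read is accepted. */
int check_as_reported(uint64_t offset, uint64_t archive_file_offset,
                      uint64_t amt, uint64_t file_size)
{
    if (amt > file_size
        || offset + archive_file_offset + amt > file_size)
        return 0;
    return 1;
}

/* Overflow-safe variant: compare each term against the room that remains
 * instead of summing. Each subtraction is guarded by the check before it,
 * so the right-hand side never goes negative and nothing can wrap.
 * Returns 1 if the read is accepted. */
int check_safe(uint64_t offset, uint64_t archive_file_offset,
               uint64_t amt, uint64_t file_size)
{
    if (amt > file_size)
        return 0;
    if (archive_file_offset > file_size - amt)
        return 0;
    if (offset > file_size - amt - archive_file_offset)
        return 0;
    return 1;
}

/* The sum exactly as the original expression computes it. */
uint64_t wrapped_sum(uint64_t offset, uint64_t archive_file_offset,
                     uint64_t amt)
{
    return offset + archive_file_offset + amt;
}

/* Values from the report: the sum wraps to 254, which is below the
 * 256-byte file size, so the quoted check accepts an offset that lies
 * far past the end of the file. */
int main(void)
{
    uint64_t offset = UINT64_MAX, arch = 0, amt = 255, size = 256;

    printf("wrapped sum: %llu\n",
           (unsigned long long) wrapped_sum(offset, arch, amt));
    printf("as reported: %s\n",
           check_as_reported(offset, arch, amt, size) ? "accepted" : "rejected");
    printf("safe:        %s\n",
           check_safe(offset, arch, amt, size) ? "accepted" : "rejected");
    return 0;
}
```

The safe variant rejects the report's input while still accepting a read that ends exactly at file_size (offset 0, amt 256, file_size 256), so it tightens the check without changing which in-range reads are allowed.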

