From: Li,Peng (R&D Center, USA)
Subject: A suspicious unsigned integer overflow which may bypass check
Date: Thu, 24 Jan 2019 00:02:02 +0000
Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer overflow which may unintentionally bypass a check. The bug was found in the function get_data of readelf.c, version 126.96.36.19990117.
static void *
get_data (void * var,
          Filedata * filedata,
          unsigned long offset,
          const char * reason)

  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
  // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    error (_("Reading %s bytes extends past end of file for %s\n"),
           bfd_vmatoa ("u", amt), reason);
If you compile readelf with -fsanitize=unsigned-integer-overflow and run ./readelf -a input, it is found that offset + archive_file_offset + amt overflows and bypasses the check. Can you please help verify whether it is a true positive, and consider whether adding a check for each variable against file_size is necessary?
If you have any questions about this issue or the input in the attachment, please let me know.
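The wrap-around described in the report, reproduced as an added example in C. This is a constructed model of the quoted check, not code from binutils or from the reporter: the function names check_original, check_hardened and reproduce_bypass, the argument order, and the stand-alone main() are assumptions made for this example. unsigned long is kept so the arithmetic wraps exactly as it does in the original expression, and the hardened variant shows one overflow-free way to do the bounds test (subtracting from file_size instead of adding to the untrusted values) that gives the same answer as the original check in true, unbounded arithmetic.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of the bounds check in the reported get_data().
   Names, argument order and main() are assumptions for this example;
   this is not readelf.c. */

/* Same shape as the original check.  Returns 1 if the read is accepted,
   0 if rejected.  offset + archive_file_offset + amt is evaluated in
   unsigned long arithmetic and silently wraps modulo ULONG_MAX + 1, so
   a huge offset can produce a small sum that passes the comparison. */
int check_original (unsigned long offset, unsigned long archive_file_offset,
                    unsigned long amt, unsigned long file_size)
{
  if (amt > file_size
      || offset + archive_file_offset + amt > file_size)
    return 0;
  return 1;
}

/* Overflow-free version.  Every comparison subtracts from file_size
   rather than adding to the untrusted operands, and each subtraction is
   guarded by the comparison before it, so no expression can wrap.
   Accepts exactly the reads for which
   offset + archive_file_offset + amt <= file_size holds in unbounded
   arithmetic. */
int check_hardened (unsigned long offset, unsigned long archive_file_offset,
                    unsigned long amt, unsigned long file_size)
{
  if (amt > file_size)
    return 0;
  /* amt <= file_size, so file_size - amt cannot underflow.  */
  if (offset > file_size - amt)
    return 0;
  /* offset <= file_size - amt, so file_size - amt - offset cannot underflow.  */
  if (archive_file_offset > file_size - amt - offset)
    return 0;
  return 1;
}

/* Reporter's values: offset = 18446744073709551615 (ULONG_MAX on LP64),
   archive_file_offset = 0, amt = 255, file_size = 256.  Returns 1 when
   the original check accepts the read and the hardened check rejects
   it, i.e. when the bypass is reproduced. */
int reproduce_bypass (void)
{
  unsigned long offset = ULONG_MAX;
  unsigned long archive_file_offset = 0;
  unsigned long amt = 255;
  unsigned long file_size = 256;

  int orig = check_original (offset, archive_file_offset, amt, file_size);
  int hard = check_hardened (offset, archive_file_offset, amt, file_size);
  return orig == 1 && hard == 0;
}

int main (void)
{
  unsigned long offset = ULONG_MAX, archive_file_offset = 0;
  unsigned long amt = 255, file_size = 256;

  printf ("offset + archive_file_offset + amt wraps to %lu (file_size %lu)\n",
          offset + archive_file_offset + amt, file_size);
  printf ("original check accepts read: %d\n",
          check_original (offset, archive_file_offset, amt, file_size));
  printf ("hardened check accepts read: %d\n",
          check_hardened (offset, archive_file_offset, amt, file_size));
  return reproduce_bypass () ? 0 : 1;
}
```

Building this with clang and -fsanitize=unsigned-integer-overflow reports the wrap inside check_original and nothing inside check_hardened, which is the same signal the reporter saw on readelf. Note that checking each variable against file_size on its own is not enough by itself: two operands each below file_size can still sum past it, so the guarded subtraction form above (or an equivalent addition-overflow check before the sum) is what actually closes the gap.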