From: Li,Peng(R&D Center, USA)
Subject: A suspicious unsigned integer overflow which may bypass check
Date: Thu, 24 Jan 2019 00:02:02 +0000
Hi there, Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer overflow which may bypass a check unintentionally.
The bug is found in function get_data of readelf.c of version 2.31.51.20190117.

    static void *
    get_data (void * var,
              Filedata * filedata,
              unsigned long offset,
              bfd_size_type size,
              bfd_size_type nmemb,
              const char * reason)
    {
      …
      // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
      // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
      if (amt > filedata->file_size
          || offset + archive_file_offset + amt > filedata->file_size)
        {
          if (reason)
            error (_("Reading %s bytes extends past end of file for %s\n"),
                   bfd_vmatoa ("u", amt), reason);
          return NULL;
        }
      …
    }

If you compile readelf with -fsanitize=unsigned-integer-overflow and run ./readelf -a input, it is found that offset + archive_file_offset + amt overflows and bypasses the check. Can you please help verify if it is a true positive and think about whether adding a check for each variable against file_size is necessary? If you have any questions about this issue and the input in the attachment, please let me know.

Thanks,
Peng
Attachment: input
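To make the reported condition concrete, here is an added, self-contained C example (written for this page; it is not code from binutils or from the reporter). It reproduces the quoted bounds test with the exact values from the report, shows that the 64-bit sum wraps to 254 and slips past the comparison, and places beside it a form of the check that compares each term against the remaining budget so no wrapping sum is ever computed. The `bfd_size_type` typedef and the use of `uint64_t` in place of readelf's `unsigned long` are assumptions made so the arithmetic is 64-bit on every platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for binutils' bfd_size_type (assumption for this example). readelf
   declares offset as unsigned long; uint64_t is used here so the arithmetic is
   64-bit everywhere, matching the LP64 values quoted in the report. */
typedef uint64_t bfd_size_type;

/* The bounds test as quoted from get_data in the report. Unsigned addition
   wraps modulo 2^64, so a huge offset can make the sum small again and the
   comparison accepts a read that begins far beyond the end of the file.
   Returns true when the read would be accepted. */
static bool
range_check_wrapping (uint64_t offset, uint64_t archive_file_offset,
                      bfd_size_type amt, bfd_size_type file_size)
{
  if (amt > file_size
      || offset + archive_file_offset + amt > file_size)
    return false;              /* rejected: "extends past end of file" */
  return true;
}

/* Hardened form: never compute a sum that can wrap. Each term is compared
   against the budget left after the terms already accepted, using subtraction
   of values already known to be <= file_size. */
static bool
range_check_safe (uint64_t offset, uint64_t archive_file_offset,
                  bfd_size_type amt, bfd_size_type file_size)
{
  if (amt > file_size)
    return false;
  if (offset > file_size)
    return false;
  if (archive_file_offset > file_size - offset)
    return false;              /* offset + archive_file_offset would exceed file_size */
  if (amt > file_size - offset - archive_file_offset)
    return false;              /* the read itself would run past the end */
  return true;
}

int
main (void)
{
  /* Constructed from the values given in the report. */
  const uint64_t offset = 18446744073709551615ULL;   /* 2^64 - 1 */
  const uint64_t archive_file_offset = 0;
  const bfd_size_type amt = 255;
  const bfd_size_type file_size = 256;

  printf ("wrapped sum = %llu\n",
          (unsigned long long) (offset + archive_file_offset + amt));   /* 254 */
  printf ("original check accepts read: %s\n",
          range_check_wrapping (offset, archive_file_offset, amt, file_size)
          ? "yes" : "no");
  printf ("hardened check accepts read: %s\n",
          range_check_safe (offset, archive_file_offset, amt, file_size)
          ? "yes" : "no");
  return 0;
}
```

Building this file with clang and -fsanitize=unsigned-integer-overflow reports the wrap inside range_check_wrapping (and in main's printf), while range_check_safe performs no addition at all, so the sanitizer stays silent and the out-of-range offset is rejected at the `offset > file_size` test.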