bug-binutils
From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24131] New: A unsigned integer overflow found in readelf which may cause OOB memory access
Date: Thu, 24 Jan 2019 18:40:59 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24131

            Bug ID: 24131
           Summary: A unsigned integer overflow found in readelf which may
                    cause OOB memory access
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11568
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11568&action=edit
The PoC to demonstrate the unsigned integer overflow

Hi There

Peng Li and Shengjian Guo at Baidu XLab discovered a suspicious unsigned
integer overflow which may lead to an out-of-bounds access. The bug is found in
function process_notes_at of readelf.c of version 2.31.51.20190117.

static bfd_boolean
process_notes_at (Filedata *           filedata,
                  Elf_Internal_Shdr *  section,
                  bfd_vma              offset,
                  bfd_vma              length,
                  bfd_vma              align)
{
       ...
       if (inote.namedata[inote.namesz - 1] != '\0') {
         ...
       }
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that inote.namesz is equal to 0, so "inote.namesz
- 1" wraps around and becomes a super large number, causing the out-of-bounds
access. Can you please help verify whether it is a true positive?

If you have any questions about this issue and input in the attachment, please
let me know.


Thanks
Peng

-- 
You are receiving this mail because:
You are on the CC list for the bug.
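As an added illustration (not the reporter's PoC and not readelf's own code), the small note-header parser below shows the wraparound the report describes and the namesz == 0 guard that prevents it. The note_t struct, the 32-bit little-endian note layout and the sample bytes are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the note fields the report discusses
 * (assumption: not readelf's Elf_Internal_Note, which uses unsigned long). */
typedef struct {
    const unsigned char *namedata;
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
} note_t;

/* The index the reported check reads from, computed as in the report:
 * unsigned namesz - 1, which wraps to UINT32_MAX when namesz == 0. */
uint32_t last_name_index(uint32_t namesz) { return namesz - 1; }

/* Parse one ELF note (Elf32_Nhdr and Elf64_Nhdr both carry three 32-bit
 * fields; little-endian assumed here) from buf[0..len). Returns false if the
 * header or the name does not fit, or if the name is not NUL-terminated.
 * The namesz == 0 test is the guard missing from the reported snippet. */
bool parse_note(const unsigned char *buf, size_t len, note_t *out) {
    if (len < 12) return false;                      /* header does not fit */
    uint32_t f[3];
    for (int i = 0; i < 3; i++)
        f[i] = (uint32_t)buf[4 * i] | (uint32_t)buf[4 * i + 1] << 8
             | (uint32_t)buf[4 * i + 2] << 16 | (uint32_t)buf[4 * i + 3] << 24;
    out->namesz = f[0]; out->descsz = f[1]; out->type = f[2];
    out->namedata = buf + 12;
    /* Reject an empty name before indexing namedata[namesz - 1], and make
     * sure the name itself lies inside the buffer. */
    if (out->namesz == 0 || out->namesz > len - 12) return false;
    return out->namedata[out->namesz - 1] == '\0';
}

/* Constructed sample notes (not the attached PoC). */
static const unsigned char good_note[] = {
    4, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0,  'G', 'N', 'U', 0 };
static const unsigned char zero_name_note[] = {
    0, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0 };

bool good_note_accepted(void) {
    note_t n; return parse_note(good_note, sizeof good_note, &n);
}
bool zero_name_rejected(void) {
    note_t n; return !parse_note(zero_name_note, sizeof zero_name_note, &n);
}
```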
