From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24131] New: An unsigned integer overflow found in readelf which may cause OOB memory access
Date: Thu, 24 Jan 2019 18:40:59 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24131
Bug ID: 24131
Summary: An unsigned integer overflow found in readelf which may cause OOB memory access
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---
Created attachment 11568
--> https://sourceware.org/bugzilla/attachment.cgi?id=11568&action=edit
The PoC to demonstrate the unsigned integer overflow
Hi there,
Peng Li and Shengjian Guo at Baidu XLab discovered a suspicious unsigned
integer overflow which may lead to out-of-bounds access. The bug is found in
function process_notes_at of readelf.c of version 2.31.51.20190117.
static bfd_boolean
process_notes_at (Filedata * filedata,
                  Elf_Internal_Shdr * section,
                  bfd_vma offset,
                  bfd_vma length,
                  bfd_vma align)
{
  …
  if (inote.namedata[inote.namesz - 1] != '\0') {
    …
  }
}
If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that inote.namesz is equal to 0, "inote.namesz
- 1" wraps around and becomes a super large number, causing the out-of-bounds
access. Can you please help verify if it is a true positive?
If you have any questions about this issue and input in the attachment, please
let me know.
Thanks
Peng
--
You are receiving this mail because:
You are on the CC list for the bug.
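The wrap-around described in the report, shown as an added example that is not readelf's code and not part of the original message: a hypothetical note-name check that rejects a zero namesz (and a namesz larger than the note) before the `namedata[namesz - 1]` index is ever computed, with constructed note buffers to exercise the header values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fixed-size ELF note header: namesz, descsz, type (4 bytes each). */
typedef struct {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
} elf_note_hdr;

/* Validate the name field of one note held in buf[0..buflen).
 * Returns 1 when the name is non-empty, lies inside the buffer and is
 * NUL-terminated; 0 otherwise. Hypothetical helper, not readelf's code. */
int note_name_is_valid(const unsigned char *buf, size_t buflen)
{
    elf_note_hdr hdr;
    if (buflen < sizeof hdr)
        return 0;
    memcpy(&hdr, buf, sizeof hdr);
    const unsigned char *namedata = buf + sizeof hdr;
    size_t remaining = buflen - sizeof hdr;

    /* The reported pattern is namedata[namesz - 1]: with namesz == 0 the
     * subtraction wraps to the largest unsigned value and the index lands far
     * outside the note. Refuse an empty name before any indexing. */
    if (hdr.namesz == 0)
        return 0;
    /* Also refuse a name that claims more bytes than the note carries. */
    if (hdr.namesz > remaining)
        return 0;
    return namedata[hdr.namesz - 1] == '\0';
}

/* Build a constructed note in a local buffer and check it. The header's
 * namesz is set independently of the bytes supplied so that a lying header
 * (namesz == 0, or namesz larger than the data) can be exercised. */
int check_constructed_note(uint32_t claimed_namesz, const char *name, size_t namelen)
{
    unsigned char buf[64];
    elf_note_hdr hdr = { claimed_namesz, 0, 1 };
    if (namelen > sizeof buf - sizeof hdr)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, name, namelen);
    return note_name_is_valid(buf, sizeof hdr + namelen);
}
```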