From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24138] New: A suspicious unsigned integer overflow which may bypass the check
Date: Fri, 25 Jan 2019 13:16:02 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24138
Bug ID: 24138
Summary: A suspicious unsigned integer overflow which may bypass the check
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---
Created attachment 11571
--> https://sourceware.org/bugzilla/attachment.cgi?id=11571&action=edit
PoC to demonstrate the check is bypassed unintentionally
Hi there,
Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is in function
get_data of readelf.c, version 2.31.51.20190117.
static void *
get_data (void * var,
          Filedata * filedata,
          unsigned long offset,
          bfd_size_type size,
          bfd_size_type nmemb,
          const char * reason)
{
  …
  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0,
  // amt: 255
  // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    {
      if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
               bfd_vmatoa ("u", amt), reason);
      return NULL;
    }
  …
}
If you compile readelf with clang and -fsanitize=unsigned-integer-overflow and
run ./readelf -a input, it is found that offset + archive_file_offset + amt
overflows and bypasses the check. Can you please help verify whether it is a true
positive, and consider whether adding a check for each variable against file_size is
necessary?
If you have any questions about this issue and input in the attachment, please
let me know.
Thanks
Peng
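The wrap-around described in the report, reproduced with the reporter's values beside a check that compares each term before adding. This is an added illustration, not code from binutils: the 64-bit bfd_size_type, the archive_file_offset parameter (a global in readelf.c) and the function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: mirrors a 64-bit build, where unsigned long and
 * bfd_size_type are both 64 bits wide. */
typedef uint64_t size_type;

/* Shape of the original test: the three-term sum is computed first and
 * can wrap, so a huge offset is accepted as "inside the file". */
bool check_original(size_type offset, size_type archive_file_offset,
                    size_type amt, size_type file_size)
{
    if (amt > file_size
        || offset + archive_file_offset + amt > file_size)
        return false;           /* rejected: past end of file */
    return true;                /* accepted */
}

/* Hardened form: each term is bounded against the remaining room before
 * it is added, so no intermediate sum can exceed file_size and wrap. */
bool check_hardened(size_type offset, size_type archive_file_offset,
                    size_type amt, size_type file_size)
{
    if (amt > file_size)
        return false;
    if (offset > file_size)
        return false;
    if (archive_file_offset > file_size - offset)
        return false;
    if (amt > file_size - offset - archive_file_offset)
        return false;
    return true;
}

int main(void)
{
    /* Constructed values taken from the report's comment. */
    size_type offset = UINT64_MAX, arch = 0, amt = 255, file_size = 256;

    printf("sum wraps to %llu\n",
           (unsigned long long)(offset + arch + amt));          /* 254 */
    printf("original check accepts: %d\n",
           check_original(offset, arch, amt, file_size));       /* 1 */
    printf("hardened check accepts: %d\n",
           check_hardened(offset, arch, amt, file_size));       /* 0 */
    return 0;
}
```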