[Bug binutils/24138] New: A suspicious unsigned integer overflow which m

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/24138] New: A suspicious unsigned integer overflow which m

From:	poppeter1982 at gmail dot com
Subject:	[Bug binutils/24138] New: A suspicious unsigned integer overflow which may bypass the check
Date:	Fri, 25 Jan 2019 13:16:02 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24138

            Bug ID: 24138
           Summary: A suspicious unsigned integer overflow which may
                    bypass the check
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11571
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11571&action=edit
PoC to demonstrate the check is bypassed unintentionally

Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is found in function
get_data of readelf.c of version 2.31.51.20190117.

static void *
get_data (void *         var,
          Filedata *     filedata,
          unsigned long  offset,
          bfd_size_type  size,
          bfd_size_type  nmemb,
          const char *   reason)
{
       …
      // Based on the input, offset: 18446744073709551615, archive_file_offset:
0, amt: 255
      // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
      if (amt > filedata->file_size
           || offset + archive_file_offset + amt > filedata->file_size)
      {
          if (reason)
            error (_("Reading %s bytes extends past end of file for %s\n"),
                     bfd_vmatoa ("u", amt), reason);
            return NULL;
      }
      …
}

If you compile readelf with clang and -fsanitize=unsigned-integer-overflow and
run ./readelf -a input, it is found that offset + archive_file_offset + amt
overflows and bypass the check. Can you please help verify if it is a true
positive and think whether adding check for each variable against file_size is
necessary?

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/24138] New: A suspicious unsigned integer overflow which may bypass the check, poppeter1982 at gmail dot com <=
- [Bug binutils/24138] A suspicious unsigned integer overflow which may bypass the check, nickc at redhat dot com, 2019/01/28

Prev by Date: [Bug binutils/24131] A unsigned integer overflow found in readelf which may cause OOB memory access
Next by Date: [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check
Previous by thread: [Bug ld/24035] wrong VMA when not specified explicitly
Next by thread: [Bug binutils/24138] A suspicious unsigned integer overflow which may bypass the check
Index(es):
- Date
- Thread