bug-binutils

[Bug binutils/24829] readelf: integer overflow in apply_relocations


From: tfx_sec at hotmail dot com
Subject: [Bug binutils/24829] readelf: integer overflow in apply_relocations
Date: Tue, 20 Aug 2019 16:11:59 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24829

tfx <tfx_sec at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #7 from tfx <tfx_sec at hotmail dot com> ---
Hi Nick, 

I found several similar problems in dwarf.c

You can reproduce it using "readelf -w poc5" with ASAN.
The crash output is shown below.

 Line Number Statements:
ASAN:DEADLYSIGNAL
=================================================================
==1276==ERROR: AddressSanitizer: SEGV on unknown address 0x1bf66161 (pc 0x08234f98 bp 0xffc3aa88 sp 0xffc3a7e0 T0)
    #0 0x8234f97 in display_debug_lines_raw ./src/binutils/dwarf.c:3840:18
    #1 0x8234f97 in display_debug_lines ./src/binutils/dwarf.c:4825
    #2 0x81984d7 in display_debug_section ./src/binutils/readelf.c:14231:18
    #3 0x81984d7 in process_section_contents ./src/binutils/readelf.c:14322
    #4 0x8178730 in process_object ./src/binutils/readelf.c:19760:9
    #5 0x8140c51 in process_file ./src/binutils/readelf.c:20190:13
    #6 0x8140c51 in main ./src/binutils/readelf.c:20249
    #7 0xf7ce1636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x806254c in _start (/vul/readelf/readelf-pat+0x806254c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./src/binutils/dwarf.c:3840:18 in display_debug_lines_raw
==1276==ABORTING



The source code with the problem is shown below.

dwarf.c

 2064       if (block_start + uvalue > end || data < block_start)
 2065         {
 2066           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
 2067           uvalue = end - block_start;
 2068         }


 2084       data = block_start + uvalue;
 2085       if (block_start + uvalue > end || data < block_start)
 2086         {
 2087           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
 2088           uvalue = end - block_start;
 2089         }


 2105       data = block_start + uvalue;
 2106       if (block_start + uvalue > end || data < block_start)
 2107         {
 2108           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
 2109           uvalue = end - block_start;
 2110         }



 2127       data = block_start + uvalue;
 2128       if (block_start + uvalue > end
 2129           /* PR 17531: file: 5b5f0592.  */
 2130           || data < block_start)
 2131         {
 2132           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
 2133           uvalue = end - block_start;
 2134         }
 2135       if (do_loc)
 2136         data = block_start + uvalue;
 2137       else
 2138         data = display_block (block_start, uvalue, end, delimiter);
 2139       break;

When "uvalue" is a specific value, "block_start + uvalue" will cause an integer
overflow. This will produce a wrong "data" value and trigger a crash.

3840               op_code = *data++;


It seems that reporting this type of bug has no meaning. What do you think?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
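The following is an added model of the length check quoted from dwarf.c in the comment above. It is not binutils code and is not part of the bug report. It assumes a 32-bit address width (as on the i386 build in the ASAN trace) and a 64-bit "uvalue" (dwarf_vma), and models the pointer addition "block_start + uvalue" as modular arithmetic on a 32-bit integer, which is what the wrapped pointer looks like in practice (in real C an out-of-bounds pointer is undefined behaviour). The block/buffer addresses and the sample lengths are constructed for the demonstration. It shows which lengths slip past the as-written check and how a check that compares the length against "end - block_start" rejects them without ever forming the wrapped pointer.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the i386 address width; uvalue stays 64-bit like dwarf_vma.
   Assumption for this example, not a binutils type. */
typedef uint32_t addr_t;

/* The check as written in the quoted lines: form "data = block_start + uvalue"
   first, then compare it against the buffer.  The addition is reduced modulo
   2^32 here, which is what the wrapped pointer looks like on the i386 target.
   Returns true when the length is rejected as corrupt. */
bool check_as_written(addr_t block_start, addr_t end, uint64_t uvalue,
                      addr_t *data_out)
{
    addr_t data = (addr_t)(block_start + uvalue);   /* wraps when uvalue >= 2^32 */
    *data_out = data;
    return data > end || data < block_start;
}

/* Hardened form: compare the length against the bytes left in the buffer and
   never form a pointer beyond "end".  On rejection, clamp exactly as the
   warn() branch does (uvalue = end - block_start). */
bool check_hardened(addr_t block_start, addr_t end, uint64_t uvalue,
                    addr_t *data_out)
{
    if (end < block_start || uvalue > (uint64_t)(end - block_start)) {
        *data_out = end;
        return true;
    }
    *data_out = (addr_t)(block_start + uvalue);
    return false;
}

/* Constructed attribute block: 0x100 bytes starting at 0x08000000. */
static const addr_t BLOCK_START = 0x08000000u;
static const addr_t BLOCK_END   = 0x08000100u;

/* Constructed lengths; the last two have low 32 bits of 0x10, so the wrapped
   "data" lands inside the block even though uvalue is far larger than it. */
static const uint64_t SAMPLE_LENGTHS[] = {
    0x10,                   /* in range: both checks accept */
    0x200,                  /* past end: both checks reject */
    0x100000010ull,         /* 2^32 + 0x10: wraps to block_start + 0x10 */
    0xffffffff00000010ull,  /* also wraps to block_start + 0x10 */
};

/* True when the as-written check lets the length through. */
bool as_written_accepts(uint64_t uvalue)
{
    addr_t data;
    return !check_as_written(BLOCK_START, BLOCK_END, uvalue, &data);
}

/* Runs every sample length through both checks and returns how many of them
   the two checks disagree on. */
int count_disagreements(void)
{
    int disagreements = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LENGTHS / sizeof SAMPLE_LENGTHS[0]; i++) {
        uint64_t uvalue = SAMPLE_LENGTHS[i];
        addr_t d_written, d_hardened;
        bool rej_written  = check_as_written(BLOCK_START, BLOCK_END, uvalue, &d_written);
        bool rej_hardened = check_hardened(BLOCK_START, BLOCK_END, uvalue, &d_hardened);
        printf("uvalue=%#" PRIx64 "  as-written: %s data=%#" PRIx32
               "  hardened: %s data=%#" PRIx32 "\n",
               uvalue,
               rej_written ? "reject" : "accept", d_written,
               rej_hardened ? "reject" : "accept", d_hardened);
        if (rej_written != rej_hardened)
            disagreements++;
    }
    return disagreements;
}

int main(void)
{
    int n = count_disagreements();
    printf("%d length(s) pass the as-written check but not the hardened one\n", n);
    return 0;
}
```

The two wrapping lengths are accepted by the as-written check because the comparison is done on the already-wrapped pointer, which sits inside [block_start, end]; the later code then uses the original huge uvalue (or the wrapped data) and walks off the buffer. Comparing the length against the remaining size, as the hardened form does, cannot be fooled by the wrap because no pointer is formed before the test.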

