bug-binutils

[Bug binutils/24829] readelf: multi integer overflow in readelf.c and d


From: nickc at redhat dot com
Subject: [Bug binutils/24829] readelf: multi integer overflow in readelf.c and dwarf.c
Date: Wed, 21 Aug 2019 10:31:17 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24829

Nick Clifton <nickc at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |WAITING

--- Comment #9 from Nick Clifton <nickc at redhat dot com> ---
(In reply to tfx from comment #7)
Hi tfx,

> You can reproduce it using "readelf -w poc5" with ASAN.
> The crash output is shown below.

Again I cannot reproduce this failure. :-(
Part of the problem is that I am unable to build 32-bit binaries
with address sanitization enabled.  I think that this is a limitation
of the Fedora distribution, but I do not know of any way around the
problem.

>  2063       data = block_start + uvalue;
>  2064       if (block_start + uvalue > end || data < block_start)
>  2065         {
>  2066           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>  2067           uvalue = end - block_start;
>  2068         }


> When "uvalue" is a specific value, "block_start + uvalue" will cause an
> integer overflow. This will cause a wrong "data" value and trigger a crash.

I get that "block_start + uvalue" can overflow, but won't this trigger
the "data < block_start" part of the test?  Which in turn will reset
uvalue to a sane number, and so allow the rest of the code to continue?


> It seems that reporting this type of bug has no meaning. What do you think?

Oh no, they are definitely worth reporting.  It is just proving to be
very hard for me to track down the cause of the problems and come up
with fixes that will work.

Cheers
  Nick

-- 
You are receiving this mail because:
You are on the CC list for the bug.
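The check Nick asks about forms the pointer `block_start + uvalue` first and only then inspects the result; on a 32-bit build that sum can wrap, and because pointer overflow is undefined behaviour in C the compiler is also free to drop the `data < block_start` comparison as impossible. The following is an added illustration, not binutils code, of the same clamp written as a comparison of lengths rather than of pointers; `clamp_block_length`, `check_sample` and `sample_block` are constructed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Clamp an attribute block length to the bytes left in the buffer.
   Only trusted pointers (block_start, end) are subtracted; the untrusted
   uvalue is never added to a pointer, so nothing can wrap and no
   undefined behaviour is introduced for the optimizer to exploit.
   Returns the usable length and sets *corrupt to 1 when it was clamped. */
static size_t
clamp_block_length (const unsigned char *block_start,
                    const unsigned char *end,
                    uint64_t uvalue,
                    int *corrupt)
{
  /* end >= block_start holds by construction, so this is well defined. */
  size_t remaining = (size_t) (end - block_start);

  *corrupt = 0;
  if (uvalue > remaining)          /* compare sizes, not pointers */
    {
      *corrupt = 1;
      return remaining;            /* the clamp the original intends */
    }
  return (size_t) uvalue;
}

/* Constructed 16-byte "attribute block" used by the self-check below. */
static const unsigned char sample_block[16] = { 0 };

/* Run the clamp against the constructed block; returns the resulting
   length and reports through *corrupt whether the input was out of range. */
size_t
check_sample (uint64_t uvalue, int *corrupt)
{
  return clamp_block_length (sample_block,
                             sample_block + sizeof sample_block,
                             uvalue, corrupt);
}

int
main (void)
{
  int corrupt;
  /* A length that would wrap a 32-bit pointer sum is clamped to 16. */
  size_t n = check_sample (UINT64_MAX, &corrupt);
  printf ("length %zu corrupt %d\n", n, corrupt);   /* length 16 corrupt 1 */
  n = check_sample (8, &corrupt);
  printf ("length %zu corrupt %d\n", n, corrupt);   /* length 8 corrupt 0 */
  return 0;
}
```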

