[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24829] readelf: multi interger overflow in readelf.c and d
|
From: |
tfx_sec at hotmail dot com |
|
Subject: |
[Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c |
|
Date: |
Wed, 21 Aug 2019 14:23:56 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=24829
--- Comment #11 from tfx <tfx_sec at hotmail dot com> ---
(In reply to Nick Clifton from comment #9)
> (In reply to tfx from comment #7)
>
> > You can reproduce it use "readelf -w poc5" with ASAN.
> > The crash output show as follow.
>
> Again I cannot reproduce this failure. :-(
> Part of the problem is that I am unable to build 32-bit binaries
> with address sanitization enabled. I think that this is a limitation
> of the Fedora distribution, but I do not know of any way around the
> problem.
>
You can try to only build part of 32-bit binaries.
CC="clang -m32" CXX="clang -m32" CFLAGS="-m32 -fsanitize=address"
CXXFLAGS="-m32 -fsanitize=address" ./configure
make all-binutils
> > 2063 data = block_start + uvalue;
> > 2064 if (block_start + uvalue > end || data < block_start)
> > 2065 {
> > 2066 warn (_("Corrupt attribute block length: %lx\n"), (long)
> > uvalue);
> > 2067 uvalue = end - block_start;
> > 2068 }
>
>
> > When "uvalue" is a specific value, "block_start + uvalue" will cause
> > integer overflow. This will cause a wrong "data" value and trigger crash.
>
> I get the "block_start + uvalue" can overflow, but won't this trigger
> the "data < block_start" part of the test ? Which in turn will reset
> uvalue to a sane number, and so allow the rest of the code to continue ?
>
I found root of the problem is that "data < block_start" is compiled as "uvalue
< 0" in gcc. When integer overflow, these two statements have different
judgment results.
Debug 32bit readelf with asan use poc5 in gdb
(gdb) info reg eax
eax 0x26262626 640034342
(gdb) info reg edx
edx 0xf5e03b33 -169854157
(gdb)
eax is "uvalue"
edx is "block_start"
data is 0xf5e03b33 + 0x26262626 = 0x1c066159
"data < block_start" is true. But "uvalue < 0" is false, code in braces is
skipped, "uvalue" can't be reset.
It just happens when block_start > 0x80000000 and "block_start + uvalue >=
0x1`00000000".
Trigger this crash is difficult, but the overflow can happen.
I only trigger crash in 32bit readelf with ASAN.
(In reply to Alan Modra from comment #10)
> > I get the "block_start + uvalue" can overflow, but won't this trigger the
> > "data < block_start" part of the test?
>
> Not necessarily. The pointers may only be 32 bit, which with a 64-bit
> uvalue leads to many values of uvalue > 4G that wrap to a "valid" range.
> Pointer comparisons are a pain. It's much better in this situation to
> calculate the max valid size left then compare that with uvalue.
I think that's a good solution.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, tfx_sec at hotmail dot com, 2019/08/20
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, nickc at redhat dot com, 2019/08/21
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, amodra at gmail dot com, 2019/08/21
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c,
tfx_sec at hotmail dot com <=
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, nickc at redhat dot com, 2019/08/22
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, tfx_sec at hotmail dot com, 2019/08/22
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, cvs-commit at gcc dot gnu.org, 2019/08/23
- [Bug binutils/24829] readelf: multi interger overflow in readelf.c and dwarf.c, nickc at redhat dot com, 2019/08/23