From: dennis.r at columbia dot edu
Subject: [Bug binutils/27286] New: False results/ misinformation, unpredictable behavior and potential crash through Multiple Integer Overflows/ Underflows in elf32_avr_get_note_desc()
Date: Sun, 31 Jan 2021 03:29:45 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=27286
Bug ID: 27286
Summary: False results/ misinformation, unpredictable behavior
and potential crash through Multiple Integer
Overflows/ Underflows in elf32_avr_get_note_desc()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---
Created attachment 13177
--> https://sourceware.org/bugzilla/attachment.cgi?id=13177&action=edit
poc
= Attachment =
./memory
= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage memory
= Location =
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L107
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/section.c#L1585
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L113
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L114
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L111
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L117
= Description =
Three distinct bug locations may cause the function to improperly return NULL.
Execution will then proceed on a wrong path with wrong values (unintended
behavior), causing misinformation or potentially a crash.
od-elf32_avr.c:107
    if (in.namesz > contents - in.namedata + size)
Large xnp->name + size may overflow an unsigned long
od-elf32_avr.c:111
    in.descdata = in.namedata + align_power (in.namesz, 2);
od-elf32_avr.c:113
    if (in.descdata >= contents + size
od-elf32_avr.c:114
        in.descsz > contents - in.descdata + size)
= Fix =
xnp->name < INT_MAX - xnp->namesz
Cast 'bfd_vma' type to signed long
xnp->name < INT_MAX - size
= UBSan =
../seed_folder/memory: file format elf32-avr
../../binutils/od-elf32_avr.c:107:42: runtime error: unsigned integer overflow: 18446744073709551604 + 60 cannot be represented in type 'unsigned long'
../../binutils/od-elf32_avr.c:111:31: runtime error: negation of 4 cannot be represented in type 'bfd_vma' (aka 'unsigned long')
../../binutils/od-elf32_avr.c:114:51: runtime error: unsigned integer overflow: 18446744073709551600 + 60 cannot be represented in type 'unsigned long'
= Stack Trace =
Breakpoint 1, elf32_avr_dump (abfd=<optimized out>) at ../../binutils/od-elf32_avr.c:107
107       if (in.namesz > contents - in.namedata + size)
(gdb) bt
#0  elf32_avr_dump (abfd=<optimized out>) at ../../binutils/od-elf32_avr.c:107
#1  0x000000000041e80d in dump_target_specific (abfd=0x38f4c90) at ../../binutils/objdump.c:4282
#2  dump_bfd (abfd=0x38f4c90, is_mainfile=1) at ../../binutils/objdump.c:4870
#3  0x000000000041bc6f in display_object_bfd (abfd=<optimized out>) at ../../binutils/objdump.c:5008
#4  display_any_bfd (file=<optimized out>, level=<optimized out>) at ../../binutils/objdump.c:5098
#5  0x000000000040757d in display_file (filename=<optimized out>, target=<optimized out>, last_file=<optimized out>) at ../../binutils/objdump.c:5119
#6  main (argc=<optimized out>, argv=<optimized out>) at ../../binutils/objdump.c:5467
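Added here as an illustration of the checks quoted in the report, not code from binutils or from the reporter: the same note-header validation written on offsets compared against `size`, so that no pointer difference or alignment step can wrap. The function names and the sample note bytes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative offset-based validation of an ELF note header (namesz,
   descsz, type, name, desc); example code, not binutils' own function.
   Each check compares an offset against size only after the subtrahend
   is known to be <= size, so no intermediate value can wrap.  */
#define NOTE_HDR_SIZE 12u   /* namesz + descsz + type, 4 bytes each */
static uint32_t rd32le(const unsigned char *p)  /* little-endian, as elf32-avr */
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
       | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns a pointer to the descriptor and stores its length in *desc_size,
   or NULL if the header, the name or the descriptor does not fit in size.  */
const unsigned char *safe_get_note_desc(const unsigned char *contents,
                                        size_t size, size_t *desc_size)
{
  if (size < NOTE_HDR_SIZE)
    return NULL;
  uint32_t namesz = rd32le(contents), descsz = rd32le(contents + 4);
  if (namesz > size - NOTE_HDR_SIZE)      /* size >= 12, so no wrap */
    return NULL;
  if (namesz != 4 || memcmp(contents + NOTE_HDR_SIZE, "AVR", 4) != 0)
    return NULL;                           /* AVR note name is "AVR\0" */
  /* Round the name up to 4 bytes in 64-bit arithmetic: cannot wrap for
     any 32-bit namesz, unlike "namedata + align_power (namesz, 2)".  */
  uint64_t desc_off = NOTE_HDR_SIZE + (((uint64_t)namesz + 3) & ~(uint64_t)3);
  if (desc_off > size || descsz > size - desc_off)
    return NULL;
  *desc_size = descsz;
  return contents + desc_off;
}

/* Constructed sample: namesz=4, descsz=8, type=1, "AVR\0", 8 desc bytes.  */
const unsigned char sample_note[24] = {
  4, 0, 0, 0,  8, 0, 0, 0,  1, 0, 0, 0,  'A', 'V', 'R', 0,
  1, 2, 3, 4,  5, 6, 7, 8 };

/* 1 when the full sample yields the 8-byte descriptor at offset 16 and the
   same bytes truncated to 20 (descriptor cut short) are rejected, else 0.  */
int run_checks(void)
{
  size_t n = 0;
  const unsigned char *d = safe_get_note_desc(sample_note, 24, &n);
  if (d != sample_note + 16 || n != 8)
    return 0;
  return safe_get_note_desc(sample_note, 20, &n) == NULL;
}
```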