bug-binutils

[Bug binutils/27288] New: Undefined negations and integer overflows in e


From: dennis.r at columbia dot edu
Subject: [Bug binutils/27288] New: Undefined negations and integer overflows in elf_object_p() potentially crashing on some systems
Date: Sun, 31 Jan 2021 03:36:38 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27288

            Bug ID: 27288
           Summary: Undefined negations and integer overflows in
                    elf_object_p() potentially crashing on some systems
           Product: binutils
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dennis.r at columbia dot edu
  Target Milestone: ---

Created attachment 13179
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13179&action=edit
poc

= Attachment = 
./memory

= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage memory

= Location =
../../bfd/elfcode.h:647
../../bfd/elfcode.h:757
../../bfd/elfcode.h:816

= Description =
In elfcode.h function elf_object_p multiple computations and comparisons are
unescaped. This may cause unintended program behavior.

elfcode.h:647
A negative value of i_ehdrp->e_shstrndx will cause the comparison to underflow
(i_ehdrp->e_shstrndx == (SHN_XINDEX & 0xffff))


elfcode.h:757
Small values of sh_addr in combination with large sh_offset cause negative
value in unsigned int in conditional ( ( i_shdrp[shindex].sh_addr -
i_shdrp[shindex].sh_offset) % ebd->minpagesize) != 0


elfcode.h:816
Negative value cannot be represented in type 'bfd_vma' (aka 'unsigned long')


= Fix =
Check for i_ehdrp->e_shstrndx to be greater than or equal to zero
Cast to signed long
Cast to signed long

= UBSan =
../../bfd/elfcode.h:647:35: runtime error: negation of 1 cannot be represented
in type 'unsigned int'
../../bfd/elfcode.h:757:39: runtime error: unsigned integer overflow: 0 - 180
cannot be represented in type 'unsigned long'
../../bfd/elfcode.h:816:46: runtime error: negation of 2 cannot be represented
in type 'bfd_vma' (aka 'unsigned long')
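The unsigned wrap behind the elfcode.h:757 sanitizer message, shown beside two defensive ways of writing the same alignment and difference checks. This is an added illustration, not binutils code; the bfd_vma typedef, the page sizes and the sh_addr/sh_offset values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* bfd_vma is 'unsigned long' on the reporter's 64-bit build; fixed here. */
typedef uint64_t bfd_vma;

/* The page-alignment test in the form the report quotes. When sh_offset
   exceeds sh_addr the unsigned subtraction wraps modulo 2^64, which is the
   "0 - 180 cannot be represented" event UBSan printed. */
bool aligned_wrapping(bfd_vma sh_addr, bfd_vma sh_offset, bfd_vma pagesize)
{
    return ((sh_addr - sh_offset) % pagesize) == 0;
}

/* Same congruence test without forming a wrapped difference: compare the
   residues of the two operands. It agrees with aligned_wrapping whenever
   pagesize is a power of two (2^64 is then a multiple of pagesize) and
   also tolerates pagesize == 0, which the modulo above would divide by. */
bool aligned_checked(bfd_vma sh_addr, bfd_vma sh_offset, bfd_vma pagesize)
{
    if (pagesize == 0)
        return true; /* no alignment constraint to enforce */
    return (sh_addr % pagesize) == (sh_offset % pagesize);
}

/* Signed difference with an explicit range check, a safer form of the
   "cast to signed long" the report proposes: fails instead of yielding a
   value that does not fit in int64_t. All arithmetic stays well defined. */
bool signed_difference(bfd_vma a, bfd_vma b, int64_t *out)
{
    if (a >= b) {
        bfd_vma d = a - b;
        if (d > (bfd_vma)INT64_MAX) return false;
        *out = (int64_t)d;
    } else {
        bfd_vma d = b - a;                     /* magnitude of the result */
        if (d > (bfd_vma)INT64_MAX + 1) return false;
        *out = -(int64_t)(d - 1) - 1;          /* reaches INT64_MIN safely */
    }
    return true;
}

int main(void)
{
    int64_t v;
    /* Constructed inputs matching the sanitizer line: sh_addr 0, sh_offset 180. */
    printf("wrapping: %d  checked: %d\n",
           aligned_wrapping(0, 180, 4096), aligned_checked(0, 180, 4096));
    if (signed_difference(0, 180, &v)) printf("difference: %lld\n", (long long)v);
    return 0;
}
```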


