[Bug ld/29101] New: [Bug] User input is not sanitized in libdep_plugin.c
From: yguoaz at gmail dot com
Subject: [Bug ld/29101] New: [Bug] User input is not sanitized in libdep_plugin.c and cause trouble on 32bit machine
Date: Thu, 28 Apr 2022 09:16:51 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=29101
Bug ID: 29101
Summary: [Bug] User input is not sanitized in libdep_plugin.c and cause trouble on 32bit machine
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: yguoaz at gmail dot com
Target Milestone: ---
In the file ld/libdep_plugin.c, the function get_libdeps has the following code
(link:
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=ld/libdep_plugin.c;h=5569aa45e360be6321a94fe7f3b2af1caf3fd163;hb=20756b0fbe065a84710aa38f2457563b57546440#l108):
static enum ld_plugin_status
get_libdeps (int fd)
{
  arhdr ah;
  int len;
  ...
  for (;;)
    {
      len = read (fd, (void *) &ah, sizeof (ah));
      if (len != sizeof (ah))
        break;
      mlen = strtoul (ah.ar_size, NULL, 10);
      if (!mlen || strncmp (ah.ar_name, LIBDEPS, sizeof (LIBDEPS)-1))
        {
          lseek (fd, mlen, SEEK_CUR);
          continue;
        }
      lr = malloc (sizeof (linerec) + mlen);
      ...
    }
}
where the definition of type arhdr is as follows:
typedef struct arhdr
{
  char ar_name[16];
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];
  char ar_fmag[2];
} arhdr;
It is therefore possible to craft the file content so that mlen parses to UINT32_MAX
(just manipulate the string content starting at ah.ar_size).
This will lead to an integer overflow in the calculation of the allocation
size: sizeof (linerec) + mlen (assuming a 32-bit environment where unsigned long
takes 4 bytes). If this happens, accessing the buffer lr will lead to a buffer
overflow in later code.
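One way to harden the two steps the report points at, as an added example that is not binutils code: ar_size is parsed from a NUL-terminated copy of the 10-byte field, and sizeof (linerec) + mlen is checked against the size type's maximum before any allocation. arhdr is the struct quoted above; linerec, the crafted header, and the limit parameter are assumptions for illustration (passing UINT32_MAX as the limit models the 32-bit case on any host).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* arhdr as quoted in the report; linerec is a stand-in (assumption). */
typedef struct arhdr { char ar_name[16], ar_date[12], ar_uid[6], ar_gid[6],
                       ar_mode[8], ar_size[10], ar_fmag[2]; } arhdr;
typedef struct linerec { struct linerec *next; char line[1]; } linerec;

/* Parse the 10-byte, non-NUL-terminated ar_size field into *mlen.  'limit' is
   the size type's maximum: SIZE_MAX for real use, UINT32_MAX for 32-bit ld. */
bool parse_ar_size (const arhdr *ah, uint64_t limit, uint64_t *mlen)
{
  char buf[sizeof ah->ar_size + 1], *end;
  memcpy (buf, ah->ar_size, sizeof ah->ar_size);   /* copy: field has no NUL */
  buf[sizeof ah->ar_size] = '\0';
  errno = 0;
  unsigned long long v = strtoull (buf, &end, 10);
  if (buf[0] < '0' || buf[0] > '9' || end == buf || errno != 0)
    return false;                /* sign, blank field or out of range */
  for (; *end == ' '; end++) ;   /* ar right-pads the field with spaces */
  if (*end != '\0' || v > limit)
    return false;
  *mlen = v;
  return true;
}
/* sizeof (linerec) + mlen, refusing to wrap instead of returning the tiny
   size that a later copy of mlen bytes into the buffer would overrun. */
bool libdep_alloc_size (uint64_t mlen, uint64_t limit, uint64_t *out)
{
  if (mlen > limit - sizeof (linerec))
    return false;
  *out = sizeof (linerec) + mlen;
  return true;
}

/* Constructed header whose member claims UINT32_MAX bytes, as in the report. */
static const arhdr crafted = { "crafted.o/      ", "0           ", "0     ",
                               "0     ", "644     ", "4294967295", "`\n" };

/* Size the record for 'crafted' under a given size limit; 0 means rejected. */
uint64_t crafted_alloc_size (uint64_t limit)
{
  uint64_t mlen, size;
  if (!parse_ar_size (&crafted, limit, &mlen)
      || !libdep_alloc_size (mlen, limit, &size))
    return 0;
  return size;
}
```

With a 32-bit limit the crafted member is rejected before malloc; with a 64-bit limit the same header yields the honest size, which a caller can still cap at the file length.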