https://sourceware.org/bugzilla/show_bug.cgi?id=16664
Bug ID: 16664
Summary: segmentation fault in process_attributes() of readelf.c
Product: binutils
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: antiagainst at gmail dot com

Created attachment 7456 --> https://sourceware.org/bugzilla/attachment.cgi?id=7456&action=edit
contains an 8-byte SHT_GNU_ATTRIBUTES triggering the bug

The following is based on readelf 2.24. I built it on Ubuntu 13.10 with GCC 4.8.1.

In process_attributes() of readelf.c, there exist integer underflow and pointer out of bounds problems. These problems can cause segmentation faults.

On a little endian machine, given an 8-byte SHT_GNU_ATTRIBUTES section whose content is `4104 0000 00ff ffff`, getdata() will allocate 9 bytes to hold it in memory (adding a `\0` to the end). Then `contents` is a 9-byte char array. The first byte is matched to 'A' (line 12166), and `section_len` gets its value from the next 4 bytes (line 12177), which is 4. The last 4 bytes are interpreted as a name string (line 12188), and its size is assigned to `namelen` (line 12200), which is 4. So, at line 12202, `section_len -= namelen + 4` is `4 -= 4 + 4`. This is an integer underflow. And at the end of line 12201, `p` already goes out of the memory allocated for `contents`. This is a pointer out of bounds. Then `size` is read from some random memory after `contents` (line 12210). Later `end` is assigned to `p + size - 1` (line 12219), which could be out of bounds, and passed to display_raw_attribute(), which will cause a segmentation fault.

A small problem is attached to help reproduce the bug. The command is `readelf -a readelf-5-83-A`. The program will loop for a while and then crash with segmentation fault and core dumping.

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
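An added example, not code from the report or from binutils: it reconstructs the subsection-header walk the report describes (length field, name, `section_len -= namelen + 4`) beside a version that checks the name and length against the section before subtracting. `walk_unchecked`, `walk_checked`, `read_le32` and both sample buffers are constructed for this illustration; `bad_section` is the report's 8-byte content plus the `\0` getdata() appends.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed inputs (not the report's attachment). bad_section is the
 * 8-byte section from the report, 41 04 00 00 00 ff ff ff, plus the '\0'
 * getdata() appends, so the buffer is 9 bytes. good_section is a
 * well-formed header: 'A', section_len = 9, name "gnu", one payload byte. */
static const unsigned char bad_section[9] = {
    0x41, 0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x00 };
static const unsigned char good_section[11] = {
    0x41, 0x09, 0x00, 0x00, 0x00, 'g', 'n', 'u', 0x00, 0x01, 0x00 };

struct hdr {
    size_t remaining;  /* section_len after the name is subtracted */
    size_t offset;     /* where p ends up; == buffer size means out of bounds */
};

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Header walk as the report describes the 2.24 logic (a reconstruction,
 * not readelf's code): section_len is never compared with namelen + 4. */
struct hdr walk_unchecked(const unsigned char *contents)
{
    const unsigned char *p = contents + 1;          /* past the 'A' */
    size_t section_len = read_le32(p);
    p += 4;
    size_t namelen = strlen((const char *)p) + 1;   /* 4 for bad_section */
    p += namelen;                                   /* contents + 9: past the end */
    section_len -= namelen + 4;                     /* 4 - 8 wraps around */
    struct hdr h = { section_len, (size_t)(p - contents) };
    return h;
}

/* Same walk with the bounds the report's reasoning calls for. Returns the
 * bytes left after the name, or -1 if the header cannot fit the section. */
long walk_checked(const unsigned char *contents, size_t len)
{
    const unsigned char *p = contents + 1;
    if (len < 5)                                    /* 'A' plus 4-byte length */
        return -1;
    size_t section_len = read_le32(p);
    p += 4;
    if (section_len < 4 || section_len - 4 > len - 5)
        return -1;                                  /* length field lies */
    /* the name and its NUL must sit inside the section's own bytes */
    const unsigned char *nul = memchr(p, 0, section_len - 4);
    if (nul == NULL)
        return -1;                                  /* unterminated name: the report's case */
    size_t namelen = (size_t)(nul - p) + 1;
    return (long)(section_len - 4 - namelen);
}
```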