https://sourceware.org/bugzilla/show_bug.cgi?id=24132
Bug ID: 24132
Summary: A suspicious unsigned integer overflow which may
bypass a check
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---
Created attachment 11569
--> https://sourceware.org/bugzilla/attachment.cgi?id=11569&action=edit
The PoC to demonstrate the unsigned integer overflow
Hi There
Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is found in function
process_program_headers of readelf.c of version 2.31.51.20190117.
static bfd_boolean
process_program_headers (Filedata * filedata)
{
…
/* PR binutils/17512: Avoid corrupt dynamic section info in the
segment. Check this after matching against the section headers
so we don't warn on debuginfo file (which have NOBITS .dynamic
sections). */
if (dynamic_addr + dynamic_size >= filedata->file_size)
{
error (_("the dynamic segment offset + size exceeds the size of
the file\n"));
dynamic_addr = dynamic_size = 0;
}
break;
…
}
If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that dynamic_addr + dynamic_size overflows and
may bypass the check. Can you please help verify if it is a true positive and
do you think adding check for each variable against file_size is necessary?
If you have any questions about this issue and input in the attachment, please
let me know.
Thanks
Peng
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
