https://sourceware.org/bugzilla/show_bug.cgi?id=24132
Bug ID: 24132
Summary: A suspicious unsigned integer overflow which may bypass a check
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---

Created attachment 11569
--> https://sourceware.org/bugzilla/attachment.cgi?id=11569&action=edit
The PoC to demonstrate the unsigned integer overflow

Hi there,

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer overflow which may bypass a check unintentionally. The bug is found in function process_program_headers of readelf.c of version 2.31.51.20190117.

    static bfd_boolean
    process_program_headers (Filedata * filedata)
    {
      …
          /* PR binutils/17512: Avoid corrupt dynamic section info in the
             segment.  Check this after matching against the section headers
             so we don't warn on debuginfo file (which have NOBITS .dynamic
             sections).  */
          if (dynamic_addr + dynamic_size >= filedata->file_size)
            {
              error (_("the dynamic segment offset + size exceeds the size of the file\n"));
              dynamic_addr = dynamic_size = 0;
            }
          break;
      …
    }

If you compile readelf with -fsanitize=unsigned-integer-overflow and run ./readelf -a input, it is found that dynamic_addr + dynamic_size overflows and may bypass the check.

Can you please help verify if it is a true positive, and do you think adding a check for each variable against file_size is necessary?

If you have any questions about this issue and the input in the attachment, please let me know.

Thanks,
Peng

--
You are receiving this mail because:
You are on the CC list for the bug.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
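The wraparound the report describes, and the operand-by-operand check it asks about, reduced to a stand-alone comparison. This is an added illustration, not code from binutils or from the reporter; it assumes the three quantities are unsigned 64-bit values (as bfd_vma / bfd_size_type are on a 64-bit host) and uses constructed inputs rather than the attached PoC file.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types: bfd_vma and bfd_size_type are assumed to be 64-bit
   unsigned here, so the sum wraps modulo 2^64 instead of trapping. */

/* The shape of the check quoted in the report. Returns true when the range
   should be rejected. A very large addr plus a modest size wraps to a small
   value, compares below file_size, and the corrupt range is accepted. */
bool dynamic_range_rejected_naive(uint64_t addr, uint64_t size,
                                  uint64_t file_size)
{
    return addr + size >= file_size;
}

/* Same acceptance set as the naive check for non-wrapping inputs, but the
   addition is never performed: each operand is tested against file_size,
   and size is compared with the room that remains after addr. */
bool dynamic_range_rejected_safe(uint64_t addr, uint64_t size,
                                 uint64_t file_size)
{
    if (addr >= file_size)
        return true;               /* offset already past end of file */
    if (size >= file_size - addr)  /* addr + size >= file_size, no wrap */
        return true;
    return false;
}

/* True when the naive form lets a range through that the safe form
   rejects, i.e. the inputs trigger the bypass the report is about. */
bool naive_check_bypassed(uint64_t addr, uint64_t size, uint64_t file_size)
{
    return !dynamic_range_rejected_naive(addr, size, file_size) &&
           dynamic_range_rejected_safe(addr, size, file_size);
}

int main(void)
{
    /* Constructed values: a 1000-byte "file" and a dynamic segment whose
       offset sits near the top of the 64-bit range. */
    uint64_t file_size = 1000;
    uint64_t addr = UINT64_MAX - 10;
    uint64_t size = 20;

    printf("naive rejects: %d\n", dynamic_range_rejected_naive(addr, size, file_size));
    printf("safe rejects:  %d\n", dynamic_range_rejected_safe(addr, size, file_size));
    printf("bypassed:      %d\n", naive_check_bypassed(addr, size, file_size));
    return 0;
}
```

Compiling this with -fsanitize=unsigned-integer-overflow flags the addition in the naive function on the constructed inputs, while the safe function performs no addition at all; the two agree on every input that does not wrap.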