https://sourceware.org/bugzilla/show_bug.cgi?id=24138
Bug ID: 24138
Summary: A suspicious unsigned integer overflow which may bypass the check
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---

Created attachment 11571
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11571&action=edit
PoC to demonstrate the check is bypassed unintentionally

Hi there,

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer overflow which may bypass a check unintentionally. The bug is found in function get_data of readelf.c of version 2.31.51.20190117.

    static void *
    get_data (void * var, Filedata * filedata, unsigned long offset,
              bfd_size_type size, bfd_size_type nmemb, const char * reason)
    {
      …
      // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
      // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
      if (amt > filedata->file_size
          || offset + archive_file_offset + amt > filedata->file_size)
        {
          if (reason)
            error (_("Reading %s bytes extends past end of file for %s\n"),
                   bfd_vmatoa ("u", amt), reason);
          return NULL;
        }
      …
    }

If you compile readelf with clang and -fsanitize=unsigned-integer-overflow and run ./readelf -a input, it is found that offset + archive_file_offset + amt overflows and bypasses the check. Can you please help verify whether it is a true positive and consider whether adding a check for each variable against file_size is necessary?

If you have any questions about this issue and the input in the attachment, please let me know.

Thanks
Peng

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
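Added example, not part of the report or of binutils: the bounds check quoted from get_data, reduced to a stand-alone function, next to an overflow-safe rewrite that bounds each term against the remaining file size before adding it. The values are the reporter's (offset = 2^64-1, archive_file_offset = 0, amt = 255, file_size = 256); bfd_size_type and unsigned long are modelled as uint64_t, which is an assumption about the build, and the function names are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values mirroring the ones quoted in the report. */
#define POC_OFFSET   UINT64_MAX   /* 18446744073709551615 */
#define POC_ARCHIVE  0
#define POC_AMT      255
#define POC_FILESIZE 256

/* The check as written in get_data(): returns 1 when the read is allowed.
   bfd_size_type / unsigned long are modelled as uint64_t (assumption).
   Unsigned wraparound is defined in C, so the sum silently becomes 254. */
int read_allowed_original(uint64_t offset, uint64_t archive_file_offset,
                          uint64_t amt, uint64_t file_size)
{
    if (amt > file_size
        || offset + archive_file_offset + amt > file_size)   /* sum may wrap */
        return 0;
    return 1;
}

/* Hardened form: each term is compared against what is left of the file
   after the previous terms, so no intermediate sum can wrap around. */
int read_allowed_checked(uint64_t offset, uint64_t archive_file_offset,
                         uint64_t amt, uint64_t file_size)
{
    if (amt > file_size)
        return 0;
    if (offset > file_size - amt)                  /* offset + amt > file_size */
        return 0;
    if (archive_file_offset > file_size - amt - offset)
        return 0;
    return 1;
}

int main(void)
{
    printf("original check allows PoC read: %d\n",
           read_allowed_original(POC_OFFSET, POC_ARCHIVE, POC_AMT, POC_FILESIZE));
    printf("hardened check allows PoC read: %d\n",
           read_allowed_checked(POC_OFFSET, POC_ARCHIVE, POC_AMT, POC_FILESIZE));
    return 0;
}
```

Because the hardened form only ever subtracts a value already proven not to exceed the minuend, it is exact at the boundary (offset 1 + amt 255 in a 256-byte file is still accepted) while rejecting any operand that alone exceeds the file, which is what the reporter's per-variable check would achieve.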