https://sourceware.org/bugzilla/show_bug.cgi?id=24138

            Bug ID: 24138
           Summary: A suspicious unsigned integer overflow which may
                    bypass the check
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11571
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11571&action=edit
PoC to demonstrate the check is bypassed unintentionally

Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is found in function
get_data of readelf.c of version 2.31.51.20190117.

static void *
get_data (void *         var,
          Filedata *     filedata,
          unsigned long  offset,
          bfd_size_type  size,
          bfd_size_type  nmemb,
          const char *   reason)
{
  …
  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
  // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    {
      if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
               bfd_vmatoa ("u", amt), reason);
      return NULL;
    }
  …
}

If you compile readelf with clang and -fsanitize=unsigned-integer-overflow and
run ./readelf -a input, it is found that offset + archive_file_offset + amt
overflows and bypasses the check. Can you please help verify if it is a true
positive and think about whether adding a check for each variable against
file_size is necessary?

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng
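The wrap-around described in the report, reproduced as a stand-alone added example (this is not code from the report or from binutils). The two functions are hypothetical stand-ins for the check in get_data: the first repeats the excerpted condition, the second compares each operand against the space that remains before adding, so no intermediate sum can wrap. bfd_size_type is assumed to be a 64-bit unsigned integer (as on LP64 builds of binutils); the input values are the ones quoted in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: bfd_size_type and the offsets are 64-bit unsigned, as on LP64. */
typedef uint64_t bfd_size_type;

/* The condition as excerpted from get_data: the sum of three unsigned values
   is computed modulo 2^64, so a huge offset can wrap to a small number. */
bool bounds_check_original (bfd_size_type offset,
                            bfd_size_type archive_file_offset,
                            bfd_size_type amt,
                            bfd_size_type file_size)
{
  if (amt > file_size
      || offset + archive_file_offset + amt > file_size)
    return false;   /* reject: read would extend past end of file */
  return true;
}

/* Overflow-safe variant (hypothetical, not the binutils fix): every
   subtraction is guarded by the comparison before it, so nothing can wrap. */
bool bounds_check_safe (bfd_size_type offset,
                        bfd_size_type archive_file_offset,
                        bfd_size_type amt,
                        bfd_size_type file_size)
{
  if (amt > file_size)
    return false;
  if (archive_file_offset > file_size - amt)
    return false;
  if (offset > file_size - amt - archive_file_offset)
    return false;
  return true;
}

int main (void)
{
  /* Values quoted in the report. */
  bfd_size_type offset = 18446744073709551615ULL;  /* UINT64_MAX */
  bfd_size_type archive_file_offset = 0;
  bfd_size_type amt = 255;
  bfd_size_type file_size = 256;

  printf ("wrapped sum: %llu\n",
          (unsigned long long) (offset + archive_file_offset + amt));
  printf ("original check accepts: %d\n",
          bounds_check_original (offset, archive_file_offset, amt, file_size));
  printf ("safe check accepts:     %d\n",
          bounds_check_safe (offset, archive_file_offset, amt, file_size));
  return 0;
}
```

With the report's input the original condition sees the sum as 254, which is below file_size, and accepts the read; the guarded variant rejects it because offset exceeds the one byte that remains after amt is subtracted from file_size. Both variants still accept a read that exactly fills the file (offset 0, amt 256) and reject one that runs one byte over.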

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils