[Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check

2019-01-25 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24132

--- Comment #2 from poppeter1982 at gmail dot com ---
Hi Nick

On Friday, 25 January 2019 at 4:14 AM, nickc at redhat dot com wrote:

> https://sourceware.org/bugzilla/show_bug.cgi?id=24132
>
> Nick Clifton changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |nickc at redhat dot com
>
> --- Comment #1 from Nick Clifton  ---
> (In reply to poppeter1982 from comment #0)
>
> Hi Peng,
>
> >   if (dynamic_addr + dynamic_size >= filedata->file_size)
>
> > If you compile readelf with -fsanitize=unsigned-integer-overflow
>
> The version of gcc that I am using (8.2.1 on Fedora 29) does not support
> a -fsanitize=unsigned-integer-overflow option.  Is this a new feature ?
>

I used clang as the compilation frontend.

> > and run ./readelf -a input, it is found that dynamic_addr + dynamic_size
> > overflows and may bypass the check. Can you please help verify if it is a
> > true positive
>
> I added a printf statement before the check to examine the values of
> these variables:
>
>   fprintf (stderr, "addr %lx size %llx file %llx plus %llx\n",
>  dynamic_addr, dynamic_size, filedata->file_size,
>  dynamic_addr + dynamic_size);
>
> But it appears that the arithmetic works:
>
>   addr 2216 size 6e00222f file c190d plus 6e004445
>   readelf: Error: the dynamic segment offset + size exceeds the size of the
> file
>
> (This is with a 32-bit toolchain, which I presume you are using.  You
> did not actually specify how you configured your binutils build).
>
> The point is that the dynamic_size and file_size variables are both
> unsigned long long types, and so the arithmetic does not overflow.
>
> So I think that the check should be OK.
>

I compiled binutils on a 64-bit platform and carefully checked the output.
I agree with you that, based on this input, the check will not be bypassed.
However, do you think there is any possibility that this check could fail
due to overflow?

I reported a similar issue,
https://sourceware.org/bugzilla/show_bug.cgi?id=24138,
where the check fails due to overflow.

Best,
Peng

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/24138] New: A suspicious unsigned integer overflow which may bypass the check

2019-01-25 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24138

Bug ID: 24138
   Summary: A suspicious unsigned integer overflow which may bypass the check
   Product: binutils
   Version: 2.31
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11571
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11571&action=edit
PoC to demonstrate the check is bypassed unintentionally

Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is in the function
get_data in readelf.c, version 2.31.51.20190117.

static void *
get_data (void *         var,
          Filedata *     filedata,
          unsigned long  offset,
          bfd_size_type  size,
          bfd_size_type  nmemb,
          const char *   reason)
{
  …
  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0,
  // amt: 255; (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    {
      if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
               bfd_vmatoa ("u", amt), reason);
      return NULL;
    }
  …
}

If you compile readelf with clang and -fsanitize=unsigned-integer-overflow and
run ./readelf -a input, it is found that offset + archive_file_offset + amt
overflows and bypasses the check. Can you please help verify if it is a true
positive, and consider whether adding a check for each variable against
file_size is necessary?

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng



[Bug binutils/24131] A unsigned integer overflow found in readelf which may cause OOB memory access

2019-01-25 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24131

--- Comment #3 from poppeter1982 at gmail dot com ---
Hi Nick

Thank you for confirming and fixing this issue promptly.

Best,
Peng

On Friday, 25 January 2019 at 6:06 AM, nickc at redhat dot com wrote:

> https://sourceware.org/bugzilla/show_bug.cgi?id=24131
>
> Nick Clifton changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|UNCONFIRMED                 |RESOLVED
>                  CC|                            |nickc at redhat dot com
>          Resolution|---                         |FIXED
>
> --- Comment #2 from Nick Clifton  ---
> Hi Peng,
>
>   Thanks for reporting this problem.  I agree that this is a potential
>   illegal memory access here, so I have checked in the obvious patch to
>   fix the problem.
>
>   Whilst I was inspecting the readelf sources I also found a similar
>   potential vulnerability, so I included a fix for that in the patch
>   as well.
>
> Cheers
>   Nick
>
> --
> You are receiving this mail because:
> You reported the bug.



[Bug binutils/24132] New: A suspicious unsigned integer overflow which may bypass a check

2019-01-24 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24132

Bug ID: 24132
   Summary: A suspicious unsigned integer overflow which may bypass a check
   Product: binutils
   Version: 2.31
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11569
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11569&action=edit
The PoC to demonstrate the unsigned integer overflow

Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is in the function
process_program_headers in readelf.c, version 2.31.51.20190117.

static bfd_boolean
process_program_headers (Filedata * filedata)
{
  …
      /* PR binutils/17512: Avoid corrupt dynamic section info in the
         segment.  Check this after matching against the section headers
         so we don't warn on debuginfo file (which have NOBITS .dynamic
         sections).  */
      if (dynamic_addr + dynamic_size >= filedata->file_size)
        {
          error (_("the dynamic segment offset + size exceeds the size of the file\n"));
          dynamic_addr = dynamic_size = 0;
        }
      break;
  …
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that dynamic_addr + dynamic_size overflows and
may bypass the check. Can you please help verify if it is a true positive, and
do you think adding a check for each variable against file_size is necessary?

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng

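The two reports above (PR 24132, dynamic_addr + dynamic_size >= file_size, and PR 24138, offset + archive_file_offset + amt > file_size) share one failure mode: an addend taken from the file is large enough that the 64-bit sum wraps to a small value and the comparison accepts it. The following is an added example, not readelf's own code or a patch from the binutils project. It places the naive form of each check beside a form that never adds: each addend is compared with the space still available and then subtracted, so no sum can wrap. The function names and the "fits" / "accepted" return convention are this example's own; the numeric inputs are the ones quoted in the two reports.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not readelf's own code.  It models the two bound checks
   discussed in PR 24132 (dynamic_addr + dynamic_size >= file_size) and
   PR 24138 (offset + archive_file_offset + amt > file_size) and shows a
   form of each that cannot wrap: every addend is compared with the space
   still available before it is subtracted, so no sum is ever formed. */

/* Naive form of the PR 24138 check: true when the read is accepted. */
static bool read_accepted_naive(uint64_t offset, uint64_t archive_off,
                                uint64_t amt, uint64_t file_size)
{
    /* The sum is computed in uint64_t and silently wraps. */
    return amt <= file_size && offset + archive_off + amt <= file_size;
}

/* Wrap-free form: subtract each addend from the remaining space instead. */
static bool read_accepted_safe(uint64_t offset, uint64_t archive_off,
                               uint64_t amt, uint64_t file_size)
{
    uint64_t remaining = file_size;
    if (archive_off > remaining) return false;
    remaining -= archive_off;            /* cannot underflow: checked above */
    if (offset > remaining) return false;
    remaining -= offset;
    return amt <= remaining;
}

/* PR 24132 shape: the segment [addr, addr + size) must end strictly before
   file_size, which is what readelf's ">=" rejection expresses. */
static bool segment_accepted_naive(uint64_t addr, uint64_t size,
                                   uint64_t file_size)
{
    return addr + size < file_size;      /* wraps for large addr */
}

static bool segment_accepted_safe(uint64_t addr, uint64_t size,
                                  uint64_t file_size)
{
    if (addr >= file_size) return false;
    return size < file_size - addr;      /* file_size - addr > 0 here */
}

int main(void)
{
    /* Values quoted in PR 24138: offset 2^64-1, archive offset 0, amt 255,
       file size 256.  The wrapped sum is 254, so the naive check passes. */
    printf("PR 24138 input: naive %d, safe %d\n",
           read_accepted_naive(UINT64_MAX, 0, 255, 256),
           read_accepted_safe(UINT64_MAX, 0, 255, 256));

    /* Values from the printf in PR 24132: no wrap, both forms reject. */
    printf("PR 24132 input: naive %d, safe %d\n",
           segment_accepted_naive(0x2216, 0x6e00222f, 0xc190d),
           segment_accepted_safe(0x2216, 0x6e00222f, 0xc190d));
    return 0;
}
```

The subtract-then-compare shape generalises to any number of addends, which is why the three-term get_data check and the two-term segment check are written the same way; it is also independent of the operand widths, so it holds whether the values are unsigned long or unsigned long long, the point on which the 24132 discussion turned.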


[Bug binutils/24131] New: A unsigned integer overflow found in readelf which may cause OOB memory access

2019-01-24 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24131

Bug ID: 24131
   Summary: A unsigned integer overflow found in readelf which may cause OOB memory access
   Product: binutils
   Version: 2.31
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11568
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11568&action=edit
The PoC to demonstrate the unsigned integer overflow

Hi There

Peng Li and Shengjian Guo at Baidu XLab discovered a suspicious unsigned
integer overflow which may lead to an out-of-bounds access. The bug is in the
function process_notes_at in readelf.c, version 2.31.51.20190117.

static bfd_boolean
process_notes_at (Filedata *           filedata,
                  Elf_Internal_Shdr *  section,
                  bfd_vma              offset,
                  bfd_vma              length,
                  bfd_vma              align)
{
  …
  if (inote.namedata[inote.namesz - 1] != '\0')
    {
      …
    }
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that inote.namesz is equal to 0, so
"inote.namesz - 1" wraps around and becomes a super large number, causing the
out-of-bounds access. Can you please help verify if it is a true positive?

If you have any questions about this issue and input in the attachment, please
let me know.


Thanks
Peng

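The defect in PR 24131 is an index computed from an untrusted length: with namesz == 0, namesz - 1 wraps and the terminator test reads far outside the note. The following is an added example, not readelf's own code and not the patch Nick checked in. It is a small validator for one little-endian ELF note that widens the sizes before padding them, bounds-checks name and descriptor against the buffer, and only indexes the name when namesz is non-zero (an unnamed note, namesz == 0, is legal in the format and is accepted without touching the name). The enum, struct and function names and the four sample notes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not readelf's own code.  PR 24131 concerns the test
   inote.namedata[inote.namesz - 1] != '\0' when namesz is 0: the index
   wraps to a huge value and reads far outside the note.  This validator
   checks namesz before using it as an index and treats an unnamed note
   (namesz == 0, allowed by the ELF note format) as valid rather than
   indexing into it.  All sample notes below are constructed. */

enum note_status {
    NOTE_OK = 0,
    NOTE_TRUNCATED,          /* header or payload runs past the buffer */
    NOTE_NAME_UNTERMINATED   /* name present but not NUL-terminated   */
};

struct note_view {
    uint32_t namesz, descsz, type;
    const char *namedata;
    const unsigned char *descdata;
    uint64_t total_len;      /* header + padded name + padded desc */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate one little-endian ELF note held in buf[0 .. len).  Sizes are
   widened to uint64_t before padding so the arithmetic cannot wrap. */
static enum note_status parse_note(const unsigned char *buf, size_t len,
                                   struct note_view *out)
{
    if (len < 12)
        return NOTE_TRUNCATED;
    out->namesz = rd_le32(buf);
    out->descsz = rd_le32(buf + 4);
    out->type   = rd_le32(buf + 8);

    uint64_t name_pad = ((uint64_t)out->namesz + 3) & ~(uint64_t)3;
    uint64_t desc_pad = ((uint64_t)out->descsz + 3) & ~(uint64_t)3;
    uint64_t avail = (uint64_t)len - 12;
    if (name_pad > avail || desc_pad > avail - name_pad)
        return NOTE_TRUNCATED;

    out->namedata  = (const char *)buf + 12;
    out->descdata  = buf + 12 + name_pad;
    out->total_len = 12 + name_pad + desc_pad;

    /* The guard PR 24131 asks for: only index the name when it exists.
       Without the namesz != 0 test, namesz - 1 wraps and the access
       lands far beyond the buffer. */
    if (out->namesz != 0 && out->namedata[out->namesz - 1] != '\0')
        return NOTE_NAME_UNTERMINATED;
    return NOTE_OK;
}

/* Constructed samples: namesz, descsz, type as little-endian words. */
static const unsigned char note_named[] = {
    4,0,0,0, 4,0,0,0, 1,0,0,0, 'G','N','U',0, 0xaa,0xbb,0xcc,0xdd };
static const unsigned char note_unnamed[] = {
    0,0,0,0, 4,0,0,0, 1,0,0,0, 0xaa,0xbb,0xcc,0xdd };
static const unsigned char note_unterminated[] = {
    3,0,0,0, 0,0,0,0, 1,0,0,0, 'G','N','U',0 };
static const unsigned char note_huge[] = {
    0xff,0xff,0xff,0xff, 0,0,0,0, 1,0,0,0, 0,0,0,0 };

/* Wrappers that return the verdict and the consumed length. */
static enum note_status note_check(const unsigned char *buf, size_t len)
{
    struct note_view v;
    return parse_note(buf, len, &v);
}

static uint64_t note_consumed(const unsigned char *buf, size_t len)
{
    struct note_view v;
    return parse_note(buf, len, &v) == NOTE_OK ? v.total_len : 0;
}

int main(void)
{
    printf("named %d unnamed %d unterminated %d huge %d\n",
           note_check(note_named, sizeof note_named),
           note_check(note_unnamed, sizeof note_unnamed),
           note_check(note_unterminated, sizeof note_unterminated),
           note_check(note_huge, sizeof note_huge));
    return 0;
}
```

The note_huge sample (namesz 0xffffffff) is the companion case: with 32-bit padding arithmetic, namesz + 3 would wrap to 2 and the note would appear to fit, so the widening matters as much as the zero test.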


[Bug binutils/24100] New: An unsigned integer overflow which may cause huge amount of heap allocation

2019-01-16 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24100

Bug ID: 24100
   Summary: An unsigned integer overflow which may cause huge amount of heap allocation
   Product: binutils
   Version: 2.31
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Hi There

Peng Li and Shengjian Guo at Baidu X-Lab discovered a suspicious unsigned
integer overflow which may lead to a huge amount of memory allocation on the heap.

In get_dynamic_data of readelf.c, version 2.31.51.20190117:

static bfd_vma *
get_dynamic_data (Filedata * filedata, bfd_size_type number, unsigned int ent_size)
{
  ...
  if (ent_size * number > filedata->file_size)
    {
      error (_("Invalid number of dynamic entries: %s\n"),
             bfd_vmatoa ("u", number));
      return NULL;
    }

  e_data = (unsigned char *) cmalloc ((size_t) number, ent_size);
  ...
}

If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is reported that readelf.c:11251:16: runtime error:
unsigned integer overflow: 8 * 5765762010251921410 cannot be represented in
type 'unsigned long'. With regard to this input, the wrapped result of
ent_size * number is still greater than file_size (2413), so the variable
"number", which is 5765762010251921410, does not flow into the cmalloc operation.

However, let's think about the case where number is still a huge number and
8*huge_number is less than file_size; then a huge amount of memory will be
allocated on the heap. One possible solution to the multiplication overflow is
to use division instead, for example changing the conditional to
if (ent_size > filedata->file_size/number).

If you have any questions about this issue and input in the attachment, please
let me know.

Thanks
Peng

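The report above gives both the wrapping product and a candidate fix. The following is an added example, not readelf's own code and not a binutils patch. It shows the naive product beside the division form suggested in the report and beside a compiler builtin that reports the wrap directly, and it covers the edge the division form needs: number == 0 must be handled separately, since file_size / 0 would trap. The function names are this example's own; the reported input (8 * 5765762010251921410 against file_size 2413) is taken from the report, and the crafted input 2^61 + 1, whose product 2^64 + 8 wraps to 8, is constructed here to exercise the bypass the report describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not readelf's own code.  PR 24100 concerns
   ent_size * number > filedata->file_size: when the product wraps, a
   huge "number" can slip through and reach cmalloc.  Three forms of the
   check are shown: the naive product, the division form suggested in
   the report (with number == 0 handled, since file_size / 0 would trap),
   and a compiler builtin that reports the wrap directly. */

/* The wrapped 64-bit product, as readelf's arithmetic computes it. */
static uint64_t wrapped_product(uint64_t ent_size, uint64_t number)
{
    return ent_size * number;            /* unsigned wrap is well defined */
}

/* Naive form: true when the entry count is accepted. */
static bool entries_accepted_naive(uint64_t ent_size, uint64_t number,
                                   uint64_t file_size)
{
    return ent_size * number <= file_size;
}

/* Division form: ent_size * number <= file_size  is equivalent to
   ent_size <= file_size / number  for number > 0 (integer division). */
static bool entries_accepted_div(uint64_t ent_size, uint64_t number,
                                 uint64_t file_size)
{
    if (number == 0)
        return true;                     /* nothing to allocate; avoids /0 */
    return ent_size <= file_size / number;
}

/* Builtin form (GCC >= 5 and Clang): the overflow flag is the verdict. */
static bool entries_accepted_builtin(uint64_t ent_size, uint64_t number,
                                     uint64_t file_size)
{
    uint64_t total;
    if (__builtin_mul_overflow(ent_size, number, &total))
        return false;
    return total <= file_size;
}

int main(void)
{
    /* The report's input: 8 * 5765762010251921410 wraps but the wrapped
       value still exceeds file_size 2413, so the naive check happens to
       reject it. */
    const uint64_t reported = 5765762010251921410ULL;
    printf("wrapped product: %llu\n",
           (unsigned long long)wrapped_product(8, reported));
    printf("reported input: naive %d div %d builtin %d\n",
           entries_accepted_naive(8, reported, 2413),
           entries_accepted_div(8, reported, 2413),
           entries_accepted_builtin(8, reported, 2413));

    /* The case the report warns about: number = 2^61 + 1, so 8 * number
       is 2^64 + 8 and wraps to 8, which is below file_size. */
    const uint64_t bypass = (1ULL << 61) + 1;
    printf("crafted input: naive %d div %d builtin %d\n",
           entries_accepted_naive(8, bypass, 2413),
           entries_accepted_div(8, bypass, 2413),
           entries_accepted_builtin(8, bypass, 2413));
    return 0;
}
```

The division and builtin forms agree on every input; the division form is portable C, the builtin form is clearer about intent and also covers the size_t cast that follows in cmalloc when the two widths differ.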


[Bug binutils/24100] An unsigned integer overflow which may cause huge amount of heap allocation in readelf

2019-01-16 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24100

poppeter1982 at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|An unsigned integer         |An unsigned integer
                   |overflow which may cause    |overflow which may cause
                   |huge amount of heap         |huge amount of heap
                   |allocation                  |allocation in readelf



[Bug binutils/23659] New: A stack overflow problem for c++filt

2018-09-14 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23659

Bug ID: 23659
   Summary: A stack overflow problem for c++filt
   Product: binutils
   Version: 2.32 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11248
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11248&action=edit
The stack overflow poc

Hi There

Peng Li at Baidu X-Lab found a stack overflow bug in c++filt of the latest
binutils code base; I have confirmed it with address sanitizer. Please use
"c++filt < stack_overflow_input" to reproduce the bug. If you have any
questions, please let me know.

Please note that I submitted this error through email to bug-binutils@gnu.org;
please ignore the previous one.

Thanks
Peng



[Bug binutils/23589] New: A hang problem for c++filt

2018-08-29 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23589

Bug ID: 23589
   Summary: A hang problem for c++filt
   Product: binutils
   Version: 2.32 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11216
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11216&action=edit
The proof of concept ASCII file for c++filt

Hi There

The fuzzer generates an input which may hang the execution of c++filt; please
check on your side whether this is a real positive. You could use

./c++filt < input

to reproduce it.

Thanks
Peng



[Bug binutils/23563] New: A potential infinite loop bug found in objdump

2018-08-22 Thread poppeter1982 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23563

Bug ID: 23563
   Summary: A potential infinite loop bug found in objdump
   Product: binutils
   Version: 2.32 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: poppeter1982 at gmail dot com
  Target Milestone: ---

Created attachment 11205
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11205&action=edit
The proof of concept binary file for objdump

Hi There

Peng Li from Baidu X-Lab found a potential infinite loop bug in objdump; it
may lead to Denial of Service. I found that the objdump executable was stuck for
more than one hour, and then manually aborted it. You may reproduce the bug
under the latest Github download of binutils:

./objdump -D test.bin

Please see test.bin in the attachment, if you have any questions, please let me
know ASAP.

Thanks
Peng
