From: poppeter1982 at gmail dot com
Subject: [Bug binutils/24132] New: A suspicious unsigned integer overflow which may bypass a check
Date: Thu, 24 Jan 2019 19:04:50 +0000
Bug ID: 24132
Summary: A suspicious unsigned integer overflow which may bypass a check
Assignee: unassigned at sourceware dot org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---
Created attachment 11569
The PoC to demonstrate the unsigned integer overflow
Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer
overflow which may bypass a check unintentionally. The bug is found in function
process_program_headers of readelf.c of version 22.214.171.12490117.
    process_program_headers (Filedata * filedata)
    ...
          /* PR binutils/17512: Avoid corrupt dynamic section info in the
             segment.  Check this after matching against the section headers
             so we don't warn on debuginfo file (which have NOBITS .dynamic
          if (dynamic_addr + dynamic_size >= filedata->file_size)
            {
              error (_("the dynamic segment offset + size exceeds the size of
              dynamic_addr = dynamic_size = 0;
            }
If you compile readelf with -fsanitize=unsigned-integer-overflow and run
./readelf -a input, it is found that dynamic_addr + dynamic_size overflows and
may bypass the check. Can you please help verify if it is a true positive, and
do you think adding a check for each variable against file_size is necessary?
If you have any questions about this issue and input in the attachment, please
let me know.
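As an added illustration (not code from binutils or from the reporter), the constructed values below show how a sum-then-compare bounds check of the shape quoted above wraps on 64-bit inputs, while checking each operand against the file size and then comparing the size against the remaining space cannot wrap. The function names and the sample offsets are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Shape of the check quoted in the report: accept when addr + size < file_size.
 * With uint64_t operands the addition silently wraps modulo 2^64, so a huge
 * addr plus a small size can land below file_size and pass. */
static bool dyn_segment_fits_wrapping(uint64_t dynamic_addr,
                                      uint64_t dynamic_size,
                                      uint64_t file_size)
{
    return dynamic_addr + dynamic_size < file_size;
}

/* Overflow-safe form with the same intended meaning (addr + size < file_size
 * as true integers): reject addr on its own, then compare size against the
 * bytes left after addr. The subtraction cannot underflow because addr <
 * file_size was already established. */
static bool dyn_segment_fits_safe(uint64_t dynamic_addr,
                                  uint64_t dynamic_size,
                                  uint64_t file_size)
{
    if (dynamic_addr >= file_size)
        return false;
    if (dynamic_size >= file_size - dynamic_addr)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: a 4 KiB file and a program header whose p_offset
     * is near UINT64_MAX, so p_offset + p_filesz wraps to 0x10. */
    const uint64_t file_size = 4096;
    const uint64_t bad_addr  = UINT64_MAX - 15; /* 0xFFFFFFFFFFFFFFF0 */
    const uint64_t bad_size  = 0x20;

    printf("wrapping check accepts: %s\n",
           dyn_segment_fits_wrapping(bad_addr, bad_size, file_size) ? "yes" : "no");
    printf("safe check accepts:     %s\n",
           dyn_segment_fits_safe(bad_addr, bad_size, file_size) ? "yes" : "no");
    return 0;
}
```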