
[Bug binutils/15157] readelf crash (double free?)


From: paul.marinescu at imperial dot ac.uk
Subject: [Bug binutils/15157] readelf crash (double free?)
Date: Tue, 19 Feb 2013 16:12:26 +0000

http://sourceware.org/bugzilla/show_bug.cgi?id=15157

--- Comment #1 from Paul Marinescu <paul.marinescu at imperial dot ac.uk> 2013-02-19 16:12:26 UTC ---
I looked a bit more into this and it seems that the problem has to do with
handling of relocation offsets. More exactly, in readelf.c:10512, the code
checks for an invalid (too big) relocation offset:

rloc = start + rp->r_offset;
if ((rloc + reloc_size) > end)
{
  warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
         (unsigned long) rp->r_offset,
         SECTION_NAME (section));
  continue;
}

However, the code fails to take into account a value such as rp->r_offset =
(unsigned long)-5. One possible implication would be that a specially crafted
binary can make readelf write to any memory location below rloc.

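The failure mode described in the comment above, shown as an added example that is not readelf's own code: the first function models the quoted check (pointer computed first, then compared against the section end) using uintptr_t so the wraparound is reproduced deterministically; the second validates the offset against the section size before any pointer is formed, so a huge r_offset such as (unsigned long)-5 is rejected instead of landing below start. The 64-byte section buffer, the reloc_t layout and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 64-byte stand-in for a section's contents (not a real ELF). */
#define SECTION_SIZE 64
static unsigned char section_buf[SECTION_SIZE];

/* Constructed stand-in for the relocation entry; only r_offset matters here. */
typedef struct { uint64_t r_offset; } reloc_t;

/* Model of the check as quoted from readelf.c: rloc = start + r_offset is
   computed first and only (rloc + reloc_size) > end is tested. The sum is done
   in uintptr_t so the wraparound a pointer sum would suffer is reproduced
   without relying on undefined behaviour. Returns 1 if the offset is accepted. */
static int offset_accepted_unsafe(const unsigned char *start, const unsigned char *end,
                                  uint64_t r_offset, size_t reloc_size)
{
    uintptr_t rloc = (uintptr_t)start + r_offset;   /* wraps for r_offset near -1 */
    return rloc + reloc_size <= (uintptr_t)end;      /* no check that rloc >= start */
}

/* Hardened check: compare the offset with the section size, never a pointer.
   Both comparisons operate on values that cannot wrap: r_offset must fit in the
   section, and the remaining room (section_size - r_offset) must hold the reloc. */
static int offset_accepted_safe(size_t section_size, uint64_t r_offset, size_t reloc_size)
{
    return r_offset <= section_size && reloc_size <= section_size - r_offset;
}

/* Produces the write location only after the safe check passed; NULL otherwise,
   so a caller can 'continue' past the entry exactly as the warn() path does. */
static unsigned char *reloc_target(unsigned char *start, size_t section_size,
                                   const reloc_t *rp, size_t reloc_size)
{
    if (!offset_accepted_safe(section_size, rp->r_offset, reloc_size))
        return NULL;
    return start + rp->r_offset;
}

int main(void)
{
    const unsigned char *start = section_buf;
    const unsigned char *end = section_buf + SECTION_SIZE;
    reloc_t crafted = { (uint64_t)-5 };   /* the offset from the bug report */
    reloc_t valid = { 60 };               /* last 4 bytes of the section */

    printf("r_offset=-5: unsafe check %s, safe check %s\n",
           offset_accepted_unsafe(start, end, crafted.r_offset, 4) ? "accepts" : "rejects",
           offset_accepted_safe(SECTION_SIZE, crafted.r_offset, 4) ? "accepts" : "rejects");
    printf("r_offset=60: unsafe check %s, safe check %s\n",
           offset_accepted_unsafe(start, end, valid.r_offset, 4) ? "accepts" : "rejects",
           offset_accepted_safe(SECTION_SIZE, valid.r_offset, 4) ? "accepts" : "rejects");
    printf("reloc_target for crafted entry is %s\n",
           reloc_target(section_buf, SECTION_SIZE, &crafted, 4) ? "non-NULL" : "NULL");
    return 0;
}
```

The subtraction in the safe variant is guarded by the preceding comparison, which is what makes it wrap-free; reversing the order (r_offset + reloc_size <= section_size) would reintroduce the same overflow in integer form.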


