bug-binutils
[Bug binutils/22148] New: Integer overflow in elf64-x86-64.c, binutils


From: luanjunchao at 163 dot com
Subject: [Bug binutils/22148] New: Integer overflow in elf64-x86-64.c, binutils 2.29.1
Date: Mon, 18 Sep 2017 01:34:58 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22148

            Bug ID: 22148
           Summary: Integer overflow in elf64-x86-64.c, binutils 2.29.1
           Product: binutils
           Version: 2.29
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: luanjunchao at 163 dot com
  Target Milestone: ---

Created attachment 10418
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10418&action=edit
poc of integer overflow

In elf64-x86-64.c:6718, function elf_x86_64_get_synthetic_symtab

static long
elf_x86_64_get_synthetic_symtab (bfd *abfd,
                                 long symcount ATTRIBUTE_UNUSED,
                                 asymbol **syms ATTRIBUTE_UNUSED,
                                 long dynsymcount,
                                 asymbol **dynsyms,
                                 asymbol **ret)
{
......

dynrelcount = bfd_canonicalize_dynamic_reloc (abfd, dynrelbuf,
                                                dynsyms);

/* Sort the relocs by address.  */
qsort (dynrelbuf, dynrelcount, sizeof (arelent *), compare_relocs);
......
}

When I use objdump on a specific ELF file, it causes a segmentation
fault. Here is the backtrace:

(gdb) bt
#0  0x0000000000456d43 in compare_relocs (ap=0x800000000084ebd8, bp=0x84ebe0) at elf64-x86-64.c:6635
#1  0x00007ffff784030f in _quicksort (address@hidden, address@hidden, address@hidden, address@hidden <compare_relocs>, arg=0x0) at qsort.c:122
#2  0x00007ffff7842642 in __GI___qsort_r (address@hidden, address@hidden <compare_relocs>, address@hidden) at msort.c:216
#3  0x00007ffff7842768 in __GI_qsort (address@hidden, address@hidden, address@hidden, address@hidden <compare_relocs>) at msort.c:308
#4  0x000000000045a00d in elf_x86_64_get_synthetic_symtab (abfd=0x8451c0, symcount=<optimized out>, syms=<optimized out>, dynsymcount=<optimized out>, dynsyms=<optimized out>, ret=0x83e668 <synthsyms>) at elf64-x86-64.c:6722
#5  0x0000000000408287 in dump_bfd (address@hidden) at ./objdump.c:3525
#6  0x0000000000408b48 in display_object_bfd (abfd=0x8451c0) at ./objdump.c:3603
#7  display_any_bfd (address@hidden, address@hidden) at ./objdump.c:3692
#8  0x000000000040ae14 in display_file (filename=0x7fffffffe8ba "../out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:9273", target=<optimized out>, last_file=1) at ./objdump.c:3713
#9  0x0000000000404d5e in main (argc=3, argv=0x7fffffffe698) at ./objdump.c:4015
(gdb) p/x 18446744073709551615
$41 = 0xffffffffffffffff

We can see that the n parameter is -1, which is negative, but the qsort
parameter type is unsigned, so there is an integer overflow.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
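The failure mode described in the report, as an added example that is not binutils code: a reloc-canonicalizing routine signals error with a negative long, the caller passes that count straight to qsort, whose nmemb parameter is size_t, and -1 becomes SIZE_MAX so the sort walks far past the buffer (the ap=0x800000000084ebd8 in frame #0 above is what such an out-of-range element pointer looks like). The types and functions here (reloc_t, canonicalize_dynamic_relocs, qsort_nmemb_from_count, sort_dynamic_relocs_checked) are illustrative stand-ins for the BFD arelent, bfd_canonicalize_dynamic_reloc and the sort step in elf_x86_64_get_synthetic_symtab, not the real API; the table of three relocs is constructed. The checked variant shows the guard a practitioner would want in front of the qsort call: reject a negative count as an error and skip the sort for an empty table.

```c
/* Added example (not binutils code): how a negative reloc count reaches
 * qsort as a huge size_t, and the check that stops it.  All names are
 * illustrative stand-ins for the BFD types and functions in the report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for arelent: the comparator only needs the address field. */
typedef struct { uint64_t address; } reloc_t;

/* Sort by address, as compare_relocs does for arelent pointers.  qsort
 * hands us pointers to array elements, and each element is a reloc_t *. */
static int compare_relocs_by_address(const void *ap, const void *bp)
{
    const reloc_t *a = *(const reloc_t *const *)ap;
    const reloc_t *b = *(const reloc_t *const *)bp;
    if (a->address < b->address) return -1;
    if (a->address > b->address) return 1;
    return 0;
}

/* Stand-in for bfd_canonicalize_dynamic_reloc: fills 'out' with pointers
 * into 'table' and returns the count, or -1 when the section cannot be
 * read (the BFD convention of signalling failure with a negative long).
 * 'section_is_bad' stands in for a corrupt or unreadable reloc section. */
long canonicalize_dynamic_relocs(reloc_t *table, long n, reloc_t **out,
                                 int section_is_bad)
{
    if (section_is_bad)
        return -1;
    for (long i = 0; i < n; i++)
        out[i] = &table[i];
    return n;
}

/* The conversion the unchecked code performs implicitly: qsort's nmemb is
 * size_t, so a count of -1 becomes SIZE_MAX and qsort reads element
 * pointers far beyond dynrelbuf, which is the crash in compare_relocs. */
size_t qsort_nmemb_from_count(long dynrelcount)
{
    return (size_t)dynrelcount;
}

/* Hardened sort step: refuse negative (error) counts and skip the sort
 * for empty tables.  Returns the number of entries sorted, or -1 when the
 * caller passed an error value through instead of handling it. */
long sort_dynamic_relocs_checked(reloc_t **dynrelbuf, long dynrelcount)
{
    if (dynrelcount < 0)
        return -1;
    if (dynrelcount == 0)
        return 0;
    qsort(dynrelbuf, (size_t)dynrelcount, sizeof(reloc_t *),
          compare_relocs_by_address);
    return dynrelcount;
}

/* Runs both paths: a good three-entry table, then a failing read. */
int main(void)
{
    reloc_t table[3] = { {0x4010}, {0x4000}, {0x4020} };   /* constructed */
    reloc_t *buf[3];

    long n = canonicalize_dynamic_relocs(table, 3, buf, 0);
    long sorted = sort_dynamic_relocs_checked(buf, n);
    printf("canonicalize ok: count=%ld, sorted=%ld, lowest address=0x%llx\n",
           n, sorted, (unsigned long long)buf[0]->address);

    n = canonicalize_dynamic_relocs(table, 3, buf, 1);
    printf("canonicalize failed: count=%ld, unchecked qsort would see nmemb=%zu\n",
           n, qsort_nmemb_from_count(n));
    printf("checked sort returns %ld\n", sort_dynamic_relocs_checked(buf, n));
    return 0;
}
```

Compile with `cc -Wall -Wextra -Wsign-conversion` and the implicit long-to-size_t conversion at the qsort call is exactly the kind of site `-Wsign-conversion` flags; the guard makes the sign check explicit so the negative return value is handled as the error it is rather than reinterpreted as a length.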