[Bug binutils/22148] New: Integer overflow in elf64-x86-64.c, binutils
From: luanjunchao at 163 dot com
Subject: [Bug binutils/22148] New: Integer overflow in elf64-x86-64.c, binutils 2.29.1
Date: Mon, 18 Sep 2017 01:34:58 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22148
Bug ID: 22148
Summary: Integer overflow in elf64-x86-64.c, binutils 2.29.1
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---
Created attachment 10418
--> https://sourceware.org/bugzilla/attachment.cgi?id=10418&action=edit
poc of integer overflow
In elf64-x86-64.c:6718, function elf_x86_64_get_synthetic_symtab
static long
elf_x86_64_get_synthetic_symtab (bfd *abfd,
                                 long symcount ATTRIBUTE_UNUSED,
                                 asymbol **syms ATTRIBUTE_UNUSED,
                                 long dynsymcount,
                                 asymbol **dynsyms,
                                 asymbol **ret)
{
  ......
  dynrelcount = bfd_canonicalize_dynamic_reloc (abfd, dynrelbuf,
                                                dynsyms);

  /* Sort the relocs by address.  */
  qsort (dynrelbuf, dynrelcount, sizeof (arelent *), compare_relocs);
  ......
}
When I use objdump to deal with a specific ELF file, it causes a segmentation
fault. Here is the backtrace:
(gdb) bt
#0  0x0000000000456d43 in compare_relocs (ap=0x800000000084ebd8, bp=0x84ebe0) at elf64-x86-64.c:6635
#1  0x00007ffff784030f in _quicksort (address@hidden, address@hidden, address@hidden, address@hidden <compare_relocs>, arg=0x0) at qsort.c:122
#2  0x00007ffff7842642 in __GI___qsort_r (address@hidden, address@hidden <compare_relocs>, address@hidden) at msort.c:216
#3  0x00007ffff7842768 in __GI_qsort (address@hidden, address@hidden, address@hidden, address@hidden <compare_relocs>) at msort.c:308
#4  0x000000000045a00d in elf_x86_64_get_synthetic_symtab (abfd=0x8451c0, symcount=<optimized out>, syms=<optimized out>, dynsymcount=<optimized out>, dynsyms=<optimized out>, ret=0x83e668 <synthsyms>) at elf64-x86-64.c:6722
#5  0x0000000000408287 in dump_bfd (address@hidden) at ./objdump.c:3525
#6  0x0000000000408b48 in display_object_bfd (abfd=0x8451c0) at ./objdump.c:3603
#7  display_any_bfd (address@hidden, address@hidden) at ./objdump.c:3692
#8  0x000000000040ae14 in display_file (filename=0x7fffffffe8ba "../out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:9273", target=<optimized out>, last_file=1) at ./objdump.c:3713
#9  0x0000000000404d5e in main (argc=3, argv=0x7fffffffe698) at ./objdump.c:4015
(gdb) p/x 18446744073709551615
$41 = 0xffffffffffffffff
We can see that the n parameter is -1, which is negative, but the qsort
parameter type is unsigned, so there is an integer overflow.
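The pattern the report describes, reduced to a stand-alone program. This is an added example, not binutils code: `arelent`, `canonicalize_relocs` and `sort_relocs_checked` are hypothetical stand-ins for bfd's `arelent`, `bfd_canonicalize_dynamic_reloc` and the sort call in `elf_x86_64_get_synthetic_symtab`. It shows why a `long` count of -1 handed to `qsort`'s `size_t nmemb` becomes `SIZE_MAX` (the value the reporter printed), which sends the comparator walking past the end of the buffer, and the obvious guard of refusing to sort when the count is not strictly positive. Whether that guard matches the fix binutils actually shipped is not established by this page; it is presented only as the hardening a reviewer would expect at that call site.

```c
/* Added example (not binutils code): the count-to-size_t wrap behind
   bug 22148 and a checked sort that refuses a negative reloc count.  */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for bfd's arelent: only the field the comparator reads. */
typedef struct { uint64_t address; } arelent;

/* Same shape as compare_relocs in elf64-x86-64.c: order arelent* by address. */
static int compare_relocs (const void *ap, const void *bp)
{
  const arelent *a = *(const arelent *const *) ap;
  const arelent *b = *(const arelent *const *) bp;
  return (a->address > b->address) - (a->address < b->address);
}

/* Hypothetical stand-in for bfd_canonicalize_dynamic_reloc: fills buf with
   pointers to the n relocs in src and returns n, or returns -1 on error
   (the `fail` flag models a corrupt dynamic section).  */
static long canonicalize_relocs (arelent **buf, arelent *src, long n, int fail)
{
  if (fail)
    return -1;
  for (long i = 0; i < n; i++)
    buf[i] = &src[i];
  return n;
}

/* The implicit conversion at the qsort call: a long -1 becomes SIZE_MAX.  */
size_t nmemb_as_qsort_sees_it (long count)
{
  return (size_t) count;
}

/* Hardened call site: sort only when the count is strictly positive.
   Returns 0 on success, -1 when the count cannot be a valid element count.  */
int sort_relocs_checked (arelent **buf, long count)
{
  if (count <= 0)
    return -1;
  qsort (buf, (size_t) count, sizeof (arelent *), compare_relocs);
  return 0;
}

/* Runs the success path and the error path; returns the number of checks
   that held (3 when everything behaves as described).  */
int run_demo (void)
{
  arelent src[3] = { { 0x30 }, { 0x10 }, { 0x20 } };   /* constructed input */
  arelent *buf[3];
  int passed = 0;

  long n = canonicalize_relocs (buf, src, 3, 0);
  if (sort_relocs_checked (buf, n) == 0
      && buf[0]->address == 0x10 && buf[2]->address == 0x30)
    passed++;

  n = canonicalize_relocs (buf, src, 3, 1);
  if (n == -1 && nmemb_as_qsort_sees_it (n) == SIZE_MAX)
    passed++;
  if (sort_relocs_checked (buf, n) == -1)
    passed++;

  return passed;
}

int main (void)
{
  printf ("%d of 3 checks passed\n", run_demo ());
  return 0;
}
```

The unchecked original would call `qsort (buf, SIZE_MAX, ...)` on the error path and read far beyond `buf`, which is exactly the `ap=0x800000000084ebd8` argument in frame #0 of the backtrace; the checked version returns an error to the caller instead, so no comparator ever runs on memory that was never filled in.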