From: jgj212 at gmail dot com
Subject: [Bug binutils/21722] New: Malicious ELF64 with invalid section header can cause memory exhaustion
Date: Thu, 06 Jul 2017 08:15:49 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21722
Bug ID: 21722
Summary: Malicious ELF64 with invalid section header can cause
memory exhaustion
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jgj212 at gmail dot com
Target Milestone: ---
Created attachment 10249
--> https://sourceware.org/bugzilla/attachment.cgi?id=10249&action=edit
poc-elf64
version: objdump 2.29.51
-----------------------
$objdump -x $FILE
-----------------------
The critical code is in function 'bfd_elf_get_str_section' in file 'elf.c':
```
  if (shstrtabsize + 1 <= 1
      || bfd_seek (abfd, offset, SEEK_SET) != 0
      || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
    shstrtab = NULL;
```
'shstrtabsize' is initialized in function 'bfd_elf_get_str_section' as follows:
```
shstrtabsize = i_shdrp[shindex]->sh_size;
```
'i_shdrp' is the ELF section header, as follows:
```
  i_shdrp = elf_elfsections (abfd);
  if (i_shdrp == 0
      || shindex >= elf_numsections (abfd)
      || i_shdrp[shindex] == 0)
    return NULL;
```
So 'shstrtabsize' comes from the section header, and it is a bfd_size_type (64-bit in
ELF64).
So it can be controlled to be anything from 0x0 to 0xffffffffffffffff.
This could cause memory exhaustion, leading to DoS.
Credit: The bug was discovered by ADLab of Venustech
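One way to reject an sh_size that the file cannot back before any allocation is made, as an added example (not part of the original report and not the binutils fix). The names shstrtab_size_checked and build_sample are hypothetical, the sample image is constructed, and the code assumes an in-memory copy of the file on a little-endian host:

```c
#include <stdint.h>
#include <string.h>

/* ELF64 field offsets; the ELF header and each section header are 64 bytes. */
enum { E_SHOFF = 0x28, E_SHENTSIZE = 0x3A, E_SHNUM = 0x3C, E_SHSTRNDX = 0x3E,
       SH_OFFSET = 0x18, SH_SIZE = 0x20, HDR_LEN = 64, IMG_LEN = 208 };
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Hypothetical helper: 0 and *out = sh_size if the string table fits in the file, else -1. */
int shstrtab_size_checked(const uint8_t *img, uint64_t len, uint64_t *out)
{
    if (len < HDR_LEN || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2)
        return -1;                          /* not an ELF64 image */
    uint64_t shoff = rd64(img + E_SHOFF);
    uint16_t shnum = rd16(img + E_SHNUM), idx = rd16(img + E_SHSTRNDX);
    if (rd16(img + E_SHENTSIZE) != HDR_LEN || idx >= shnum)
        return -1;
    if (shoff > len || (uint64_t)shnum * HDR_LEN > len - shoff)
        return -1;                          /* section header table outside the file */
    const uint8_t *sh = img + shoff + (uint64_t)idx * HDR_LEN;
    uint64_t off = rd64(sh + SH_OFFSET), size = rd64(sh + SH_SIZE);
    /* Compare by subtraction so that off + size cannot wrap around. */
    if (size == 0 || off > len || size > len - off)
        return -1;                          /* sh_size not backed by file data */
    *out = size;
    return 0;
}

/* Constructed sample: ELF header, two section headers, 16-byte string table at 192. */
uint64_t build_sample(uint8_t img[IMG_LEN], uint64_t claimed)
{
    uint64_t shoff = 64, stroff = 192;
    uint16_t entsize = 64, num = 2, idx = 1;
    memset(img, 0, IMG_LEN);
    memcpy(img, "\177ELF\2\1\1", 7);        /* magic, ELFCLASS64, little-endian, v1 */
    memcpy(img + E_SHOFF, &shoff, 8);
    memcpy(img + E_SHENTSIZE, &entsize, 2);
    memcpy(img + E_SHNUM, &num, 2);
    memcpy(img + E_SHSTRNDX, &idx, 2);
    memcpy(img + 128 + SH_OFFSET, &stroff, 8);   /* section header 1 starts at 128 */
    memcpy(img + 128 + SH_SIZE, &claimed, 8);    /* the untrusted size field */
    return IMG_LEN;
}

int main(void)
{
    uint8_t img[IMG_LEN]; uint64_t sz = 0;
    return shstrtab_size_checked(img, build_sample(img, UINT64_MAX), &sz) == -1 ? 0 : 1;
}
```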