-------- Original message --------
From: Manh Nguyen <address@hidden>
Date: 19/08/2017 19:14 (GMT+07:00)
To: address@hidden
Subject: [Bug binutils 2.29] Integer overflow in process_version_sections (readelf.c)
I found an integer overflow bug in process_version_sections (readelf.c), which would make a for loop iterate millions of times.
============Reproduce the bug ============
address@hidden:~# readelf -a readefl_hang.elf
ELF Header:
Magic: 7f 45 4c 46 00 02 00 00 00 00 00 00 00 00 00 40
Class: none
.................
=> The program will run for a very long time.
======================================
============Description==================
At readelf.c:10388, idx += ent.vn_next. This triggers an integer overflow with a suitable value of ent.vn_next. With the crafted readelf_hang.elf above, the for loop at readelf.c:10304 has iterations as follows (set a breakpoint at readelf.c:10327 and examine idx, ent.vn_next, ...):
+ Loop 0: idx = 0; ent.vn_next = 64
+ Loop 1: idx = 64; ent.vn_next = 64
+ Loop 2: idx = 128; ent.vn_next = 4294967168
+ Loop 3: idx = 0; ent.vn_next = 64
+ Loop 4: idx = 64; ent.vn_next = 64
+ Loop 5: idx = 128; ent.vn_next = 4294967168
+ Loop 6: idx = 0; ent.vn_next = 64
+ Loop 7: idx = 64; ent.vn_next = 64
+ Loop 8: idx = 128; ent.vn_next = 4294967168
....
When idx = 128, ent.vn_next = 4294967168, the expression idx + ent.vn_next gets 0 => idx += ent.vn_next overflows. So the loop would not break at line readelf.c:10312
    if (idx > (size_t) (endbuf - (char *) eneed))
      break;
and it would iterate until cnt equals section->sh_info. With readelf_hang.elf, section->sh_info = 1441792, so it iterates 1441792 times.
======================================
============Suggestion for Patching=========
Add the following line before line readelf.c:10388
if (idx + ent.vn_next < idx) break;
======================================
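As an added illustration (not part of the report and not binutils code), the following C program models the loop described above: a constructed three-entry chain whose vn_next values (64, 64, 4294967168) are the ones from the report, walked sh_info times with 32-bit idx arithmetic. The structure name verneed_entry, the 64-byte entry spacing and the helper names are assumptions made for the model; they are not readelf's. walk_chain() returns how many entries were visited, with and without the suggested wraparound check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one Verneed entry: only the field the loop uses. */
struct verneed_entry {
    uint32_t vn_next;   /* byte offset to the next entry (constructed) */
};

#define ENTRY_SIZE 64u   /* assumption: entries laid out 64 bytes apart */

/* Constructed chain mirroring the idx / vn_next values from the report.
   The third entry's vn_next wraps idx back to 0 in 32-bit arithmetic. */
static const struct verneed_entry chain[] = {
    { 64 }, { 64 }, { 4294967168u },
};
static const uint32_t chain_bytes = 3 * ENTRY_SIZE;  /* modelled section size */

/* Returns the entry at byte offset idx, or NULL if it does not fit
   in the modelled section (stands in for the endbuf check in readelf). */
static const struct verneed_entry *entry_at(uint32_t idx)
{
    if (idx > chain_bytes - ENTRY_SIZE)
        return NULL;
    return &chain[idx / ENTRY_SIZE];
}

/* Walk the chain the way the readelf loop does, at most sh_info times.
   guard_overflow != 0 enables the suggested check. Returns the number of
   entries visited. */
unsigned long walk_chain(uint32_t sh_info, int guard_overflow)
{
    uint32_t idx = 0;           /* 32-bit, like the loop index in the report */
    unsigned long visited = 0;

    for (uint32_t cnt = 0; cnt < sh_info; ++cnt) {
        const struct verneed_entry *ent = entry_at(idx);
        if (ent == NULL)        /* bounds check: never fires once idx wraps to 0 */
            break;
        ++visited;

        /* Suggested patch: stop if adding vn_next would wrap idx. */
        if (guard_overflow && (uint32_t)(idx + ent->vn_next) < idx)
            break;

        idx += ent->vn_next;    /* 128 + 4294967168 wraps to 0 without the guard */
    }
    return visited;
}

int main(void)
{
    printf("unguarded walk: %lu entries visited\n", walk_chain(1441792u, 0));
    printf("guarded walk:   %lu entries visited\n", walk_chain(1441792u, 1));
    return 0;
}
```

With sh_info = 1441792 the unguarded walk visits 1441792 entries, cycling through the same three forever, while the guarded walk stops at the third entry. The wraparound check complements rather than replaces the existing bounds check: a large vn_next that does not wrap still pushes idx past the section end, and that case is the one entry_at() (endbuf in readelf) already catches.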