From: nickc at redhat dot com
Subject: [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check
Date: Fri, 25 Jan 2019 12:14:56 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24132

Nick Clifton <nickc at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nickc at redhat dot com

--- Comment #1 from Nick Clifton <nickc at redhat dot com> ---
(In reply to poppeter1982 from comment #0)

Hi Peng,

>           if (dynamic_addr + dynamic_size >= filedata->file_size)

> If you compile readelf with -fsanitize=unsigned-integer-overflow

The version of gcc that I am using (8.2.1 on Fedora 29) does not support
a -fsanitize=unsigned-integer-overflow option.  Is this a new feature?


> and run
> ./readelf -a input, it is found that dynamic_addr + dynamic_size overflows
> and may bypass the check. Can you please help verify if it is a true
> positive

I added a printf statement before the check to examine the values of
these variables:

  fprintf (stderr, "addr %lx size %llx file %llx plus %llx\n",
           dynamic_addr, dynamic_size, filedata->file_size,
           dynamic_addr + dynamic_size);

But it appears that the arithmetic works:

  addr 22000016 size 60000e002200002f file c190d plus 60000e0044000045
  readelf: Error: the dynamic segment offset + size exceeds the size of the file

(This is with a 32-bit toolchain, which I presume you are using.  You
did not actually specify how you configured your binutils build).

The point is that the dynamic_size and file_size variables are both
unsigned long long types, and so the arithmetic does not overflow.

So I think that the check should be OK.

Cheers
  Nick

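The following is an added illustration, not code from the bug report or from binutils: it replays the arithmetic behind the check with the widths Nick describes (a 32-bit dynamic_addr promoted to unsigned long long, so the sum is computed in 64 bits and cannot wrap), shows the same check with two 64-bit operands, where the sum can wrap and a large size would slip past, and contrasts both with a form of the check that never forms the sum. Function names and the wrapping input are constructed for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The check as written, with 32-bit-toolchain widths: dynamic_addr is
 * converted to unsigned long long before the addition (usual arithmetic
 * conversions), so the sum is 64-bit and no wrap-around can occur here. */
static bool
exceeds_file_as_written (uint32_t dynamic_addr,
                         unsigned long long dynamic_size,
                         unsigned long long file_size)
{
  return dynamic_addr + dynamic_size >= file_size;
}

/* Same expression when both operands are 64-bit: the sum is reduced
 * modulo 2^64, so a huge size can produce a small sum and pass the test. */
static bool
exceeds_file_wrapping (uint64_t dynamic_addr, uint64_t dynamic_size,
                       uint64_t file_size)
{
  return dynamic_addr + dynamic_size >= file_size;
}

/* Width-independent form: addr + size >= file_size is true exactly when
 * addr >= file_size, or size >= file_size - addr (subtraction cannot
 * underflow once addr < file_size), so no sum is ever formed. */
static bool
exceeds_file_safe (uint64_t dynamic_addr, uint64_t dynamic_size,
                   uint64_t file_size)
{
  if (dynamic_addr >= file_size)
    return true;
  return dynamic_size >= file_size - dynamic_addr;
}

int
main (void)
{
  /* Values taken from the printf output quoted in the comment. */
  uint32_t addr = 0x22000016u;
  unsigned long long size = 0x60000e002200002fULL, file = 0xc190dULL;
  printf ("plus %llx -> %s\n", addr + size,
          exceeds_file_as_written (addr, size, file) ? "rejected" : "accepted");
  /* Constructed 64-bit input whose naive sum wraps to 0x10000. */
  uint64_t a = 0xffffffffffff0000ULL, s = 0x20000ULL, f = 0x100000ULL;
  printf ("wrapping: %s, safe: %s\n",
          exceeds_file_wrapping (a, s, f) ? "rejected" : "accepted",
          exceeds_file_safe (a, s, f) ? "rejected" : "accepted");
  return 0;
}
```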