[Bug binutils/24132] A suspicious unsigned integer overflow which may by

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/24132] A suspicious unsigned integer overflow which may by

From:	poppeter1982 at gmail dot com
Subject:	[Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check
Date:	Fri, 25 Jan 2019 19:02:40 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24132

--- Comment #2 from poppeter1982 at gmail dot com ---
Hi Nick

nickc at redhat dot com <address@hidden> 于2019年1月25日周五
上午4:14写道：

> https://sourceware.org/bugzilla/show_bug.cgi?id=24132
>
> Nick Clifton <nickc at redhat dot com> changed:
>
>            What    |Removed                     |Added
>
> ----------------------------------------------------------------------------
>                  CC|                            |nickc at redhat dot com
>
> --- Comment #1 from Nick Clifton <nickc at redhat dot com> ---
> (In reply to poppeter1982 from comment #0)
>
> Hi Peng,
>
> >           if (dynamic_addr + dynamic_size >= filedata->file_size)
>
> > If you compile readelf with -fsanitize=unsigned-integer-overflow
>
> The version of gcc that I am using (8.2.1 on Fedora 29) does not support
> a -fsanitize=unsigned-integer-overflow option.  Is this a new feature ?
>

I used clang as the compilation frontend


>
>
> > and run
> > ./readelf -a input, it is found that dynamic_addr + dynamic_size
> overflows
> > and may bypass the check. Can you please help verify if it is a true
> > positive
>
> I added a printf statement before the check to examine the values of
> these variables:
>
>   fprintf (stderr, "addr %lx size %llx file %llx plus %llx\n",
>      dynamic_addr, dynamic_size, filedata->file_size,
>      dynamic_addr + dynamic_size);
>
> But it appears that the arithmetic works:
>
>   addr 22000016 size 60000e002200002f file c190d plus 60000e0044000045
>   readelf: Error: the dynamic segment offset + size exceeds the size of the
> file
>
> (This is with a 32-bit toolchain, which I presume you are using.  You
> did not actually specify how you configured your binutils build).
>
> The point is that the dynamic_size and file_size variables are both
> unsigned long long types, and so the arithmetic does not overflow.
>
> So I think that the check should be OK.
>

I compiled binutils in 64-bits platform, and carefully checked the output.
I agree with you that based on this input, the check will not be bypassed.
However, do you think there exist the possibility that this check will fail
due
to overflow?

I reported a similar issue
https://sourceware.org/bugzilla/show_bug.cgi?id=24138,
the check fails due to overflow in this case.

Best,
Peng

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/24132] New: A suspicious unsigned integer overflow which may bypass a check, poppeter1982 at gmail dot com, 2019/01/24
- [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check, nickc at redhat dot com, 2019/01/25
- [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check, poppeter1982 at gmail dot com <=
- [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check, nickc at redhat dot com, 2019/01/28

Prev by Date: [Bug binutils/24138] New: A suspicious unsigned integer overflow which may bypass the check
Next by Date: [Bug ld/24008] Wrong value of ternary expression in map file
Previous by thread: [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check
Next by thread: [Bug binutils/24132] A suspicious unsigned integer overflow which may bypass a check
Index(es):
- Date
- Thread