From: dennis.r at columbia dot edu
Subject: [Bug binutils/27287] New: False results/ misinformation, unpredictable behavior and potential crash through two Integer Overflows in elf_parse_notes() based on large xnp->name
Date: Sun, 31 Jan 2021 03:31:56 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=27287
Bug ID: 27287
Summary: False results/ misinformation, unpredictable behavior
and potential crash through two Integer Overflows in
elf_parse_notes() based on large xnp->name
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---
Created attachment 13178
--> https://sourceware.org/bugzilla/attachment.cgi?id=13178&action=edit
poc
= Attachment =
./memory
= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage memory
= Description =
In elf.c:12068 and elf.c:12076, xnp->name + size may overflow an unsigned long
and cause the function to falsely return FALSE. The program will then proceed on
an unintended path with unexpected behavior.
= UBSan =
../../bfd/elf.c:12068:41: runtime error: unsigned integer overflow:
18446744073709551604 + 60 cannot be represented in type 'unsigned long'
../../bfd/elf.c:12076:41: runtime error: unsigned integer overflow:
18446744073709551600 + 60 cannot be represented in type 'unsigned long'
= Stack Trace =
Breakpoint 2, elf_parse_notes (abfd=<optimized out>, buf=<optimized out>,
size=<optimized out>, offset=<optimized out>, align=<optimized out>) at
../../bfd/elf.c:12068
12068 if (in.namesz > buf - in.namedata + size)
(gdb) bt
#0 elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized
out>, offset=<optimized out>, align=<optimized out>) at ../../bfd/elf.c:12068
#1 0x0000000000bf9f92 in _bfd_elf_make_section_from_shdr (abfd=<optimized
out>, hdr=<optimized out>, name=<optimized out>, shindex=<optimized out>) at
../../bfd/elf.c:1137
#2 0x0000000000c05f1a in bfd_section_from_shdr (abfd=<optimized out>,
shindex=<optimized out>) at ../../bfd/elf.c:2485
#3 0x0000000000d65e1e in bfd_elf32_object_p (abfd=<optimized out>) at
../../bfd/elfcode.h:834
#4 0x0000000000b56c3e in bfd_check_format_matches (abfd=<optimized out>,
format=<optimized out>, matching=<optimized out>) at ../../bfd/format.c:343
#5 0x000000000041b2a0 in display_object_bfd (abfd=0x33b7c90) at
../../binutils/objdump.c:5006
#6 display_any_bfd (file=0x33b7c90, level=0) at ../../binutils/objdump.c:5098
#7 0x000000000040757d in display_file (filename=<optimized out>,
target=<optimized out>, last_file=<optimized out>) at
../../binutils/objdump.c:5119
#8 main (argc=<optimized out>, argv=<optimized out>) at
../../binutils/objdump.c:5467
= Fix =
Fix values of xnp->name and size rather than a local hack.
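The report above concerns bounds checks written as pointer-plus-length arithmetic (`buf - in.namedata + size`), which wraps when the pointer difference is negative. The following is an added example, not binutils code and not the reporter's: a small ELF note walker whose checks compare each declared length against the number of bytes remaining, so no addition can wrap. It assumes little-endian note headers and 4-byte note alignment (ELF32, and the usual ELF64 case); the note bytes it parses are constructed inline and are not the report's attachment.

```c
/* Added example (not binutils code): overflow-free ELF note bounds checks.
 * Assumes little-endian n_namesz/n_descsz/n_type and 4-byte alignment. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NHDR_SIZE 12u   /* n_namesz, n_descsz, n_type: three 32-bit fields */

struct note {
    uint32_t namesz, descsz, type;
    const unsigned char *name;   /* namesz bytes, not necessarily NUL-terminated */
    const unsigned char *desc;   /* descsz bytes */
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Round a 32-bit length up to the alignment in 64-bit arithmetic, so the
 * rounding step itself cannot overflow for any 32-bit input. */
static uint64_t align_up(uint32_t len, uint64_t align)
{
    return ((uint64_t)len + align - 1) & ~(align - 1);
}

/* Parse one note at offset *cursor inside [buf, buf + size).  On success
 * fills *out, advances *cursor past the note and its padding, and returns
 * true; on a truncated or oversized note returns false and leaves *out alone.
 * Every check is "length > remaining", never "pointer + length > end". */
static bool parse_one_note(const unsigned char *buf, size_t size,
                           size_t *cursor, uint64_t align, struct note *out)
{
    size_t off = *cursor;
    if (off > size)
        return false;
    size_t remaining = size - off;          /* off <= size, so no underflow */
    if (remaining < NHDR_SIZE)
        return false;

    const unsigned char *p = buf + off;
    uint32_t namesz = rd32le(p), descsz = rd32le(p + 4), type = rd32le(p + 8);
    off += NHDR_SIZE;
    remaining -= NHDR_SIZE;

    /* Name: the padded length must fit, because the descriptor follows it. */
    uint64_t name_padded = align_up(namesz, align);
    if (name_padded > remaining)
        return false;
    const unsigned char *name = buf + off;
    off += (size_t)name_padded;
    remaining -= (size_t)name_padded;

    /* Descriptor: its bytes must fit; trailing padding may be absent at the
     * very end of the section, so clamp the advance to what is left. */
    if (descsz > remaining)
        return false;
    const unsigned char *desc = buf + off;
    uint64_t desc_padded = align_up(descsz, align);
    off += (size_t)(desc_padded > remaining ? remaining : desc_padded);

    out->namesz = namesz; out->descsz = descsz; out->type = type;
    out->name = name;     out->desc = desc;
    *cursor = off;
    return true;
}

/* Walk every note in the buffer.  Returns the count parsed, or -1 as soon as
 * a malformed note is hit (nothing after it is trusted). */
static int count_notes(const unsigned char *buf, size_t size)
{
    size_t cursor = 0;
    int n = 0;
    struct note nt;
    while (cursor < size) {
        if (!parse_one_note(buf, size, &cursor, 4, &nt))
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample: two well-formed "GNU" notes (16-byte and 5-byte desc). */
int demo_wellformed(void)
{
    unsigned char buf[64];
    size_t n = 0;
    wr32le(buf + n, 4); wr32le(buf + n + 4, 16); wr32le(buf + n + 8, 1); n += 12;
    memcpy(buf + n, "GNU", 4); n += 4;
    memset(buf + n, 0, 16); n += 16;
    wr32le(buf + n, 4); wr32le(buf + n + 4, 5); wr32le(buf + n + 8, 3); n += 12;
    memcpy(buf + n, "GNU", 4); n += 4;
    memset(buf + n, 0xab, 5); memset(buf + n + 5, 0, 3); n += 8;
    return count_notes(buf, n);                 /* 2 */
}

/* Constructed sample: n_namesz = 0xFFFFFFF4 (-12 as 32-bit), the kind of value
 * that makes pointer-plus-length checks wrap; here it simply exceeds the
 * bytes remaining and the note is rejected. */
int demo_huge_namesz(void)
{
    unsigned char buf[32] = {0};
    wr32le(buf, 0xFFFFFFF4u);
    return count_notes(buf, sizeof buf);        /* -1 */
}

/* Constructed sample: header claims a 4-byte name, buffer ends after header. */
int demo_truncated(void)
{
    unsigned char buf[12] = {0};
    wr32le(buf, 4);
    return count_notes(buf, sizeof buf);        /* -1 */
}

int main(void)
{
    printf("well-formed: %d  huge namesz: %d  truncated: %d\n",
           demo_wellformed(), demo_huge_namesz(), demo_truncated());
    return 0;
}
```

The point of the `remaining` variable is that it is derived from a single `off <= size` check and only ever decreases by amounts already proven not to exceed it, so a 32-bit size field of any value, including the 2^32 - 12 pattern in the report, is caught by a plain comparison rather than by arithmetic that UBSan would flag.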