https://sourceware.org/bugzilla/show_bug.cgi?id=19518
            Bug ID: 19518
           Summary: readelf - missing return value check in MIPS timestamp
                    d_tag processing
           Product: binutils
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: vpbalint at silentsignal dot hu
  Target Milestone: ---

Created attachment 8923
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8923&action=edit
AFL generated test case

readelf tries to access invalid memory when parsing timestamp dtag entries from
MIPS binaries:

Relevant code from readelf.c:

static void
dynamic_section_mips_val (Elf_Internal_Dyn * entry)
{
  switch (entry->d_tag)
    {
    // ...
    case DT_MIPS_TIME_STAMP:
      {
        char timebuf[20];
        struct tm * tmp;

        time_t atime = entry->d_un.d_val;
        tmp = gmtime (&atime);
        snprintf (timebuf, sizeof (timebuf), "%04u-%02u-%02uT%02u:%02u:%02u",
                  tmp->tm_year + 1900, tmp->tm_mon + 1, tmp->tm_mday,
                  tmp->tm_hour, tmp->tm_min, tmp->tm_sec);
        printf (_("Time Stamp: %s"), timebuf);
      }
      break;
    // ...

Since tmp can be NULL if atime is invalid, the subsequent snprintf() call
results in a segmentation fault.

The attached binary can be used to reproduce the problem.
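One way to add the missing check, shown as an added example that is not part of the original report and is not the binutils fix. The helper name format_mips_timestamp, the cast round-trip check, the truncation check and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper, not binutils code: format an untrusted
   DT_MIPS_TIME_STAMP d_val.  Returns 0 on success, -1 when the value
   cannot be shown as a 19-character UTC timestamp.  */
static int
format_mips_timestamp (uint64_t d_val, char *buf, size_t buflen)
{
  time_t atime = (time_t) d_val;
  struct tm *tmp;
  int n;

  /* Extra check (assumption): reject values changed by the cast.  */
  if ((uint64_t) atime != d_val)
    return -1;

  /* gmtime() returns NULL when the year does not fit in struct tm.  */
  tmp = gmtime (&atime);
  if (tmp == NULL)
    return -1;

  n = snprintf (buf, buflen, "%04d-%02d-%02dT%02d:%02d:%02d",
                tmp->tm_year + 1900, tmp->tm_mon + 1, tmp->tm_mday,
                tmp->tm_hour, tmp->tm_min, tmp->tm_sec);
  /* A five-digit year would be truncated; report that as failure.  */
  return (n < 0 || (size_t) n >= buflen) ? -1 : 0;
}

int
main (void)
{
  /* Constructed d_val samples: epoch, a 2016 date, out of range.  */
  const uint64_t samples[] = { 0, 1453593600ULL, 0x7fffffffffffffffULL };
  char timebuf[20];
  size_t i;

  for (i = 0; i < sizeof (samples) / sizeof (samples[0]); i++)
    if (format_mips_timestamp (samples[i], timebuf, sizeof (timebuf)) == 0)
      printf ("Time Stamp: %s\n", timebuf);
    else
      printf ("Time Stamp: <corrupt value %#llx>\n",
              (unsigned long long) samples[i]);
  return 0;
}
```

With a 64-bit time_t the last sample reaches gmtime() and is rejected by the NULL check; with a 32-bit time_t it is rejected earlier by the cast check.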