[Bug binutils 2.29] Integer overflow in process_version_sections (readelf.c)

Tue, 22 Aug 2017 05:51:09 -0700 


Gửi từ điện thoại thông minh Samsung Galaxy của tôi.-------- Tin nhắn gốc 
--------Từ: Manh Nguyen <imd...@gmail.com> Ngày: 19/08/2017  19:14  (GMT+07:00) 
Đến: bug-binutils@gnu.org Chủ đề: [Bug binutils 2.29] Integer overflow in 
process_version_sections (readelf.c) 
I found an integer overflow bug in process_version_sections (readelf.c), which 
would make a for loop iterate millions of times.
============Reproduce the bug ============root@manh-VirtualBox:~# readelf -a 
readefl_hang.elf ELF Header:  Magic:   7f 45 4c 46 00 02 00 00 00 00 00 00 00 
00 00 40   Class:                             none.................=> The 
program will run for very long time.======================================
============Description==================This description is for the version 
2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)At readelf.c:10388, 
idx += ent.vn_next. This triggers integer overflow, with suitable value of 
ent.vn_next. With the craft readelf_hang.elf above, the for loop at 
readelf.c:10304 have iterations as following (set breakpoint at readelf.c:10327 
and examine idx, ent.vn_next,...):   + Loop 0: idx = 0; ent.vn_next = 64   + 
Loop 1: idx = 64; ent.vn_next = 64   + Loop 2: idx = 128; ent.vn_next = 
4294967168   + Loop 3: idx = 0; ent.vn_next = 64   + Loop 4: idx = 64; 
ent.vn_next = 64   + Loop 5: idx = 128; ent.vn_next = 4294967168   + Loop 6: 
idx = 0; ent.vn_next = 64   + Loop 7: idx = 64; ent.vn_next = 64   + Loop 8: 
idx = 128; ent.vn_next = 4294967168....When idx = 128, ent.vn_next = 
4294967168, the expression idx + ent.vn_next gets 0 => idx += ent.vn_next gets 
overflow. So the loop would not break at line readelf.c:10312                   
          if (idx > (size_t) (endbuf - (char *) eneed))                         
           break;and it would iterate until cnt gets equals to 
section->sh_info. With readelf_hang.elf, section->sh_info = 1441792, so it 
iterates for 1441792 times.======================================
============Suggestion for Patching=========
Add the following line before line readelf.c:10388      if (idx + ent.vn_next < 
idx) break;======================================



Attachment:
readefl_hang.elf

Description: Binary data


_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils






















					Reply via email to