https://sourceware.org/bugzilla/show_bug.cgi?id=21990
Bug ID: 21990
Summary: Integer overflow in process_version_sections
(readelf.c)
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: Imdb95 at gmail dot com
Target Milestone: ---
Created attachment 10358
--> https://sourceware.org/bugzilla/attachment.cgi?id=10358&action=edit
Crafted elf file used to trigger the bug
Hello,
I found this bug when fuzzing readelf with afl-fuzz.
==========Reproduce==========
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure
--prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl
-Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo
make install
Trigger the bug:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readefl_hang.elf
==========Actual Result==========
The program readelf hangs for a very long time, printing repeated outputs.
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readefl_hang.elf
ELF Header:
Magic: 7f 45 4c 46 00 02 00 00 00 00 00 00 00 00 00 40
Class: none
......................
0x0080: Name index: 0 Flags: none Version: 0
readelf: Warning: Invalid vna_next field of ffffff80
0x0040: Version: 0 File: 0 Cnt: 0
0x0080: Version: 0 File: 0 Cnt: 0
000000: Version: 32581 File: 20000 Cnt: 19526
000000: Name index: 0 Flags: WEAK Version: 0
0x0040: Name index: 0 Flags: none Version: 0
0x0080: Name index: 0 Flags: none Version: 0
readelf: Warning: Invalid vna_next field of ffffff80
......................
==========Build Date & Hardware==========
Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)
Compilation on Ubuntu 16.04:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
==========Additional Information==========
Detailed analysis of the bug:
At readelf.c:10388, idx += ent.vn_next. This triggers integer overflow, with
suitable value of ent.vn_next. With the crafted readelf_hang.elf above, the for
loop at readelf.c:10304 iterates as following (set breakpoint at
readelf.c:10327 and examine idx, ent.vn_next,...):
+ Loop 0: idx = 0; ent.vn_next = 64
+ Loop 1: idx = 64; ent.vn_next = 64
+ Loop 2: idx = 128; ent.vn_next = 4294967168
+ Loop 3: idx = 0; ent.vn_next = 64
+ Loop 4: idx = 64; ent.vn_next = 64
+ Loop 5: idx = 128; ent.vn_next = 4294967168
+ Loop 6: idx = 0; ent.vn_next = 64
+ Loop 7: idx = 64; ent.vn_next = 64
+ Loop 8: idx = 128; ent.vn_next = 4294967168
......................
When idx = 128, ent.vn_next = 4294967168, the expression idx + ent.vn_next gets
0 => idx += ent.vn_next gets overflow. So the loop would not break at line
readelf.c:10312
if (idx > (size_t) (endbuf - (char *) eneed))
break;
and it would iterate until cnt gets equals to section->sh_info. With
readelf_hang.elf, section->sh_info = 1441792, so it iterates for 1441792 times.
==========Suggestion for Patching==========
Add the following line before line readelf.c:10388
if (idx + ent.vn_next < idx) break;
Cheers,
Manh
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
