Hi There

Peng Li and Shengjian Guo at Baidu XLab found a suspicious unsigned integer 
overflow which may bypass a check unintentionally. The bug is found in function 
get_data of readelf.c of version 2.31.51.20190117.


static void *
get_data (void *         var,
          Filedata *     filedata,
          unsigned long  offset,
          bfd_size_type  size,
          bfd_size_type  nmemb,
          const char *   reason)
{
  …
  // Based on the input, offset: 18446744073709551615, archive_file_offset: 0, amt: 255
  // (offset + archive_file_offset + amt): 254, filedata->file_size: 256
  if (amt > filedata->file_size
      || offset + archive_file_offset + amt > filedata->file_size)
    {
      if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
               bfd_vmatoa ("u", amt), reason);
      return NULL;
    }
  …
}


If you compile readelf with -fsanitize=unsigned-integer-overflow and run 
./readelf -a input, it is found that offset + archive_file_offset + amt 
overflows and bypasses the check. Can you please help verify if it is a true 
positive and think about whether adding a check for each variable against 
file_size is necessary?

If you have any questions about this issue and input in the attachment, please 
let me know.

Thanks
Peng

Attachment: input
Description: input
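The wrap-around described in the report, reproduced as an added stand-alone example (not code from the report or from binutils). It assumes 64-bit unsigned types for all four quantities, matching the values quoted above, and places the quoted check beside a variant that tests each term against file_size before adding, so no intermediate sum can wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: bfd_size_type and the offsets are 64-bit unsigned, as on an
   LP64 host, so arithmetic is modulo 2^64 exactly as in the report. */
typedef uint64_t bfd_size_type;

/* The check as quoted in the report: the three-term sum may wrap around. */
static bool
range_ok_wrapping (bfd_size_type file_size, uint64_t offset,
                   uint64_t archive_file_offset, bfd_size_type amt)
{
  if (amt > file_size
      || offset + archive_file_offset + amt > file_size)
    return false;
  return true;
}

/* Hardened variant: bound each term by what remains of file_size before
   adding it.  Every subtraction below has a non-negative operand, so no
   intermediate value can wrap and the final comparison is meaningful. */
static bool
range_ok_checked (bfd_size_type file_size, uint64_t offset,
                  uint64_t archive_file_offset, bfd_size_type amt)
{
  if (amt > file_size)
    return false;
  if (offset > file_size)
    return false;
  if (archive_file_offset > file_size - offset)
    return false;
  if (amt > file_size - offset - archive_file_offset)
    return false;
  return true;
}

int
main (void)
{
  /* Values constructed from the report: offset = 2^64 - 1, so the sum
     2^64 - 1 + 0 + 255 wraps to 254, which is below file_size = 256. */
  const bfd_size_type file_size = 256;
  const uint64_t offset = UINT64_MAX, archive_file_offset = 0;
  const bfd_size_type amt = 255;

  printf ("wrapping check accepts: %d\n",
          range_ok_wrapping (file_size, offset, archive_file_offset, amt));
  printf ("per-term check accepts: %d\n",
          range_ok_checked (file_size, offset, archive_file_offset, amt));
  return 0;
}
```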

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
