https://sourceware.org/bugzilla/show_bug.cgi?id=24829
tfx <tfx_sec at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #7 from tfx <tfx_sec at hotmail dot com> ---
Hi Nick,

I found several similar problems in dwarf.c. You can reproduce it using "readelf -w poc5" with ASAN. The crash output is as follows.

Line Number Statements:
ASAN:DEADLYSIGNAL
=================================================================
==1276==ERROR: AddressSanitizer: SEGV on unknown address 0x1bf66161 (pc 0x08234f98 bp 0xffc3aa88 sp 0xffc3a7e0 T0)
    #0 0x8234f97 in display_debug_lines_raw ./src/binutils/dwarf.c:3840:18
    #1 0x8234f97 in display_debug_lines ./src/binutils/dwarf.c:4825
    #2 0x81984d7 in display_debug_section ./src/binutils/readelf.c:14231:18
    #3 0x81984d7 in process_section_contents ./src/binutils/readelf.c:14322
    #4 0x8178730 in process_object ./src/binutils/readelf.c:19760:9
    #5 0x8140c51 in process_file ./src/binutils/readelf.c:20190:13
    #6 0x8140c51 in main ./src/binutils/readelf.c:20249
    #7 0xf7ce1636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x806254c in _start (/vul/readelf/readelf-pat+0x806254c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./src/binutils/dwarf.c:3840:18 in display_debug_lines_raw
==1276==ABORTING

The source code with the problem is as follows (line numbers are those of dwarf.c).

dwarf.c
2064       if (block_start + uvalue > end || data < block_start)
2065         {
2066           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
2067           uvalue = end - block_start;
2068         }
...
2084       data = block_start + uvalue;
2085       if (block_start + uvalue > end || data < block_start)
2086         {
2087           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
2088           uvalue = end - block_start;
2089         }
...
2105       data = block_start + uvalue;
2106       if (block_start + uvalue > end || data < block_start)
2107         {
2108           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
2109           uvalue = end - block_start;
2110         }
...
2127       data = block_start + uvalue;
2128       if (block_start + uvalue > end
2129           /* PR 17531: file: 5b5f0592.  */
2130           || data < block_start)
2131         {
2132           warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
2133           uvalue = end - block_start;
2134         }
2135       if (do_loc)
2136         data = block_start + uvalue;
2137       else
2138         data = display_block (block_start, uvalue, end, delimiter);
2139       break;

When "uvalue" is a specific value, "block_start + uvalue" will cause an integer overflow. This will cause a wrong "data" value and trigger a crash.

3840       op_code = *data++;

It seems that reporting this type of bug has no meaning. What do you think?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
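The following is an added example written for this page; it is not code from the bug report or from binutils. It puts the pointer-arithmetic bounds check quoted above (`block_start + uvalue > end || data < block_start`) beside a length-based check that compares the claimed length against the bytes actually remaining, which cannot wrap. The 32-bit address model in `old_check_accepts` is a constructed simulation of an ILP32 build like the i386 one in the ASAN report (pointer + 64-bit integer keeps only the low 32 bits of the address); the function names, the sample buffer and the sample lengths are all assumptions made for the example.

```c
/* Added example, not binutils code: why a bounds check written as
 * pointer arithmetic is weaker than one written on the remaining length. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the quoted dwarf.c check, evaluated on 32-bit addresses so the
 * wraparound is ordinary unsigned arithmetic rather than undefined pointer
 * overflow.  uvalue stays 64-bit, as a DWARF length field can be.
 * Returns true when the check would let the length through unclamped. */
bool old_check_accepts(uint32_t block_start, uint32_t end, uint64_t uvalue)
{
    /* pointer + integer on an ILP32 target keeps only the low 32 bits */
    uint32_t data = block_start + (uint32_t)uvalue;
    if (data > end || data < block_start)
        return false;           /* dwarf.c warns and clamps uvalue here */
    return true;
}

/* Hardened form: never form the candidate pointer at all; compare the
 * claimed length with the bytes that really remain in the section. */
bool block_len_ok(const unsigned char *block_start,
                  const unsigned char *end, uint64_t uvalue)
{
    if (block_start > end)
        return false;           /* caller already ran off the section */
    return uvalue <= (uint64_t)(end - block_start);
}

/* Recovery matching dwarf.c's own policy (uvalue = end - block_start),
 * but driven by the length-based check. */
uint64_t clamp_block_len(const unsigned char *block_start,
                         const unsigned char *end, uint64_t uvalue)
{
    if (block_len_ok(block_start, end, uvalue))
        return uvalue;
    return (uint64_t)(end - block_start);
}

int main(void)
{
    /* constructed section: 64 bytes, block starts at offset 0 */
    unsigned char section[64] = {0};
    const unsigned char *bs = section;
    const unsigned char *end = section + sizeof section;

    /* constructed 32-bit address model: block at 0x1000, section end 0x1100 */
    uint64_t lengths[] = { 0x50, 0x200, 0x100000000ULL, 0x100000080ULL };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("uvalue=0x%llx old check: %s  length check: %s  clamped to %llu\n",
               (unsigned long long)lengths[i],
               old_check_accepts(0x1000, 0x1100, lengths[i]) ? "accept" : "reject",
               block_len_ok(bs, end, lengths[i]) ? "accept" : "reject",
               (unsigned long long)clamp_block_len(bs, end, lengths[i]));
    }
    return 0;
}
```

The lengths 0x100000000 and 0x100000080 are the interesting rows: their low 32 bits land at or just past block_start, so the address-based check sees an in-range `data` and lets a multi-gigabyte `uvalue` through, while the length-based check rejects both and the clamp falls back to the 64 bytes that exist.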