https://sourceware.org/bugzilla/show_bug.cgi?id=27287
Bug ID: 27287
Summary: False results/misinformation, unpredictable behavior and potential crash through two Integer Overflows in elf_parse_notes() based on large xnp->name
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---

Created attachment 13178 --> https://sourceware.org/bugzilla/attachment.cgi?id=13178&action=edit
poc

= Attachment =

./memory

= Reproduce =

Compile with ./configure -enable=avr
objdump --private=mem-usage memory

= Description =

In elf.c:12068 and elf.c:12076, xnp->name + size may overflow an unsigned long and cause the function to falsely return FALSE. The program will then proceed on an unintended path with unexpected behavior.

= UBSan =

../../bfd/elf.c:12068:41: runtime error: unsigned integer overflow: 18446744073709551604 + 60 cannot be represented in type 'unsigned long'
../../bfd/elf.c:12076:41: runtime error: unsigned integer overflow: 18446744073709551600 + 60 cannot be represented in type 'unsigned long'

= Stack Trace =

Breakpoint 2, elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized out>, offset=<optimized out>, align=<optimized out>) at ../../bfd/elf.c:12068
12068     if (in.namesz > buf - in.namedata + size)
(gdb) bt
#0  elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized out>, offset=<optimized out>, align=<optimized out>) at ../../bfd/elf.c:12068
#1  0x0000000000bf9f92 in _bfd_elf_make_section_from_shdr (abfd=<optimized out>, hdr=<optimized out>, name=<optimized out>, shindex=<optimized out>) at ../../bfd/elf.c:1137
#2  0x0000000000c05f1a in bfd_section_from_shdr (abfd=<optimized out>, shindex=<optimized out>) at ../../bfd/elf.c:2485
#3  0x0000000000d65e1e in bfd_elf32_object_p (abfd=<optimized out>) at ../../bfd/elfcode.h:834
#4  0x0000000000b56c3e in bfd_check_format_matches (abfd=<optimized out>, format=<optimized out>, matching=<optimized out>) at ../../bfd/format.c:343
#5  0x000000000041b2a0 in display_object_bfd (abfd=0x33b7c90) at ../../binutils/objdump.c:5006
#6  display_any_bfd (file=0x33b7c90, level=0) at ../../binutils/objdump.c:5098
#7  0x000000000040757d in display_file (filename=<optimized out>, target=<optimized out>, last_file=<optimized out>) at ../../binutils/objdump.c:5119
#8  main (argc=<optimized out>, argv=<optimized out>) at ../../binutils/objdump.c:5467

= Fix =

Fix the values of xnp->name and size rather than applying a local hack.