[Bug binutils/21990] New: Integer overflow in process_version_sections (readelf.c)

2017-08-22 Thread Imdb95 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21990

Bug ID: 21990
   Summary: Integer overflow in process_version_sections
(readelf.c)
   Product: binutils
   Version: 2.29
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: Imdb95 at gmail dot com
  Target Milestone: ---

Created attachment 10358
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10358&action=edit
Crafted elf file used to trigger the bug

Hello,
I found this bug when fuzzing readelf with afl-fuzz.
==Reproduce==
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure
--prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl
-Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo
make install
Trigger the bug:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readefl_hang.elf 
==Actual Result==
The program readelf hangs for a very long time, printing repeated outputs.
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readefl_hang.elf 
ELF Header:
  Magic:   7f 45 4c 46 00 02 00 00 00 00 00 00 00 00 00 40 
  Class: none
..
  0x0080:   Name index: 0  Flags: none  Version: 0
readelf: Warning: Invalid vna_next field of ff80
  0x0040: Version: 0  File: 0  Cnt: 0
  0x0080: Version: 0  File: 0  Cnt: 0
  00: Version: 32581  File: 2  Cnt: 19526
  00:   Name index: 0  Flags: WEAK  Version: 0
  0x0040:   Name index: 0  Flags: none  Version: 0
  0x0080:   Name index: 0  Flags: none  Version: 0
readelf: Warning: Invalid vna_next field of ff80
..
==Build Date & Hardware==
Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)
Compilation on Ubuntu 16.04:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
==Additional Information==
Detailed analysis of the bug:
At readelf.c:10388, idx += ent.vn_next. This triggers an integer overflow with a
suitable value of ent.vn_next. With the crafted readelf_hang.elf above, the for
loop at readelf.c:10304 iterates as follows (set a breakpoint at
readelf.c:10327 and examine idx, ent.vn_next, ...):
   + Loop 0: idx = 0; ent.vn_next = 64
   + Loop 1: idx = 64; ent.vn_next = 64
   + Loop 2: idx = 128; ent.vn_next = 4294967168
   + Loop 3: idx = 0; ent.vn_next = 64
   + Loop 4: idx = 64; ent.vn_next = 64
   + Loop 5: idx = 128; ent.vn_next = 4294967168
   + Loop 6: idx = 0; ent.vn_next = 64
   + Loop 7: idx = 64; ent.vn_next = 64
   + Loop 8: idx = 128; ent.vn_next = 4294967168
..
When idx = 128 and ent.vn_next = 4294967168, the expression idx + ent.vn_next gets
0 => idx += ent.vn_next overflows. So the loop would not break at line
readelf.c:10312
if (idx > (size_t) (endbuf - (char *) eneed))
  break;
and it would iterate until cnt equals section->sh_info. With
readelf_hang.elf, section->sh_info = 1441792, so it iterates 1441792 times.
==Suggestion for Patching==
Add the following line before line readelf.c:10388 
 if (idx + ent.vn_next < idx) break;

Cheers,
  Manh

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/21994] New: Hang in process_version_sections with ent.vd_next = 0 and aux.vda_next = 0

2017-08-23 Thread Imdb95 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21994

Bug ID: 21994
   Summary: Hang in process_version_sections with ent.vd_next = 0
and aux.vda_next = 0
   Product: binutils
   Version: 2.29
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: Imdb95 at gmail dot com
  Target Milestone: ---

Created attachment 10360
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10360&action=edit
Crafted elf file used to trigger the bug

Hello,
I found this bug when fuzzing readelf with afl-fuzz.
==Reproduce==
Trigger the bug:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang.elf 
==Actual Result==
The program readelf hangs for a very long time, printing repeated outputs.
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id00.elf 
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 04 00 00 00 00 00 00 00 00 
  Class: ELF64
..
  0x0070: Parent 19320, name index: 0
  0x0070: Parent 19321, name index: 0
  0x0070: Parent 19322, name index: 0
  0x0070: Parent 19323, name index: 0
  0x0070: Parent 19324, name index: 0
  0x0070: Parent 19325, name index: 0
  0x0070: Parent 19326, name index: 0
  0x0070: Parent 19327, name index: 0
  0x0070: Parent 19328, name index: 0
..
==Build Date & Hardware==
Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)
Compilation on Ubuntu 16.04:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure
--prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl
-Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo
make install
==Additional Information==
Detailed analysis of the bug:
Within the loop starting at readelf.c:10236, if aux.vda_next = 0, the loop
iterates (ent.vd_cnt-1) times. And within the outer loop (starting at
readelf.c:10183), ent.vn_next can be zero, so idx never increases (idx +=
ent.vd_next), and the loop iterates cnt times. So the complexity of the two
nested loops is O(cnt*ent.vd_cnt), which makes the program hang.
==Suggestion for Patching==
Just check if aux.vda_next = 0 and if ent.vn_next = 0.
Cheers,
  Manh

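The two hangs above (21990's wrapped idx and 21994's zero-length steps) come from the same loop shape: a 32-bit offset advanced by an attacker-controlled "next" field whose only exit conditions are a counter and a past-the-end test. The C program below is an added illustration, not readelf's code and not either bug report's attachment. It walks a constructed toy chain (12-byte entries with cnt/aux/next fields and 8-byte aux records, all little-endian and all invented for this example; the real Elf_External_Verneed/Verdef are 16 bytes with more fields) first the way the 2.29 loop does, then with the two checks the reports ask for. The builders, walk(), run_case() and the sh_info values 1441792 and 1000 are assumptions for the demo; 1441792 is the sh_info the first report quotes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout, NOT the real 16-byte Elf_External_Verdef/Verneed:
 *   entry (12 bytes): u32 cnt | u32 aux | u32 next   offsets relative to entry
 *   aux   (8 bytes):  u32 pad | u32 next             offset relative to aux   */
#define ENT_SIZE 12u
#define AUX_SIZE 8u

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Walks the chain.  hardened == 0 mirrors the readelf 2.29 loop: idx and isum are
 * 32-bit, every step is applied unchecked, and the only exits are the counters
 * and the "runs past the buffer" tests.  hardened != 0 adds the checks the two
 * reports ask for.  Returns the number of entry + aux record visits. */
static unsigned long walk(const unsigned char *buf, size_t len,
                          uint32_t sh_info, int hardened)
{
    uint32_t idx = 0, cnt;
    unsigned long visits = 0;

    for (cnt = 0; cnt < sh_info; ++cnt) {
        uint32_t ecnt, aux, next, isum, j;
        if (idx > len || len - idx < ENT_SIZE)       /* 2.29's only bounds test */
            break;
        ecnt = le32(buf + idx);
        aux  = le32(buf + idx + 4);
        next = le32(buf + idx + 8);
        visits++;
        if (hardened && aux > len - idx)             /* aux pointer leaves the buffer */
            break;
        for (j = 0, isum = idx + aux; j < ecnt; ++j) {
            uint32_t anext;
            if (isum > len || len - isum < AUX_SIZE)
                break;
            visits++;
            anext = le32(buf + isum + 4);
            /* PR 21994: unchecked, a zero anext revisits this record ecnt times */
            if (hardened && (anext == 0 || anext > len - isum))
                break;
            isum += anext;
        }
        /* PR 21990: unchecked, 128 + 0xffffff80 wraps the 32-bit idx back to 0.
         * "next > len - idx" also covers the report's "idx + next < idx" test,
         * and a zero next is the legitimate last-record marker anyway. */
        if (hardened && (next == 0 || next > len - idx))
            break;
        idx += next;
    }
    return visits;
}

/* PR 21990 shape: entries at 0, 64 and 128 whose next fields are 64, 64 and
 * 0xffffff80, so the third step brings a 32-bit idx back to 0 (constructed). */
static size_t build_wrap_chain(unsigned char *buf)
{
    memset(buf, 0, 140);
    put32(buf + 0   + 8, 64);
    put32(buf + 64  + 8, 64);
    put32(buf + 128 + 8, 0xffffff80u);
    return 140;
}

/* PR 21994 shape: one entry claiming four aux records; the aux record's next
 * and the entry's next are both 0 (constructed). */
static size_t build_zero_step_chain(unsigned char *buf)
{
    memset(buf, 0, 20);
    put32(buf + 0, 4);     /* cnt */
    put32(buf + 4, 12);    /* aux: the record sits right after the entry */
    /* entry next (offset 8) and aux next (offset 16) stay 0 */
    return 20;
}

/* zero_step: 0 = wrap chain with sh_info 1441792 (the report's value),
 *            1 = zero-step chain with sh_info 1000.  hardened selects the walk. */
unsigned long run_case(int zero_step, int hardened)
{
    unsigned char buf[140];
    size_t len = zero_step ? build_zero_step_chain(buf) : build_wrap_chain(buf);
    uint32_t sh_info = zero_step ? 1000u : 1441792u;
    return walk(buf, len, sh_info, hardened);
}

int main(void)
{
    printf("PR 21990 shape: naive %lu visits, hardened %lu\n", run_case(0, 0), run_case(0, 1));
    printf("PR 21994 shape: naive %lu visits, hardened %lu\n", run_case(1, 0), run_case(1, 1));
    return 0;
}
```

The naive walk visits the wrap chain 1441792 times (once per sh_info count, idx cycling 0, 64, 128, 0, ...) and the zero-step chain 5000 times (1000 outer iterations, each re-reading the same aux record four times); the hardened walk stops after 3 and 2 visits respectively. The "step must fit in the remaining bytes" test is preferable to the report's wrap test alone because it also rejects a next that does not wrap but still points outside the section.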


[Bug binutils/21995] New: Hang in process_mips_specific (readelf.c)

2017-08-23 Thread Imdb95 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21995

Bug ID: 21995
   Summary: Hang in process_mips_specific (readelf.c)
   Product: binutils
   Version: 2.29
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: Imdb95 at gmail dot com
  Target Milestone: ---

Created attachment 10361
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10361&action=edit
Crafted elf file used to trigger the bug

Hello,
I found this bug when fuzzing readelf with afl-fuzz.
==Reproduce==
Trigger the bug:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id03.elf
==Actual Result==
The program readelf hangs for a very long time, printing repeated outputs.
manh@manh-VirtualBox:~/Fuzzing/afl/binutils$
./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id03.elf
ELF Header:
  Magic:   7f 45 4c 46 02 14 01 00 00 00 00 00 00 00 00 00 
  Class: ELF64
.
  008028f8   
  00802900   
  00802908   
  00802910   
  00802918   
.
==Build Date & Hardware==
Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)
Compilation on Ubuntu 16.04:
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure
--prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl
-Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo
make install
==Additional Information==
Detailed analysis of the bug:
The while loop at line readelf.c:15835 breaks if ent < local_end. With the
crafted elf readelf_hang_slave_id03.elf, local_end = 0x47f, ent starts
at 0x7f0010. The function print_mips_got_entry makes ent increase by 8 each
iteration, so the while loop would run for a very long time.
Cheers,
  Manh

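The MIPS GOT walk has the same weakness from the other direction: the loop bound local_end is derived from the untrusted local_gotno, so the number of iterations (and of "<corrupt>" lines printed) is whatever the file says it is. The C program below is an added illustration, not readelf's code and not the report's attachment. It models print_mips_got_entry as "advance by addr_size, count the entry as corrupt if no loaded bytes back it", runs the unchecked loop, then shows the geometry checks a hardened walker needs before the loop starts. The start address 0x7f0010 is the one the report quotes; local_gotno = 1<<20, the 40-byte data length (data_len stands in for the number of GOT bytes actually loaded from the file), and the names got_entry, walk_naive and walk_checked are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t vma_t;       /* stands in for bfd_vma; assumes a 64-bit target */

struct got_walk {
    long entries;             /* entries visited, or -1 if the table was rejected */
    unsigned long corrupt;    /* entries that had no loaded bytes behind them */
};

/* Model of print_mips_got_entry: the entry at addr is printable only if its
 * addr_size bytes lie inside the data_len bytes loaded from pltgot; otherwise
 * readelf prints <corrupt>.  Either way the address advances by addr_size. */
static vma_t got_entry(vma_t pltgot, vma_t addr, size_t data_len,
                       unsigned addr_size, unsigned long *corrupt)
{
    vma_t off = addr - pltgot;    /* wraps to a huge value if addr < pltgot */
    if (off >= data_len || data_len - off < addr_size)
        (*corrupt)++;
    return addr + addr_size;
}

/* The 2.29 shape: local_end comes straight from the untrusted local_gotno and
 * the loop runs until ent reaches it, one entry per iteration.  A local_gotno
 * large enough to wrap local_end instead makes the loop run zero times. */
struct got_walk walk_naive(vma_t pltgot, vma_t local_gotno,
                           unsigned addr_size, size_t data_len)
{
    struct got_walk r = { 0, 0 };
    vma_t ent = pltgot;
    vma_t local_end = pltgot + local_gotno * addr_size;   /* may wrap */
    while (ent < local_end) {
        ent = got_entry(pltgot, ent, data_len, addr_size, &r.corrupt);
        r.entries++;
    }
    return r;
}

/* Validate the geometry before looping: the end address must not wrap, and
 * every claimed entry must be backed by loaded bytes.  A rejected table is
 * reported as entries == -1; a real fix would warn and skip the section. */
struct got_walk walk_checked(vma_t pltgot, vma_t local_gotno,
                             unsigned addr_size, size_t data_len)
{
    struct got_walk r = { -1, 0 };
    if (local_gotno > (UINT64_MAX - pltgot) / addr_size)   /* local_end would wrap */
        return r;
    if (local_gotno > data_len / addr_size)                 /* more entries than bytes */
        return r;
    return walk_naive(pltgot, local_gotno, addr_size, data_len);
}

int main(void)
{
    struct got_walk a = walk_naive(0x7f0010, 1u << 20, 8, 40);
    struct got_walk b = walk_checked(0x7f0010, 1u << 20, 8, 40);
    struct got_walk c = walk_checked(0x7f0010, 5, 8, 40);
    printf("naive:   %ld entries walked, %lu corrupt\n", a.entries, a.corrupt);
    printf("checked: %ld (table rejected)\n", b.entries);
    printf("checked: %ld entries walked, %lu corrupt\n", c.entries, c.corrupt);
    return 0;
}
```

With 40 bytes of GOT data and a claimed local_gotno of 1048576, the naive loop walks all 1048576 slots and flags 1048571 of them as corrupt, which is the "prints repeated outputs for a very long time" behaviour of the report; the checked walk refuses the table outright, and accepts a local_gotno of 5 that the data actually covers. Both the wrap test and the size test matter: the wrap test alone still lets a non-wrapping but absurd count through, and the size test alone misses a count whose multiplication has already wrapped.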