[Bug tools/21320] New: eu-elflint: heap-based buffer overflow in check_group (elflint.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=21320

Bug ID: 21320
Summary: eu-elflint: heap-based buffer overflow in check_group (elflint.c)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ago at gentoo dot org
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 9952
--> https://sourceware.org/bugzilla/attachment.cgi?id=9952&action=edit
stacktrace

On elfutils-0.168:

# eu-elflint -d $FILE
READ of size 4 at 0x6020efd0 thread T0
#0 0x41a39e in check_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664

Compiled with: gcc-6.3.0

Reproducer:
https://github.com/asarubbo/poc/blob/master/00247-elfutils-heapoverflow-check_group

Stacktrace attached.

--
You are receiving this mail because:
You are on the CC list for the bug.
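The report above is a 4-byte read of a section group's flags word from a section body that is shorter than 4 bytes. The following is an added example, not elfutils' check_group() and not the reporter's code: a hypothetical standalone parse_group() that models the SHT_GROUP body layout (one flags word followed by member section indices) and refuses to touch the buffer when the body cannot hold the flags word. The sample bodies are constructed here and little-endian word order is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical standalone check (added example, not elfutils' check_group):
   an ELF section group (SHT_GROUP) body is one 4-byte flags word followed
   by 4-byte section indices of the group members. */

enum group_status {
    GROUP_OK = 0,
    GROUP_NO_FLAGS_WORD = 1, /* d_size < word size: the flags word is absent */
    GROUP_BAD_SIZE = 2,      /* d_size is not a multiple of the word size */
    GROUP_EMPTY = 3          /* flags word present but no member sections */
};

struct group_info {
    uint32_t flags;
    size_t nmembers;
    enum group_status status;
};

/* Parse a section group body. buf and d_size stand in for Elf_Data's
   d_buf and d_size; little-endian word order is assumed. */
struct group_info parse_group(const unsigned char *buf, size_t d_size)
{
    const size_t elsize = sizeof(uint32_t); /* sizeof (Elf32_Word) */
    struct group_info info = { 0, 0, GROUP_OK };

    /* The bug class from the report: reading buf[0..3] when d_size < 4
       runs past the end of the section's heap buffer. Refuse before any
       access to buf. */
    if (d_size < elsize) {
        info.status = GROUP_NO_FLAGS_WORD;
        return info;
    }
    if (d_size % elsize != 0)
        info.status = GROUP_BAD_SIZE; /* trailing partial word is ignored */

    uint32_t word;
    memcpy(&word, buf, elsize); /* memcpy: no alignment assumption on buf */
    info.flags = word;
    info.nmembers = d_size / elsize - 1; /* whole words after the flags word */
    if (info.nmembers == 0 && info.status == GROUP_OK)
        info.status = GROUP_EMPTY;
    return info;
}

/* Constructed sample bodies (little-endian). */
static const unsigned char sample_group[] = {
    0x01, 0x00, 0x00, 0x00, /* flags = 1 (GRP_COMDAT) */
    0x05, 0x00, 0x00, 0x00, /* member: section 5 */
    0x07, 0x00, 0x00, 0x00  /* member: section 7 */
};
static const unsigned char sample_flags_only[] = { 0x01, 0x00, 0x00, 0x00 };
static const unsigned char sample_truncated[] = { 0x01, 0x00 }; /* too short */

int main(void)
{
    struct group_info g = parse_group(sample_group, sizeof sample_group);
    printf("group: status=%d flags=%u members=%zu\n",
           (int)g.status, (unsigned)g.flags, g.nmembers);
    g = parse_group(sample_flags_only, sizeof sample_flags_only);
    printf("flags only: status=%d\n", (int)g.status);
    g = parse_group(sample_truncated, sizeof sample_truncated);
    printf("truncated: status=%d (no read attempted)\n", (int)g.status);
    return 0;
}
```

The size check sits before the first dereference of buf, which is the property that matters: a linter that reports "section group without flags word" and then reads the flags word anyway has already done the out-of-bounds access by the time the diagnostic is printed.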
[Bug tools/21320] eu-elflint: heap-based buffer overflow in check_group (elflint.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=21320

--- Comment #1 from Agostino Sarubbo ---
It can be a duplicate of 21310
[PATCH] elflint: Don't check section group without flags word.
https://sourceware.org/bugzilla/show_bug.cgi?id=21320 Signed-off-by: Mark Wielaard --- src/ChangeLog | 4 src/elflint.c | 5 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 0601198..f5378a9 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2017-03-28 Mark Wielaard + + * elflint (check_group): Don't check if there is no flag word. + 2017-02-16 Ulf Hermann * addr2line.c: Include printversion.h diff --git a/src/elflint.c b/src/elflint.c index 66a13ca..bdbf328 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -2646,9 +2646,12 @@ section [%2d] '%s': section size not multiple of sizeof(Elf32_Word)\n"), idx, section_name (ebl, idx)); if (data->d_size < elsize) - ERROR (gettext ("\ + { + ERROR (gettext ("\ section [%2d] '%s': section group without flags word\n"), idx, section_name (ebl, idx)); + return; + } else if (be_strict) { if (data->d_size < 2 * elsize) -- 1.8.3.1
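Review bot: the src/ChangeLog hunk names the file as `* elflint (check_group):` without the `.c`; the neighbouring entry (`* addr2line.c: Include printversion.h`) uses the full file name, so this should read `* elflint.c (check_group): Don't check if there is no flag word.`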
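Review bot: the early `return` added after the "section group without flags word" ERROR in the src/elflint.c hunk is the right fix, since with `data->d_size < elsize` the flags word is not inside the buffer and the code that follows (the 4-byte read at elflint.c:2664 in the report's ASan trace) must not run; the new braces are also required, because `ERROR (...); return;` cannot otherwise be followed by the existing `else if (be_strict)`. Worth confirming in review that the diagnostic is still emitted before the return (it is, as ERROR precedes it) and that the strict `2 * elsize` check now only runs once a flags word is known to exist, which is the intended order.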
[Bug tools/21320] eu-elflint: heap-based buffer overflow in check_group (elflint.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=21320

Mark Wielaard changed:
  What | Removed | Added
  CC   |         | mjw at redhat dot com

--- Comment #2 from Mark Wielaard ---
elflint: Don't check section group without flags word
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00137.html
[Bug general/20999] Update Polish translation
https://sourceware.org/bugzilla/show_bug.cgi?id=20999

Mark Wielaard changed:
  What       | Removed     | Added
  Status     | UNCONFIRMED | RESOLVED
  Resolution | ---         | FIXED

--- Comment #7 from Mark Wielaard ---
Committed and released in 0.168
[Bug general/21001] Replacement of TEMP_FAILURE_RETRY is broken
https://sourceware.org/bugzilla/show_bug.cgi?id=21001

Mark Wielaard changed:
  What       | Removed     | Added
  Status     | UNCONFIRMED | RESOLVED
  Resolution | ---         | FIXED

--- Comment #7 from Mark Wielaard ---
commit 925f67e86d127c8917f92bde1cf5abd5b07d0768
Author: Luiz Angelo Daros de Luca
Date:   Thu Dec 29 21:02:57 2016 -0200

    Fix TEMP_FAILURE_RETRY definition when not defined.

    https://sourceware.org/bugzilla/show_bug.cgi?id=21001

    Signed-off-by: Luiz Angelo Daros de Luca
[Bug general/21011] "may be used uninitialized" error with -Werror=maybe-uninitialized
https://sourceware.org/bugzilla/show_bug.cgi?id=21011

Mark Wielaard changed:
  What       | Removed     | Added
  Status     | UNCONFIRMED | RESOLVED
  CC         |             | mark at klomp dot org
  Resolution | ---         | INVALID

--- Comment #4 from Mark Wielaard ---
Looks like if you compile with non-standard flags and -Wno-error this is fine.
Feel free to reopen if you believe this is not the solution.