https://sourceware.org/bugzilla/show_bug.cgi?id=24829
Bug ID: 24829
Summary: readelf: integer overflow in apply_relocations
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: tfx_sec at hotmail dot com
Target Milestone: ---

Created attachment 11914
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11914&action=edit
poc-interger-overflow

Hi Nick,

An integer overflow issue was discovered in readelf. I built a 32-bit readelf (GNU Binutils) 2.32.51.20190715 using commit 3719fd55 on Ubuntu 16.04 LTS. The source code with the problem is shown below.

readelf.c:13347
> rloc = start + rp->r_offset;
> if ((rloc + reloc_size) > end || (rloc < start))
>   {
>     warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
>           (unsigned long) rp->r_offset,
>           printable_section_name (filedata, section));
>     continue;
>   }

rp->r_offset comes from the input file, and reloc_size is one of (1, 2, 3, 4, 8). When (rloc = start + rp->r_offset) == 0xFFFFFFFF in line 13347, rloc + reloc_size overflows in line 13348. Finally, the program crashes with a write access violation in the byte_put_little_endian function in elfcomm.c.

Maybe it can be fixed like this:

if ((rloc + reloc_size) > end || (rloc < start) || (rloc + reloc_size) < start)

Triggering the bug requires accurate input. I'm not sure the poc file can trigger a crash in your environment. You can try using gdb.

> file readelf
> r -a poc1

The crash output is shown below.
Stopped reason: SIGSEGV
0x080c9169 in byte_put_little_endian (field=0xffffffff <error: Cannot access memory at address 0xffffffff>, value=0x12004004aa, size=0x2) at elfcomm.c:81
81        field[1] = (value >> 8) & 0xff;
gdb-peda$ bt
#0  0x080c9169 in byte_put_little_endian (field=0xffffffff <error: Cannot access memory at address 0xffffffff>, value=0x12004004aa, size=0x2) at elfcomm.c:81
#1  0x0804c819 in apply_relocations (filedata=0x812d908, section=0x8130fe8, start=0x812eae8 "j", size=0x20, relocs_return=0x0, num_relocs_return=0x0) at readelf.c:13433
#2  0x0808d27c in process_notes_at (filedata=0x812d908, section=0x8130fe8, offset=0x21c, length=0x20, align=0x4) at readelf.c:19098
#3  0x0808cfc8 in process_note_sections (filedata=0x812d908) at readelf.c:19372
#4  0x0805f480 in process_notes (filedata=0x812d908) at readelf.c:19408
#5  0x08053059 in process_object (filedata=0x812d908) at readelf.c:19778
#6  0x0804b5d9 in process_file (file_name=0xffffd439 "poc-readelf-a/poc3") at readelf.c:20190
#7  0x0804a86a in main (argc=0x3, argv=0xffffd264) at readelf.c:20249
#8  0xf7e13637 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#9  0x080494a1 in _start ()
gdb-peda$

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
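The wrap-around in the quoted bounds check, and how the two candidate fixes behave on the values from the backtrace, as an added example that is not part of the report and not binutils code. Addresses are modelled as uint32_t to reproduce the 32-bit build's arithmetic portably; the start/size/field values are the ones in the backtrace above, and the offset-based check (offset_check_accepts) is an assumption of this example, not something the report proposes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit address space the report was reproduced in. All
 * arithmetic is done in uint32_t so wrap-around is well defined and the
 * demonstration also runs on a 64-bit host. */
typedef uint32_t addr32_t;

/* Mirrors the bounds check quoted from readelf.c: it reasons in absolute
 * addresses, so rloc + reloc_size can wrap past 0xFFFFFFFF and then compare
 * as smaller than end. Returns true when the relocation would be applied. */
static bool original_check_accepts(addr32_t start, uint32_t size,
                                   uint32_t r_offset, uint32_t reloc_size)
{
    addr32_t end = start + size;
    addr32_t rloc = start + r_offset;   /* attacker-controlled r_offset */
    addr32_t limit = rloc + reloc_size; /* wraps when rloc == 0xFFFFFFFF */

    if (limit > end || rloc < start)
        return false;                   /* skipped with the warning */
    return true;
}

/* The reporter's suggested extra clause: also reject when the (wrapped) end
 * of the write lands below start. */
static bool suggested_check_accepts(addr32_t start, uint32_t size,
                                    uint32_t r_offset, uint32_t reloc_size)
{
    addr32_t end = start + size;
    addr32_t rloc = start + r_offset;
    addr32_t limit = rloc + reloc_size;

    if (limit > end || rloc < start || limit < start)
        return false;
    return true;
}

/* Alternative (assumption of this example, not from the report): compare the
 * file-supplied offset against the section size instead of forming pointers.
 * Neither the subtraction nor the comparisons can wrap, so the check holds
 * no matter where the buffer sits in memory. */
static bool offset_check_accepts(uint32_t size, uint32_t r_offset,
                                 uint32_t reloc_size)
{
    if (r_offset > size)
        return false;
    if (reloc_size > size - r_offset)
        return false;
    return true;
}

int main(void)
{
    /* Values from the backtrace: start=0x812eae8, size=0x20, a 2-byte write
     * landing at field=0xffffffff. The r_offset that produces that address is
     * start's distance from 0xFFFFFFFF (0xF7ED1517). */
    addr32_t start = 0x0812eae8u;
    uint32_t size = 0x20u;
    uint32_t bad_offset = 0xFFFFFFFFu - start;
    uint32_t good_offset = 0x10u;

    printf("offset 0x%08x, 2 bytes: original=%d suggested=%d offset-based=%d\n",
           bad_offset,
           original_check_accepts(start, size, bad_offset, 2),
           suggested_check_accepts(start, size, bad_offset, 2),
           offset_check_accepts(size, bad_offset, 2));
    printf("offset 0x%08x, 4 bytes: original=%d suggested=%d offset-based=%d\n",
           good_offset,
           original_check_accepts(start, size, good_offset, 4),
           suggested_check_accepts(start, size, good_offset, 4),
           offset_check_accepts(size, good_offset, 4));
    return 0;
}
```

The original check accepts the crashing offset because 0xFFFFFFFF + 2 wraps to 0x1, which is below end. The suggested clause catches that case as long as start is larger than the biggest reloc_size (8), which is true for any real heap buffer; the offset-based form needs no such assumption and is the shape reviewers generally prefer for file-supplied offsets.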