https://sourceware.org/bugzilla/show_bug.cgi?id=27288
Bug ID: 27288
Summary: Undefined negations and integer overflows in
elf_object_p() potentially crashing on some systems
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---
Created attachment 13179
--> https://sourceware.org/bugzilla/attachment.cgi?id=13179&action=edit
poc
= Attachment =
./memory
= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage memory
= Location =
../../bfd/elfcode.h:647
../../bfd/elfcode.h:757
../../bfd/elfcode.h:816
= Description =
In elfcode.h, in the function elf_object_p, multiple computations and comparisons are
unescaped. This may cause unintended program behavior.
elfcode.h:647
A negative value of i_ehdrp->e_shstrndx will cause the comparison to underflow
(i_ehdrp->e_shstrndx == (SHN_XINDEX & 0xffff))
elfcode.h:757
Small values of sh_addr in combination with large sh_offset cause a negative
value in an unsigned int in the conditional
((i_shdrp[shindex].sh_addr - i_shdrp[shindex].sh_offset) % ebd->minpagesize) != 0
elfcode.h:816
Negative value cannot be represented in type 'bfd_vma' (aka 'unsigned long')
= Fix =
Check that i_ehdrp->e_shstrndx is greater than or equal to zero
Cast to signed long
Cast to signed long
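A wraparound-free way to write the two checks the report points at, added here as an example that is not part of the report or of binutils: the ELF constants are the standard gABI values, while the function names, the return conventions and the sample values in main() are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard ELF special section indices (ELF gABI values). */
#define SHN_UNDEF      0x0000u
#define SHN_LORESERVE  0xff00u
#define SHN_XINDEX     0xffffu

/* Resolve the on-disk e_shstrndx to a usable section index.  The 16-bit
 * field is zero-extended into a 32-bit unsigned value and only ever compared,
 * never negated or subtracted, so no sign or wraparound question arises.
 * Returns the index (0 meaning "no section name string table"), or -1 if
 * the value is reserved or out of range for e_shnum.  */
int64_t resolve_shstrndx(uint16_t e_shstrndx, uint32_t e_shnum,
                         uint32_t shdr0_sh_link)
{
    uint32_t idx = e_shstrndx;
    if (idx == SHN_XINDEX)
        idx = shdr0_sh_link;          /* extended index lives in shdr[0].sh_link */
    else if (idx >= SHN_LORESERVE)
        return -1;                    /* other reserved indices name no section */
    if (idx == SHN_UNDEF)
        return 0;
    if (idx >= e_shnum)
        return -1;                    /* would index past the section table */
    return (int64_t)idx;
}

/* Page-congruence check for a section header: sh_addr and sh_offset must
 * agree modulo the target's minimum page size.  Comparing the two residues
 * gives the same answer as the report's (sh_addr - sh_offset) % minpagesize
 * for any power-of-two page size, but it never forms the difference, so an
 * sh_offset larger than sh_addr (the "0 - 180" case in the UBSan log) is
 * handled without an unsigned wraparound.  Returns 1 if congruent, else 0.  */
int section_page_congruent(uint64_t sh_addr, uint64_t sh_offset,
                           uint64_t minpagesize)
{
    if (minpagesize == 0)
        return 1;                     /* target imposes no page constraint */
    return (sh_addr % minpagesize) == (sh_offset % minpagesize);
}

int main(void)
{
    /* Constructed sample values, not taken from the attached PoC. */
    printf("e_shstrndx 0xffff via sh_link 65000 -> %lld\n",
           (long long)resolve_shstrndx(0xffff, 70000, 65000));
    printf("sh_addr 0, sh_offset 180, page 256 -> %d\n",
           section_page_congruent(0, 180, 256));
    return 0;
}
```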
= UBSan =
../../bfd/elfcode.h:647:35: runtime error: negation of 1 cannot be represented
in type 'unsigned int'
../../bfd/elfcode.h:757:39: runtime error: unsigned integer overflow: 0 - 180
cannot be represented in type 'unsigned long'
../../bfd/elfcode.h:816:46: runtime error: negation of 2 cannot be represented
in type 'bfd_vma' (aka 'unsigned long')