From: Mark Wielaard <mjw@redhat.com>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Thu, 13 Nov 2014 15:45:26 +0100 [thread overview]
Message-ID: <1415889926.5000.2.camel@bordewijk.wildebeest.org> (raw)
In-Reply-To: 20141111165753.GA11525@blokker.redhat.com
[-- Attachment #1: Type: text/plain, Size: 1319 bytes --]
On Tue, 2014-11-11 at 17:57 +0100, Mark Wielaard wrote:
> On Tue, Nov 11, 2014 at 02:57:05PM +0100, Hanno Böck wrote:
> > Am Tue, 11 Nov 2014 14:53:52 +0100
> > schrieb Mark Wielaard <mjw@redhat.com>:
> >
> > > On Tue, 2014-11-11 at 14:40 +0100, Hanno Böck wrote:
> > > > I still get a bunch of crashers with correct LD_LIBRARY_PATH on
> > > > readelf -a with 32 bit compile (CFLAGS="-m32 -g"):
> > > > sig:11,hash:378b8b26
> > > > sig:11,hash:1aa8d351
> > > > sig:11,hash:872fe371
> > > > from attachment eu-readelf-crasher-hangs-2.tar.xz
> > > >
> > > > and
> > > > id:000113,src:000000,op:flip32,pos:5474
> > > > id:000116,src:000000,op:flip32,pos:5554
> > > > from attachment
> > > > /tmp/elfutils-nm-crasher.tar.xz
> > >
> > > Could you attach or post those files somewhere?
> >
> > These are all in attachments of previous mails in this thread:
> >
> > eu-readelf-crasher-hangs-2.tar.xz
> > https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004237.html
> >
> > elfutils-nm-crasher.tar.xz
> > https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004249.html
>
> Aha, apparently I am unable to write correct overflow checks... sigh.
>
> Please try the following:
> [...]
I pushed this now to master as attached.
Cheers,
Mark
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-libelf-Fix-unsigned-overflow-check-in-elf_getdata.patch --]
[-- Type: text/x-patch, Size: 1456 bytes --]
From c50ddfca105a73f7567f3072831dcfbf49ad0567 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Thu, 13 Nov 2014 15:43:02 +0100
Subject: [PATCH] libelf: Fix unsigned overflow check in elf_getdata.
---
libelf/ChangeLog | 5 +++++
libelf/elf_getdata.c | 5 ++---
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index a9d8c6f..45e220d 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-11-13 Mark Wielaard <mjw@redhat.com>
+
+ * elf_getdata.c (__libelf_set_rawdata_wrlock): Fix unsigned overflow
+ check.
+
2014-11-08 Mark Wielaard <mjw@redhat.com>
* elf_begin.c (__libelf_next_arhdr_wrlock): Use mempcpy not __mempcpy.
diff --git a/libelf/elf_getdata.c b/libelf/elf_getdata.c
index 33d35d6..1ce1e23 100644
--- a/libelf/elf_getdata.c
+++ b/libelf/elf_getdata.c
@@ -245,9 +245,8 @@ __libelf_set_rawdata_wrlock (Elf_Scn *scn)
/* First see whether the information in the section header is
valid and it does not ask for too much. Check for unsigned
overflow. */
- if (unlikely (offset + size > elf->maximum_size
- || (offset + size + elf->maximum_size
- < elf->maximum_size)))
+ if (unlikely (offset > elf->maximum_size
+ || elf->maximum_size - offset < size))
{
/* Something is wrong. */
__libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
--
1.8.3.1
next reply other threads:[~2014-11-13 14:45 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-13 14:45 Mark Wielaard [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-11-13 21:55
2014-11-13 21:51 Mark Wielaard
2014-11-13 19:39
2014-11-11 16:57 Mark Wielaard
2014-11-11 13:57
2014-11-11 13:53 Mark Wielaard
2014-11-11 13:49 Petr Machata
2014-11-11 13:40
2014-11-11 13:30 Petr Machata
2014-11-11 13:15 Mark Wielaard
2014-11-11 10:31
2014-11-10 20:58 Mark Wielaard
2014-11-09 21:59
2014-11-09 16:57 Mark Wielaard
2014-11-08 16:10
2014-11-08 15:32 Mark Wielaard
2014-11-08 14:04 Mark Wielaard
2014-11-07 16:13
2014-11-07 15:45 Mark Wielaard
2014-11-07 15:32
2014-11-07 11:58 Mark Wielaard
2014-11-07 11:51 Mark Wielaard
2014-11-07 0:27
2014-11-06 18:25 Roland McGrath
2014-11-06 16:05 Mark Wielaard
2014-11-06 15:11 Mark Wielaard
2014-10-31 16:13
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1415889926.5000.2.camel@bordewijk.wildebeest.org \
--to=mjw@redhat.com \
--cc=elfutils-devel@lists.fedorahosted.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).