From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 114729 invoked by alias); 11 Jun 2018 15:52:45 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 114233 invoked by uid 89); 11 Jun 2018 15:52:44 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 11 Jun 2018 15:52:43 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id 5D3E7301470D for ; Mon, 11 Jun 2018 17:52:41 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 0EA61413CAAC; Mon, 11 Jun 2018 17:52:41 +0200 (CEST) Message-ID: <1528732360.12946.99.camel@klomp.org> Subject: Re: [PATCH] readelf: Fix bounds check in print_form_data. From: Mark Wielaard To: elfutils-devel@sourceware.org Date: Mon, 11 Jun 2018 15:52:00 -0000 In-Reply-To: <1528676283-13515-1-git-send-email-mark@klomp.org> References: <1528676283-13515-1-git-send-email-mark@klomp.org> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Evolution 3.22.6 (3.22.6-14.el7) Mime-Version: 1.0 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q2/txt/msg00207.txt.bz2 On Mon, 2018-06-11 at 02:18 +0200, Mark Wielaard wrote: > The afl fuzzer found that we did a wrong check in print_form_data when > comparing the remaining bytes in the buffer to an (unsigned) value read. > We were casting the value to ptrdiff_t which is a signed value and so > might turn a really big unsigned value into a negative number. Since we > know the difference between readendp and readp is zero or greater, we > should cast the pointer difference to size_t (and unsigned type) instead > before comparing with the unsigned value. Pushed to master