From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 30437 invoked by alias); 15 Jun 2018 22:24:54 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 30419 invoked by uid 89); 15 Jun 2018 22:24:53 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy=Hx-languages-length:377 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 15 Jun 2018 22:24:52 +0000 Received: from librem.wildebeest.org (deer0x15.wildebeest.org [172.31.17.151]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id DCC18300092E for ; Sat, 16 Jun 2018 00:24:40 +0200 (CEST) Received: by librem.wildebeest.org (Postfix, from userid 1000) id C43D8141B36; Sat, 16 Jun 2018 00:24:40 +0200 (CEST) Date: Fri, 15 Jun 2018 22:24:00 -0000 From: Mark Wielaard To: elfutils-devel@sourceware.org Subject: Re: [PATCH] readelf: While printing .debug_loc make sure that next_off doesn't overflow. Message-ID: <20180615222440.GB4102@wildebeest.org> References: <1528896285-26993-1-git-send-email-mark@klomp.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1528896285-26993-1-git-send-email-mark@klomp.org> User-Agent: Mutt/1.9.5 (2018-04-13) X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q2/txt/msg00219.txt.bz2 On Wed, Jun 13, 2018 at 03:24:45PM +0200, Mark Wielaard wrote: > Found by the afl fuzzer. The next offset (after a locview) comes from a > DIE loclist attribute. This could be a bogus value so large it overflows > the buffer and makes us print past the end of buffer. Pushed to master.