* [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c)
@ 2017-03-24 9:09 ago at gentoo dot org
2017-03-24 11:06 ` [Bug tools/21299] " mjw at redhat dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: ago at gentoo dot org @ 2017-03-24 9:09 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Bug ID: 21299
Summary: heap-based buffer overflow in handle_gnu_hash
(readelf.c)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ago at gentoo dot org
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 9936
--> https://sourceware.org/bugzilla/attachment.cgi?id=9936&action=edit
stacktrace
On elfutils-0.168:
# eu-readelf -a $FILE
READ of size 4 at 0x611000009ffc thread T0
#0 0x421a8b in handle_gnu_hash
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3268
Compiled with: gcc-6.3.0
Reproducer:
https://github.com/asarubbo/poc/blob/master/00225-elfutils-heapoverflow-handle_gnu_hash
Stacktrace attached.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
2017-03-24 9:09 [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c) ago at gentoo dot org
@ 2017-03-24 11:06 ` mjw at redhat dot com
2017-04-03 21:43 ` mark at klomp dot org
2017-04-10 7:26 ` ago at gentoo dot org
2 siblings, 0 replies; 4+ messages in thread
From: mjw at redhat dot com @ 2017-03-24 11:06 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Mark Wielaard <mjw at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mjw at redhat dot com
--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Thanks, it was an off-by-one sanity check.
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr,
++nsyms;
if (maxlength < ++lengths[cnt])
++maxlength;
- if (inner > max_nsyms)
+ if (inner >= max_nsyms)
goto invalid_data;
}
while ((chain[inner++] & 1) == 0);
max_nsyms is the maximum number, but inner is a zero-based index.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
2017-03-24 9:09 [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c) ago at gentoo dot org
2017-03-24 11:06 ` [Bug tools/21299] " mjw at redhat dot com
@ 2017-04-03 21:43 ` mark at klomp dot org
2017-04-10 7:26 ` ago at gentoo dot org
2 siblings, 0 replies; 4+ messages in thread
From: mark at klomp dot org @ 2017-04-03 21:43 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |mark at klomp dot org
Resolution|--- |FIXED
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
commit 9d84fdd78705d7a1b9947a9f4ca77fbccdd76d4a
Author: Mark Wielaard <mark@klomp.org>
Date: Fri Mar 24 12:15:02 2017 +0100
readelf: Fix off by one sanity check in handle_gnu_hash.
We sanity check to make sure we don't index outside the chain array
by testing inner > max_nsyms. But inner is a zero-based index, while
max_nsyms is the maximum number. Change the check to inner >= max_nsyms.
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Signed-off-by: Mark Wielaard <mark@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
2017-03-24 9:09 [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c) ago at gentoo dot org
2017-03-24 11:06 ` [Bug tools/21299] " mjw at redhat dot com
2017-04-03 21:43 ` mark at klomp dot org
@ 2017-04-10 7:26 ` ago at gentoo dot org
2 siblings, 0 replies; 4+ messages in thread
From: ago at gentoo dot org @ 2017-04-10 7:26 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
--- Comment #3 from Agostino Sarubbo <ago at gentoo dot org> ---
Mitre assigned CVE-2017-7607 to this issue.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-04-10 7:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-24 9:09 [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c) ago at gentoo dot org
2017-03-24 11:06 ` [Bug tools/21299] " mjw at redhat dot com
2017-04-03 21:43 ` mark at klomp dot org
2017-04-10 7:26 ` ago at gentoo dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).