From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug libdw/23541] heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156
Date: Fri, 17 Aug 2018 19:40:00 -0000 [thread overview]
Message-ID: <bug-23541-10460-DulB36JEy4@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-23541-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=23541
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I couldn't replicate with the given reproducer.
But it is pretty clear that we forget to check there is enough data available
when reading the aranges header in dwarf_getaranges.c. In particular we forget
to check we can actually read the address and segment size bytes.
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index bff9c860..de5b81ba 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges,
size_t *naranges)
length_bytes, &offset, IDX_debug_info, 4))
goto fail;
+ /* Next up two bytes for address and segment size. */
+ if (readp + 2 > readendp)
+ goto invalid;
+
unsigned int address_size = *readp++;
if (unlikely (address_size != 4 && address_size != 8))
goto invalid;
While checking similar code in readelf.c I found we have a similar check
missing, but this time just for the segment size:
diff --git a/src/readelf.c b/src/readelf.c
index 7b5707f8..7b488ac5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod
__attribute__ ((unused)),
goto next_table;
}
+ if (readp + 1 > readendp)
+ goto invalid_data;
unsigned int segment_size = *readp++;
printf (gettext (" Segment size: %6" PRIu64 "\n\n"),
(uint64_t) segment_size);
It looks like all other checks are in place, but this code could probably
benefit from some extra fuzzing.
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2018-08-17 19:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-17 4:06 [Bug libdw/23541] New: " wcventure at 126 dot com
2018-08-17 19:40 ` mark at klomp dot org [this message]
2018-08-18 20:50 ` [Bug libdw/23541] " mark at klomp dot org
2018-09-03 8:28 ` mark at klomp dot org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-23541-10460-DulB36JEy4@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=elfutils-devel@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).