From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 88379 invoked by alias); 17 Aug 2018 20:19:24 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 88267 invoked by uid 48); 17 Aug 2018 20:19:20 -0000 From: "mark at klomp dot org" To: elfutils-devel@sourceware.org Subject: [Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash Date: Fri, 17 Aug 2018 20:19:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: general X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: mark at klomp dot org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2018-q3/txt/msg00074.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D23542 Mark Wielaard changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mark at klomp dot org --- Comment #1 from Mark Wielaard --- Replicated under valgrind: =3D=3D12265=3D=3D Conditional jump or move depends on uninitialised value(s) =3D=3D12265=3D=3D at 0x1111E9: check_sysv_hash (elflint.c:2056) =3D=3D12265=3D=3D by 0x1111E9: check_hash.isra.14 (elflint.c:2356) =3D=3D12265=3D=3D by 0x117B80: check_sections (elflint.c:4162) =3D=3D12265=3D=3D by 0x119364: process_elf_file (elflint.c:4740) =3D=3D12265=3D=3D by 0x119364: process_file (elflint.c:242) =3D=3D12265=3D=3D by 0x10C57C: main (elflint.c:175) The issue is that the sanity check at the start of the function overflows because it does 32bit unsigned arithmetic. Changing it to do unsigned long = long arithmetic makes the check catch the issue: diff --git a/src/elflint.c b/src/elflint.c index eec799b2..9d49c47f 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx, Elf32_Word nbucket =3D ((Elf32_Word *) data->d_buf)[0]; Elf32_Word nchain =3D ((Elf32_Word *) data->d_buf)[1]; - if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word)) + if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word)) { ERROR (gettext ("\ section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"), --=20 You are receiving this mail because: You are on the CC list for the bug.