From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 71CE3398B40B; Fri, 23 Oct 2020 16:08:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 71CE3398B40B From: "mark at klomp dot org" To: elfutils-devel@sourceware.org Subject: [Bug libdw/26773] sleb128 values near INT64_MAX/MIN not correctly read Date: Fri, 23 Oct 2020 16:08:52 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libdw X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: mark at klomp dot org X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: elfutils-devel@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Elfutils-devel mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Oct 2020 16:08:52 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D26773 --- Comment #4 from Mark Wielaard --- (In reply to Josh Stone from comment #2) > (In reply to Tom Tromey from comment #1) > > This limits the number of bytes read-- but it seems like > > it maybe ought to read until the first byte without the > > high bit set. >=20 > Beware, golang just dealt with a CVE for reading unlimited varints: > https://github.com/golang/go/issues/40618 >=20 > (But the context is different since that's used in stuff like protocol > buffers that may be streamed.) Note that there are two "limits" in play here. For the normal get_sleb128 (__libdw_get_sleb128) variant we already require that and end pointer is provided, which we won't move past. We require the caller to make sure we c= an read at least the first byte. For the get_sleb128_unchecked (__libdw_get_sleb128_unchecked) variant we assume the called already knows there is a valid sleb128 at the given address, so we don't require an end pointer and can just read till the end (first byte that doesn't have the hi= gh bit set). The other limit is that we only read as many bytes that can "fit" the type. That is the "step limit" which is given by len_leb128 (int64_t) (or __libdw_max_len_uleb128/__libdw_max_len_sleb128 for the unchecked variant). This limits makes sure we don't "overflow" the int64_t or uint64_t. So we normally only read 10 bytes anyway. The bug is in "the other limit". For signed types we subtract 1 to make sur= e we didn't shift into the sign bit. But that means we can only read up to 9 byt= es of the sleb128 and will fail (return INT64_MAX and leave the addr pointer at the last byte instead of consuming it). I think Tom's suggestion to use an unsigned type for the sleb128 calculation and then cast it to int64_t when done is the correct fix. --=20 You are receiving this mail because: You are on the CC list for the bug.=