Bug 23932

Summary: integer overflow causes an endless loop
Product: binutils Reporter: Dongdong She <ds3619>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: UNCONFIRMED ---    
Severity: normal CC: nickc
Priority: P2    
Version: 2.30   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: malicious input that trigger the overflow

Description Dongdong She 2018-11-29 03:13:30 UTC
Created attachment 11419 [details]
malicious input that trigger the overflow

Integer-overflow bug in strip-new.
Description: There is a interger-overflow bug in binutils/bfd/elf.c:7036 IS_CONTAINED_BY_LMA(). There should be a boundary checking for this function.
Configure names: host='x86_64-pc-linux-gnu'  target='x86_64-pc-linux-gnu', we also upload the config.status file in the attachment.
Options: strip-new ./integer_overflow_input -o sss
Input: file interger_overflow_input
Comment 1 cvs-commit@gcc.gnu.org 2018-11-30 11:44:35 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7

commit beab453223769279cc1cef68a1622ab8978641f7
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 30 11:43:12 2018 +0000

    Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments.
    
    	PR 23932
    	* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
    	size.
    	(rewrite_elf_program_header): If no sections are mapped into a
    	segment return an error.
Comment 2 Nick Clifton 2018-11-30 11:48:03 UTC
Hi Dongdong,

  Thanks for reporting this problem.

  I have checked in a patch to resolve the issue.  It adds a check for a 
  possible integer overflow, as you suggested, and it replaced a call to
  abort with a more reasonable error return.

Cheers
  Nick