| Summary: | heap-based buffer overflow in handle_gnu_hash (readelf.c) | ||
|---|---|---|---|
| Product: | elfutils | Reporter: | Agostino Sarubbo <ago> |
| Component: | tools | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | elfutils-devel, mark |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
| Attachments: | stacktrace | ||
|
Description
Agostino Sarubbo
2017-03-24 09:09:12 UTC
Thanks, it was an off-by-one sanity check.
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr,
++nsyms;
if (maxlength < ++lengths[cnt])
++maxlength;
- if (inner > max_nsyms)
+ if (inner >= max_nsyms)
goto invalid_data;
}
while ((chain[inner++] & 1) == 0);
max_nsyms is the maximum number, but inner is a zero-based index.
commit 9d84fdd78705d7a1b9947a9f4ca77fbccdd76d4a Author: Mark Wielaard <mark@klomp.org> Date: Fri Mar 24 12:15:02 2017 +0100 readelf: Fix off by one sanity check in handle_gnu_hash. We sanity check to make sure we don't index outside the chain array by testing inner > max_nsyms. But inner is a zero-based index, while max_nsyms is the maximum number. Change the check to inner >= max_nsyms. https://sourceware.org/bugzilla/show_bug.cgi?id=21299 Signed-off-by: Mark Wielaard <mark@klomp.org> Mitre assigned CVE-2017-7607 to this issue. |