| Summary: | heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) | ||
|---|---|---|---|
| Product: | elfutils | Reporter: | Agostino Sarubbo <ago> |
| Component: | tools | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | elfutils-devel, mark |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
| Attachments: | stacktrace | ||
|
Description
Agostino Sarubbo
2017-03-24 09:16:14 UTC
Nice find. The issue is with notes that have a zero sized name (and also no descriptor data at the end of a note section). "The system reserves note information with no name (namesz==0) and with a zero-length name (name[0]=='\0') but currently defines no types. All other names must have at least one non-null character." So we must explicitly check for namesz == 0 before using the name data in the note. Posted a patch: https://sourceware.org/ml/elfutils-devel/2017-q1/msg00111.html commit b0b58c5e0b34e54194aa042f2310af58ee7de603 Author: Mark Wielaard <mark@klomp.org> Date: Fri Mar 24 14:10:26 2017 +0100 Use the empty string for note names with zero size (without any data). ELF notes can have a zero sized name. In which case there is no data at all (so also no zero terminator). Make sure to use the empty string for such notes if the code does not otherwise explicitly check n_namesz. https://sourceware.org/bugzilla/show_bug.cgi?id=21300 Signed-off-by: Mark Wielaard <mark@klomp.org> Mitre assigned CVE-2017-7608 to this issue. |