Summary: | An Out of Memory problem was discovered in function in read_long_names in elf_begin.c in libelf | ||
---|---|---|---|
Product: | elfutils | Reporter: | wcventure <wcventure> |
Component: | libelf | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | elfutils-devel, mark |
Priority: | P2 | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | ||
Attachments: | POC |
Description
wcventure
2019-01-11 06:27:30 UTC
Please use the "./eu-ar -tv $POC" to reproduce the bug. If you have any questions, please let me know. I am not sure this is a real issue. The read_long_names code does the following: newp = (char *) malloc (len); if (newp != NULL) And if it is newp NULL is returned, which is then interpreted as an error: /* No long name table although it is reference. The archive is broken. */ __libelf_seterrno (ELF_E_INVALID_ARCHIVE); return -1; There are also checks that no more data is read than there is in the file, so if len is really big and malloc still succeeds that is also flagged as a corrupt file. So, yeah, a malloc call might fail on an invalid file, but nothing bad will happen. If you do feel it is an issue. We could move up the size checks, so no malloc is done at all if len is really weird and we know the malloc would probably fail anyway. CVE-2019-7148 commit e32380ecefbb23448541367283d3b94930762986 Author: Mark Wielaard <mark@klomp.org> Date: Thu Feb 14 11:47:59 2019 +0100 libelf: Make sure ar_size is terminated when reading ar long names. The ar_size is given as a fixed size decimal string, right padded with spaces. Make sure we read it properly even if there is no terminating space. Also sanity check len early if we can. https://sourceware.org/bugzilla/show_bug.cgi?id=24085 Signed-off-by: Mark Wielaard <mark@klomp.org> |