Bug 19518 - readelf - missing return value check in MIPS timestamp d_tag processing
Summary: readelf - missing return value check in MIPS timestamp d_tag processing
Status: RESOLVED DUPLICATE of bug 17531
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.24
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2016-01-25 12:41 UTC by vpb
Modified: 2016-01-25 14:24 UTC



Attachments
AFL generated test case (66 bytes, application/x-executable)
2016-01-25 12:41 UTC, vpb

Description vpb 2016-01-25 12:41:23 UTC
Created attachment 8923 [details]
AFL generated test case

readelf tries to access invalid memory when parsing timestamp dtag entries from MIPS binaries:

Relevant code from readelf.c:

static void
dynamic_section_mips_val (Elf_Internal_Dyn * entry)
{
  switch (entry->d_tag)
    {
    // ...
    case DT_MIPS_TIME_STAMP:
      {
        char timebuf[20];
        struct tm * tmp;

        time_t atime = entry->d_un.d_val;
        tmp = gmtime (&atime);   /* returns NULL when atime cannot be represented */
        snprintf (timebuf, sizeof (timebuf), "%04u-%02u-%02uT%02u:%02u:%02u",
                  tmp->tm_year + 1900, tmp->tm_mon + 1, tmp->tm_mday,
                  tmp->tm_hour, tmp->tm_min, tmp->tm_sec);
        printf (_("Time Stamp: %s"), timebuf);
      }
      break;
    // ...

Since tmp can be NULL if atime is invalid, the subsequent snprintf() call results in a segmentation fault. 

The attached binary can be used to reproduce the problem.
Comment 1 Nick Clifton 2016-01-25 14:24:43 UTC
(In reply to vpb from comment #0)
 
>         tmp = gmtime (&atime); 
>         snprintf (timebuf, sizeof (timebuf), "%04u-%02u-%02uT%02u:%02u:%02u",
 
> Since tmp can be NULL if atime is invalid, the subsequent snprintf() call
> results in a segmentation fault. 
 
This has already been fixed in 2.25 and later releases of binutils.  The relevant code now looks like:

	tmp = gmtime (&atime);
	/* PR 17531: file: 6accc532.  */
	if (tmp == NULL)
	  snprintf (timebuf, sizeof (timebuf), _("<corrupt>"));
	else
	  snprintf (timebuf, sizeof (timebuf), "%04u-%02u-%02uT%02u:%02u:%02u",

Cheers
  Nick

*** This bug has been marked as a duplicate of bug 17531 ***
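The following is an added, stand-alone example (not readelf's own code and not part of this bug report) that shows the checked pattern from comment 1 applied to the DT_MIPS_TIME_STAMP value described in the report: gmtime() returns NULL when the year does not fit in tm_year, and the caller must test for that before touching the struct. The function name format_mips_timestamp, the dyn_val typedef (standing in for readelf's bfd_vma, assumed 64-bit like time_t on the test host) and the sample d_val values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the DT_MIPS_TIME_STAMP d_val that readelf reads
   from the dynamic section; readelf's own type is bfd_vma, assumed 64-bit. */
typedef uint64_t dyn_val;

/* Format a DT_MIPS_TIME_STAMP value the way the fixed readelf does.
   Returns 1 when the value was formatted, 0 when gmtime() rejected it and
   buf holds the "<corrupt>" marker instead.  The NULL check is the whole
   fix: without it a crafted d_val dereferences a NULL struct tm.  */
static int
format_mips_timestamp (dyn_val d_val, char *buf, size_t buflen)
{
  time_t atime = (time_t) d_val;
  struct tm *tmp = gmtime (&atime);

  if (tmp == NULL)
    {
      /* glibc and musl return NULL (errno EOVERFLOW) when the year
         does not fit in an int; treat the field as corrupt.  */
      snprintf (buf, buflen, "<corrupt>");
      return 0;
    }

  /* 19 characters plus the terminator fit exactly in a 20-byte buffer.  */
  snprintf (buf, buflen, "%04d-%02d-%02dT%02d:%02d:%02d",
            tmp->tm_year + 1900, tmp->tm_mon + 1, tmp->tm_mday,
            tmp->tm_hour, tmp->tm_min, tmp->tm_sec);
  return 1;
}

/* Constructed sample d_val values: the epoch, the report's own date, and a
   value far beyond what gmtime() can represent with an int tm_year.  */
static const dyn_val sample_values[] = {
  0ULL,
  1453725683ULL,          /* 2016-01-25T12:41:23 UTC */
  0x7fffffffffffffffULL,  /* overflows tm_year: gmtime() returns NULL */
};

int
main (void)
{
  char timebuf[20];
  size_t i;

  for (i = 0; i < sizeof sample_values / sizeof sample_values[0]; i++)
    {
      int ok = format_mips_timestamp (sample_values[i], timebuf, sizeof timebuf);
      printf ("Time Stamp: %s%s\n", timebuf, ok ? "" : " (rejected by gmtime)");
    }
  return 0;
}
```

The unchecked version on this page behaves identically for the first two values and segfaults on the third; keeping the return value of gmtime() separate from the formatted string lets a caller distinguish a genuinely corrupt field from a well-formed one without parsing the output.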