Created attachment 9944 [details]
stacktrace

On elfutils-0.168:

# eu-elflint -d $FILE
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x4267eb in check_symtab_shndx /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961

Compiled with: gcc-6.3.0

Reproducer:
https://github.com/asarubbo/poc/blob/master/00234-elfutils-heapoverflow-check_symtab_shndx

Stacktrace attached.
eu-elflint isn't very robust against totally bogus ELF data, but this issue is easy to fix: https://sourceware.org/ml/elfutils-devel/2017-q1/msg00129.html
commit 9a0d9d314a6342b56e3277bd7ad7ecb6e73a7d38
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Mar 27 23:59:02 2017 +0200

    elflint: Check symbol table data is big enough before checking.

    Before checking symbol index zero we should make sure the data size is
    big enough.

    https://sourceware.org/bugzilla/show_bug.cgi?id=21310

    Signed-off-by: Mark Wielaard <mark@klomp.org>
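The guard the commit message describes, shown as an added example written for this page. It is not elfutils' own code and not the actual patch (that is at the sourceware link above): a small checker takes a .symtab section's raw bytes plus the header's sh_entsize, refuses to read symbol index zero unless the data holds at least one whole entry, and only then applies the reserved-entry (all zero) check the spec requires. The elf64_sym_t layout is the System V ABI one, written out locally so the example builds without <elf.h>; the names check_sym0 and symtab_count and the three sample buffers are constructed for the example, not taken from the reproducer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ELF64 symbol table entry (System V ABI layout, 24 bytes). Defined
   locally so the example builds without <elf.h>. */
typedef struct {
    uint32_t st_name;
    uint8_t  st_info;
    uint8_t  st_other;
    uint16_t st_shndx;
    uint64_t st_value;
    uint64_t st_size;
} elf64_sym_t;

enum {
    SYM0_OK = 0,
    SYM0_BAD_ENTSIZE,   /* sh_entsize does not match the entry layout */
    SYM0_TOO_SHORT,     /* section data cannot hold even one entry */
    SYM0_NOT_ZERO       /* index zero is not the all-zero STN_UNDEF entry */
};

/* Validate symbol index zero of a .symtab section. `data`/`size` are the
   section contents as found in the file, `entsize` is the header's
   sh_entsize. Every one of these values is attacker-controlled input. */
int check_sym0(const unsigned char *data, size_t size, size_t entsize)
{
    if (entsize != sizeof(elf64_sym_t))
        return SYM0_BAD_ENTSIZE;
    /* The guard the commit describes: a bogus section header may claim a
       symbol table whose data is shorter than one entry. Without this
       test, reading index zero runs past the end of the buffer. */
    if (size < entsize)
        return SYM0_TOO_SHORT;
    elf64_sym_t sym;
    memcpy(&sym, data, sizeof sym);   /* memcpy: file data need not be aligned */
    /* The ELF spec reserves index zero: every field must be zero. */
    if (sym.st_name || sym.st_info || sym.st_other || sym.st_shndx ||
        sym.st_value || sym.st_size)
        return SYM0_NOT_ZERO;
    return SYM0_OK;
}

/* Number of complete entries in the section, or -1 if the size is not a
   whole multiple of the entry size (another sign of a corrupt header). */
long symtab_count(size_t size, size_t entsize)
{
    if (entsize == 0 || size % entsize != 0)
        return -1;
    return (long)(size / entsize);
}

/* Constructed inputs (hypothetical, not the reproducer from the report). */
const unsigned char sym_good[24] = { 0 };   /* proper STN_UNDEF entry */
const unsigned char sym_short[4] = { 0 };   /* header lies: only 4 bytes of data */
const unsigned char sym_dirty[24] = {
    0, 0, 0, 0,  0, 0,  0, 0,                 /* st_name, st_info, st_other, st_shndx */
    0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0,       /* st_value nonzero (0x12345678 little-endian) */
    0, 0, 0, 0, 0, 0, 0, 0                    /* st_size */
};

int main(void)
{
    static const char *names[] = { "ok", "bad entsize", "too short", "sym0 not zero" };
    printf("good : %s\n", names[check_sym0(sym_good, sizeof sym_good, 24)]);
    printf("short: %s\n", names[check_sym0(sym_short, sizeof sym_short, 24)]);
    printf("dirty: %s\n", names[check_sym0(sym_dirty, sizeof sym_dirty, 24)]);
    printf("count(48, 24) = %ld, count(50, 24) = %ld\n",
           symtab_count(48, 24), symtab_count(50, 24));
    return 0;
}
```

The order of the checks is the point: entry size, then data size, then the contents of entry zero. A linter that applies the content check first trusts sh_size from the file it is supposed to be validating, which is exactly the over-read the report above triggers with 4 bytes of "symbol table".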
Pushed
Mitre assigned CVE-2017-7611 to this issue.