Created attachment 9945 [details]
stacktrace

Hoping that it does not have the same root cause as bug 21310.

On elfutils-0.168:

# eu-elflint -d $FILE
READ of size 4 at 0x60b00000aff4 thread T0
    #0 0x40b36a in check_sysv_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2020

Compiled with: gcc-6.3.0

Reproducer: https://github.com/asarubbo/poc/blob/master/00235-elfutils-heapoverflow-check_sysv_hash

Stacktrace attached.
We were a little too trusting of the data we were checking. https://sourceware.org/ml/elfutils-devel/2017-q1/msg00131.html
commit 61fe61898747f63eb35a81c2261f3590a3dab8fd
Author: Mark Wielaard <mark@klomp.org>
Date:   Tue Mar 28 00:38:52 2017 +0200

    elflint: Don't trust sh_entsize when checking hash sections.

    Calculate and use the expected entsize instead of relying on the one
    given by the ELF file section header. Return early if there isn't
    enough data in the section to check the full hash table.

    https://sourceware.org/bugzilla/show_bug.cgi?id=21311

    Signed-off-by: Mark Wielaard <mark@klomp.org>
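The pattern the commit describes, shown as an added stand-alone example (this is not elfutils' code and does not reproduce its check_sysv_hash): the SysV hash table's entry size is derived from the format rather than read from sh_entsize, and the section size is checked against the whole table (header, nbucket bucket words, nchain chain words) before any entry is read, so an oversized nbucket or nchain in the header makes the validator return early instead of reading past the section. The status enum, the function names, the little-endian 4-byte-word layout and the sample tables are all constructed assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of validating a SysV-style .hash table. Constructed for this
   example; these are not elfutils' own status codes. */
enum sysv_hash_status {
    SYSV_HASH_OK = 0,
    SYSV_HASH_TRUNCATED,   /* header or full table does not fit in the section */
    SYSV_HASH_BAD_BUCKET,  /* a bucket entry indexes past nchain */
    SYSV_HASH_BAD_CHAIN    /* a chain entry indexes past nchain */
};

/* Little-endian 32-bit word helpers (assumption: little-endian file data). */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Validate the SysV hash table held in data[0..size).
   The entry size is derived from the format (4-byte words; assumption: the
   classic layout, not the 8-byte variant some 64-bit targets use) and is
   never taken from sh_entsize, which is only compared against the expected
   value so the caller can report the mismatch. Every read is preceded by a
   size check, so a header advertising a huge nbucket or nchain cannot drive
   reads past the end of the buffer. */
static enum sysv_hash_status
check_sysv_hash(const unsigned char *data, size_t size,
                uint64_t sh_entsize, int *entsize_mismatch)
{
    const size_t entsize = sizeof(uint32_t);    /* expected, not trusted */
    *entsize_mismatch = (sh_entsize != entsize);

    /* The header itself (nbucket, nchain) must fit before it is touched. */
    if (size < 2 * entsize)
        return SYSV_HASH_TRUNCATED;
    uint32_t nbucket = rd32(data);
    uint32_t nchain  = rd32(data + entsize);

    /* 64-bit arithmetic so nbucket + nchain cannot wrap a 32-bit counter. */
    uint64_t needed = ((uint64_t)2 + nbucket + nchain) * entsize;
    if (needed > size)
        return SYSV_HASH_TRUNCATED;             /* return early, as the fix does */

    const unsigned char *buckets = data + 2 * entsize;
    const unsigned char *chains  = buckets + (size_t)nbucket * entsize;

    /* Every bucket/chain value is a symbol index and must be < nchain. */
    for (uint32_t i = 0; i < nbucket; i++)
        if (rd32(buckets + (size_t)i * entsize) >= nchain)
            return SYSV_HASH_BAD_BUCKET;
    for (uint32_t i = 0; i < nchain; i++)
        if (rd32(chains + (size_t)i * entsize) >= nchain)
            return SYSV_HASH_BAD_CHAIN;
    return SYSV_HASH_OK;
}

/* Build a constructed, well-formed table: nbucket=2, nchain=3,
   buckets {1, 2}, chains {0, 0, 1}. Returns the number of bytes written. */
static size_t build_sample_hash(unsigned char *buf, size_t cap)
{
    static const uint32_t words[] = { 2, 3, 1, 2, 0, 0, 1 };
    size_t n = sizeof words / sizeof words[0];
    if (cap < n * sizeof(uint32_t))
        return 0;
    for (size_t i = 0; i < n; i++)
        wr32(buf + i * sizeof(uint32_t), words[i]);
    return n * sizeof(uint32_t);
}

/* Constructed scenarios: a valid table plus the malformed headers the
   size check is there to catch. */
static enum sysv_hash_status do_case(int which, int *mismatch)
{
    unsigned char buf[64];
    size_t n = build_sample_hash(buf, sizeof buf);
    uint64_t sh_entsize = 4;
    switch (which) {
    case 0: break;                            /* well-formed table */
    case 1: sh_entsize = 8; break;            /* section header lies about entsize */
    case 2: n -= 4; break;                    /* last chain entry cut off */
    case 3: wr32(buf, 0xffffffffu); break;    /* nbucket far larger than section */
    case 4: wr32(buf + 8, 3); break;          /* bucket[0] == nchain, out of range */
    case 5: wr32(buf + 16, 7); break;         /* chain[0] out of range */
    }
    return check_sysv_hash(buf, n, sh_entsize, mismatch);
}

static enum sysv_hash_status case_status(int which) { int m; return do_case(which, &m); }
static int case_entsize_mismatch(int which) { int m; do_case(which, &m); return m; }

int main(void)
{
    for (int i = 0; i <= 5; i++)
        printf("case %d: status %d, sh_entsize mismatch %d\n",
               i, (int)case_status(i), case_entsize_mismatch(i));
    return 0;
}
```

Case 1 is the point of the commit: the bogus sh_entsize is reported but never used for addressing, so validation still succeeds on the well-formed data; cases 2 and 3 show the early return when the table the header describes does not fit in the section.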
Pushed