Bug 23765 - Malformed ELF header causes Out of Bounds read
Summary: Malformed ELF header causes Out of Bounds read
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: gold
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Cary Coutant
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-12 14:06 UTC by Dusan Repel
Modified: 2022-06-27 13:59 UTC
CC: 7 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-08-06 00:00:00


Attachments
64-byte ELF header (34 bytes, application/x-object)
2018-10-12 14:06 UTC, Dusan Repel

Description Dusan Repel 2018-10-12 14:06:14 UTC
Created attachment 11320
64-byte ELF header

An improper validation of the e_shoff ELF header field causes an out-of-bounds read when calculating a view offset into a mapped input file.

Occurs in gold v1.11-v1.16 (Binutils v2.21-v2.31).

Tested on 64-bit Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Reproduce with "./gold testcase.o".
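Added illustration, not code from gold or from the reporter's attachment: a minimal bounds check on e_shoff for a little-endian ELF64 header, showing the two conditions a reader must enforce before turning the field into an offset into the mapped file (the "negative as ssize_t" condition the committed fix checks, and the general file-size bound). Field offsets come from the ELF64 specification; check_case and its zero-filled sample file are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF64 header layout (little-endian): field offsets used below. */
#define EH_SIZE      64
#define EH_SHOFF     0x28   /* e_shoff:     Elf64_Off  (8 bytes) */
#define EH_SHENTSIZE 0x3a   /* e_shentsize: Elf64_Half (2 bytes) */
#define EH_SHNUM     0x3c   /* e_shnum:     Elf64_Half (2 bytes) */

static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns 0 if the section header table described by the header lies entirely
 * inside a file of file_size bytes, -1 otherwise. A reader that skips this and
 * computes "mapping + e_shoff" directly reads outside the mapping (PR 23765). */
int section_table_in_bounds(const uint8_t *file, size_t file_size) {
    if (file_size < EH_SIZE || memcmp(file, "\x7f" "ELF", 4) != 0) return -1;
    uint64_t shoff = rd_le(file + EH_SHOFF, 8);
    uint64_t shentsize = rd_le(file + EH_SHENTSIZE, 2);
    uint64_t shnum = rd_le(file + EH_SHNUM, 2);
    if (shnum == 0) return 0;                  /* no section table to read */
    /* The committed fix rejects a start offset that is negative as ssize_t;
     * an e_shoff with its top bit set is exactly that case. */
    if (shoff > (uint64_t)INT64_MAX) return -1;
    /* General bound: the offset and the whole table must fit inside the file. */
    if (shoff > file_size) return -1;
    if (shentsize * shnum > file_size - shoff) return -1;  /* product <= 2^32, no overflow */
    return 0;
}

/* Constructed test input: a zeroed "file" of file_size bytes (max 256) holding a
 * 64-byte ELF64 header with the given section-table fields; returns the check result,
 * or -2 if the requested file is larger than the buffer. */
int check_case(uint64_t shoff, uint16_t shentsize, uint16_t shnum, size_t file_size) {
    uint8_t buf[256];
    if (file_size > sizeof buf) return -2;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1;                    /* ELFCLASS64, ELFDATA2LSB */
    for (int i = 0; i < 8; i++) buf[EH_SHOFF + i] = (uint8_t)(shoff >> (8 * i));
    for (int i = 0; i < 2; i++) {
        buf[EH_SHENTSIZE + i] = (uint8_t)(shentsize >> (8 * i));
        buf[EH_SHNUM + i] = (uint8_t)(shnum >> (8 * i));
    }
    return section_table_in_bounds(buf, file_size);
}
```

A file shorter than 64 bytes, like the 34-byte attachment on this bug, is rejected before any field is read at all.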
Comment 1 Nick Clifton 2019-08-06 13:17:57 UTC
I have proposed a patch here:

https://www.sourceware.org/ml/binutils/2019-08/msg00022.html
Comment 2 Lokesh Janghel 2020-02-21 08:22:18 UTC
Hi Nick,
The proposed patch from your side seems to be ok.
I have verified for the error generated without segmentation fault on the latest trunk sources.

Please let me know if it is ok to go with this.
Comment 3 Lokesh Janghel 2020-02-21 08:23:50 UTC
Hi Nick,
The proposed patch from your side seems to be ok.
I have verified for the error generated without segmentation fault on the latest trunk sources.

Please let me know if it is ok to go with this.
Comment 4 Nick Clifton 2020-02-21 11:02:55 UTC
(In reply to Lokesh Janghel from comment #3)

> Please let me know is it ok to go with this.

Sorry - I am not a maintainer for gold. You will need to ping Ian <iant@google.com> and/or Cary <ccoutant@gmail.com>.

Cheers
  Nick
Comment 5 Randy Macleod 2021-02-22 22:58:56 UTC
The simple patch that calls gold_fatal() on:
   if (((ssize_t) start) < 0)
has been on the list since Feb 2020. Not a big deal but distro maintainers like moi would like to close CVEs without carrying local commits where possible...
Comment 6 pgowda 2022-04-18 11:02:07 UTC
Hi @Ian @Cary,

Can you please let us know whether this patch will be committed?

Thanks,
Pgowda
Comment 7 Ian Lance Taylor 2022-04-18 19:45:27 UTC
The patch in comment #1 is fine.  Nick, go ahead and commit.  Thanks.
Comment 8 pgowda 2022-06-27 09:47:07 UTC
Hi @Nick

Can you please commit the patch as it's approved.
It would help us pick the committed sources.

Thanks,
Pgowda
Comment 9 Sourceware Commits 2022-06-27 12:08:11 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a4fc266dbf77ed7ab83da16468e9ba627b8bc2d

commit 2a4fc266dbf77ed7ab83da16468e9ba627b8bc2d
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jun 27 13:07:40 2022 +0100

    Have gold's File_read::do_read() function check the start parameter
    
            PR 23765
            * fileread.cc (File_read::do_read): Check start parameter before
            computing number of bytes to read.
Comment 10 Nick Clifton 2022-06-27 12:08:41 UTC
Patch applied.
Comment 11 Nick Clifton 2022-06-27 12:09:56 UTC
Hi Pgowda,

> https://sourceware.org/bugzilla/show_bug.cgi?id=23765

> Can you please commit the patch as it's approved.
> It would help us pick the committed sources.

Done.

Sorry about that - I missed Ian's approval of the patch and just,
well, forgot about it!  Doh.

Cheers
   Nick
Comment 12 pgowda 2022-06-27 13:59:41 UTC
@Nick

Thanks very much for committing the patch.

Pgowda