Bug 23932 - integer overflow causes an endless loop
Summary: integer overflow causes an endless loop
Status: UNCONFIRMED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2018-11-29 03:13 UTC by Dongdong She
Modified: 2018-11-30 11:48 UTC

Attachments
malicious input that triggers the overflow (2.44 KB, application/x-core)
2018-11-29 03:13 UTC, Dongdong She

Description Dongdong She 2018-11-29 03:13:30 UTC
Created attachment 11419
malicious input that triggers the overflow

Integer-overflow bug in strip-new.
Description: There is an integer-overflow bug in binutils/bfd/elf.c:7036 IS_CONTAINED_BY_LMA(). There should be boundary checking for this function.
Configure names: host='x86_64-pc-linux-gnu'  target='x86_64-pc-linux-gnu'. We also uploaded the config.status file in the attachment.
Options: strip-new ./integer_overflow_input -o sss
Input: file interger_overflow_input
Comment 1 cvs-commit@gcc.gnu.org 2018-11-30 11:44:35 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7

commit beab453223769279cc1cef68a1622ab8978641f7
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 30 11:43:12 2018 +0000

    Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments.
    
    	PR 23932
    	* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
    	size.
    	(rewrite_elf_program_header): If no sections are mapped into a
    	segment return an error.
Comment 2 Nick Clifton 2018-11-30 11:48:03 UTC
Hi Dongdong,

  Thanks for reporting this problem.

  I have checked in a patch to resolve the issue.  It adds a check for a
  possible integer overflow, as you suggested, and it replaces a call to
  abort with a more reasonable error return.

Cheers
  Nick
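
The bug class discussed in this report, shown as an added illustration that is not the binutils source or the committed patch: a "section lies inside segment" test that forms `lma + size` wraps when the size is huge, next to a form that cannot wrap. The type `struct range`, the functions `contained_naive` and `contained_checked`, and all sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified record (not a BFD type): a load address and a size,
   both taken unvalidated from the input file. */
struct range { uint64_t lma; uint64_t size; };

/* Naive containment test. sec.lma + sec.size is computed modulo 2^64, so a
   huge size (one that would be negative if read as signed) wraps the sum to a
   small value and the section is wrongly reported as inside the segment. */
static bool contained_naive(struct range sec, struct range seg)
{
    return sec.lma >= seg.lma
        && sec.lma + sec.size <= seg.lma + seg.size;
}

/* Overflow-safe containment test: compare via subtractions that cannot wrap
   instead of forming lma + size. */
static bool contained_checked(struct range sec, struct range seg)
{
    if (sec.lma < seg.lma)
        return false;                     /* starts before the segment */
    if (seg.size > UINT64_MAX - seg.lma)
        return false;                     /* segment end itself would wrap */
    uint64_t off = sec.lma - seg.lma;     /* safe: sec.lma >= seg.lma */
    return off <= seg.size && sec.size <= seg.size - off;
}

int main(void)
{
    /* Constructed sample values, not taken from the attached reproducer. */
    struct range seg     = { 0x400000, 0x1000 };
    struct range good    = { 0x400800, 0x800 };
    struct range wrapped = { 0x400800, 0xffffffffffffff00ULL };

    printf("good:    naive=%d checked=%d\n",
           contained_naive(good, seg), contained_checked(good, seg));
    printf("wrapped: naive=%d checked=%d\n",
           contained_naive(wrapped, seg), contained_checked(wrapped, seg));
    return 0;
}
```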