This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
- From: "mark at klomp dot org" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Fri, 17 Aug 2018 20:19:18 +0000
- Subject: [Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
- Auto-submitted: auto-generated
- References: <bug-23542-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:
==12265== Conditional jump or move depends on uninitialised value(s)
==12265== at 0x1111E9: check_sysv_hash (elflint.c:2056)
==12265== by 0x1111E9: check_hash.isra.14 (elflint.c:2356)
==12265== by 0x117B80: check_sections (elflint.c:4162)
==12265== by 0x119364: process_elf_file (elflint.c:4740)
==12265== by 0x119364: process_file (elflint.c:242)
==12265== by 0x10C57C: main (elflint.c:175)
The issue is that the sanity check at the start of the function overflows
because it does 32-bit unsigned arithmetic. Changing it to do unsigned long long
arithmetic makes the check catch the issue:
diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..9d49c47f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data
*data, int idx,
Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+ if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected
%ld)\n"),
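Review bot: the `2ULL` on the `+` line is the right place for the promotion, because nbucket and nchain are Elf32_Word values read straight from the file and their sum can wrap in 32-bit arithmetic before the multiply by sizeof; a one-line comment saying the ULL literal is deliberate would keep a later cleanup from reverting it to a plain `2`. The ERROR call in the trailing context still prints the "expected" size with `%ld`; if that argument is computed with the same `(2 + nbucket + nchain) * sizeof (Elf32_Word)` expression, it should be promoted the same way and the format specifier matched to the resulting type, otherwise the check is now correct but the diagnostic can still report a wrapped value.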
--
You are receiving this mail because:
You are on the CC list for the bug.