[Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash

["mark at klomp dot org" <sourceware-bugzilla at sourceware dot org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=23542

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:

==12265== Conditional jump or move depends on uninitialised value(s)
==12265==    at 0x1111E9: check_sysv_hash (elflint.c:2056)
==12265==    by 0x1111E9: check_hash.isra.14 (elflint.c:2356)
==12265==    by 0x117B80: check_sections (elflint.c:4162)
==12265==    by 0x119364: process_elf_file (elflint.c:4740)
==12265==    by 0x119364: process_file (elflint.c:242)
==12265==    by 0x10C57C: main (elflint.c:175)


The issue is that the sanity check at the start of the function overflows
because it does 32bit unsigned arithmetic. Changing it to do unsigned long long
arithmetic makes the check catch the issue:

diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..9d49c47f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data
*data, int idx,
   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];

-  if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+  if (shdr->sh_size  < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
     {
       ERROR (gettext ("\
 section [%2d] '%s': hash table section is too small (is %ld, expected
%ld)\n"),

-- 
You are receiving this mail because:
You are on the CC list for the bug.