This is the mail archive of the mailing list for the elfutils project.
Re: Bugzilla component missing and another (minor) fuzzing-related bug report
- From: Alexander Cherepanov <ch3root at openwall dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Mon, 19 Oct 2015 03:50:26 +0300
- Subject: Re: Bugzilla component missing and another (minor) fuzzing-related bug report
On 2015-06-24 11:14, Mark Wielaard wrote:
>>> The attached file will cause a huge malloc allocation with elfutils' nm
>>> tool. This will crash if you try to run it with address sanitizer.
>>> The reason is likely that nm will try to allocate space for something
>>> based on the header value - no matter if that value makes any sense. A
>>> sanity check that checks in such cases if the file itself is smaller
>>> than the supposedly allocated memory could avoid that.
>> I've reported several similar issues before. Mark replied:
>> "I believe the "Argument 'size' of function malloc has a fishy (possibly
>> negative) value" in dwarf_begin_elf.c (check_section) is correct, but
>> harmless. We do check the value doesn't actually overflow, the allocation
>> will likely fail, but that is also checked."
> But in this case as far as I know these kinds of malloc argument checks
> are indeed just noise. We do check the results of malloc everywhere
> (or should at least). I might be wrong of course, or miss something
> subtle. So please do let me know if you think it is something to fix
> differently from how we handle it currently.
gcc doesn't support objects more than half the address space in size --
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67999 . So if you are
malloc'ing >2GB on 32-bit platforms you should be concerned.
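As an added defensive example (not code from this thread or from elfutils), the two sanity checks the thread describes applied to a size field read from a constructed toy header: reject the size if it exceeds the bytes actually present in the file or PTRDIFF_MAX (half the address space, the largest object gcc supports), and still check malloc's result afterwards. The toy header layout, `read_le32` and `load_toy_section` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sanity check for a size that came from an untrusted file header.
   Two limits, both taken from the thread: the object cannot be larger than
   the file it claims to describe, and it cannot exceed PTRDIFF_MAX, i.e.
   half the address space, the largest object gcc supports (which is why a
   >2GB malloc on a 32-bit platform should be rejected, not attempted).
   Returns 1 if the size may be used for an allocation, 0 otherwise. */
int header_size_is_sane(uint64_t header_size, size_t file_size)
{
    if (header_size > (uint64_t) PTRDIFF_MAX)
        return 0;
    if (header_size > (uint64_t) file_size)
        return 0;
    return 1;
}

/* Read a 32-bit little-endian field (hypothetical toy header layout). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Toy "section loader": the first 4 bytes of the file are the section size,
   the section payload follows. Allocates and copies the payload only when
   the header size passes the sanity check and malloc succeeds; otherwise
   returns NULL. The caller frees the result. */
void *load_toy_section(const unsigned char *file, size_t file_len)
{
    if (file_len < 4)
        return NULL;
    uint32_t sec_size = read_le32(file);
    /* Compare against the payload actually present, not the whole file. */
    if (!header_size_is_sane(sec_size, file_len - 4))
        return NULL;
    void *buf = malloc(sec_size);
    if (buf == NULL)   /* malloc's result is still checked, as elfutils does */
        return NULL;
    memcpy(buf, file + 4, sec_size);
    return buf;
}

/* Constructed inputs: a header claiming a ~2GB section inside an 8-byte file,
   and a consistent one claiming a 4-byte section. */
const unsigned char bogus_file[8] = { 0xff, 0xff, 0xff, 0x7f, 'd', 'a', 't', 'a' };
const unsigned char sane_file[8]  = { 0x04, 0x00, 0x00, 0x00, 'd', 'a', 't', 'a' };
```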