readelf: fixes for multiple crashes

Bug #614206 reported by Dan Rosenberg
Affects            Status        Importance  Assigned to  Milestone
binutils           Fix Released  Medium
binutils (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

Binary package hint: binutils

readelf crashes very easily when parsing malformed binaries. The attached patch fixes three floating point exceptions (divide-by-zero) and approximately 13 out-of-bounds reads (due to null pointer dereference, integer overflows, and bad array indexing). I have test files that trigger each of these crashes, but the patch should be pretty self-explanatory. I've tested the patch, confirmed it breaks no functionality, and that it resolves each of my crash files. I'm not flagging security since none of these crashes appear to be exploitable for anything beyond crashing readelf.

Let me know if you'd like me to send this upstream or if you're going to take care of it.

Revision history for this message
Dan Rosenberg (dan-j-rosenberg) wrote :

Apologies, minor indexing tweak.

Revision history for this message
In , Dan Rosenberg (dan-j-rosenberg) wrote :

readelf crashes very easily when parsing malformed binaries. The attached patch
fixes three floating point exceptions (divide-by-zero) and approximately 13
out-of-bounds reads (due to null pointer dereference, integer overflows, and bad
array indexing). I have test files that trigger each of these crashes, but the
patch should be pretty self-explanatory. I've tested the patch, confirmed it
breaks no functionality, and that it resolves each of my crash files:

(Patch hosted on Ubuntu's Launchpad)
http://launchpadlibrarian.net/53144133/readelf-crashes.patch

Revision history for this message
In , Dan Rosenberg (dan-j-rosenberg) wrote :

Created attachment 4916
Fix for readelf crashes

Revision history for this message
Dan Rosenberg (dan-j-rosenberg) wrote :

Patch v3, fixed casts to work properly on 64-bit machines.

Revision history for this message
In , Dan Rosenberg (dan-j-rosenberg) wrote :

Created attachment 4917
Revised patch, fixed casts

Fixed to work on 64-bit platforms

tags: added: patch
Revision history for this message
Matthias Klose (doko) wrote :

> Let me know if you'd like me to send this upstream or if you're going to take care of it.

thanks for the patch! I would appreciate it if you could upstream it.

Changed in binutils:
status: Unknown → Confirmed
tags: added: patch-forwarded-upstream
removed: patch
Revision history for this message
Vish (vish) wrote :

Thanks for sending the patch upstream.

Marking bug triaged, medium as requested by Mohamed Amine IL Idrissi.

Changed in binutils (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package binutils - 2.20.51.20100813-1ubuntu1

---------------
binutils (2.20.51.20100813-1ubuntu1) maverick; urgency=low

  * Merge with Debian.

binutils (2.20.51.20100813-1) experimental; urgency=low

  * Snapshot, taken from the trunk 20100813.

  [ Jonathan Nieder ]
  * Remove ld.bfd from binutils-multiarch (not that useful without an
    multiarch assembler).

  [ Marcin Juszkiewicz ]
  * Revert sysroot to / for cross builds. LP: #598389.
  * Generate debian/control for native and cross builds. LP: #612629.
  * Provide packaging rules in -source package. LP: #608745.

  [ Matthias Klose ]
  * Don't apply patches, when PATCHED_SOURCES is set to `yes'.
  * Proposed patch for PR11889, readelf crashes for malformed binaries
    (Dan Rosenberg). LP: #614206.
 -- Matthias Klose <email address hidden> Fri, 13 Aug 2010 13:26:32 +0200

Changed in binutils (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
In , Cvs-commit (cvs-commit) wrote :

Subject: Bug 11889

CVSROOT: /cvs/src
Module name: src
Changes by: <email address hidden> 2010-08-13 16:02:17

Modified files:
 binutils : ChangeLog readelf.c

Log message:
 PR binutils/11889
 * readelf.c (get_32bit_elf_symbols): Check for a corrupt
 sh_entsize.
 (get_64bit_elf_symbols): Likewise.
 (process_symbol_table): Likewise.
 (process_section_groups): Check for corrupt headers.
 (process_version_sections): Check for corrupt indices.
 (process_corefile_note_segment): Likewise.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&r1=1.1670&r2=1.1671
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&r1=1.512&r2=1.513

Revision history for this message
In , Nickc (nickc) wrote :

Hi Dan,

  Thanks for the bug report and patch. I have checked it in, modulo a few
formatting fixes, along with this changelog entry.

Cheers
  Nick

binutils/ChangeLog
2010-08-13 Dan Rosenberg <email address hidden>

 PR binutils/11889
 * readelf.c (get_32bit_elf_symbols): Check for a corrupt
 sh_entsize.
 (get_64bit_elf_symbols): Likewise.
 (process_symbol_table): Likewise.
 (process_section_groups): Check for corrupt headers.
 (process_version_sections): Check for corrupt indices.
 (process_corefile_note_segment): Likewise.

Changed in binutils:
status: Confirmed → Fix Released
Changed in binutils:
importance: Unknown → Medium
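The bug description lists divide-by-zero, integer overflow and bad array indexing as the crash classes, and the ChangeLog above names the fields whose values readelf trusted: sh_entsize in the symbol table readers, section group headers, version section indices and the core note segment. The C below is an added example written for this page of what those checks look like in a hardened ELF reader; it is not readelf's code and does not reproduce the patch. The struct layouts, error codes and function names are simplified stand-ins chosen here (not binutils identifiers), and the headers and note bytes in main() are constructed.

```c
/* Added example, not readelf's code: validation a hardened ELF reader does
 * before trusting sh_entsize, sh_size, sh_link, version indices and note
 * lengths from an untrusted file. Structs are simplified Elf64 stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified section header: only the fields the checks look at. */
struct shdr {
    uint32_t sh_type;
    uint32_t sh_link;     /* index of an associated section (e.g. strtab) */
    uint64_t sh_offset;
    uint64_t sh_size;
    uint64_t sh_entsize;  /* size of one table entry; 0 = no fixed size */
};
/* ELF note header (Elf64_Nhdr layout); n_namesz/n_descsz come from the file. */
struct nhdr { uint32_t n_namesz; uint32_t n_descsz; uint32_t n_type; };

#define SYM_SIZE 24u      /* sizeof(Elf64_Sym) */

enum { ELF_OK = 0, ELF_BAD_ENTSIZE = -1, ELF_BAD_SIZE = -2,
       ELF_BAD_LINK = -3, ELF_BAD_INDEX = -4, ELF_OVERFLOW = -5 };

/* The naive count: a zero sh_entsize is an immediate SIGFPE, and nothing
 * ties sh_size to the real file size. Only call this on a vetted header. */
static uint64_t symbol_count_naive(const struct shdr *s)
{
    return s->sh_size / s->sh_entsize;
}

/* Hardened count: ELF_OK and *count on success, a negative code otherwise. */
int symbol_count_checked(const struct shdr *s, uint64_t file_size,
                         uint64_t *count)
{
    if (s->sh_entsize != SYM_SIZE)      /* also rejects sh_entsize == 0 */
        return ELF_BAD_ENTSIZE;
    if (s->sh_size % s->sh_entsize != 0)
        return ELF_BAD_SIZE;            /* trailing partial entry */
    if (s->sh_offset > file_size || s->sh_size > file_size - s->sh_offset)
        return ELF_BAD_SIZE;            /* table runs past end of file */
    *count = symbol_count_naive(s);
    /* count * SYM_SIZE is the usual allocation size; guard it on 32-bit hosts. */
    if (*count > SIZE_MAX / SYM_SIZE)
        return ELF_OVERFLOW;
    return ELF_OK;
}

/* sh_link selects another section header; bound it by the header count
 * before using it as an array index into the section header table. */
int check_link(const struct shdr *s, uint32_t shnum)
{
    return s->sh_link < shnum ? ELF_OK : ELF_BAD_LINK;
}

/* .gnu.version is one uint16_t per symbol; refuse an index past the end. */
int versym_lookup(const uint16_t *versym, uint64_t nversym,
                  uint64_t symidx, uint16_t *out)
{
    if (symidx >= nversym)
        return ELF_BAD_INDEX;
    *out = versym[symidx];
    return ELF_OK;
}

/* Walk a note segment (core files carry PT_NOTE), rejecting an entry whose
 * 4-byte-padded name and descriptor would run past the segment.
 * Returns the number of notes, or a negative code. */
int walk_notes(const unsigned char *seg, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        struct nhdr h;
        if (len - off < sizeof h)
            return ELF_BAD_SIZE;        /* truncated header */
        memcpy(&h, seg + off, sizeof h);
        /* 64-bit arithmetic so the alignment rounding cannot wrap. */
        uint64_t body = (((uint64_t)h.n_namesz + 3) & ~(uint64_t)3)
                      + (((uint64_t)h.n_descsz + 3) & ~(uint64_t)3);
        if (body > (uint64_t)(len - off - sizeof h))
            return ELF_BAD_SIZE;        /* name/desc overrun the segment */
        off += sizeof h + (size_t)body;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed headers: a sane 2-entry .symtab and one with sh_entsize 0. */
    struct shdr good = { 2, 3, 64, 2 * SYM_SIZE, SYM_SIZE };
    struct shdr zero = { 2, 3, 64, 2 * SYM_SIZE, 0 };
    uint64_t n = 0;
    printf("good: rc=%d count=%llu\n",
           symbol_count_checked(&good, 4096, &n), (unsigned long long)n);
    printf("zero entsize: rc=%d\n", symbol_count_checked(&zero, 4096, &n));
    return 0;
}
```

The check that matters for the divide-by-zero is the first one in symbol_count_checked: compare sh_entsize against the expected entry size before dividing, which rejects zero without a separate test. The remaining checks cover the other classes the report mentions: sh_size against the file size, the sh_link index against the header count, the version index against the array length, and note lengths against the segment, computed in 64 bits so a 32-bit host cannot wrap the rounding.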