Joseph Koshy
-
2014-03-17
- assigned_to: Joseph Koshy
Based on r2983.

At line 87 of libelf/elf_scn.c, shoff can be a very large number, so src is pointing to a memory address that is invalid. This will cause a segfault. A test case for this bug is attached and the command is elfdump elfdump-0-80-A. gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x000000000041e540 in _libelf_cvt_SHDR64_tom (dst=0x6330f0 "", dsz=64, src=0x2aaaaa9088c6 <Address 0x2aaaaa9088c6 out of bounds>, count=0, byteswap=1) at libelf_convert.c:1661
1661 READ_WORD(s,t.sh_name);
#0 0x000000000041e540 in _libelf_cvt_SHDR64_tom (dst=0x6330f0 "", dsz=64, src=0x2aaaaa9088c6 <Address 0x2aaaaa9088c6 out of bounds>, count=0, byteswap=1) at libelf_convert.c:1661
#1 0x000000000040e59c in _libelf_load_section_headers (e=0x633010, ehdr=0x6330a0) at elf_scn.c:107
#2 0x000000000040e6f9 in elf_getscn (e=0x633010, index=0) at elf_scn.c:145
#3 0x0000000000403a8f in load_sections (ed=0x7fffffffd4e0) at elfdump.c:1329
#4 0x0000000000403820 in elf_print_elf (ed=0x7fffffffd4e0) at elfdump.c:1271
#5 0x000000000040372c in elf_print_object (ed=0x7fffffffd4e0) at elfdump.c:1237
#6 0x000000000040311a in main (ac=1, av=0x7fffffffd670) at elfdump.c:941
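The report above boils down to a missing bounds check: e_shoff is taken from an untrusted file and turned into a pointer into the mapped image before anyone verifies that the section header table actually lies inside the file. Below is an added illustration of the check a loader needs before computing that pointer; it is example code written for this note, not elftoolchain's libelf. It reads the ELF64 header fields at their specification offsets (e_shoff at 0x28, e_shentsize at 0x3a, e_shnum at 0x3c) directly from a byte buffer, honours EI_DATA for endianness, and compares before subtracting so a huge e_shoff cannot wrap the arithmetic. The count=0 in the backtrace suggests e_shnum was zero in the test file; with a non-zero e_shoff that means the real section count lives in shdr[0].sh_size, so at least one header entry must still fit in the file, which the check accounts for. The sample images built by make_image are constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 layout constants per the ELF specification (assumed, not from the ticket). */
#define EHDR64_SIZE     64
#define SHDR64_SIZE     64
#define EI_DATA_OFF     5      /* 1 = little endian, 2 = big endian */
#define E_SHOFF_OFF     0x28   /* Elf64_Off  e_shoff     */
#define E_SHENTSIZE_OFF 0x3a   /* Elf64_Half e_shentsize */
#define E_SHNUM_OFF     0x3c   /* Elf64_Half e_shnum     */

/* Read an n-byte unsigned integer from p in the file's byte order. */
static uint64_t rd(const unsigned char *p, size_t n, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        size_t idx = big_endian ? i : n - 1 - i;
        v = (v << 8) | p[idx];
    }
    return v;
}

/*
 * Return 1 if the section header table described by the ELF64 header in
 * img[0..fsz) lies wholly inside the image (or is absent), 0 otherwise.
 * On success *shoff_out receives e_shoff, which is then safe to add to img.
 */
int shdr_table_in_bounds(const unsigned char *img, size_t fsz, uint64_t *shoff_out)
{
    if (img == NULL || fsz < EHDR64_SIZE)
        return 0;

    int be = img[EI_DATA_OFF] == 2;
    uint64_t shoff     = rd(img + E_SHOFF_OFF, 8, be);
    uint64_t shentsize = rd(img + E_SHENTSIZE_OFF, 2, be);
    uint64_t shnum     = rd(img + E_SHNUM_OFF, 2, be);

    if (shoff == 0) {                 /* no section header table at all */
        if (shoff_out) *shoff_out = 0;
        return 1;
    }
    if (shentsize != SHDR64_SIZE)     /* strict: entries must be Elf64_Shdr sized */
        return 0;

    /* e_shnum == 0 with e_shoff != 0: real count is in shdr[0].sh_size,
       so one entry must still be readable. shnum <= 65535, no overflow. */
    uint64_t entries = shnum ? shnum : 1;

    if (shoff > fsz)                  /* compare first; never compute fsz - shoff blindly */
        return 0;
    if (entries * SHDR64_SIZE > fsz - shoff)
        return 0;

    if (shoff_out) *shoff_out = shoff;
    return 1;
}

/* Build a constructed little-endian ELF64 image with the given header values. */
void make_image(unsigned char *img, size_t fsz, uint64_t shoff,
                uint16_t shentsize, uint16_t shnum)
{
    memset(img, 0, fsz);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2;                       /* ELFCLASS64 */
    img[EI_DATA_OFF] = 1;             /* little endian */
    for (int i = 0; i < 8; i++)
        img[E_SHOFF_OFF + i] = (unsigned char)(shoff >> (8 * i));
    img[E_SHENTSIZE_OFF]     = shentsize & 0xff;
    img[E_SHENTSIZE_OFF + 1] = shentsize >> 8;
    img[E_SHNUM_OFF]         = shnum & 0xff;
    img[E_SHNUM_OFF + 1]     = shnum >> 8;
}

/* Well-formed image: header followed by one section header. Expect 1. */
int demo_valid_image(void)
{
    unsigned char img[128];
    uint64_t off = 0;
    make_image(img, sizeof img, 64, 64, 1);
    return shdr_table_in_bounds(img, sizeof img, &off) && off == 64;
}

/* Huge e_shoff with e_shnum == 0, like the crashing input. Expect 0. */
int demo_huge_shoff(void)
{
    unsigned char img[128];
    make_image(img, sizeof img, 0xffffffffffffff00ULL, 64, 0);
    return shdr_table_in_bounds(img, sizeof img, NULL);
}

/* e_shnum == 0 but no room for the extended-count entry. Expect 0. */
int demo_shnum_zero_no_room(void)
{
    unsigned char img[64];
    make_image(img, sizeof img, 64, 64, 0);
    return shdr_table_in_bounds(img, sizeof img, NULL);
}

int main(void)
{
    printf("valid image: %d\n", demo_valid_image());
    printf("huge e_shoff: %d\n", demo_huge_shoff());
    printf("e_shnum 0, no room: %d\n", demo_shnum_zero_no_room());
    return 0;
}
```

The order of the two comparisons matters: checking shoff against fsz before forming fsz - shoff is what keeps an attacker-controlled offset from wrapping the subtraction, and bounding the product by the remaining bytes rather than by fsz alone is what rejects a table that starts inside the file but runs past its end.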