#442 infinite loop and potential segfault in dump_mips_options() in readelf.c

Milestone: RELEASE_1_0
Status: closed
Owner: Ed Maste
Labels: None
Resolution: FIXED
Component: readelf
Updated: 2015-04-17
Created: 2014-03-07
Creator: antiAgainst
Private: No

Based on r2983.

In summary, at line 4102 of readelf.c, size - 8 is added to p in order to move forward. However, size - 8 can be a negative number, in which case p moves backward. This will potentially cause a segfault in the end. The test program is attached and the command is readelf -a readelf-5-327. For this particular test program, readelf outputs "Section ERROR contains:" and then stays there. gdb's output after interrupting the execution with Ctrl+C:

#0  0x000000000040a5e4 in dump_mips_option_flags (name=0x4573ff "HWAND", opt=0x66c980 <mips_hwa_option>, info=0) at readelf.c:4113
#1  0x000000000040a4ab in dump_mips_options (re=0x7fffffffd4f0, s=0x66f220) at readelf.c:4071
#2  0x000000000040a108 in dump_mips_specific_info (re=0x7fffffffd4f0) at readelf.c:3979
#3  0x000000000040a803 in dump_arch_specific_info (re=0x7fffffffd4f0) at readelf.c:4162
#4  0x0000000000410c43 in dump_elf (re=0x7fffffffd4f0) at readelf.c:6224
#5  0x000000000041139a in dump_object (re=0x7fffffffd4f0) at readelf.c:6374
#6  0x00000000004123ea in main (argc=1, argv=0x7fffffffd6d8) at readelf.c:6841

At line 4044 of dump_mips_options() there is a while loop. pe is never changed within the loop, and p is incremented by size - 8 at line 4102. The value of size before line 4102 is 0. This is the 5th section, which starts at offset 0x210 in the test program.

......
0000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000220: 0000 0000 0000 0000 0000 0000 0000 0000  ................
......
1 Attachments
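The loop the report describes, as an added example that is not part of this ticket or of elftoolchain's readelf.c: each descriptor in a MIPS .options section begins with an 8-byte Elf_Options header whose size byte counts the whole descriptor, so advancing by size - 8 after reading the header goes backward whenever size is below 8, which is what the all-zero section at 0x210 produces. The header layout and the kind values are those of the MIPS ABI; the little-endian reads, the sample buffers and the bounds-checked walker are constructed here and are one way to make the loop terminate, not the change made in r3187.

```c
/*
 * Added example, not elftoolchain code.  It models the loop described in
 * the report: each MIPS .options descriptor starts with an 8-byte
 * Elf_Options header whose 'size' byte counts the whole descriptor, and
 * the walker advances by size - 8 after consuming the header.  A size
 * below 8 (zero in the attached test file) moves the cursor backward.
 *
 * Assumed header layout (MIPS ABI Elf_Options, read little-endian here):
 *   uint8_t  kind;     descriptor kind (ODK_*)
 *   uint8_t  size;     descriptor size in bytes, header included
 *   uint16_t section;  section index the descriptor applies to
 *   uint32_t info;     kind-specific flags
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ODK_HDR_SIZE 8

struct odk_desc {
	uint8_t kind;
	uint8_t size;
	uint16_t section;
	uint32_t info;
};

/* The step "p += size - 8" takes once the header has been read. */
long
unchecked_step(uint8_t size)
{
	/* uint8_t promotes to int, so any size below 8 yields a negative step. */
	return (long)size - ODK_HDR_SIZE;
}

/*
 * Bounds-checked walker.  Fills up to 'max' descriptors and returns how
 * many the section holds, or -1 if a header is truncated or a descriptor
 * claims a size smaller than its own header or beyond the section end.
 */
int
walk_mips_options(const uint8_t *buf, size_t len, struct odk_desc *out, int max)
{
	const uint8_t *p = buf, *pe = buf + len;
	int n = 0;

	while (p < pe) {
		if ((size_t)(pe - p) < ODK_HDR_SIZE)
			return -1;		/* truncated header */
		struct odk_desc d;
		d.kind = p[0];
		d.size = p[1];
		d.section = (uint16_t)(p[2] | (p[3] << 8));
		d.info = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
		    ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
		/* Reject sizes that would move p backward or past the end. */
		if (d.size < ODK_HDR_SIZE || (size_t)d.size > (size_t)(pe - p))
			return -1;
		if (n < max)
			out[n] = d;
		n++;
		p += d.size;			/* advances by at least 8 */
	}
	return n;
}

/* Constructed input: 32 zero bytes, like the dump at 0x210 in the report. */
int
demo_zero_section(void)
{
	static const uint8_t zeros[32] = { 0 };
	struct odk_desc d[4];
	return walk_mips_options(zeros, sizeof(zeros), d, 4);
}

/* Constructed input: ODK_NULL (size 8), then ODK_HWAND (kind 7) with 8 payload bytes. */
int
demo_valid_section(void)
{
	static const uint8_t good[] = {
		0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,	/* kind 0, size 8 */
		0x07, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,	/* kind 7, size 16 */
		0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22,	/* 8 payload bytes */
	};
	struct odk_desc d[4];
	return walk_mips_options(good, sizeof(good), d, 4);
}

int
main(void)
{
	printf("step for size 0: %ld\n", unchecked_step(0));
	printf("zero section: %d descriptors\n", demo_zero_section());
	printf("valid section: %d descriptors\n", demo_valid_section());
	return 0;
}
```

With the all-zero buffer, unchecked_step(0) is -8, which is the backward move the report observes; the checked walker instead refuses the first descriptor. The size check must hold for every descriptor, not just the first, since a well-formed descriptor followed by a zero-sized one hits the same loop.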

Discussion

  • Ed Maste

    Ed Maste - 2015-04-17
    • status: new --> closed
    • assigned_to: Ed Maste
    • Resolution: --> FIXED
     
  • Ed Maste

    Ed Maste - 2015-04-17

    fixed in [r3187]

     

    Related

    Commit: [r3187]

