https://sourceware.org/bugzilla/show_bug.cgi?id=27285
Bug ID: 27285
Summary: False results/ misinformation, unpredictable behavior
and potential crash through 2 Integer Overflows in
elf32_avr_get_memory_usage() based on
bfd_section_size()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---
= Attachment =
./poc1
= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage poc1
= Location =
od-elf32_avr.c:177 and od-elf32_avr.c:178
elf32_avr_get_memory_usage()
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L177
= Description =
If the sum of the sizes of the text segment, data segment and bootloader
exceeds len(bfd_size_type) bytes an integer overflow occurs in bfd_size_type
variable text_usage causing Undefined Behavior and potential crashes/ misuse
later on.
The same counts if the sum of the data segment, bss segment and uninitialized
segment's sizes exceeds len(bfd_size_type) bytes a few lines further down in
the same function.
= Fix =
Cast the result of bfd_section_size() to 32 bit.
Fixing the return value of bfd_section_size() should fix both bugs.
--
You are receiving this mail because:
You are on the CC list for the bug.
