Re: [PATCH, dwarflint] Explicitly qualify specializations of elfutils::to_string
On 23.02.2018. 17:47, Djordje Todorovic wrote:
> This looks good to me, but Mark or someone else must approve.

Looks good to me too. Thanks. Pushed to dwarflint branch.

Cheers,
Mark
[PATCH] elflint: Make sure we can read a whole element when iterating over group.
Change the for loop so that we can always read a full element. https://sourceware.org/bugzilla/show_bug.cgi?id=22892 Signed-off-by: Mark Wielaard --- src/ChangeLog | 5 + src/elflint.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 0ae01e92..e73c6154 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-02-09 Mark Wielaard + + * elflint.c (check_group): Make sure we can read a complete + element when iterating over the group. + 2018-02-09 Mark Wielaard * readelf.c (attr_callback): Handle DW_FORM_data16 as Dwarf_Block. diff --git a/src/elflint.c b/src/elflint.c index df1b3a03..ebb0e4e0 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -2713,7 +2713,7 @@ section [%2d] '%s': section group with only one member\n"), ERROR (gettext ("section [%2d] '%s': unknown section group flags\n"), idx, section_name (ebl, idx)); - for (cnt = elsize; cnt < data->d_size; cnt += elsize) + for (cnt = elsize; cnt + elsize <= data->d_size; cnt += elsize) { #if ALLOW_UNALIGNED val = *((Elf32_Word *) ((char *) data->d_buf + cnt)); -- 2.16.1
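Review bot: the new loop condition in check_group, `for (cnt = elsize; cnt + elsize <= data->d_size; cnt += elsize)`, closes the off-by-one in the old `cnt < data->d_size` test, which let the final iteration start a read inside the buffer but finish past `d_size` when `*((Elf32_Word *) ((char *) data->d_buf + cnt))` was dereferenced (the heap-buffer-overflow of bug 22892); since `cnt` starts at `elsize` and advances by `elsize`, every element read now lies fully inside the section data. Two follow-ups: unless something earlier in check_group already rejects a `d_size` that is not a multiple of `elsize`, a trailing partial element is now skipped silently rather than reported as a malformed group, so consider adding an ERROR for that case; and the ChangeLog entry is dated 2018-02-09 although the bug was only confirmed on 2018-02-26, so the date looks stale.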
[Bug general/22892] heap-buffer-overflow in check_group function (src/elflint.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=22892

Mark Wielaard changed:

What             |Removed     |Added
Status           |UNCONFIRMED |ASSIGNED
Last reconfirmed |            |2018-02-26
CC               |            |mark at klomp dot org
Ever confirmed   |0           |1

--- Comment #1 from Mark Wielaard ---
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q1/msg00055.html

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22865

--- Comment #1 from Mark Wielaard ---
*** Bug 22864 has been marked as a duplicate of this bug. ***
[Bug tools/22864] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22864

Mark Wielaard changed:

What       |Removed     |Added
Status     |UNCONFIRMED |RESOLVED
CC         |            |mark at klomp dot org
Resolution |---         |DUPLICATE

--- Comment #1 from Mark Wielaard ---
Bug #22865 looks the same, but has an actual poc attached.

*** This bug has been marked as a duplicate of bug 22865 ***
[Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22865

Mark Wielaard changed:

What |Removed |Added
CC   |        |mark at klomp dot org

--- Comment #2 from Mark Wielaard ---
Could you give a bit more information on how you build and run eu-objdump?
I am unable to replicate your results with the given poc. It simply works as intended:

$ eu-objdump -d ./b
./b: elf64-elf_x86_64
Disassembly of section .fini:
    :48 83 ec 08 sub $0x8,%rsp
aaae:48 83 c4 08 add $0x8,%rsp
aab2:c3 retq

Also it is somewhat surprising that it crashes for you inside default_syscall_abi (), because that doesn't seem to be called, which indicates the error is somewhere else.
[Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22865

--- Comment #3 from Mark Wielaard ---
*** Bug 22863 has been marked as a duplicate of this bug. ***
[Bug tools/22863] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22863

Mark Wielaard changed:

What       |Removed     |Added
Status     |UNCONFIRMED |RESOLVED
CC         |            |mark at klomp dot org
Resolution |---         |DUPLICATE

--- Comment #1 from Mark Wielaard ---
This is the same as bug #22865 with the poc inside a zip file. The binaries are identical.

*** This bug has been marked as a duplicate of bug 22865 ***