libelfin icon indicating copy to clipboard operation
libelfin copied to clipboard

Published 20 hours ago verified publisher icon aclements

found integer overflow bugs

Open lometsj opened this issue 2 years ago • 2 comments

found integer overflow bug

by source code audit,i just found integer overflow at function load(...) which return pointer on mmap address. var offset and size can assumed as u64 so in this case, if offset and size big enough,it may cause Addition overflow and return a pointer points to invalid address.

mmap_loader.cc:48:

        const void *load(off_t offset, size_t size)
        {
                if (offset + size > lim) //         integer overflow here
                        throw range_error("offset exceeds file size");
                return (const char*)base + offset;
        }

here a sample: a.zip which i just modify the offset of program_head to -1(0xffffffffffffffff)

$readelf -h a
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401040
  Start of program headers:          -1 (bytes into file)    //  modify offset here
  Start of section headers:          23000 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         13
  Size of section headers:           64 (bytes)
  Number of section headers:         31
  Section header string table index: 30
readelf: a: Error: Reading 728 bytes extends past end of file for program headers

use ./dump-segments a Screenshot from 2023-01-14 01-26-41

and this is a batch problem at elf.cc which cause segmentation violation

elf/elf.cc
  70,44:         } *core_hdr = (struct core_hdr*)l->load(0, sizeof *core_hdr);
  87,30:         const void *hdr = l->load(0, hdr_size);
  97,35:         const void *seg_data = l->load(m->hdr.phoff,
  105,35:         const void *sec_data = l->load(m->hdr.shoff,
  191,46:                 m->data = m->f.get_loader()->load(m->hdr.offset,
  270,46:                 m->data = m->f.get_loader()->load(m->hdr.offset, m->hdr.size);

An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service (DoS).

lometsj avatar Jan 13 '23 17:01 lometsj

This issue appears to have CVE-2023-24180 assigned.

carnil avatar Mar 31 '23 16:03 carnil

https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

Making use of these might help?

darealshinji avatar Oct 27 '23 23:10 darealshinji