search

aclements / libelfin

C++11 ELF/DWARF parser
MIT License
314 stars 99 forks source link

found integer overflow bugs #75

Open lometsj opened 1 year ago

lometsj commented 1 year ago

found integer overflow bug

by source code audit,i just found integer overflow at function load(...) which return pointer on mmap address. var offset and size can assumed as u64 so in this case, if offset and size big enough,it may cause Addition overflow and return a pointer points to invalid address.

mmap_loader.cc:48:

        const void *load(off_t offset, size_t size)
        {
                if (offset + size > lim) //         integer overflow here
                        throw range_error("offset exceeds file size");
                return (const char*)base + offset;
        }

here a sample: a.zip which i just modify the offset of program_head to -1(0xffffffffffffffff)

$readelf -h a
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401040
  Start of program headers:          -1 (bytes into file)    //  modify offset here
  Start of section headers:          23000 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         13
  Size of section headers:           64 (bytes)
  Number of section headers:         31
  Section header string table index: 30
readelf: a: Error: Reading 728 bytes extends past end of file for program headers

use ./dump-segments a Screenshot from 2023-01-14 01-26-41

and this is a batch problem at elf.cc which cause segmentation violation

elf/elf.cc
  70,44:         } *core_hdr = (struct core_hdr*)l->load(0, sizeof *core_hdr);
  87,30:         const void *hdr = l->load(0, hdr_size);
  97,35:         const void *seg_data = l->load(m->hdr.phoff,
  105,35:         const void *sec_data = l->load(m->hdr.shoff,
  191,46:                 m->data = m->f.get_loader()->load(m->hdr.offset,
  270,46:                 m->data = m->f.get_loader()->load(m->hdr.offset, m->hdr.size);

An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service (DoS).

carnil commented 1 year ago

This issue appears to have CVE-2023-24180 assigned.

darealshinji commented 10 months ago

https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

Making use of these might help?