Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-24180: found integer overflow bugs · Issue #75 · aclements/libelfin

Libelfin v0.3 was discovered to contain an integer overflow in the load function at elf/mmap_loader.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted elf file.

CVE
Open in Source
#vulnerability#mac#dos

found integer overflow bug

by source code audit,i just found integer overflow at function load(…) which return pointer on mmap address.
var offset and size can assumed as u64
so in this case, if offset and size big enough,it may cause Addition overflow and return a pointer points to invalid address.

mmap_loader.cc:48:

        const void *load(off_t offset, size_t size)
        {
                if (offset + size > lim) //         integer overflow here
                        throw range_error("offset exceeds file size");
                return (const char*)base + offset;
        }

here a sample:
a.zip
which i just modify the offset of program_head to -1(0xffffffffffffffff)

$readelf -h a
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401040
  Start of program headers:          -1 (bytes into file)    //  modify offset here
  Start of section headers:          23000 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         13
  Size of section headers:           64 (bytes)
  Number of section headers:         31
  Section header string table index: 30
readelf: a: Error: Reading 728 bytes extends past end of file for program headers

use ./dump-segments a

and this is a batch problem at elf.cc which cause segmentation violation

elf/elf.cc
  70,44:         } *core_hdr = (struct core_hdr*)l->load(0, sizeof *core_hdr);
  87,30:         const void *hdr = l->load(0, hdr_size);
  97,35:         const void *seg_data = l->load(m->hdr.phoff,
  105,35:         const void *sec_data = l->load(m->hdr.shoff,
  191,46:                 m->data = m->f.get_loader()->load(m->hdr.offset,
  270,46:                 m->data = m->f.get_loader()->load(m->hdr.offset, m->hdr.size);

An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service (DoS).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE