CVE-2021-33294: [COMMITTED] readelf: Sanity check verneed and verdef offsets in handle_symtab.

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c, which allows attackers to cause a denial of service (infinite loop) via a crafted file.


Mark Wielaard [email protected]
Wed Mar 3 20:46:24 GMT 2021

  • Previous message (by thread): [Bug tools/27501] eu-readelf hang while process crafted file
  • Next message (by thread): [PATCH] debuginfod-client: Don’t compare a double to a long
  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We are going through vna_next, vn_next and vd_next in a while loop. Make sure that all offsets are sane. We don’t want things to wrap around so we go in cycles.

https://sourceware.org/bugzilla/show_bug.cgi?id=27501

Signed-off-by: Mark Wielaard <[email protected]>

 src/ChangeLog | 5 +++++
 src/readelf.c | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog index 791015bb…14cd6cac 100644 — a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2021-03-03 Mark Wielaard <[email protected]>

  • * readelf.c (handle_symtab): Sanity check verneed vna_next,
  • vn_next and verdef vd_next offsets.

2021-03-02 Timm Bäder <[email protected]>

\* elfcompress.c (process\_file): Remove cleanup() function and
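Review bot: the new ChangeLog entry does not name the bug it fixes, while the commit message cites https://sourceware.org/bugzilla/show_bug.cgi?id=27501; adding the bug number to the entry makes the reason for the three new bounds checks findable from the log as well as from the mail.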

diff --git a/src/readelf.c b/src/readelf.c index 715af3b3…b9740455 100644 — a/src/readelf.c +++ b/src/readelf.c @@ -2554,7 +2554,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) &vernaux_mem); while (vernaux != NULL && vernaux->vna_other != *versym

  •            && vernaux->vna\_next != 0)
    
  •            && vernaux->vna\_next != 0
    
  •            && (verneed\_data->d\_size - vna\_offset
    
  •            >= vernaux->vna\_next))
          {
            /\* Update the offset.  \*/
            vna\_offset += vernaux->vna\_next;
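Review bot: the added `&& (verneed_data->d_size - vna_offset >= vernaux->vna_next)` term only guarantees termination together with the existing `vernaux->vna_next != 0` test, and that argument deserves a one-line comment in the loop: vna_offset only ever grows, every accepted step keeps it at or below d_size, so the unsigned subtraction cannot wrap and the walk must stop after at most d_size iterations. Please also confirm that gelf_getvernaux rejects an offset at which a whole vernaux record no longer fits inside the section, because this check bounds only the offset, not the size of the record read there; if it does not, the bound needs to account for the record size as well.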
    

@@ -2571,6 +2573,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) /* Found it. */ break;

  •         if (verneed\_data->d\_size - vn\_offset < verneed->vn\_next)
    
  •       break;
    
  •         vn\_offset += verneed->vn\_next;
            verneed = (verneed->vn\_next == 0
               ? NULL
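Review bot: `if (verneed_data->d_size - vn_offset < verneed->vn_next) break;` is the same bound as the vernaux check in the previous hunk, but written with `<` and a separate `break` instead of being folded into the loop condition; the two checks would be easier to audit if they had the same shape. The placement is right, below the `/* Found it. */ break;` so a matching version is still reported, and above the `vn_offset += verneed->vn_next;` advance so a crafted vn_next can no longer send the offset back around the section, but a short comment saying why the break exists would help the next reader, since the bug number from the commit message is not visible at the site of the fix.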
    

@@ -2606,6 +2611,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) /* Found the definition. */ break;

  •         if (verdef\_data->d\_size - vd\_offset < verdef->vd\_next)
    
  •       break;
    
  •         vd\_offset += verdef->vd\_next;
            verdef = (verdef->vd\_next == 0
              ? NULL
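Review bot: this verdef check is a copy of the verneed one above with vd_offset and vd_next substituted, so the same comment on shape and documentation applies. One boundary worth a look: when a crafted vd_next equals exactly `verdef_data->d_size - vd_offset` the check passes and vd_offset lands on d_size, leaving it to the following gelf_getverdef call to refuse the out-of-range offset; that is fine as long as it returns NULL there rather than reading past the section. A regression test driven by the crafted file from the bug report, exercising both the verneed and the verdef paths, would confirm the hang is gone for all three loops.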
    

-- 
2.20.1


Related news

Ubuntu Security Notice USN-6322-1

Ubuntu Security Notice 6322-1 - It was discovered that elfutils incorrectly handled certain malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. It was discovered that elfutils incorrectly handled bounds checks in certain functions when processing malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service.
