found integer overflow bug

By source code audit, I just found an integer overflow at function `load(...)` (`mmap_loader.cc:48`), which returns a pointer on the mmap address.
The variables `offset` and `size` can be assumed as `u64`, so in this case, if `offset` and `size` are big enough, it may cause an addition overflow and return a pointer that points to an invalid address.
Here is a sample: a.zip
in which I just modified the offset of program_head to -1 (0xffffffffffffffff).
```
$ readelf -h a
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401040
  Start of program headers:          -1 (bytes into file)   // modify offset here
  Start of section headers:          23000 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         13
  Size of section headers:           64 (bytes)
  Number of section headers:         31
  Section header string table index: 30
readelf: a: Error: Reading 728 bytes extends past end of file for program headers
```
Use `./dump-segments a`, and this is a batch problem at `elf.cc` which causes a segmentation violation.
An attacker can exploit this vulnerability by submitting a malicious ELF file that triggers this bug, which will result in a Denial of Service (DoS).
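The pattern the report describes, as an added example that is not part of the original issue and not the project's own code: a loader range check written as `offset + size <= file_size` wraps when `e_phoff` is `0xffffffffffffffff`, so the check passes and `base + offset` lands one byte before the mapping. The function names (`range_ok_unsafe`, `range_ok_safe`, `phdr_address`, `make_image`), the header image and the 24000-byte file size are constructed assumptions modelled on the `readelf` output above (e_phoff = -1, 13 program headers of 56 bytes = 728 bytes, section headers at 23000); the hardened check is the usual fix, not a patch from the project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the Elf64_Ehdr fields this example reads. */
#define EH_PHOFF     32   /* e_phoff:     uint64_t */
#define EH_PHENTSIZE 54   /* e_phentsize: uint16_t */
#define EH_PHNUM     56   /* e_phnum:     uint16_t */
#define EHDR_SIZE    64

static uint64_t rd64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern (assumed, modelled on the report): the range check forms
   the u64 sum. offset = 0xffffffffffffffff makes offset + size wrap to
   size - 1, which is inside any file larger than that, so the check passes. */
bool range_ok_unsafe(uint64_t file_size, uint64_t offset, uint64_t size)
{
    return offset + size <= file_size;
}

/* Hardened check: never form the sum; compare each operand against what is
   left of the file, which cannot wrap. */
bool range_ok_safe(uint64_t file_size, uint64_t offset, uint64_t size)
{
    return offset <= file_size && size <= file_size - offset;
}

/* Address a loader would compute for the program header table, returned as an
   integer so that this demo does no out-of-bounds pointer arithmetic itself.
   Returns 0 when the selected range check rejects the request. */
uintptr_t phdr_address(const uint8_t *base, uint64_t file_size,
                       uint64_t offset, uint64_t size, bool use_safe_check)
{
    bool ok = use_safe_check ? range_ok_safe(file_size, offset, size)
                             : range_ok_unsafe(file_size, offset, size);
    if (!ok)
        return 0;
    return (uintptr_t)base + offset;   /* wraps to base - 1 when offset is -1 */
}

/* Constructed ELF64 image (assumption): valid ident, e_phoff = -1, 13 program
   headers of 56 bytes, padded to 24000 bytes so the wrapped sum (727) still
   fits inside the file, as it would in the reporter's sample. */
#define IMG_SIZE 24000
static uint8_t img[IMG_SIZE];

const uint8_t *make_image(void)
{
    static const uint8_t ident[16] = {0x7f, 'E', 'L', 'F', 2, 1, 1, 0,
                                      0, 0, 0, 0, 0, 0, 0, 0};
    memset(img, 0, sizeof img);
    memcpy(img, ident, 16);
    img[16] = 2;                       /* e_type = ET_EXEC */
    img[18] = 0x3e;                    /* e_machine = EM_X86_64 */
    img[20] = 1;                       /* e_version = 1 */
    memset(img + EH_PHOFF, 0xff, 8);   /* e_phoff = 0xffffffffffffffff */
    img[52] = EHDR_SIZE;               /* e_ehsize */
    img[EH_PHENTSIZE] = 56;
    img[EH_PHNUM] = 13;
    return img;
}

/* Parse the header and ask for the program header table with either check.
   Returns the address the check lets through, or 0 when it is rejected. */
uintptr_t demo(bool use_safe_check)
{
    const uint8_t *f = make_image();
    uint64_t phoff  = rd64le(f + EH_PHOFF);
    uint64_t phsize = (uint64_t)rd16le(f + EH_PHENTSIZE) * rd16le(f + EH_PHNUM); /* 728 */
    return phdr_address(f, IMG_SIZE, phoff, phsize, use_safe_check);
}

int main(void)
{
    uintptr_t bad  = demo(false);
    uintptr_t good = demo(true);
    printf("unsafe check: %s (base %#lx, result %#lx)\n",
           bad ? "PASSED, pointer one byte before the mapping" : "rejected",
           (unsigned long)(uintptr_t)img, (unsigned long)bad);
    printf("safe check:   %s\n", good ? "passed" : "rejected");
    return 0;
}
```

The same wrap applies to any loader that derives `size` from attacker-controlled header fields; checking `offset <= file_size` and `size <= file_size - offset` separately is the minimal fix, and the `readelf` error above shows the behaviour a correct bounds check produces for this sample.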