View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000638 | file | General | public | 2025-03-28 01:45 | 2025-03-29 15:17 |
Field | Value |
---|---|
Reporter | pbrook |
Assigned To | christos |
Priority | normal |
Severity | crash |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Product Version | 5.46 |
Fixed in Version | HEAD |
Summary | 0000638: Buffer overrun parsing ELF PT_INTERP |

Description: Buffer overrun leading to a crash when parsing ELF files with a large PT_INTERP segment.

Steps To Reproduce:

```
$ file crash.elf
*** buffer overflow detected ***: terminated
Aborted
```

Additional Information: Looks like this was probably introduced by commit 9109a696f3289ba00eaa222fd432755ec4287e28. I observed this when installing a Yocto SDK, where binaries are built with large amounts of padding in PT_INTERP to allow later patching (the install script also happens to use file). Example ELF file and patch to fix the bug are attached.

Tags: No tags attached.
elf-crash.patch (466 bytes)
diff --git a/src/readelf.c b/src/readelf.c index fed85efe..5c557522 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -1827,7 +1827,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, continue; if (bufsize && nbuf[0]) { nbuf[bufsize - 1] = '\0'; - memcpy(interp, nbuf, CAST(size_t, bufsize)); + strlcpy(interp, RCAST(char *, nbuf), sizeof(interp)); } else strlcpy(interp, "*empty*", sizeof(interp)); break; |
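Review bot: replacing memcpy(interp, nbuf, bufsize) with strlcpy(interp, nbuf, sizeof(interp)) in dophn_exec is the right fix for this overrun, because the old call copied bufsize bytes, the PT_INTERP segment size read from the file, into the fixed-size interp buffer, so any segment larger than interp wrote past its end (the FORTIFY abort quoted in the report is that write being caught). Two things to confirm outside the visible lines: strlcpy stops at the first NUL, and the only guarantee that a NUL lies inside nbuf is the preceding `nbuf[bufsize - 1] = '\0';`, so bufsize must already be bounded by sizeof(nbuf) at the read site or that store is itself out of bounds; and strlcpy truncates silently, which is fine for a PT_INTERP padded with trailing NULs as described in the report (only the path is copied) but means a genuinely longer interpreter path is cut at sizeof(interp) - 1 rather than rejected, so a one-line comment stating that truncation is intended would help, matching the existing `*empty*` branch which already relies on strlcpy.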
Note 0004196 (cbiedl, 2025-03-28 12:11): As also mentioned in the Debian bug report at <https://bugs.debian.org/1101470>, this was likely already fixed upstream, "PR/579: net147: Fix stack overrun."
Note 0004197 (christos, 2025-03-29 15:17): fixed, thanks!
Date Modified | Username | Field | Change |
---|---|---|---|
2025-03-28 01:45 | pbrook | New Issue | |
2025-03-28 01:45 | pbrook | File Added: elf-crash.patch | |
2025-03-28 01:45 | pbrook | File Added: crash.elf | |
2025-03-28 12:11 | cbiedl | Note Added: 0004196 | |
2025-03-29 15:16 | christos | Assigned To | => christos |
2025-03-29 15:16 | christos | Status | new => assigned |
2025-03-29 15:17 | christos | Status | assigned => resolved |
2025-03-29 15:17 | christos | Resolution | open => fixed |
2025-03-29 15:17 | christos | Fixed in Version | => HEAD |
2025-03-29 15:17 | christos | Note Added: 0004197 | |