[Bug,tools/33005] Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function

Message ID bug-33005-10460-o4dRYv9c9b@http.sourceware.org/bugzilla/
State Committed
Series [Bug,tools/33005] Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function

Commit Message

mark at klomp dot org June 3, 2025, 12:04 p.m. UTC
  https://sourceware.org/bugzilla/show_bug.cgi?id=33005

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
I completely forgot we already have configure --enable-sanitize-address which
does the right thing to build with asan. With that it is reproducible. The
issue is indeed that these are corrupt files that don't really match up and so
cannot be "unstripped". If the sections don't match up we "invent" a new one
and try to see if that gives us a good set of sections to unstrip. When we do
that we forget to update the shnum value and when sorting the set of sections
on the stack we have one too many, which technically is a stack overflow. Again
the stack is deep enough for it to not be an issue. But technically it is. The
"fix" is simple:

            strtab = dwelf_strtab_init (true);

It will still fail with "eu-unstrip: cannot get section data: invalid section header".

Patch

diff --git a/src/unstrip.c b/src/unstrip.c
index 81c5496f43a0..6c2a98ef96f2 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -1666,6 +1666,7 @@  more sections in stripped file than debug file --
arguments reversed?"));
          ELF_CHECK (newdata != NULL && gelf_update_shdr (sec->outscn,
                                                          &sec->shdr),
                     _("cannot add new section: %s"));
+         unstripped_shnum++;

          if (strtab == NULL)
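Review bot: the `unstripped_shnum++` is placed directly after the ELF_CHECK that installs the invented section, so the count only grows once the section has actually been added, which is the correct ordering; a one-line comment above it stating that the count must track the newly added section (per the report, the later sort over the on-stack section array was otherwise one element too many) would make the intent obvious to the next reader. It is also worth confirming that nothing earlier in this function sized a buffer or loop bound from `unstripped_shnum` before this increment, since such a use would still see the stale count.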