debug/macho: panic on invalid dynamic symbol table command with overflowing #49792
Labels: NeedsFix
These days I'm learning how to fix this vulnerability CVE-2021-41771 at issue #48990 and CL355990. I noticed that the variables `hdr.Iundefsym` and `hdr.Nundefsym` are read directly from the macho executable. Therefore, based on the existing test files, I constructed a new test file, where `hdr.Iundefsym=9`, `hdr.Nundefsym=0xFF_FF_FF_FF`, the overflow after addition is 8, but `uint32(len(f.Symtab.Syms))==11`. The judgment condition `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))` in the CL355990 can be bypassed due to integer addition overflow. Therefore, panic will still occur when calling the `ImportedSymbols()` method. This seems to be the same level of security problem as CVE-2021-41771.

The new test file was provided in this zip file: testdata.zip
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

`go env` Output

What did you do?

Use the newly constructed test file and run the test in the `debug/macho` directory:

What did you expect to see?

Test PASS

What did you see instead?
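To make the bypass concrete, here is an added example (not the `debug/macho` code or the CL's fix) that puts the wrapping `uint32` check beside a form that cannot wrap. The `dysymtabHdr` type and the 11-entry symbol slice are constructed stand-ins for the report's values.

```go
package main

import "fmt"

// dysymtabHdr mirrors the two header fields the report discusses (constructed stand-in).
type dysymtabHdr struct {
	Iundefsym uint32
	Nundefsym uint32
}

// overflowingCheck is the bypassable condition from the report: the uint32 sum
// wraps, so Iundefsym=9 with Nundefsym=0xFFFFFFFF yields 8 and slips past.
func overflowingCheck(hdr dysymtabHdr, nsyms int) bool {
	return hdr.Iundefsym+hdr.Nundefsym > uint32(nsyms)
}

// safeCheck rejects the range without an addition that can wrap: first the
// start index, then the count against the room left after the start.
func safeCheck(hdr dysymtabHdr, nsyms int) bool {
	n := uint32(nsyms)
	return hdr.Iundefsym > n || hdr.Nundefsym > n-hdr.Iundefsym
}

// undefinedSymbols slices the symbol list the way ImportedSymbols does, but
// only after safeCheck, so a bad header yields an error instead of a panic.
func undefinedSymbols(hdr dysymtabHdr, syms []string) ([]string, error) {
	if safeCheck(hdr, len(syms)) {
		end := uint64(hdr.Iundefsym) + uint64(hdr.Nundefsym)
		return nil, fmt.Errorf("invalid undefined symbol range [%d, %d) for %d symbols",
			hdr.Iundefsym, end, len(syms))
	}
	return syms[hdr.Iundefsym : hdr.Iundefsym+hdr.Nundefsym], nil
}

func main() {
	syms := make([]string, 11) // 11 symbols, as in the report's test file
	bad := dysymtabHdr{Iundefsym: 9, Nundefsym: 0xFF_FF_FF_FF}
	fmt.Println("overflowing check rejects:", overflowingCheck(bad, len(syms))) // false
	fmt.Println("safe check rejects:", safeCheck(bad, len(syms)))              // true
	_, err := undefinedSymbols(bad, syms)
	fmt.Println(err)
}
```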