Uninformed: Informative Information for the Uninformed

Vol 6» 2007.Jan


Integer Overflows in Size Calculations

One potential source of mistakes when processing relocations is the handling of a relocation block's SizeOfBlock attribute. An integer overflow can occur in applications that do not properly handle the case where SizeOfBlock is less than the size of the base relocation structure (which is 8 bytes). In order to calculate the total number of fixups in a section, it's common to see a calculation like (Block->SizeOfBlock - 8) / 2. However, if no check is made to ensure that SizeOfBlock is at least 8, the subtraction wraps around and an integer overflow occurs. When this happens, the application processing relocations is tricked into processing a very large number of relocations. An example of a test for this issue is shown below:

/* Fuzz case: prepend a relocation block whose SizeOfBlock is below the
 * 8-byte minimum so that (SizeOfBlock - 8) / 2 wraps in the target. */
static VOID TestIntegerOverflow(
      __in PPE_IMAGE Image,                 /* image being fuzzed (unused here) */
      __in PRELOC_FUZZ_CONTEXT FuzzContext) /* list of blocks to emit */
{
   /* Allocate a block context with zero fixup entries. */
   PRELOCATION_BLOCK_CONTEXT EvilBlock = AllocateRelocationBlockContext(0);

   /* Invalid on purpose: the header alone is 8 bytes. */
   EvilBlock->SizeOfBlock = 0;
   EvilBlock->Rva         = 0x1000;

   /* Place the block at the front of the fuzz context's block list. */
   PrependRelocationBlockContext(
         FuzzContext,
         EvilBlock);
}

In this example, a relocation block is created with its SizeOfBlock attribute set to zero. This is invalid because the minimum size of a block is 8 bytes. The results of this test against different applications are shown below:

Application: ntdll.dll
Result: Does not perform the appropriate checks, which appears to result in an integer overflow:

(9d4.6dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00014008 ecx=00011000 edx=80010000 esi=00015000 edi=ffffffff
eip=7c91e163 esp=0013fa98 ebp=0013faac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!LdrProcessRelocationBlockLongLong+0x1a:
7c91e163 0fb706          movzx   eax,word ptr [esi] ds:0023:00015000=????

Application: IDA
Result: Ignores the relocation block, but may not process relocations correctly as a result (unclear at this point).

Application: dumpbin.exe
Result: Refuses to show relocations:

Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file foo.exe

File Type: EXECUTABLE IMAGE

BASE RELOCATIONS #4

  Summary

        1000 .data
        1000 .rdata
        1000 .reloc
        1000 .text
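Returning to the size calculation at the start of this section: the following is an added example, not code from the article or from the fuzzing framework it describes. It places the unchecked (Block->SizeOfBlock - 8) / 2 calculation beside a bounds-checked version and walks a constructed .reloc buffer containing one valid block followed by a block with SizeOfBlock = 0, the same case the fuzz test produces. The struct, function names, the sample bytes and the little-endian host assumption are all mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_BASE_RELOCATION: the 8-byte header that starts every block. */
typedef struct {
    uint32_t VirtualAddress;  /* RVA of the page these fixups patch */
    uint32_t SizeOfBlock;     /* header plus all 16-bit fixup entries */
} BaseRelocation;

#define RELOC_HEADER_SIZE 8u

/* The unchecked calculation quoted in the text: any SizeOfBlock below 8
 * wraps to a huge count (0 yields 0x7FFFFFFC). */
static uint32_t CountFixupsNaive(uint32_t sizeOfBlock)
{
    return (sizeOfBlock - RELOC_HEADER_SIZE) / 2;
}

/* Hardened version: returns 1 and sets *count only when the block is at
 * least a header long and does not extend past the bytes that remain. */
static int CountFixupsChecked(uint32_t sizeOfBlock, size_t remaining,
                              uint32_t *count)
{
    if (remaining < RELOC_HEADER_SIZE) return 0;    /* truncated header */
    if (sizeOfBlock < RELOC_HEADER_SIZE) return 0;  /* would wrap below 0 */
    if (sizeOfBlock > remaining) return 0;          /* runs off the end */
    *count = (sizeOfBlock - RELOC_HEADER_SIZE) / 2;
    return 1;
}

/* Walk a .reloc buffer using the checked count. Returns the number of
 * blocks accepted; *fixups receives the total entry count and *rejectedAt
 * the offset of the first invalid block, or -1 if every block was valid. */
static int WalkRelocations(const uint8_t *buf, size_t len,
                           uint32_t *fixups, long *rejectedAt)
{
    size_t off = 0;
    int blocks = 0;
    *fixups = 0;
    *rejectedAt = -1;
    while (off < len) {
        BaseRelocation hdr;
        uint32_t n;
        if (len - off < RELOC_HEADER_SIZE) { *rejectedAt = (long)off; break; }
        memcpy(&hdr, buf + off, sizeof hdr);  /* alignment-safe read */
        if (!CountFixupsChecked(hdr.SizeOfBlock, len - off, &n)) {
            *rejectedAt = (long)off;
            break;
        }
        *fixups += n;
        blocks++;
        off += hdr.SizeOfBlock;  /* always >= 8 here, so the loop advances */
    }
    return blocks;
}

/* Constructed sample (little-endian): one valid 12-byte block with two
 * entries, then a block with SizeOfBlock = 0 like the fuzz case above. */
static const uint8_t kSample[] = {
    0x00, 0x10, 0x00, 0x00,  /* VirtualAddress = 0x1000 */
    0x0C, 0x00, 0x00, 0x00,  /* SizeOfBlock = 12 */
    0x10, 0x30,              /* HIGHLOW fixup at page offset 0x10 */
    0x00, 0x00,              /* ABSOLUTE padding entry */
    0x00, 0x10, 0x00, 0x00,  /* VirtualAddress = 0x1000 */
    0x00, 0x00, 0x00, 0x00,  /* SizeOfBlock = 0 (invalid) */
};

static const uint8_t *Sample(void) { return kSample; }
static size_t SampleLen(void) { return sizeof kSample; }

int main(void)
{
    uint32_t fixups;
    long rejectedAt;
    int blocks = WalkRelocations(Sample(), SampleLen(), &fixups, &rejectedAt);
    printf("naive count for SizeOfBlock=0: 0x%08x\n", CountFixupsNaive(0));
    printf("checked walk: %d block(s), %u fixups, rejected at offset %ld\n",
           blocks, fixups, rejectedAt);
    return 0;
}
```

The checked walker stops at offset 12, where the zero-sized block begins, instead of looping forever or reading entries far past the end of the buffer; the upper-bound check against the remaining bytes covers the mirror case of a SizeOfBlock larger than the section.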