[Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf

Sat, 12 Jan 2019 01:29:00 -0800 

https://sourceware.org/bugzilla/show_bug.cgi?id=24089

            Bug ID: 24089
           Summary: A Heap-buffer-overflow problem was discovered in the
                    function elf32_xlatetom in elf32_xlatetom.c in libelf
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libelf
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11534
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11534&action=edit
POC1

Hi, 

A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in
elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.

Here are the POC files. Please use "./eu-readelf -a $POC" to reproduce the
error.

$ git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <j...@sifive.com>
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
>     RISC-V: Improve riscv64 core file support.
> 
>     This fixes two problems.  The offset for x1 is changed from 1 to 8 because
>     this is a byte offset not a register skip count.  Support for reading the
>     PC value is added.  This requires changing the testsuite to match the new
>     readelf output for coredumps.
> 
>     Signed-off-by: Jim Wilson <j...@sifive.com>

The ASAN dumps the stack trace as follows:

> =================================================================
> ==26819==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6030000000b4 at pc 0x7f07b3e4ee2b bp 0x7ffe3ddce530 sp 0x7ffe3ddcdcd8
> READ of size 1 at 0x6030000000b4 thread T0
>     #0 0x7f07b3e4ee2a in memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
>     #1 0x7f07b351469c in elf32_xlatetom 
> /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:116
>     #2 0x410e3c in convert 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11305
>     #3 0x436e64 in handle_core_item 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11359
>     #4 0x4447d4 in handle_core_items 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11641
>     #5 0x4447d4 in handle_core_note 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12164
>     #6 0x4a006c in handle_notes_data 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12248
>     #7 0x4c5b47 in handle_notes 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12315
>     #8 0x4c5b47 in process_elf_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:1000
>     #9 0x4c5b47 in process_dwflmod 
> /home/wencheng/Experiment/elfutils/src/readelf.c:760
>     #10 0x7f07b3a1fe9c in dwfl_getmodules 
> /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
>     #11 0x41399c in process_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:868
>     #12 0x405df6 in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
>     #13 0x7f07b2f3582f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #14 0x406ef8 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406ef8)
> 
> 0x6030000000b4 is located 0 bytes to the right of 20-byte region 
> [0x6030000000a0,0x6030000000b4)
> allocated by thread T0 here:
>     #0 0x7f07b3eb2b90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
>     #1 0x7f07b3597080 in elf_getdata_rawchunk 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata_rawchunk.c:88
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
>   0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
> =>0x0c067fff8010: 00 fa fa fa 00 00[04]fa fa fa fa fa fa fa fa fa
>   0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==26819==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to