https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Mark Wielaard <mark at klomp dot org> changed:
What       | Removed                                     | Added
-----------|---------------------------------------------|---------------------------------------------
Status     | UNCONFIRMED                                 | RESOLVED
CC         |                                             | mark at klomp dot org
Resolution | ---                                         | FIXED
Summary    | Program Crash due to Wild pointer Deference | Program Crash due to buffer over-read
           | in ebl_object_note function in eblobjnote.c | in ebl_object_note function in eblobjnote.c
           | in libebl.                                  | in libebl.
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #0)
> Our fuzzer caught a Pointer Dereference problem in eu-readelf of the latest
> elfutils-0.174 code base. This input will cause a segmentation fault, and I
> have confirmed it with AddressSanitizer too. Please use "./eu-readelf
> -a $POC" to reproduce the bug. If you have any questions, please let me know.
This code was introduced in 0.175 and not present in 0.174.
Confirmed by running the reproducer under valgrind.
> This problem is in the code as follows; it seems like a use-after-free problem.
>
> > size_t i;
> > for (i = 0; i < prop.pr_datasz - 1; i++)
> >   printf ("%02" PRIx8 " ", (uint8_t) desc[i]);
Yes, this over-reads the buffer because pr_datasz isn't checked.
Fixed as follows:
commit 012018907ca05eb0ab51d424a596ef38fc87cae1
Author: Mark Wielaard <[email protected]>
Date: Wed Jan 16 11:57:35 2019 +0100
libebl: Check GNU property note pr_datasz fits inside note description.
Before printing the data values, make sure pr_datasz doesn't go beyond
the end of the note description data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Signed-off-by: Mark Wielaard <[email protected]>
diff --git a/libebl/ChangeLog b/libebl/ChangeLog
index 0174f33..77c2274 100644
--- a/libebl/ChangeLog
+++ b/libebl/ChangeLog
@@ -1,3 +1,7 @@
+2019-01-16 Mark Wielaard <[email protected]>
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+
2018-12-02 Mark Wielaard <[email protected]>
* eblobjnte.c (ebl_object_note): For GNU_PROPERTY_STACK_SIZE use
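Review bot: the new ChangeLog entry names the file "eblobjnte.c", but the file the second hunk modifies is libebl/eblobjnote.c; the existing 2018-12-02 entry carries the same misspelling, so it is worth correcting the new line to " * eblobjnote.c (ebl_object_note): Check pr_datasz isn't too large." rather than propagating it, and the entry could also cite the bug number (24075) that the commit message references.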
diff --git a/libebl/eblobjnote.c b/libebl/eblobjnote.c
index c19ea37..9094715 100644
--- a/libebl/eblobjnote.c
+++ b/libebl/eblobjnote.c
@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t namesz, const char
*name, uint32_t type,
desc += 8;
descsz -= 8;
+ if (prop.pr_datasz > descsz)
+ {
+ printf ("BAD property datasz: %" PRId32 "\n",
+ prop.pr_datasz);
+ return;
+ }
+
int elfclass = gelf_getclass (ebl->elf);
char *elfident = elf_getident (ebl->elf, NULL);
GElf_Ehdr ehdr;
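Review bot: the check "if (prop.pr_datasz > descsz)" still lets pr_datasz == 0 through, and the print loop quoted in the report ("for (i = 0; i < prop.pr_datasz - 1; i++)") wraps for an unsigned zero and reads far past the buffer, so please confirm a "pr_datasz > 0" guard surrounds that loop or reject zero here as well. Secondary point: if pr_datasz is an unsigned 32-bit word (GElf_Word), the diagnostic should use PRIu32 rather than PRId32, otherwise a large bogus size prints as a negative number in the "BAD property datasz" message.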
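A defensive walk over an NT_GNU_PROPERTY_TYPE_0 note description that applies the same pr_datasz bound as the fix above and also handles a zero-length property, as an added example for this page; it is not elfutils' ebl_object_note, and walk_gnu_properties, rd32le and the three sample descriptors are constructed for it (little-endian encoding assumed).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian 32-bit word from the descriptor bytes. */
static uint32_t rd32le (const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Each property is: 4-byte pr_type, 4-byte pr_datasz, pr_datasz bytes of
   data, padded to ALIGN (8 for ELFCLASS64, 4 for ELFCLASS32).  Returns the
   number of properties printed, or -1 if a pr_datasz does not fit in the
   remaining description bytes.  Hypothetical helper, not elfutils code. */
int walk_gnu_properties (const unsigned char *desc, size_t descsz, size_t align)
{
  int count = 0;
  while (descsz >= 8)
    {
      uint32_t pr_type = rd32le (desc);
      uint32_t pr_datasz = rd32le (desc + 4);
      desc += 8;
      descsz -= 8;

      /* The bound added by the fix: the data must lie inside the note. */
      if (pr_datasz > descsz)
        {
          printf ("BAD property datasz: %" PRIu32 "\n", pr_datasz);
          return -1;
        }

      printf ("property type %#" PRIx32 " data:", pr_type);
      /* Loop on i < pr_datasz, never pr_datasz - 1, so a zero-length
         property cannot wrap the unsigned bound and over-read. */
      for (uint32_t i = 0; i < pr_datasz; i++)
        printf (" %02" PRIx8, desc[i]);
      putchar ('\n');

      /* Advance past data plus alignment padding, clamped to what is left. */
      size_t step = (pr_datasz + align - 1) & ~(align - 1);
      if (step > descsz)
        step = descsz;
      desc += step;
      descsz -= step;
      count++;
    }
  return count;
}

/* Constructed descriptors: one sane property with 4 data bytes padded to 8,
   one claiming 0x100 data bytes with only 4 present, and one of size zero. */
static const unsigned char good_desc[] = { 0x02,0x00,0x00,0xc0, 0x04,0x00,0x00,0x00,
                                           0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const unsigned char bad_desc[]  = { 0x01,0x00,0x00,0x00, 0x00,0x01,0x00,0x00,
                                           0xde,0xad,0xbe,0xef };
static const unsigned char zero_desc[] = { 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
```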