https://sourceware.org/bugzilla/show_bug.cgi?id=24116
Bug ID: 24116
Summary: A Heap-buffer-overflow problem was discovered in the
function print_debug_line_section in readelf.c
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11559
--> https://sourceware.org/bugzilla/attachment.cgi?id=11559&action=edit
POC1
Hi,
A Heap-buffer-overflow problem was discovered in the function
print_debug_line_section in readelf.c, as distributed in ELFutils 0.175. A
crafted ELF input can cause segment faults and I have confirmed them with
address sanitizer too.
Here are the POC files. Please use "./eu-readelf -w $POC" to reproduce the
error.
$git log
> commit de01cc6f9446187d69b9748bb3636361c79e77a4
> Author: Mark Wielaard <m...@klomp.org>
> Date: Wed Jan 16 15:41:31 2019 +0100
>
> libebl: Check NT_PLATFORM core notes contain a zero terminated string.
>
> Most strings in core notes are fixed size. But NT_PLATFORM contains just
> a variable length string. Check that it is actually zero terminated
> before passing to readelf to print.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24089
>
> Signed-off-by: Mark Wielaard <m...@klomp.org>
The ASAN dumps the stack trace as follows:
> =================================================================
> ==23533==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6100000002fc at pc 0x00000040507c bp 0x7ffd4aa3fa10 sp 0x7ffd4aa3fa00
> READ of size 1 at 0x6100000002fc thread T0
> #0 0x40507b in __libdw_get_uleb128 ../libdw/memory-access.h:80
> #1 0x496de9 in print_debug_line_section /elfutils/src/readelf.c:8846
> #2 0x45be8c in print_debug /elfutils/src/readelf.c:11207
> #3 0x46080a in process_elf_file /elfutils/src/readelf.c:998
> #4 0x46080a in process_dwflmod /elfutils/src/readelf.c:760
> #5 0x7f38d437171c in dwfl_getmodules
> /elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40cb1d in process_file /elfutils/src/readelf.c:868
> #7 0x4059a6 in main /elfutils/src/readelf.c:350
> #8 0x7f38d39f782f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x4064d8 in _start (/elfutils/build/bin/eu-readelf+0x4064d8)
>
> 0x6100000002fc is located 0 bytes to the right of 188-byte region
> [0x610000000240,0x6100000002fc)
> allocated by thread T0 here:
> #0 0x7f38d474eb90 in __interceptor_malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f38d4003f7f in convert_data /elfutils/libelf/elf_getdata.c:157
> #2 0x7f38d4003f7f in __libelf_set_data_list_rdlock
> /elfutils/libelf/elf_getdata.c:447
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../libdw/memory-access.h:80
> in __libdw_get_uleb128
> Shadow bytes around the buggy address:
> 0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
> 0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==23533==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
