https://sourceware.org/bugzilla/show_bug.cgi?id=31058
            Bug ID: 31058
           Summary: global-buffer-overflow exists in the function
                    ebl_machine_flag_name in eblmachineflagname.c
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: jyxu at seu dot edu.cn
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 15216
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15216&action=edit
poc

System info
Ubuntu x86_64, clang 12.0
version: readelf (elfutils) 0.190

Command line
./readelf -a poc

Poc
poc: https://github.com/SEU-SSL/Poc/blob/main/elfutils/id_000121%2Csig_08%2Csrc_002748%2B003088%2Cop_splice%2Crep_128
(Alternatively, download it in the attachment.)

AddressSanitizer output
==3674715==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005fe002 at pc 0x000000430d96 bp 0x7ffc65cae250 sp 0x7ffc65cada10
READ of size 1 at 0x0000005fe002 thread T0
    #0 0x430d95 in strlen (/src/elfutils-0.190/src/readelf+0x430d95)
    #1 0x53f152 in ebl_machine_flag_name /src/elfutils-0.190/libebl/eblmachineflagname.c:73:17
    #2 0x4cf3ad in print_ehdr /src/elfutils-0.190/src/readelf.c:1181:4
    #3 0x4cf3ad in process_elf_file /src/elfutils-0.190/src/readelf.c:1050:5
    #4 0x4cddf4 in process_dwflmod /src/elfutils-0.190/src/readelf.c:840:3
    #5 0x7fba8f0d800d in dwfl_getmodules /src/elfutils-0.190/libdwfl/dwfl_getmodules.c:86:16
    #6 0x4cb8e1 in process_file /src/elfutils-0.190/src/readelf.c:948:7
    #7 0x4cad48 in main /src/elfutils-0.190/src/readelf.c:417:7
    #8 0x7fba8ebac082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41ec2d in _start (/src/elfutils-0.190/src/readelf+0x41ec2d)

0x0000005fe002 is located 30 bytes to the left of global variable '<string literal>' defined in 'arm_machineflagname.c:59:11' (0x5fe020) of size 34
  '<string literal>' is ascii string 'dynamic symbols use segment index'
0x0000005fe002 is located 28 bytes to the right of global variable 'vername' defined in 'arm_machineflagname.c:42:25' (0x5fdfa0) of size 70
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/elfutils-0.190/src/readelf+0x430d95) in strlen
==3674715==ABORTING
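The trace shows strlen() reading 28 bytes past the 70-byte 'vername' table, i.e. a name lookup indexed by a field of e_flags that was never range-checked. As an added example, not elfutils code, here is a model of that pattern next to the bounds-checked form a fix needs; the 5 x 14-byte table layout, the function names and the choice of the EABI version field of e_flags as the index are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-width name table indexed by a field of
   e_flags.  NOT the elfutils source: the 5 x 14-byte layout is assumed
   from the 70-byte 'vername' object the ASan report names. */
#define EABI_MASK   0xFF000000u   /* same value as EF_ARM_EABIMASK in <elf.h> */
#define EABI_SHIFT  24
#define NAME_STRIDE 14            /* "VersionN EABI" plus its NUL */
#define NAME_COUNT  5

static const char vername[NAME_COUNT * NAME_STRIDE] =
  "Version1 EABI\0Version2 EABI\0Version3 EABI\0Version4 EABI\0Version5 EABI";

/* Byte offset into vername that an unchecked lookup would use; anything at or
   beyond sizeof vername (70) is an overrun.  Version 8 gives 98, i.e. 28 bytes
   past the table, which is the distance the report prints. */
long eabi_name_offset (uint32_t e_flags)
{
  long v = (long) ((e_flags & EABI_MASK) >> EABI_SHIFT);
  return (v - 1) * NAME_STRIDE;
}

/* Unchecked lookup: the pointer is formed without validating the version, so
   a crafted e_flags makes the caller's strlen() read a neighbouring global. */
const char *eabi_name_unchecked (uint32_t e_flags)
{
  return vername + eabi_name_offset (e_flags);
}

/* Checked lookup: reject version 0 (offset -14) and versions past the table
   before any pointer is formed; the caller prints a fallback for NULL. */
const char *eabi_name_checked (uint32_t e_flags)
{
  unsigned v = (e_flags & EABI_MASK) >> EABI_SHIFT;
  if (v == 0 || v > NAME_COUNT)
    return NULL;
  return vername + (v - 1) * NAME_STRIDE;
}

int main (void)
{
  /* Constructed sample e_flags values: in range, the report's case, zero. */
  uint32_t samples[] = { 0x05000000u, 0x08000000u, 0x00000000u };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      const char *name = eabi_name_checked (samples[i]);
      printf ("e_flags 0x%08x: %s (offset %ld)\n", samples[i],
              name ? name : "<unknown EABI version>",
              eabi_name_offset (samples[i]));
    }
  return 0;
}
```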