[Bug tools/33004] New: Stack Buffer Underflow in eu-unstrip's sections_match Function

xdcao.cs at gmail dot com Tue, 27 May 2025 10:16:00 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=33004


            Bug ID: 33004
           Summary: Stack Buffer Underflow in eu-unstrip's sections_match
                    Function
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary
Stack Buffer Underflow in eu-unstrip's sections_match Function

Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
#  ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install


root@c6c01f72391e:# ./eu-unstrip -F POC/POC1 POC/POC2
=================================================================
==250432==ERROR: AddressSanitizer: stack-buffer-underflow on address
0x7ffc029cac50 at pc 0x0000004da24a bp 0x7ffc029cabb0 sp 0x7ffc029caba8
READ of size 8 at 0x7ffc029cac50 thread T0
    #0 0x4da249 in sections_match
/workspace/new-test/program/elfutils/src/unstrip.c:1024:50
    #1 0x4d11ab in copy_elided_sections
/workspace/new-test/program/elfutils/src/unstrip.c:1544:12
    #2 0x4cfc2a in handle_file
/workspace/new-test/program/elfutils/src/unstrip.c:2234:5
    #3 0x4ce648 in handle_explicit_files
/workspace/new-test/program/elfutils/src/unstrip.c:2331:3
    #4 0x4ccf0e in main
/workspace/new-test/program/elfutils/src/unstrip.c:2661:2
    #5 0x7f6ab22ebd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f6ab22ebe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x420764 in _start
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-unstrip/eu-unstrip+0x420764)

Address 0x7ffc029cac50 is located in stack of thread T0 at offset 16 in frame
    #0 0x4d003f in copy_elided_sections
/workspace/new-test/program/elfutils/src/unstrip.c:1429

  This frame has 16 object(s):
    [32, 40) 'unstripped_shstrndx' (line 1430) <== Memory access at offset 16
underflows this variable
    [64, 72) 'stripped_shstrndx' (line 1434)
    [96, 104) 'unstripped_shnum' (line 1438)
    [128, 136) 'stripped_shnum' (line 1442)
    [160, 224) 'shdr_mem' (line 1509)
    [256, 320) 'shdr_mem551' (line 1701)
    [352, 376) 'sym_mem' (line 1785)
    [416, 420) 'shndx' (line 1786)
    [432, 496) 'shdr_mem993' (line 1852)
    [528, 592) 'mem' (line 1961)
    [624, 688) 'mem1280' (line 1988)
    [720, 744) 'sym1322' (line 2004)
    [784, 848) 'shdr_mem1499' (line 2104)
    [880, 944) 'ehdr_mem' (line 2134)
    [976, 984) 'phnum' (line 2152)
    [1008, 1064) 'phdr_mem' (line 2163)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow
/workspace/new-test/program/elfutils/src/unstrip.c:1024:50 in sections_match
Shadow bytes around the buggy address:
  0x100000531530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100000531540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100000531550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100000531560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100000531570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100000531580: ca ca ca ca cb cb cb cb f1 f1[f1]f1 00 f2 f2 f2
  0x100000531590: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x1000005315a0: 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000005315b0: f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2 f8 f8
  0x1000005315c0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x1000005315d0: f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==250432==ABORTING


POC
https://drive.google.com/file/d/1NA5t6yC5patQ3SkM-hXxzTugal9Wz4mj/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tools/33004] New: Stack Buffer Underflow in eu-unstrip's sections_match Function

Reply via email to