https://sourceware.org/bugzilla/show_bug.cgi?id=33006
Bug ID: 33006
Summary: Stack Buffer Overflow in eu-objdump's riscv_disasm Function
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: xdcao.cs at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Summary
Stack Buffer Overflow in eu-objdump's riscv_disasm Function
Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS
Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 && make install
root@c6c01f72391e:# ./eu-objdump -d POC_elfutils_eu-objdump_stack-buffer-overflow
POC_elfutils_eu-objdump_stack-buffer-overflow: elf64-elf_riscv
Disassembly of section .text:
0: 48 8d 0x8d48
2: a4 24 fld fs1,72(s1)
4: 68 ff sd a0,248(a4)
=================================================================
==712103==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff25e11902 at pc 0x00000043e841 bp 0x7fff25e11580 sp 0x7fff25e10d18
WRITE of size 5 at 0x7fff25e11902 thread T0
    #0 0x43e840 in vsnprintf (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840)
    #1 0x43fe66 in __snprintf_chk (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43fe66)
    #2 0x548c93 in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:1308:12
    #3 0x7fa5aed94923 in disasm_cb /workspace/new-test/program/elfutils/libasm/disasm_cb.c:178:10
    #4 0x4cefc4 in show_disasm /workspace/new-test/program/elfutils/src/objdump.c:736:4
    #5 0x4cdd3c in handle_elf /workspace/new-test/program/elfutils/src/objdump.c:783:14
    #6 0x4cccee in process_file /workspace/new-test/program/elfutils/src/objdump.c:250:17
    #7 0x4cc998 in main /workspace/new-test/program/elfutils/src/objdump.c:163:12
    #8 0x7fa5ae74bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fa5ae74be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420734 in _start (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x420734)

Address 0x7fff25e11902 is located in stack of thread T0 at offset 642 in frame
    #0 0x54813f in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:117

  This frame has 6 object(s):
    [32, 544) 'initbuf' (line 121)
    [608, 640) 'mnebuf' (line 167) <== Memory access at offset 642 overflows this variable
    [672, 712) 'op' (line 168)
    [752, 784) 'immbuf' (line 169)
    [816, 848) 'addrbuf' (line 172)
    [880, 896) 'key' (line 1258)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840) in vsnprintf
Shadow bytes around the buggy address:
0x100064bba2d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba310: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x100064bba320:[f2]f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
0x100064bba330: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8
0x100064bba340: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100064bba370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==712103==ABORTING
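The frame layout ASan prints above is enough to triage the report mechanically, which matters when a fuzzing campaign produces many such reports against the same binary. The script below is an added example, not part of this bug report or of elfutils: it parses the report text (embedded as constructed sample input, copied from the lines above) and extracts the first frame that resolves to the project's own source, the stack variable that was overrun, and how far past its end the write lands. The frame-selection heuristic (first frame whose location is a file:line rather than a binary+offset) and the Triage field names are this example's own choices.

```python
"""Triage an AddressSanitizer stack-buffer-overflow report (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the lines of the ASan report from this bug that
# the parser consumes, with ASan's own indentation. Nothing else was added.
SAMPLE_REPORT = """\
==712103==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff25e11902 at pc 0x00000043e841 bp 0x7fff25e11580 sp 0x7fff25e10d18
WRITE of size 5 at 0x7fff25e11902 thread T0
    #0 0x43e840 in vsnprintf (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840)
    #1 0x43fe66 in __snprintf_chk (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43fe66)
    #2 0x548c93 in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:1308:12
    #3 0x7fa5aed94923 in disasm_cb /workspace/new-test/program/elfutils/libasm/disasm_cb.c:178:10
Address 0x7fff25e11902 is located in stack of thread T0 at offset 642 in frame
    #0 0x54813f in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:117
  This frame has 6 object(s):
    [32, 544) 'initbuf' (line 121)
    [608, 640) 'mnebuf' (line 167) <== Memory access at offset 642 overflows this variable
    [672, 712) 'op' (line 168)
    [752, 784) 'immbuf' (line 169)
    [816, 848) 'addrbuf' (line 172)
    [880, 896) 'key' (line 1258)
"""

FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)")
OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


@dataclass
class Triage:
    kind: str                   # e.g. "stack-buffer-overflow"
    access: str                 # "READ" or "WRITE"
    size: int                   # bytes accessed
    function: str               # first frame that resolves to source
    location: str               # file:line:col of that frame
    variable: str               # stack object that was overrun
    var_start: int              # frame-relative, as ASan prints it
    var_end: int                # exclusive
    var_line: int               # declaration line of the variable
    bytes_past_end: int         # distance from end of variable to first byte touched
    overrun_bytes: int          # bytes of the access lying beyond the variable
    next_variable: Optional[str]
    reaches_next: bool          # True if the access overlaps the next object


def first_source_frame(lines):
    """Return (function, location) of the first frame with a file:line location,
    skipping libc/sanitizer frames that only show binary+offset (hypothetical
    heuristic chosen for this example)."""
    for line in lines:
        m = FRAME_RE.search(line)
        if m and re.search(r":\d+", m.group(3)):
            return m.group(2), m.group(3)
    raise ValueError("no frame with a source location")


def triage(report: str) -> Triage:
    head = re.search(r"AddressSanitizer: (\S+) on address", report)
    acc = re.search(r"(READ|WRITE) of size (\d+) at 0x", report)
    off = re.search(r"at offset (\d+) in frame", report)
    if not (head and acc and off):
        raise ValueError("not a stack report this parser understands")
    # Frames printed before the "is located in stack" line are the access stack;
    # the frame listed after it describes the owning function, not the fault.
    function, location = first_source_frame(report[: off.start()].splitlines())
    offset, size = int(off.group(1)), int(acc.group(2))

    objects = sorted((int(s), int(e), n, int(ln)) for s, e, n, ln in OBJECT_RE.findall(report))
    if any(s <= offset < e for s, e, _, _ in objects):
        raise ValueError("faulting offset lies inside an object; not an overflow")
    before = [o for o in objects if o[1] <= offset]
    if not before:
        raise ValueError("access precedes every frame object")
    start, end, name, line = before[-1]          # last object ending before the fault
    after = [o for o in objects if o[0] > offset]
    nxt = after[0] if after else None
    return Triage(kind=head.group(1), access=acc.group(1), size=size,
                  function=function, location=location, variable=name,
                  var_start=start, var_end=end, var_line=line,
                  bytes_past_end=offset - end,
                  overrun_bytes=offset + size - end,
                  next_variable=nxt[2] if nxt else None,
                  reaches_next=bool(nxt) and offset + size > nxt[0])


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t.kind}: {t.access} of {t.size} bytes in {t.function} at {t.location}")
    print(f"overruns '{t.variable}' [{t.var_start}, {t.var_end}) declared at line {t.var_line}: "
          f"first byte {t.bytes_past_end} past its end, {t.overrun_bytes} bytes beyond it"
          f"{'; overlaps ' + t.next_variable if t.reaches_next else ' (stays in the redzone)'}")
```

For this report the script lands on riscv_disasm.c:1308:12, a 5-byte write that begins 2 bytes past the end of the 32-byte mnebuf and extends 7 bytes beyond it. Because that lies inside the redzone ASan keeps before op, nothing else in the frame is visibly corrupted before the sanitizer aborts; in an uninstrumented build the frame layout has no redzones, so the same overrun would land on whatever the compiler placed after mnebuf.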
POC
https://drive.google.com/file/d/1YdviqwGYIv659lqkCrpGVA9QsfakD8_u/view?usp=sharing
Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)