bug-binutils

[Bug binutils/20794] New: Heap buffer overflow in readelf


From: joseph.bisch at gmail dot com
Subject: [Bug binutils/20794] New: Heap buffer overflow in readelf
Date: Tue, 08 Nov 2016 13:01:57 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20794

            Bug ID: 20794
           Summary: Heap buffer overflow in readelf
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: joseph.bisch at gmail dot com
  Target Milestone: ---

Created attachment 9614
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9614&action=edit
testcase that causes crash

While fuzzing with afl, I encountered a heap buffer overflow in readelf
compiled with ASan. The git commit is ec7b600bf1410f6bda239666fac258a605dc3f43.

To reproduce, compile binutils with ASan and run:

/path/to/readelf -a /path/to/testcase

Here is the ASan output (which I am also attaching):

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401130
  Start of program headers:          64 (bytes into file)
  Start of section headers:          8760 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         5
  Section header string table index: 28 <corrupt: out of range>

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] <no-name>         NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] <no-name>         PROGBITS         0000000000400238  00000238
       000000000000001c  0000000000000000   A       0     0     1
  [ 2] <no-name>         NOTE             0000000000400254  00000254
       0000000000000020  0000000000000000   A       0     0     4
  [ 3] <no-name>         NOTE             0000000000400274  00000274
       0000000000000024  0000000000000000   A       0     0     4
=================================================================
==20759==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61400000fdd4 at pc 0x00000052b599 bp 0x7fff0a292970 sp 0x7fff0a292968
READ of size 4 at 0x61400000fdd4 thread T0
    #0 0x52b598 in process_section_headers
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:5982:46
    #1 0x52b598 in process_object
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:16684
    #2 0x502c69 in process_file
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:17087:13
    #3 0x502c69 in main
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:17158
    #4 0x7f7754f2b290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #5 0x419089 in _start
(/home/joseph/binutils/binutils-gdb/binutils/readelf+0x419089)

0x61400000fdd4 is located 4 bytes to the right of 400-byte region
[0x61400000fc40,0x61400000fdd0)
allocated by thread T0 here:
    #0 0x4c8998 in __interceptor_malloc
(/home/joseph/binutils/binutils-gdb/binutils/readelf+0x4c8998)
    #1 0x5b78fa in xmalloc
/home/joseph/binutils/binutils-gdb/libiberty/./xmalloc.c:148:12

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:5982:46 in
process_section_headers
==20759==ABORTING
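The out-of-range section header string table index that readelf prints above (28 against 5 section headers) is exactly the kind of value a parser has to reject before indexing the section-header table with it. As an added example (not binutils code and not the attached testcase), a bounds-checked ELF64 section-header lookup, exercised on a constructed in-memory image that carries the header fields from the report; the struct layouts mirror <elf.h> and the image size is an assumption chosen to hold 5 headers at offset 8760:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Minimal ELF64 header and section-header layouts (same sizes as <elf.h>). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr;
typedef struct {
    uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} Elf64_Shdr;

/* 1 if the section-header table fits inside file_size bytes (overflow-safe). */
int shdr_table_ok(const Elf64_Ehdr *h, size_t file_size) {
    if (memcmp(h->e_ident, "\x7f" "ELF", 4) != 0) return 0;
    if (h->e_shentsize != sizeof(Elf64_Shdr)) return 0;
    if (h->e_shoff > file_size) return 0;
    return (uint64_t)h->e_shnum * h->e_shentsize <= file_size - h->e_shoff;
}

/* Bounds-checked lookup: NULL for any index >= e_shnum, so a caller can
 * never read past the end of the table the way the ASan trace above shows. */
const Elf64_Shdr *section_at(const unsigned char *file, size_t file_size,
                             unsigned idx) {
    const Elf64_Ehdr *h = (const Elf64_Ehdr *)file;
    if (file_size < sizeof *h || !shdr_table_ok(h, file_size)) return NULL;
    if (idx >= h->e_shnum) return NULL;
    return (const Elf64_Shdr *)(file + h->e_shoff) + idx;
}

/* e_shstrndx must name a real section (not SHN_UNDEF = 0) before it is used. */
int shstrndx_usable(const unsigned char *file, size_t file_size) {
    const Elf64_Ehdr *h = (const Elf64_Ehdr *)file;
    if (file_size < sizeof *h || h->e_shstrndx == 0) return 0;
    return section_at(file, file_size, h->e_shstrndx) != NULL;
}
/* Constructed image (not the attached testcase) carrying the report's header
 * fields: 5 section headers at offset 8760 and e_shstrndx = 28. */
#define IMG_SIZE (8760 + 5 * 64)
static union { uint64_t align; unsigned char bytes[IMG_SIZE]; } image;
const unsigned char *build_image(void) {
    Elf64_Ehdr h = {{0x7f, 'E', 'L', 'F', 2, 1, 1}, 2, 62, 1, 0x401130, 64,
                    8760, 0, 64, 56, 9, 64, 5, 28};
    memset(image.bytes, 0, IMG_SIZE);
    memcpy(image.bytes, &h, sizeof h);
    return image.bytes;
}
```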
