[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/20794] New: Heap buffer overflow in readelf
From: |
joseph.bisch at gmail dot com |
Subject: |
[Bug binutils/20794] New: Heap buffer overflow in readelf |
Date: |
Tue, 08 Nov 2016 13:01:57 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=20794
Bug ID: 20794
Summary: Heap buffer overflow in readelf
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: joseph.bisch at gmail dot com
Target Milestone: ---
Created attachment 9614
--> https://sourceware.org/bugzilla/attachment.cgi?id=9614&action=edit
testcase that causes crash
While fuzzing with afl, I encountered a heap buffer overflow in readelf
compiled with ASan. The git commit is ec7b600bf1410f6bda239666fac258a605dc3f43.
To reproduce, compile binutils with ASan and run:
/path/to/readelf -a /path/to/testcase
Here is the ASan output (which I am also attaching):
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x401130
Start of program headers: 64 (bytes into file)
Start of section headers: 8760 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 5
Section header string table index: 28 <corrupt: out of range>
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] <no-name> NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] <no-name> PROGBITS 0000000000400238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] <no-name> NOTE 0000000000400254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] <no-name> NOTE 0000000000400274 00000274
0000000000000024 0000000000000000 A 0 0 4
=================================================================
==20759==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61400000fdd4 at pc 0x00000052b599 bp 0x7fff0a292970 sp 0x7fff0a292968
READ of size 4 at 0x61400000fdd4 thread T0
#0 0x52b598 in process_section_headers
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:5982:46
#1 0x52b598 in process_object
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:16684
#2 0x502c69 in process_file
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:17087:13
#3 0x502c69 in main
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:17158
#4 0x7f7754f2b290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#5 0x419089 in _start
(/home/joseph/binutils/binutils-gdb/binutils/readelf+0x419089)
0x61400000fdd4 is located 4 bytes to the right of 400-byte region
[0x61400000fc40,0x61400000fdd0)
allocated by thread T0 here:
#0 0x4c8998 in __interceptor_malloc
(/home/joseph/binutils/binutils-gdb/binutils/readelf+0x4c8998)
#1 0x5b78fa in xmalloc
/home/joseph/binutils/binutils-gdb/libiberty/./xmalloc.c:148:12
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/joseph/binutils/binutils-gdb/binutils/readelf.c:5982:46 in
process_section_headers
Shadow bytes around the buggy address:
0x0c287fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff9f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9fb0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20759==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/20794] New: Heap buffer overflow in readelf,
joseph.bisch at gmail dot com <=