[Bug binutils/24243] New: readelf: heap buffer overflow in process_mips_specific


From: spinpx at gmail dot com
Subject: [Bug binutils/24243] New: readelf: heap buffer overflow in process_mips_specific
Date: Wed, 20 Feb 2019 08:12:12 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24243

            Bug ID: 24243
           Summary: readelf: heap buffer overflow in process_mips_specific
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: spinpx at gmail dot com
  Target Milestone: ---

Created attachment 11623
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11623&action=edit
Heap buffer overflow input

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: readelf -a input_file

- asan_report:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 2d 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           MIPS R3000
  Version:                           0x1
  Entry point address:               0x70000029
  Start of program headers:          52 (bytes into file)
  Start of section headers:          164 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 3
readelf: Warning: Section 1 has an out of range sh_link value of 127

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00001000 000000 000000 00      0   0  0
  [ 1] .text             MIPS_OPTIONS    08048074 000074 000001 00  AX 127   0  4
readelf: Warning: section 1: sh_link value of 127 is larger than the number of sections
  [ 2] .data             LOUSER+0x5dff00 08000000 000080 00000d 00 WADop  0 57087  4
  [ 3] .shstrtab         STRTAB          00000000 00008c 000017 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  DYNAMIC        0x000000 0x08048000 0x08048000 0x00090 0x00080 R E 0x1000
readelf: Error: no .dynamic section in the dynamic segment
  LOAD           0x17000080 0x08049080 0x08049080 0x0000c 0x0000c RW  0x1000

 Section to Segment mapping:
  Segment Sections...
   00     .text 
   01     
  Tag        Type                         Name/Value
 0x464c457f (<unknown>: 464c457f)        0x10101
 0x00002d00 (<unknown>: 2d00)            0x0
 0x00080002 (<unknown>: 80002)           0x1
 0x70000029 (MIPS_OPTIONS)               0x34
 0x000000a4 (<unknown>: a4)              0x0
 0x00200034 (<unknown>: 200034)          0x280002
 0x00030004 (<unknown>: 30004)           0x2
 0x00000000 (NULL)                       0x8048000

There are no relocations in this file.

The decoding of unwind sections for machine type MIPS R3000 is not currently supported.

No version information found in this file.
readelf: Warning: Virtual address 0x34 not located in any PT_LOAD segment.
=================================================================
==395575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x00000057a23d bp 0x7fff14a78db0 sp 0x7fff14a78da8
WRITE of size 1 at 0x6020000000f1 thread T0
    #0 0x57a23c in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21
    #1 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #2 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #3 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #4 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #5 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41d4b9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/readelf+0x41d4b9)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c41ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x5eacf7 in xmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x5890e9 in cmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/dwarf.c:9576:10
    #3 0x57a01a in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16194:15
    #4 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #5 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #6 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #7 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #8 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21 in process_mips_specific
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa 02 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==395575==ABORTING
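The trace above pairs a 1-byte heap region, allocated while handling a MIPS_OPTIONS section whose sh_size is 1, with a 1-byte write just past its end. The C program below is an added example, not readelf's code and not the binutils fix for this bug: it walks the records of an options section and stops parsing when fewer bytes remain than one option header occupies, or when a record's own size byte points outside the section, so a 1-byte section like the one in the report is rejected before any record is read or copied. The 8-byte header layout (kind, size, section, info) is the Elf_External_Options layout from binutils' include/elf/mips.h; the section contents used as inputs are constructed for the demonstration.

```c
/* Added example (not binutils' own code): a bounds-checked walk over the
 * records of a MIPS ELF options section (SHT_MIPS_OPTIONS data).  */
#include <stdio.h>
#include <stddef.h>

/* Size of one on-disk option header: kind (1) + size (1) + section (2)
 * + info (4) bytes, as laid out by Elf_External_Options in binutils'
 * include/elf/mips.h.  */
#define MIPS_OPT_HDR_SIZE 8u

/* Walk the records of an options section of sh_size bytes and return the
 * number of records, or -1 if the data cannot be parsed safely:
 *  - fewer than MIPS_OPT_HDR_SIZE bytes remain where a header must start
 *    (the report's input is a 1-byte MIPS_OPTIONS section, which hits this
 *    on the very first record);
 *  - a record's size byte is smaller than the header itself (including 0,
 *    which would otherwise never advance) or larger than the bytes left.
 * The size byte comes from the file, so it is checked against the section
 * length before it is used to move the cursor.  */
int count_mips_options(const unsigned char *sec, size_t sh_size)
{
    size_t off = 0;
    int count = 0;

    while (off < sh_size) {
        if (sh_size - off < MIPS_OPT_HDR_SIZE)
            return -1;              /* not enough bytes for a header */
        unsigned char rec_size = sec[off + 1];
        if (rec_size < MIPS_OPT_HDR_SIZE || rec_size > sh_size - off)
            return -1;              /* record would overrun the section */
        off += rec_size;
        count++;
    }
    return count;
}

/* Constructed sample sections (not taken from the attachment).  */

/* sh_size == 1, as in the reported file: no header fits.  */
const unsigned char sample_one_byte[1] = { 0x01 };

/* Two well-formed records: kind 0, size 8, section 0, info 0 each.  */
const unsigned char sample_two_records[16] = {
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* A record whose size byte is 0: a naive loop would spin forever.  */
const unsigned char sample_zero_size[8] = { 0x00, 0x00, 0, 0, 0, 0, 0, 0 };

/* A record claiming 0x20 bytes inside a 16-byte section.  */
const unsigned char sample_overlong[16] = {
    0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* One valid record followed by 4 stray bytes: the tail is too short.  */
const unsigned char sample_trailing[12] = {
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x08, 0x00, 0x00
};

static void report(const char *label, const unsigned char *sec, size_t n)
{
    int r = count_mips_options(sec, n);
    if (r < 0)
        printf("%-14s rejected (malformed options section)\n", label);
    else
        printf("%-14s %d record(s)\n", label, r);
}

int main(void)
{
    report("one_byte:", sample_one_byte, sizeof sample_one_byte);
    report("two_records:", sample_two_records, sizeof sample_two_records);
    report("zero_size:", sample_zero_size, sizeof sample_zero_size);
    report("overlong:", sample_overlong, sizeof sample_overlong);
    report("trailing:", sample_trailing, sizeof sample_trailing);
    return 0;
}
```

The rule the checks encode is the one a reader of this trace would want in any ELF consumer: sizes that come from the section header or from the record stream are bounds for the data actually present, not a promise that a fixed-size header fits, so each header's full size must be confirmed before the header is read or written into a buffer sized from sh_size.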
