[Bug binutils/24876] New: readelf: heap-buffer-overflow


From: rmirzazadeh at gmail dot com
Subject: [Bug binutils/24876] New: readelf: heap-buffer-overflow
Date: Sun, 04 Aug 2019 23:04:34 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24876

            Bug ID: 24876
           Summary: readelf: heap-buffer-overflow
           Product: binutils
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: rmirzazadeh at gmail dot com
  Target Milestone: ---

Created attachment 11934
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11934&action=edit
readelf heapoverflow poc

A heap overflow was discovered in readelf. The PoC file is attached. Here is the
report of AddressSanitizer:

==20361==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000441 at pc 0x00000060be3d bp 0x7ffd33ef0440 sp 0x7ffd33ef0438
READ of size 1 at 0x612000000441 thread T0
    #0 0x60be3c in byte_get_little_endian binutils-gdb/binutils/elfcomm.c:211:22
    #1 0x5882d4 in dump_ia64_unwind binutils-gdb/binutils/readelf.c:7586:15
    #2 0x57b1cb in ia64_process_unwind binutils-gdb/binutils/readelf.c:7902:6
    #3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
    #4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
    #5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
    #6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
    #7 0x7f484eeed82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a7b8 in _start (binutils-gdb/binutils/readelf+0x41a7b8)

0x612000000441 is located 0 bytes to the right of 257-byte region [0x612000000340,0x612000000441)
allocated by thread T0 here:
    #0 0x4de9e8 in __interceptor_malloc (binutils-gdb/binutils/readelf+0x4de9e8)
    #1 0x516f34 in get_data binutils-gdb/binutils/readelf.c:435:9
    #2 0x57ae1c in ia64_process_unwind binutils-gdb/binutils/readelf.c:7884:33
    #3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
    #4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
    #5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
    #6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
    #7 0x7f484eeed82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow binutils-gdb/binutils/elfcomm.c:211:22 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff8050: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8080: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20361==ABORTING
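The report above is a one-byte READ at offset 257 of a 257-byte region handed out by get_data(): the unwind-table walker kept decoding fields after fewer bytes remained than the field it was about to fetch, and byte_get_little_endian itself has no way to know where the allocation ends. The following is an added example, not binutils' own code and not a reproduction of the attached PoC. It shows a hypothetical table walker with the same shape: `le_read_unchecked` is a caller-trusting little-endian fetch, `walk_entries_unchecked` shows why a `p < end` loop condition only proves that one byte remains, and `le_read_checked`/`walk_entries_checked` refuse any field that does not fit before `end`. All function names, the 8-byte entry layout and the sample buffers are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Little-endian fetch that trusts its caller (hypothetical stand-in for a
 * byte_get-style helper): it cannot see the allocation boundary, so the
 * bounds check has to happen before it is called. */
static uint64_t le_read_unchecked(const unsigned char *field, size_t size)
{
    uint64_t v = 0;
    for (size_t i = 0; i < size; i++)
        v |= (uint64_t)field[i] << (8 * i);
    return v;
}

/* Hardened fetch: succeeds only if `size` bytes lie between `field` and `end`. */
static int le_read_checked(const unsigned char *field, const unsigned char *end,
                           size_t size, uint64_t *out)
{
    if (field > end || (size_t)(end - field) < size)
        return 0;                         /* would read past the allocation */
    *out = le_read_unchecked(field, size);
    return 1;
}

/* Constructed entry layout for the illustration: 4-byte start, 4-byte flags. */
#define ENTRY_SIZE 8

/* Buggy pattern: `p < end` proves that one byte remains, but the body decodes
 * a whole field. With a 257-byte buffer (32 * 8 + 1) the loop is entered with
 * p == buf + 256 and the fetch touches buf[257], the first byte past the
 * region: a 1-byte READ "0 bytes to the right" of it, as in the ASan report.
 * Only call this on buffers that hold a whole number of entries. */
long walk_entries_unchecked(const unsigned char *buf, size_t len)
{
    const unsigned char *end = buf + len;
    long total = 0;
    for (const unsigned char *p = buf; p < end; p += ENTRY_SIZE)
        total += (long)le_read_unchecked(p, 4);   /* start field */
    return total;
}

/* Hardened walk: each field is checked against `end` before it is decoded, and
 * a partial trailing entry fails the whole walk with -1 instead of overreading. */
long walk_entries_checked(const unsigned char *buf, size_t len)
{
    const unsigned char *end = buf + len;
    long total = 0;
    for (const unsigned char *p = buf; p < end; p += ENTRY_SIZE) {
        uint64_t start = 0, flags = 0;
        /* Short-circuit: p + 4 is only formed once the first 4 bytes are known to fit. */
        if (!le_read_checked(p, end, 4, &start) ||
            !le_read_checked(p + 4, end, 4, &flags))
            return -1;                    /* truncated entry: refuse, do not overread */
        (void)flags;                      /* decoded but unused in this illustration */
        total += (long)start;
    }
    return total;
}

/* Constructed sample table: n entries with start = index and flags = 0,
 * followed by `extra` stray bytes. n = 32, extra = 1 gives the 257-byte
 * shape from the report. Caller frees the buffer. */
static unsigned char *make_table(size_t n_entries, size_t extra, size_t *len_out)
{
    size_t len = n_entries * ENTRY_SIZE + extra;
    unsigned char *buf = calloc(len ? len : 1, 1);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < n_entries; i++) {
        buf[i * ENTRY_SIZE]     = (unsigned char)(i & 0xff);
        buf[i * ENTRY_SIZE + 1] = (unsigned char)((i >> 8) & 0xff);
    }
    *len_out = len;
    return buf;
}

/* Checked walk over a constructed table; -2 only on allocation failure. */
long run_checked_demo(size_t n_entries, size_t extra)
{
    size_t len;
    unsigned char *buf = make_table(n_entries, extra, &len);
    if (!buf)
        return -2;
    long r = walk_entries_checked(buf, len);
    free(buf);
    return r;
}

/* Unchecked walk, deliberately restricted to a buffer of whole entries. */
long run_unchecked_demo(size_t n_entries)
{
    size_t len;
    unsigned char *buf = make_table(n_entries, 0, &len);
    if (!buf)
        return -2;
    long r = walk_entries_unchecked(buf, len);
    free(buf);
    return r;
}

int main(void)
{
    printf("checked,   32 whole entries:  %ld\n", run_checked_demo(32, 0)); /* 496 */
    printf("checked,   32 entries + 1:    %ld\n", run_checked_demo(32, 1)); /* -1 */
    printf("unchecked, 32 whole entries:  %ld\n", run_unchecked_demo(32));  /* 496 */
    return 0;
}
```

The sum of the start fields 0..31 is 496 for both walkers on a well-formed table; the checked walker returns -1 on the 257-byte buffer exactly where the unchecked one would touch buf[257]. The general fix is the same whatever the real field layout: the remaining length, not a bare `p < end`, decides whether the next fetch is legal.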