bug-binutils

[Bug binutils/24910] New: buffer overflow in byte_get_little_endian


From: featherrain26 at gmail dot com
Subject: [Bug binutils/24910] New: buffer overflow in byte_get_little_endian
Date: Fri, 16 Aug 2019 07:35:58 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24910

            Bug ID: 24910
           Summary: buffer overflow in byte_get_little_endian
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: featherrain26 at gmail dot com
  Target Milestone: ---

Created attachment 11950
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11950&action=edit
PoC input

Hi, there.

There is a different heap-buffer-overflow in byte_get_little_endian in
elfcomm.c.

The environment and compile flags are:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial
gcc: 5.4.0

CFLAG="-g -O0 -m32 -fsanitize=address,leak,undefined" 

The reproduce command is:
readelf -agteSdcWw --dyn-syms -D poc

This is the trace reported by ASAN:
==32599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4c00d74 at pc 0x0819a687 bp 0xffff7cb8 sp 0xffff7ca8
READ of size 4 at 0xf4c00d74 thread T0
    #0 0x819a686 in byte_get_little_endian /mnt/data/playground/binutils-2.32-a/binutils/elfcomm.c:151
    #1 0x8085112 in print_stapsdt_note /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:17864
    #2 0x8085112 in process_note /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:18576
    #3 0x8085112 in process_notes_at /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:18762
    #4 0x80f515e in process_notes_at /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:18898
    #5 0x80f515e in process_note_sections /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:18897
    #6 0x80f515e in process_notes /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:18933
    #7 0x80f515e in process_object /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19296
    #8 0x804ba13 in process_file /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19708
    #9 0x804ba13 in main /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19767
    #10 0xf6fc1636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #11 0x804c6eb (/mnt/data/playground/binutils-2.32-a/binutils/readelf+0x804c6eb)

0xf4c00d75 is located 0 bytes to the right of 37-byte region [0xf4c00d50,0xf4c00d75)
allocated by thread T0 here:
    #0 0xf71f5dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x806f66e in get_data /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:426
    #2 0x806f66e in get_section_contents /mnt/data/playground/binutils-2.32-a/binutils/readelf.c:13350
    #3 0x823bdbf (/mnt/data/playground/binutils-2.32-a/binutils/readelf+0x823bdbf)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/binutils-2.32-a/binutils/elfcomm.c:151 byte_get_little_endian
Shadow bytes around the buggy address:
==32599==ABORTING

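The report shows the crash but not the parser, so the following is an added illustration rather than binutils code: a hypothetical bounds-checked little-endian reader and .note.stapsdt descriptor parser (get_le, get_cstr, parse_stapsdt, demo and the sample bytes are all constructed here) that rejects a truncated descriptor instead of reading the 4 bytes past the 37-byte allocation that the ASAN trace reports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounds-checked little-endian reader: a read that would cross
   'end' is refused instead of running past the allocation. */
static bool get_le(const unsigned char **p, const unsigned char *end,
                   size_t size, uint64_t *out) {
    if (size == 0 || size > 8 || (size_t)(end - *p) < size) return false;
    *out = 0;
    for (size_t i = 0; i < size; i++) *out |= (uint64_t)(*p)[i] << (8 * i);
    *p += size;
    return true;
}
/* Consume a NUL-terminated string whose terminator must lie inside the buffer. */
static bool get_cstr(const unsigned char **p, const unsigned char *end,
                     const char **out) {
    const unsigned char *nul = memchr(*p, 0, (size_t)(end - *p));
    if (nul == NULL) return false;
    *out = (const char *)*p;
    *p = nul + 1;
    return true;
}
/* addr: pc, base, semaphore; str: provider, probe name, argument string. */
struct sdt_note { uint64_t addr[3]; const char *str[3]; };

/* Parse one .note.stapsdt descriptor: three addresses of addr_size bytes, then
   three NUL-terminated strings. Returns 0 on success, -1 if it is truncated. */
int parse_stapsdt(const unsigned char *data, size_t len, size_t addr_size,
                  struct sdt_note *n) {
    const unsigned char *p = data, *end = data + len;
    for (int i = 0; i < 3; i++)
        if (!get_le(&p, end, addr_size, &n->addr[i])) return -1;
    for (int i = 0; i < 3; i++)
        if (!get_cstr(&p, end, &n->str[i])) return -1;
    return 0;
}
/* Constructed 32-bit descriptor (18 bytes): cut to 10 bytes it loses the third
   address; cut to 17 bytes the argument string has no terminating NUL. */
static const unsigned char sample[] = { 0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0,
                                        0, 0, 0, 0, 'p', 0, 'n', 0, 'a', 0 };
/* 1 when the full sample parses and both truncated forms are rejected. */
int demo(void) {
    struct sdt_note n;
    return parse_stapsdt(sample, sizeof sample, 4, &n) == 0 && n.addr[0] == 0x12345678
        && strcmp(n.str[1], "n") == 0 && parse_stapsdt(sample, 10, 4, &n) == -1
        && parse_stapsdt(sample, 17, 4, &n) == -1;
}
```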

