[Bug binutils/29732] New: A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)


From: 15664243668 at 163 dot com
Subject: [Bug binutils/29732] New: A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)
Date: Sun, 30 Oct 2022 12:19:29 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29732

            Bug ID: 29732
           Summary: A heap buffer overflow was found in
                    find_section_in_set() of binutils-2.39 (commit
                    49c843e6)
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 15664243668 at 163 dot com
  Target Milestone: ---

Created attachment 14421
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14421&action=edit
readelf poc file

Hi

There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6).

The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when
parsing the debug sections of a malformed ELF file.

The bug is in the code that stashes pool section entries.  With random,
nonsensical values in the index entries (rather than each index pointing to its
own set, distinct from the other sets), the same set is stashed repeatedly and
the allocated space overflows, losing the NULL terminator.  Without a
terminator, find_section_in_set can run off the end of the shndx_pool buffer.
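To make the root cause concrete, here is an added example (written for this page, not code from binutils) that models the pattern the report describes: a pool sized from the index section is filled once per index entry, so repeated or nonsensical entries need more slots than were allocated, and a set that never receives its 0 terminator is exactly what an unbounded `while (*set != 0)` walk runs past. Every name here (`shndx_pool`, `stash_sets`, `walk_set`, `slots_needed`, the constructed `sample_section`) is this example's own assumption; the hardened pool reserves a slot for the terminator, refuses to write past its capacity, and the walker is bounded by the written length as well as by the terminator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capacity is deliberately tiny so the duplicate-index case fills it. */
#define POOL_CAPACITY 8

/* Hypothetical model of the section-index pool: sets of section indices
   stored back to back, each set ending with a 0 word.  Names and layout
   are this example's own, not binutils'. */
static unsigned int shndx_pool[POOL_CAPACITY];
static size_t shndx_pool_used;
static bool shndx_pool_out_of_space;

static void pool_reset(void) { shndx_pool_used = 0; shndx_pool_out_of_space = false; }
size_t pool_used(void) { return shndx_pool_used; }
bool pool_is_out_of_space(void) { return shndx_pool_out_of_space; }

/* Append one index, always leaving a slot free for the set terminator. */
static bool pool_append(unsigned int shndx)
{
    if (shndx_pool_used + 1 >= POOL_CAPACITY) { shndx_pool_out_of_space = true; return false; }
    shndx_pool[shndx_pool_used++] = shndx;
    return true;
}

/* Terminate the current set; refuse rather than write past the array. */
static bool pool_end_set(void)
{
    if (shndx_pool_used >= POOL_CAPACITY) { shndx_pool_out_of_space = true; return false; }
    shndx_pool[shndx_pool_used++] = 0;
    return true;
}

/* Slots a per-index-entry stash actually writes.  A pool sized from the
   section length alone underestimates this as soon as entries repeat. */
size_t slots_needed(const unsigned int *index, size_t nindex,
                    const unsigned int *section, size_t section_len)
{
    size_t total = 0;
    for (size_t i = 0; i < nindex; i++) {
        size_t off = index[i];
        if (off >= section_len) continue;
        while (off < section_len && section[off] != 0) { total++; off++; }
        total++;                        /* terminator */
    }
    return total;
}

/* Stash the set each index entry names.  Returns how many entries were
   fully stashed before the pool filled (nindex when it never did). */
size_t stash_sets(const unsigned int *index, size_t nindex,
                  const unsigned int *section, size_t section_len)
{
    for (size_t i = 0; i < nindex; i++) {
        size_t off = index[i];
        if (off >= section_len) continue;   /* offset outside the section: skip */
        while (off < section_len && section[off] != 0) {
            if (!pool_append(section[off])) return i;
            off++;
        }
        if (!pool_end_set()) return i;
    }
    return nindex;
}

/* Walk one stashed set.  Returns the number of usable indices, or -1 when
   the written part of the pool ends before a terminator: the state in which
   an unbounded while (*set != 0) loop would read off the end of the buffer. */
int walk_set(size_t start, unsigned int e_shnum)
{
    int count = 0;
    for (size_t i = start;; i++) {
        if (i >= shndx_pool_used) return -1;
        if (shndx_pool[i] == 0) return count;
        if (shndx_pool[i] < e_shnum) count++;   /* ignore out-of-range section numbers */
    }
}

/* Constructed sample section: two sets, {1, 2} and {3}, five words total. */
static const unsigned int sample_section[] = {1, 2, 0, 3, 0};
#define SAMPLE_LEN (sizeof sample_section / sizeof sample_section[0])

/* Well-formed index: each entry names its own set. */
size_t run_distinct(void)
{
    static const unsigned int index[] = {0, 3};
    pool_reset();
    return stash_sets(index, 2, sample_section, SAMPLE_LEN);
}

/* Malformed index: every entry names the same set, as the report describes. */
size_t run_duplicate(void)
{
    static const unsigned int index[] = {0, 0, 0, 0};
    pool_reset();
    return stash_sets(index, 4, sample_section, SAMPLE_LEN);
}

int main(void)
{
    static const unsigned int dup[] = {0, 0, 0, 0};
    size_t n = run_distinct();          /* sequenced: pool state is read after the call */
    printf("distinct: %zu entries stashed, %zu slots used, out of space=%d\n",
           n, pool_used(), (int)pool_is_out_of_space());
    printf("duplicate index needs %zu slots, section has %zu words\n",
           slots_needed(dup, 4, sample_section, SAMPLE_LEN), (size_t)SAMPLE_LEN);
    n = run_duplicate();
    printf("duplicate: %zu entries stashed, out of space=%d, walk of last set=%d\n",
           n, (int)pool_is_out_of_space(), walk_set(6, 10));
    return 0;
}
```

With the duplicate index the naive stash would need 12 slots for a 5-word section, which is the overflow the report describes; the bounded pool instead stops after two entries, flags the condition, and `walk_set` reports -1 for the unterminated third set rather than reading past the array.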

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```

2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./PoC
```

The AddressSanitizer report is as follows:
```
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
Contents of the .debug_names section:

readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length
0x4c457f
Contents of the .debug_names section:

=================================================================
==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000bd8 at pc 0x0000005143de bp 0x7fffffffd6c0 sp 0x7fffffffd6b8
READ of size 4 at 0x61a000000bd8 thread T0
    #0 0x5143dd in find_section_in_set
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19
    #1 0x5130b6 in load_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9
    #2 0x612472 in load_debug_section_with_follow
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7
    #3 0x606ce0 in display_debug_names
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3
    #4 0x558c9b in display_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18
    #5 0x558c9b in process_section_contents
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354
    #6 0x52ae91 in process_object
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9
    #7 0x517f9e in process_file
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13
    #8 0x517f9e in main
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866
    #9 0x7ffff6e22c86 in __libc_start_main
/build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)

0x61a000000bd8 is located 0 bytes to the right of 1368-byte region
[0x61a000000680,0x61a000000bd8)
allocated by thread T0 here:
    #0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)
    #1 0x74eeed in xrealloc
/binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14

SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in
find_section_in_set
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

Found by SyntaxAFL.

(This bug has been reported via mail list. This report is for tracking this bug
in bugzilla.)
