[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/29799] New: A heap buffer overflow was fould in display_de
|
From: |
15664243668 at 163 dot com |
|
Subject: |
[Bug binutils/29799] New: A heap buffer overflow was fould in display_debug_section in binutils-2.40 (HEAD) |
|
Date: |
Thu, 17 Nov 2022 15:36:25 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=29799
Bug ID: 29799
Summary: A heap buffer overflow was fould in
display_debug_section in binutils-2.40 (HEAD)
Product: binutils
Version: 2.40 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 15664243668 at 163 dot com
Target Milestone: ---
Flags: security?
Created attachment 14460
--> https://sourceware.org/bugzilla/attachment.cgi?id=14460&action=edit
readelf poc file
Hi
There is a heap buffer overflow bug in binutils-2.40 (commit ab11c890).
The bug is triggered in display_debug_section() at binutils/readelf.c:16319
when parsing the debug sections of a malformed ELF file.
To reproduce this bug, use:
1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```
2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./poc2
```
The address sanitizer reports are as follows.
```
===
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e3 at pc
0x5555556ef069 bp 0x7fffffffe040 sp 0x7fffffffe030
READ of size 1 at 0x60e0000000e3 thread T0
#0 0x5555556ef068 in byte_get_little_endian ../../binutils/elfcomm.c:118
#1 0x5555556e88ff in display_gdb_index ../../binutils/dwarf.c:10548
#2 0x55555567410a in display_debug_section ../../binutils/readelf.c:16319
#3 0x555555674606 in process_section_contents
../../binutils/readelf.c:16415
#4 0x55555569169e in process_object ../../binutils/readelf.c:22438
#5 0x555555693930 in process_file ../../binutils/readelf.c:22861
#6 0x555555693d8f in main ../../binutils/readelf.c:22932
#7 0x7ffff6a48c86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#8 0x55555561ba79 in _start
(/home/binutils-gdb/obj-asan/binutils/readelf+0xc7a79)
0x60e0000000e3 is located 10 bytes to the right of 153-byte region
[0x60e000000040,0x60e0000000d9)
allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x555555627377 in get_data ../../binutils/readelf.c:498
#2 0x555555672b0b in load_specific_debug_section
../../binutils/readelf.c:15940
#3 0x5555556740ad in display_debug_section ../../binutils/readelf.c:16313
#4 0x555555674606 in process_section_contents
../../binutils/readelf.c:16415
#5 0x55555569169e in process_object ../../binutils/readelf.c:22438
#6 0x555555693930 in process_file ../../binutils/readelf.c:22861
#7 0x555555693d8f in main ../../binutils/readelf.c:22932
#8 0x7ffff6a48c86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../binutils/elfcomm.c:118 in
byte_get_little_endian
Shadow bytes around the buggy address:
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 01[fa]fa fa fa
0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
```
More detailed causes of this bug is to be analyzed.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/29799] New: A heap buffer overflow was fould in display_debug_section in binutils-2.40 (HEAD),
15664243668 at 163 dot com <=
- [Bug binutils/29799] A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD), address@hidden, 2022/11/17
- [Bug binutils/29799] A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD), amodra at gmail dot com, 2022/11/17
- [Bug binutils/29799] A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD), amodra at gmail dot com, 2022/11/17
- [Bug binutils/29799] A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD), cvs-commit at gcc dot gnu.org, 2022/11/17
- [Bug binutils/29799] A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD), amodra at gmail dot com, 2022/11/17