bug-binutils
[Bug binutils/27845] New: readelf crashes: heap-buffer-overflow


From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/27845] New: readelf crashes: heap-buffer-overflow
Date: Mon, 10 May 2021 21:27:53 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27845

            Bug ID: 27845
           Summary: readelf crashes: heap-buffer-overflow
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13434
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13434&action=edit
poc for `readelf -w`

Hi there,

I crashed readelf (with the flag -w) with a crafted input generated by a
fuzzer.

Reproduce: run with `readelf -w poc`.

The AddressSanitizer outputs are as follows:

==109177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000047f at pc 0x00000054607c bp 0x7ffe20b9a510 sp 0x7ffe20b9a508
READ of size 1 at 0x61800000047f thread T0
    #0 0x54607b in read_leb128 /data/clean/binutils-gdb/binutils/dwarf.c:353:28
    #1 0x54607b in process_abbrev_set /data/clean/binutils-gdb/binutils/dwarf.c:1073:7
    #2 0x526563 in process_debug_info /data/clean/binutils-gdb/binutils/dwarf.c:3682:11
    #3 0x535662 in display_debug_info /data/clean/binutils-gdb/binutils/dwarf.c:7264:10
    #4 0x4ee444 in display_debug_section /data/clean/binutils-gdb/binutils/readelf.c:15549:18
    #5 0x4ee444 in process_section_contents /data/clean/binutils-gdb/binutils/readelf.c:15644:10
    #6 0x4d4a4a in process_object /data/clean/binutils-gdb/binutils/readelf.c:21378:9
    #7 0x4cb537 in process_file /data/clean/binutils-gdb/binutils/readelf.c:21800:13
    #8 0x4cb537 in main /data/clean/binutils-gdb/binutils/readelf.c:21871:11
    #9 0x7fd369f3c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41c46d in _start (/data/clean/binutils-gdb/binutils/readelf+0x41c46d)

0x61800000047f is located 1 bytes to the left of 815-byte region [0x618000000480,0x6180000007af)
allocated by thread T0 here:
    #0 0x4976cd in malloc (/data/clean/binutils-gdb/binutils/readelf+0x4976cd)
    #1 0x4c9482 in get_data /data/clean/binutils-gdb/binutils/readelf.c:481:14
    #2 0x4c98ff in load_specific_debug_section /data/clean/binutils-gdb/binutils/readelf.c:15181:38
    #3 0x5247b8 in load_separate_debug_files /data/clean/binutils-gdb/binutils/dwarf.c:11473:10
    #4 0x4cb537 in process_file /data/clean/binutils-gdb/binutils/readelf.c:21800:13
    #5 0x4cb537 in main /data/clean/binutils-gdb/binutils/readelf.c:21871:11
    #6 0x7fd369f3c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/clean/binutils-gdb/binutils/dwarf.c:353:28 in read_leb128
Shadow bytes around the buggy address:
  0x0c307fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8070: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x0c307fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c307fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==109177==ABORTING

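Editor's note on the trace above: the faulting read is one byte before the start of the 815-byte buffer that get_data allocated for the section, so the cursor handed to read_leb128 was already out of range when the decoder dereferenced it. The report does not say how the cursor got there, and nothing below reconstructs binutils' code or its eventual fix. As an added example, here is a bounds-checked unsigned LEB128 reader in C that takes the buffer length and a signed offset and refuses to touch memory outside [0, len), together with constructed sample bytes (not taken from the attached poc) exercising the valid, truncated, underflow and overlong cases. Function names, the sample arrays and the 10-byte limit are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one unsigned LEB128 value from buf[0..len) starting at *offset.
   The offset is signed on purpose: an offset derived from untrusted
   header fields can go negative, which is exactly the "1 bytes to the
   left of the region" read in the ASan report.  On success the value is
   stored and *offset advanced; on any failure false is returned and
   *offset is left unchanged so the caller can report where it stopped.
   (Illustrative code, not binutils' read_leb128.) */
static bool read_uleb128_checked(const unsigned char *buf, size_t len,
                                 int64_t *offset, uint64_t *value)
{
    int64_t pos = *offset;
    uint64_t result = 0;
    unsigned shift = 0;

    /* Reject a cursor before the buffer or at/after its end before
       dereferencing anything. */
    if (pos < 0 || (uint64_t)pos >= len)
        return false;

    for (;;) {
        unsigned char byte;
        if ((uint64_t)pos >= len)   /* continuation bit set at buffer end */
            return false;
        if (shift >= 64)            /* more than 10 bytes: malformed */
            return false;
        byte = buf[pos++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }
    *offset = pos;
    *value = result;
    return true;
}

/* Constructed sample input: two valid values followed by a truncated one. */
static const unsigned char sample[] = {
    0x01,               /* 1 */
    0xE5, 0x8E, 0x26,   /* 624485 */
    0x80                /* continuation bit set, nothing follows */
};

/* Constructed: ten continuation bytes plus a terminator, which is more
   than a 64-bit value can hold. */
static const unsigned char overlong[] = {
    0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01
};

/* Walk the sample and return how many expected outcomes held; 4 means
   every check passed. */
static int run_checks(void)
{
    int64_t off = 0;
    uint64_t v = 0;
    int passed = 0;

    if (read_uleb128_checked(sample, sizeof sample, &off, &v) && v == 1 && off == 1)
        passed++;
    if (read_uleb128_checked(sample, sizeof sample, &off, &v) && v == 624485 && off == 4)
        passed++;
    /* truncated value: must fail and leave the offset at 4 */
    if (!read_uleb128_checked(sample, sizeof sample, &off, &v) && off == 4)
        passed++;
    /* the ASan case: cursor one byte before the allocation */
    off = -1;
    if (!read_uleb128_checked(sample, sizeof sample, &off, &v) && off == -1)
        passed++;
    return passed;
}

/* True if the overlong encoding is rejected with the offset untouched. */
static bool overlong_rejected(void)
{
    int64_t off = 0;
    uint64_t v = 0;
    return !read_uleb128_checked(overlong, sizeof overlong, &off, &v) && off == 0;
}

int main(void)
{
    printf("%d/4 checks passed, overlong rejected: %s\n",
           run_checks(), overlong_rejected() ? "yes" : "no");
    return 0;
}
```

The design point is that the range check happens on the offset before any byte is read, and that the caller supplies the length of the allocation rather than trusting a pointer computed from the file; with a bare pointer there is no way to tell, inside the decoder, that it already sits one byte left of the buffer.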