[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/27849] New: heap-buffer-overflow on `readelf -w`
From: |
shaohua.li at inf dot ethz.ch |
Subject: |
[Bug binutils/27849] New: heap-buffer-overflow on `readelf -w` |
Date: |
Tue, 11 May 2021 12:06:37 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=27849
Bug ID: 27849
Summary: heap-buffer-overflow on `readelf -w`
Product: binutils
Version: 2.37 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---
Created attachment 13437
--> https://sourceware.org/bugzilla/attachment.cgi?id=13437&action=edit
poc
Hi there,
When I built the latest head with -fsanitize=address, I found a
heap-buffer-overflow with a crafted input. However, without the sanitizer, the
issue wouldn't be there. Not sure if this is a real heap-buffer-overflow or
just AddressSanitizer's issue.
Compiler: clang12
Reproduce: `readelf -w poc`
AddressSanitizer output:
==47596==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000bcb at pc 0x000000562045 bp 0x7ffd9de9fdc0 sp 0x7ffd9de9fdb8
READ of size 1 at 0x61a000000bcb thread T0
#0 0x562044 in byte_get_little_endian
/data/clean/binutils-gdb-asan/binutils/elfcomm.c:121:26
#1 0x54bd9e in fetch_indexed_string
/data/clean/binutils-gdb-asan/binutils/dwarf.c:810:16
#2 0x537229 in display_debug_macro
/data/clean/binutils-gdb-asan/binutils/dwarf.c:6267:3
#3 0x4ee444 in display_debug_section
/data/clean/binutils-gdb-asan/binutils/readelf.c:15549:18
#4 0x4ee444 in process_section_contents
/data/clean/binutils-gdb-asan/binutils/readelf.c:15644:10
#5 0x4d4a4a in process_object
/data/clean/binutils-gdb-asan/binutils/readelf.c:21378:9
#6 0x4cb537 in process_file
/data/clean/binutils-gdb-asan/binutils/readelf.c:21800:13
#7 0x4cb537 in main
/data/clean/binutils-gdb-asan/binutils/readelf.c:21871:11
#8 0x7fc3a673b0b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x41c46d in _start
(/data/clean/binutils-gdb-asan/binutils/readelf+0x41c46d)
0x61a000000bcb is located 0 bytes to the right of 1355-byte region
[0x61a000000680,0x61a000000bcb)
allocated by thread T0 here:
#0 0x4976cd in malloc
(/data/clean/binutils-gdb-asan/binutils/readelf+0x4976cd)
#1 0x4c9482 in get_data
/data/clean/binutils-gdb-asan/binutils/readelf.c:481:14
#2 0x4c98ff in load_specific_debug_section
/data/clean/binutils-gdb-asan/binutils/readelf.c:15181:38
#3 0x5259c5 in load_debug_section_with_follow
/data/clean/binutils-gdb-asan/binutils/dwarf.c:3451:7
#4 0x5259c5 in process_debug_info
/data/clean/binutils-gdb-asan/binutils/dwarf.c:3605:7
#5 0x535552 in display_debug_info
/data/clean/binutils-gdb-asan/binutils/dwarf.c:7268:10
#6 0x4d4a4a in process_object
/data/clean/binutils-gdb-asan/binutils/readelf.c:21378:9
#7 0x4cb537 in process_file
/data/clean/binutils-gdb-asan/binutils/readelf.c:21800:13
#8 0x4cb537 in main
/data/clean/binutils-gdb-asan/binutils/readelf.c:21871:11
#9 0x7fc3a673b0b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow
/data/clean/binutils-gdb-asan/binutils/elfcomm.c:121:26 in
byte_get_little_endian
Shadow bytes around the buggy address:
0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa fa
0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==47596==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/27849] New: heap-buffer-overflow on `readelf -w`,
shaohua.li at inf dot ethz.ch <=