bug-binutils

[Bug binutils/27849] New: heap-buffer-overflow on `readelf -w`


From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/27849] New: heap-buffer-overflow on `readelf -w`
Date: Tue, 11 May 2021 12:06:37 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27849

            Bug ID: 27849
           Summary: heap-buffer-overflow on `readelf -w`
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13437
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13437&action=edit
poc

Hi there,

When I built the latest head with -fsanitize=address, I found a
heap-buffer-overflow with a crafted input. However, without the sanitizer, the
issue wouldn't be there. Not sure if this is a real heap-buffer-overflow or
just AddressSanitizer's issue.

Compiler: clang12

Reproduce: `readelf -w poc`

AddressSanitizer output:

==47596==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000bcb at pc 0x000000562045 bp 0x7ffd9de9fdc0 sp 0x7ffd9de9fdb8
READ of size 1 at 0x61a000000bcb thread T0
    #0 0x562044 in byte_get_little_endian
/data/clean/binutils-gdb-asan/binutils/elfcomm.c:121:26
    #1 0x54bd9e in fetch_indexed_string
/data/clean/binutils-gdb-asan/binutils/dwarf.c:810:16
    #2 0x537229 in display_debug_macro
/data/clean/binutils-gdb-asan/binutils/dwarf.c:6267:3
    #3 0x4ee444 in display_debug_section
/data/clean/binutils-gdb-asan/binutils/readelf.c:15549:18
    #4 0x4ee444 in process_section_contents
/data/clean/binutils-gdb-asan/binutils/readelf.c:15644:10
    #5 0x4d4a4a in process_object
/data/clean/binutils-gdb-asan/binutils/readelf.c:21378:9
    #6 0x4cb537 in process_file
/data/clean/binutils-gdb-asan/binutils/readelf.c:21800:13
    #7 0x4cb537 in main
/data/clean/binutils-gdb-asan/binutils/readelf.c:21871:11
    #8 0x7fc3a673b0b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c46d in _start
(/data/clean/binutils-gdb-asan/binutils/readelf+0x41c46d)

0x61a000000bcb is located 0 bytes to the right of 1355-byte region
[0x61a000000680,0x61a000000bcb)
allocated by thread T0 here:
    #0 0x4976cd in malloc
(/data/clean/binutils-gdb-asan/binutils/readelf+0x4976cd)
    #1 0x4c9482 in get_data
/data/clean/binutils-gdb-asan/binutils/readelf.c:481:14
    #2 0x4c98ff in load_specific_debug_section
/data/clean/binutils-gdb-asan/binutils/readelf.c:15181:38
    #3 0x5259c5 in load_debug_section_with_follow
/data/clean/binutils-gdb-asan/binutils/dwarf.c:3451:7
    #4 0x5259c5 in process_debug_info
/data/clean/binutils-gdb-asan/binutils/dwarf.c:3605:7
    #5 0x535552 in display_debug_info
/data/clean/binutils-gdb-asan/binutils/dwarf.c:7268:10
    #6 0x4d4a4a in process_object
/data/clean/binutils-gdb-asan/binutils/readelf.c:21378:9
    #7 0x4cb537 in process_file
/data/clean/binutils-gdb-asan/binutils/readelf.c:21800:13
    #8 0x4cb537 in main
/data/clean/binutils-gdb-asan/binutils/readelf.c:21871:11
    #9 0x7fc3a673b0b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/data/clean/binutils-gdb-asan/binutils/elfcomm.c:121:26 in
byte_get_little_endian
==47596==ABORTING
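An added example, not code from binutils or from the reporter: the trace above shows fetch_indexed_string handing byte_get_little_endian an address exactly at the end of a 1355-byte heap region, a 1-byte over-read that only the sanitizer's redzone makes visible. The sketch below models a section buffer the way readelf's get_data() returns one (data plus size) and shows the checked reader a practitioner would want: every table index and string offset is validated against the section size before any byte is touched, and an unterminated string is rejected too. All names (struct section, read_le_checked, fetch_indexed_string_checked) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A loaded section as readelf's get_data() returns it: bytes plus size. */
struct section { const unsigned char *start; size_t size; };

/* Unchecked little-endian read.  Like byte_get_little_endian() it trusts
   the caller to have ensured that [p, p+n) lies inside the buffer. */
static uint64_t read_le (const unsigned char *p, unsigned n)
{
  uint64_t v = 0;
  for (unsigned i = 0; i < n; i++)
    v |= (uint64_t) p[i] << (8 * i);
  return v;
}

/* Checked read: refuses unless [off, off+n) lies inside the section.
   "n > size - off" is used instead of "off + n > size" so a huge off
   cannot wrap the addition and slip past the test. */
static bool read_le_checked (const struct section *s, size_t off,
                             unsigned n, uint64_t *out)
{
  if (n == 0 || n > 8 || off > s->size || n > s->size - off)
    return false;
  *out = read_le (s->start + off, n);
  return true;
}

/* Look up entry idx of an offsets table, then the string it points at,
   validating each step; the string must be NUL-terminated inside the
   section so that a later strlen()/printf() cannot run off the end. */
static const char *fetch_indexed_string_checked (const struct section *offsets,
                                                 const struct section *strings,
                                                 size_t idx, unsigned offset_size)
{
  uint64_t str_off;
  if (offset_size == 0 || idx > SIZE_MAX / offset_size)   /* idx * size overflow */
    return NULL;
  if (!read_le_checked (offsets, idx * offset_size, offset_size, &str_off))
    return NULL;                                           /* entry past table end */
  if (str_off >= strings->size
      || !memchr (strings->start + str_off, '\0', strings->size - str_off))
    return NULL;                                           /* bad or unterminated */
  return (const char *) strings->start + str_off;
}
```

With the report's geometry (a 1355-byte region) read_le_checked refuses a 1-byte read at offset 1355 and allows one at 1354, which is the boundary ASan flagged.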
