* [Bug tools/22865] New: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
From: ks8171235 at naver dot com @ 2018-02-20 9:04 UTC
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22865
Bug ID: 22865
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 10839
--> https://sourceware.org/bugzilla/attachment.cgi?id=10839&action=edit
poc binary file
We can trigger an arbitrary write in the default_syscall_abi function. This is
reproducible in elfutils 0.170. I attached a PoC binary, so you can reproduce it
with the following command:
$ ./objdump -d [poc_binary]
gdb stack trace:
===========================================================================
RAX: 0x7ffff7bd7780 (<default_elf_getsym>: mov rax,QWORD PTR [r9])
RBX: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0xaaaaaaaa
RDX: 0x7ffff7ff657d --> 0x20001000000
RSI: 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffffffe048 --> 0x7ffff7bd79d4 (<disasm_cb+516>: mov rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (<default_syscall_abi>: mov DWORD PTR [rcx],0xffffffff)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (<disasm_output>: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x7ffff79cb080 (<gelf_getsymshndx>: sub rsp,0x8)
R12: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x7ffff7ff7168 --> 0x0
R14: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x403810 <default_return_value_location>:    mov eax,0xfffffffe
   0x403815 <default_return_value_location+5>:  ret
   0x403816:                                    nop WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 <default_syscall_abi>:              mov DWORD PTR [rcx],0xffffffff
   0x403826 <default_syscall_abi+6>:            mov eax,0xffffffff
   0x40382b <default_syscall_abi+11>:           mov DWORD PTR [rdx],0xffffffff
   0x403831 <default_syscall_abi+17>:           mov DWORD PTR [rsi],0xffffffff
   0x403837 <default_syscall_abi+23>:           mov DWORD PTR [r8],0xffffffff
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe048 --> 0x7ffff7bd79d4 (<disasm_cb+516>: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffffffe050 --> 0x7ffff7bd7780 (<default_elf_getsym>: mov rax,QWORD PTR [r9])
0016| 0x7fffffffe058 --> 0x7fffffffe240 --> 0xaaaaaaaa
0024| 0x7fffffffe060 --> 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffffffe068 ("%%%%%%%%H\342\377\377\377\177")
0040| 0x7fffffffe070 --> 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
0048| 0x7fffffffe078 --> 0x7ffff7ff657d --> 0x20001000000
0056| 0x7fffffffe080 --> 0xaaaaaaaa
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
724	  *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
#1  0x00007ffff7bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x0000000000402bc0 in show_disasm (shstrndx=<optimized out>, fname=<optimized out>, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffffffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x00000000004032e3 in process_file (fname=0x7fffffffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x0000000000401c07 in main (argc=0x3, argv=0x7fffffffe448) at objdump.c:165
#6  0x00007ffff7415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x0000000000401c5e in _start ()
===========================================================================
Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
From: mark at klomp dot org @ 2018-02-26 22:35 UTC
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22865
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
*** Bug 22864 has been marked as a duplicate of this bug. ***
* [Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
From: mark at klomp dot org @ 2018-02-26 23:03 UTC
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22865
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Could you give a bit more information on how you build and run eu-objdump?
I am unable to replicate your results with the given poc.
It simply works as intended:
$ eu-objdump -d ./b
./b: elf64-elf_x86_64
Disassembly of section .fini:
aaaaaaaa: 48 83 ec 08 sub $0x8,%rsp
aaaaaaae: 48 83 c4 08 add $0x8,%rsp
aaaaaab2: c3 retq
Also, it is somewhat surprising that it crashes for you inside default_syscall_abi (),
because that doesn't seem to be called, which indicates the error is somewhere
else.
* [Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
From: mark at klomp dot org @ 2018-02-26 23:07 UTC
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22865
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
*** Bug 22863 has been marked as a duplicate of this bug. ***
* [Bug tools/22865] [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
From: mark at klomp dot org @ 2018-03-05 13:32 UTC
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22865
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
Without a way to replicate this issue it is impossible to resolve or know what
the real issue is. Please reopen if you are still able to reproduce it.