From: "ks8171235 at naver dot com"
To: elfutils-devel@sourceware.org
Subject: [Bug tools/22865] New: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Date: Tue, 20 Feb 2018 09:04:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22865

Bug ID: 22865
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 10839
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10839&action=edit
poc binary file

We can trigger arbitrary write in default_syscall_abi function. This is
reproducible in elfutils 0.170. I attached a PoC binary, so you can reproduce
by the following command:

$ ./objdump -d [poc_binary]

gdb stack trace:
================================================================================
RAX: 0x7ffff7bd7780 (: mov rax,QWORD PTR [r9])
RBX: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0xaaaaaaaa
RDX: 0x7ffff7ff657d --> 0x20001000000
RSI: 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffffffe048 --> 0x7ffff7bd79d4 (: mov    rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (: mov DWORD PTR [rcx],0xffffffff)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x7ffff79cb080 (: sub rsp,0x8)
R12: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x7ffff7ff7168 --> 0x0
R14: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x403810 : mov eax,0xfffffffe
   0x403815 : ret
   0x403816:  nop WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 : mov DWORD PTR [rcx],0xffffffff
   0x403826 : mov eax,0xffffffff
   0x40382b : mov DWORD PTR [rdx],0xffffffff
   0x403831 : mov DWORD PTR [rsi],0xffffffff
   0x403837 : mov DWORD PTR [r8],0xffffffff
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe048 --> 0x7ffff7bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffffffe050 --> 0x7ffff7bd7780 (: mov    rax,QWORD PTR [r9])
0016| 0x7fffffffe058 --> 0x7fffffffe240 --> 0xaaaaaaaa
0024| 0x7fffffffe060 --> 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffffffe068 ("%%%%%%%%H\342\377\377\377\177")
0040| 0x7fffffffe070 --> 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
0048| 0x7fffffffe078 --> 0x7ffff7ff657d --> 0x20001000000
0056| 0x7fffffffe080 --> 0xaaaaaaaa
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
724	  *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
#1  0x00007ffff7bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x0000000000402bc0 in show_disasm (shstrndx=, fname=, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffffffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x00000000004032e3 in process_file (fname=0x7fffffffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x0000000000401c07 in main (argc=0x3, argv=0x7fffffffe448) at objdump.c:165
#6  0x00007ffff7415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x0000000000401c5e in _start ()
================================================================================

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team