* [Bug general/22892] New: heap-buffer-overflow in check_group function (src/elflint.c)
@ 2018-02-25 23:18 probefuzzer at gmail dot com
2018-02-26 22:28 ` [Bug general/22892] " mark at klomp dot org
2018-03-05 13:08 ` mark at klomp dot org
0 siblings, 2 replies; 3+ messages in thread
From: probefuzzer at gmail dot com @ 2018-02-25 23:18 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22892
Bug ID: 22892
Summary: heap-buffer-overflow in check_group function
(src/elflint.c)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: general
Assignee: unassigned at sourceware dot org
Reporter: probefuzzer at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 10851
--> https://sourceware.org/bugzilla/attachment.cgi?id=10851&action=edit
poc
On latest version (0.170) and master branch of elfutils:
there is a heap-buffer-buffer overflow in check_group function of src/elflint.c
file, which could be triggered by the poc below.
This issue is caused by a invalid access in elflint.c:2719. Note that this
issue is different from Bug 21320, which is already fixed in version 0.169.
To reproduce the issue, run: ./eu-elflint -d $POC
==128199==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x612000000140 at pc 0x000000420193 bp 0x7ffe6213d5a0 sp 0x7ffe6213d598
READ of size 4 at 0x612000000140 thread T0
#0 0x420192 in check_group
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719
#1 0x4359f1 in check_sections
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:4176
#2 0x43e086 in process_elf_file
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:4740
#3 0x43e086 in process_file
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:243
#4 0x403241 in main
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:176
#5 0x7f5f40d47c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#6 0x404263
(/home/tmp/folder/product/elfutils/master/exe_asan/bin/eu-elflint+0x404263)
0x612000000141 is located 0 bytes to the right of 257-byte region
[0x612000000040,0x612000000141)
allocated by thread T0 here:
#0 0x7f5f416773b0 in __interceptor_malloc
../../../../gcc5-src/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x7f5f4113bedc in convert_data
/u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:166
#2 0x7f5f4113bedc in __libelf_set_data_list_rdlock
/u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:434
SUMMARY: AddressSanitizer: heap-buffer-overflow
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719 in check_group
Shadow bytes around the buggy address:
0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8020: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==128199==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug general/22892] heap-buffer-overflow in check_group function (src/elflint.c)
2018-02-25 23:18 [Bug general/22892] New: heap-buffer-overflow in check_group function (src/elflint.c) probefuzzer at gmail dot com
@ 2018-02-26 22:28 ` mark at klomp dot org
2018-03-05 13:08 ` mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: mark at klomp dot org @ 2018-02-26 22:28 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22892
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2018-02-26
CC| |mark at klomp dot org
Ever confirmed|0 |1
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Proposed patch:
https://sourceware.org/ml/elfutils-devel/2018-q1/msg00055.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug general/22892] heap-buffer-overflow in check_group function (src/elflint.c)
2018-02-25 23:18 [Bug general/22892] New: heap-buffer-overflow in check_group function (src/elflint.c) probefuzzer at gmail dot com
2018-02-26 22:28 ` [Bug general/22892] " mark at klomp dot org
@ 2018-03-05 13:08 ` mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: mark at klomp dot org @ 2018-03-05 13:08 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=22892
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
commit 22e282071021fc5ada2b9294bfa7e25fbd62a9d6
Author: Mark Wielaard <mark@klomp.org>
Date: Mon Feb 26 22:53:10 2018 +0100
elflint: Make sure we can read a whole element when iterating over group.
Change the for loop so that we can always read a full element.
https://sourceware.org/bugzilla/show_bug.cgi?id=22892
Signed-off-by: Mark Wielaard <mark@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-05 13:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-25 23:18 [Bug general/22892] New: heap-buffer-overflow in check_group function (src/elflint.c) probefuzzer at gmail dot com
2018-02-26 22:28 ` [Bug general/22892] " mark at klomp dot org
2018-03-05 13:08 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).