From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <elfutils-devel-return-6521-listarch-elfutils-devel=sourceware.org@sourceware.org>
Received: (qmail 126888 invoked by alias); 25 Feb 2018 23:18:16 -0000
Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <elfutils-devel.sourceware.org>
List-Post: <mailto:elfutils-devel@sourceware.org>
List-Help: <mailto:elfutils-devel-help@sourceware.org>
List-Subscribe: <mailto:elfutils-devel-subscribe@sourceware.org>
Sender: elfutils-devel-owner@sourceware.org
Received: (qmail 126859 invoked by uid 48); 25 Feb 2018 23:18:11 -0000
From: "probefuzzer at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug general/22892] New: heap-buffer-overflow in check_group function (src/elflint.c)
Date: Sun, 25 Feb 2018 23:18:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: elfutils
X-Bugzilla-Component: general
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: probefuzzer at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created
Message-ID: <bug-22892-10460@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2018-q1/txt/msg00053.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=3D22892

            Bug ID: 22892
           Summary: heap-buffer-overflow in check_group function
                    (src/elflint.c)
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: general
          Assignee: unassigned at sourceware dot org
          Reporter: probefuzzer at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 10851
  --> https://sourceware.org/bugzilla/attachment.cgi?id=3D10851&action=3Ded=
it
poc

On latest version (0.170) and master branch of elfutils:
there is a heap-buffer-buffer overflow in check_group function of src/elfli=
nt.c
file, which could be triggered by the poc below.=20

This issue is caused by a invalid access in elflint.c:2719. Note that this
issue is different from Bug 21320, which is already fixed in version 0.169.

To reproduce the issue, run: ./eu-elflint -d $POC

=3D=3D128199=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address
0x612000000140 at pc 0x000000420193 bp 0x7ffe6213d5a0 sp 0x7ffe6213d598
READ of size 4 at 0x612000000140 thread T0
    #0 0x420192 in check_group
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719
    #1 0x4359f1 in check_sections
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:4176
    #2 0x43e086 in process_elf_file
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:4740
    #3 0x43e086 in process_file
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:243
    #4 0x403241 in main
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:176
    #5 0x7f5f40d47c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #6 0x404263=20
(/home/tmp/folder/product/elfutils/master/exe_asan/bin/eu-elflint+0x404263)

0x612000000141 is located 0 bytes to the right of 257-byte region
[0x612000000040,0x612000000141)
allocated by thread T0 here:
    #0 0x7f5f416773b0 in __interceptor_malloc
../../../../gcc5-src/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x7f5f4113bedc in convert_data
/u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:166
    #2 0x7f5f4113bedc in __libelf_set_data_list_rdlock
/u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:434

SUMMARY: AddressSanitizer: heap-buffer-overflow
/u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719 in check_group
Shadow bytes around the buggy address:
  0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=3D>0x0c247fff8020: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07=20
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=3D=3D128199=3D=3DABORTING

--=20
You are receiving this mail because:
You are on the CC list for the bug.