* [Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
@ 2018-08-17 4:11 wcventure at 126 dot com
2018-08-17 20:19 ` [Bug general/23542] " mark at klomp dot org
2018-08-18 20:50 ` mark at klomp dot org
0 siblings, 2 replies; 3+ messages in thread
From: wcventure at 126 dot com @ 2018-08-17 4:11 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Bug ID: 23542
Summary: heap-buffer-overflow in /elfutils/src/elflint.c:2055
check_sysv_hash
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: general
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11190
--> https://sourceware.org/bugzilla/attachment.cgi?id=11190&action=edit
./eu-elflint --strict @@
==123497==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61300000dfd4 at pc 0x000000432311 bp 0x7ffc0e4d29c0 sp 0x7ffc0e4d29b0
READ of size 4 at 0x61300000dfd4 thread T0
#0 0x432310 in check_sysv_hash
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055
#1 0x432310 in check_hash
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2355
#2 0x439613 in check_sections
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4161
#3 0x440395 in process_elf_file
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4739
#4 0x440395 in process_file
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:242
#5 0x402e55 in main
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:175
#6 0x7f81b5bba82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x403b08 in _start
(/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-elflint+0x403b08)
0x61300000dfd5 is located 0 bytes to the right of 341-byte region
[0x61300000de80,0x61300000dfd5)
allocated by thread T0 here:
#0 0x7f81b64a4602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f81b61babff in convert_data
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164
#2 0x7f81b61babff in __libelf_set_data_list_rdlock
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055 check_sysv_hash
Shadow bytes around the buggy address:
0x0c267fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fff9bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fff9bc0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa
0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==123497==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
2018-08-17 4:11 [Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash wcventure at 126 dot com
@ 2018-08-17 20:19 ` mark at klomp dot org
2018-08-18 20:50 ` mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: mark at klomp dot org @ 2018-08-17 20:19 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:
==12265== Conditional jump or move depends on uninitialised value(s)
==12265== at 0x1111E9: check_sysv_hash (elflint.c:2056)
==12265== by 0x1111E9: check_hash.isra.14 (elflint.c:2356)
==12265== by 0x117B80: check_sections (elflint.c:4162)
==12265== by 0x119364: process_elf_file (elflint.c:4740)
==12265== by 0x119364: process_file (elflint.c:242)
==12265== by 0x10C57C: main (elflint.c:175)
The issue is that the sanity check at the start of the function overflows
because it does 32bit unsigned arithmetic. Changing it to do unsigned long long
arithmetic makes the check catch the issue:
diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..9d49c47f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data
*data, int idx,
Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+ if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected
%ld)\n"),
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug general/23542] heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
2018-08-17 4:11 [Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash wcventure at 126 dot com
2018-08-17 20:19 ` [Bug general/23542] " mark at klomp dot org
@ 2018-08-18 20:50 ` mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: mark at klomp dot org @ 2018-08-18 20:50 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
commit c9f90a70900e753dde15cc9348dcf7de08b031eb
Author: Mark Wielaard <mark@klomp.org>
Date: Sat Aug 18 13:17:45 2018 +0200
elflint: Fix check_sysv_hash[64] sanity checks to not overflow.
The sanity checks for how many words were needed in the section could
overflow causing errors. Fix the checks.
https://sourceware.org/bugzilla/show_bug.cgi?id=23542
Signed-off-by: Mark Wielaard <mark@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-08-18 20:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-17 4:11 [Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash wcventure at 126 dot com
2018-08-17 20:19 ` [Bug general/23542] " mark at klomp dot org
2018-08-18 20:50 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).