From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
Date: Wed, 16 Jan 2019 11:09:00 -0000
Message-ID: <bug-24075-10460-KaSjjB9834@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-24075-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Mark Wielaard <mark at klomp dot org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |FIXED
            Summary|Program Crash due to Wild   |Program Crash due to buffer
                   |pointer Deference in        |over-read in
                   |ebl_object_note function in |ebl_object_note function in
                   |eblobjnote.c in libebl.     |eblobjnote.c in libebl.
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #0)
> Our fuzzer caught a Pointer Dereference problem in eu-readelf of the latest
> elfutils-0.174 code base; these inputs will cause segmentation faults and I
> have confirmed them with address sanitizer too. Please use "./eu-readelf
> -a $POC" to reproduce the bug. If you have any questions, please let me know.
This code was introduced in 0.175 and not present in 0.174.
Confirmed by running the reproducer under valgrind.
> This problem is in the code as follows; it seems like a use-after-free problem.
>
> > size_t i;
> > for (i = 0; i < prop.pr_datasz - 1; i++)
> > printf ("%02" PRIx8 " ", (uint8_t) desc[i]);
Yes, this over-reads the buffer because pr_datasz isn't checked.
Fixed as follows:
commit 012018907ca05eb0ab51d424a596ef38fc87cae1
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Jan 16 11:57:35 2019 +0100
libebl: Check GNU property note pr_datasz fits inside note description.
Before printing the data values, make sure pr_datasz doesn't go beyond
the end of the note description data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Signed-off-by: Mark Wielaard <mark@klomp.org>
diff --git a/libebl/ChangeLog b/libebl/ChangeLog
index 0174f33..77c2274 100644
--- a/libebl/ChangeLog
+++ b/libebl/ChangeLog
@@ -1,3 +1,7 @@
+2019-01-16 Mark Wielaard <mark@klomp.org>
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+
2018-12-02 Mark Wielaard <mark@klomp.org>
* eblobjnte.c (ebl_object_note): For GNU_PROPERTY_STACK_SIZE use
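Review bot: the new ChangeLog entry misspells the file as eblobjnte.c, while the file header in the diff below and the commit message both say eblobjnote.c; the entry should read `* eblobjnote.c (ebl_object_note): Check pr_datasz isn't too large.` The 2018-12-02 entry shown as context carries the same misspelling and could be corrected in the same commit.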
diff --git a/libebl/eblobjnote.c b/libebl/eblobjnote.c
index c19ea37..9094715 100644
--- a/libebl/eblobjnote.c
+++ b/libebl/eblobjnote.c
@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t namesz, const char
*name, uint32_t type,
desc += 8;
descsz -= 8;
+ if (prop.pr_datasz > descsz)
+ {
+ printf ("BAD property datasz: %" PRId32 "\n",
+ prop.pr_datasz);
+ return;
+ }
+
int elfclass = gelf_getclass (ebl->elf);
char *elfident = elf_getident (ebl->elf, NULL);
GElf_Ehdr ehdr;
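Review bot: `pr_datasz` is a 32-bit unsigned Elf_Word, yet the new message prints it with PRId32, so a crafted size of 0x80000000 or more (exactly the kind of value this check exists to reject) would be reported as a negative number; use `printf ("BAD property datasz: %" PRIu32 "\n", prop.pr_datasz);` (or PRIx32) instead. The placement is right: the comparison runs after `desc += 8; descsz -= 8;`, so it is against the bytes that actually remain after the property header. Note that a pr_datasz of 0 still passes this check, so the data-dump loop quoted above, which is bounded by `prop.pr_datasz - 1`, has to stay behind its own `pr_datasz > 0` test or that unsigned subtraction wraps.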
--
You are receiving this mail because:
You are on the CC list for the bug.
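As an added example, not elfutils code and not part of the patch above, here is a stand-alone bounds-checked walk over a GNU_PROPERTY_TYPE_0 note description that applies the same `pr_datasz > descsz` test before any data byte is read, hex-dumps property data with a loop that tolerates pr_datasz == 0, and runs against constructed well-formed and malformed descriptions. The little-endian byte order, the padding rule (4 bytes for ELFCLASS32, 8 for ELFCLASS64) and the property-type constants are assumed from the ELF gABI and elf.h rather than taken from this page; the function and variable names are this example's own.

```c
/* Added example, not elfutils code and not part of the patch above: a
 * bounds-checked walk over the description (n_desc) of a GNU_PROPERTY_TYPE_0
 * note (.note.gnu.property).  Each property is an 8-byte header (pr_type,
 * pr_datasz, little-endian uint32 assumed here), pr_datasz data bytes, and
 * padding to 4 bytes (ELFCLASS32) or 8 bytes (ELFCLASS64). */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELFCLASS32 1
#define ELFCLASS64 2
/* Property types used by the constructed inputs (values as in elf.h). */
#define GNU_PROPERTY_STACK_SIZE           1
#define GNU_PROPERTY_NO_COPY_ON_PROTECTED 2
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define PROP_BAD_DATASZ (-1)  /* non-negative return values are property counts */

struct gnu_property {
  uint32_t pr_type;
  uint32_t pr_datasz;
  const unsigned char *data;  /* points into the caller's description */
};

static uint32_t read_u32_le(const unsigned char *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of properties in desc (the first max_props are stored
 * in out), or PROP_BAD_DATASZ if a header claims more data than remains. */
int parse_gnu_properties(const unsigned char *desc, size_t descsz, int elfclass,
                         struct gnu_property *out, size_t max_props) {
  size_t align = elfclass == ELFCLASS64 ? 8 : 4;
  int n = 0;
  while (descsz >= 8) {
    uint32_t pr_type = read_u32_le(desc);
    uint32_t pr_datasz = read_u32_le(desc + 4);
    desc += 8;
    descsz -= 8;
    /* The check the fix adds: refuse before any of desc[0..pr_datasz) is read. */
    if (pr_datasz > descsz)
      return PROP_BAD_DATASZ;
    if ((size_t)n < max_props) {
      out[n].pr_type = pr_type;
      out[n].pr_datasz = pr_datasz;
      out[n].data = desc;
    }
    n++;
    /* Skip data plus alignment padding; the last property may end before a
     * full padding unit, so clamp to what is left rather than underflow. */
    size_t padded = ((size_t)pr_datasz + align - 1) & ~(align - 1);
    if (padded > descsz)
      padded = descsz;
    desc += padded;
    descsz -= padded;
  }
  return n;
}

/* Writes the data bytes as "03 00 00 00" into buf and returns the length.
 * Bounding the loop with i < pr_datasz (not i < pr_datasz - 1) keeps a
 * zero-length property from producing a wrapped, near-infinite bound. */
size_t format_property_data(const struct gnu_property *p, char *buf, size_t bufsz) {
  size_t used = 0;
  if (bufsz)
    buf[0] = '\0';
  for (uint32_t i = 0; i < p->pr_datasz && used + 4 <= bufsz; i++)
    used += (size_t)snprintf(buf + used, bufsz - used, i ? " %02x" : "%02x",
                             (unsigned)p->data[i]);
  return used;
}

/* Constructed ELFCLASS64 description: X86_FEATURE_1_AND = IBT|SHSTK (4 data
 * bytes padded to 8), STACK_SIZE = 0x10000 (8 bytes), then a zero-length
 * NO_COPY_ON_PROTECTED property. */
static const unsigned char good_desc[] = {
  0x02, 0x00, 0x00, 0xc0,  0x04, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
  0x01, 0x00, 0x00, 0x00,  0x08, 0x00, 0x00, 0x00,  0x00, 0x00, 0x01, 0x00,  0x00, 0x00, 0x00, 0x00,
  0x02, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};
/* Constructed malformed description: pr_datasz claims 0x7fffffff bytes but
 * only 4 follow, the shape of input that over-read the buffer before the fix. */
static const unsigned char bad_desc[] = {
  0x02, 0x00, 0x00, 0xc0,  0xff, 0xff, 0xff, 0x7f,  0x03, 0x00, 0x00, 0x00,
};
static struct gnu_property parsed[4];

int main(void) {
  int n = parse_gnu_properties(good_desc, sizeof good_desc, ELFCLASS64, parsed, 4);
  for (int i = 0; i < n; i++) {
    char hex[64];
    format_property_data(&parsed[i], hex, sizeof hex);
    /* PRIu32, not PRId32: pr_datasz is unsigned and attacker-controlled. */
    printf("type 0x%08" PRIx32 " datasz %" PRIu32 ": %s\n", parsed[i].pr_type, parsed[i].pr_datasz, hex);
  }
  printf("bad_desc -> %d\n", parse_gnu_properties(bad_desc, sizeof bad_desc, ELFCLASS64, parsed, 4));
  return 0;
}
```

Build with `cc -std=c11 -Wall example.c && ./a.out`. Passing a truncated length for good_desc (for instance 28 instead of its full size) exercises the same rejection path as bad_desc: the second property's header survives the truncation but its 8 data bytes do not, so the walk stops with PROP_BAD_DATASZ instead of reading past the end.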
Thread overview (9+ messages):
2019-01-09 11:33 [Bug backends/24075] New: Program Crash due to Wild pointer Deference " wcventure at 126 dot com
2019-01-09 11:34 ` [Bug backends/24075] " wcventure at 126 dot com
2019-01-15 13:17 ` mark at klomp dot org
2019-01-16 11:09 ` mark at klomp dot org [this message]
2019-01-26 8:04 ` [Bug backends/24075] Program Crash due to buffer over-read " wcventure at 126 dot com
2019-01-26 8:06 ` wcventure at 126 dot com
2019-01-26 8:10 ` wcventure at 126 dot com
2019-01-29 11:17 ` wcventure at 126 dot com
2019-01-29 23:09 ` mark at klomp dot org