* [Bug backends/24075] New: Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-09 11:33 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Bug ID: 24075
Summary: Program Crash due to Wild pointer Deference in
ebl_object_note function in eblobjnote.c in libebl.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: backends
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11523
--> https://sourceware.org/bugzilla/attachment.cgi?id=11523&action=edit
POC1
Hi there,
Our fuzzer caught a pointer dereference problem in eu-readelf of the latest
elfutils-0.174 code base; these inputs will cause segmentation faults, and I have
confirmed them with address sanitizer too. Please use "./eu-readelf -a
$POC" to reproduce the bug. If you have any questions, please let me know.
This problem is in the code as follows; it seems like a use-after-free problem.
> size_t i;
> for (i = 0; i < prop.pr_datasz - 1; i++)
> printf ("%02" PRIx8 " ", (uint8_t) desc[i]);
git log
> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <jimw@sifive.com>
> Date: Thu Dec 27 15:25:49 2018 -0800
>
> RISC-V: Improve riscv64 core file support.
>
> This fixes two problems. The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count. Support for reading the
> PC value is added. This requires changing the testsuite to match the new
> readelf output for coredumps.
>
> Signed-off-by: Jim Wilson <jimw@sifive.com>
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug backends/24075] Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-09 11:34 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11524
--> https://sourceware.org/bugzilla/attachment.cgi?id=11524&action=edit
POC2
The ASAN dumps the stack trace as follows:
> =================================================================
> ==20499==ERROR: AddressSanitizer: unknown-crash on address 0x7f908068e000 at pc 0x000000577730 bp 0x7ffd5103ba10 sp 0x7ffd5103ba00
> READ of size 1 at 0x7f908068e000 thread T0
> #0 0x57772f in ebl_object_note /elfutils/libebl/eblobjnote.c:488
> #1 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
> #2 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
> #3 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
> #4 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
> #5 0x7f907f1e9e9c in dwfl_getmodules /elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x41399c in process_file /elfutils/src/readelf.c:868
> #7 0x405df6 in main /elfutils/src/readelf.c:350
> #8 0x7f907e6ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
>
> Address 0x7f908068e000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /elfutils/libebl/eblobjnote.c:488 in ebl_object_note
> ==20499==ABORTING
* [Bug backends/24075] Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.
From: mark at klomp dot org @ 2019-01-15 13:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
*** Bug 24081 has been marked as a duplicate of this bug. ***
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: mark at klomp dot org @ 2019-01-16 11:09 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |mark at klomp dot org
Resolution|--- |FIXED
Summary|Program Crash due to Wild |Program Crash due to buffer
|pointer Deference in |over-read in
|ebl_object_note function in |ebl_object_note function in
|eblobjnote.c in libebl. |eblobjnote.c in libebl.
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #0)
> Our fuzzer caught a pointer dereference problem in eu-readelf of the latest
> elfutils-0.174 code base; these inputs will cause segmentation faults, and I
> have confirmed them with address sanitizer too. Please use "./eu-readelf
> -a $POC" to reproduce the bug. If you have any questions, please let me know.
This code was introduced in 0.175 and not present in 0.174.
Confirmed by running the reproducer under valgrind.
> This problem is in the code as follows; it seems like a use-after-free problem.
>
> > size_t i;
> > for (i = 0; i < prop.pr_datasz - 1; i++)
> > printf ("%02" PRIx8 " ", (uint8_t) desc[i]);
Yes, this over-reads the buffer because pr_datasz isn't checked.
Fixed as follows:
commit 012018907ca05eb0ab51d424a596ef38fc87cae1
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Jan 16 11:57:35 2019 +0100
libebl: Check GNU property note pr_datasz fits inside note description.
Before printing the data values, make sure pr_datasz doesn't go beyond
the end of the note description data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Signed-off-by: Mark Wielaard <mark@klomp.org>
diff --git a/libebl/ChangeLog b/libebl/ChangeLog
index 0174f33..77c2274 100644
--- a/libebl/ChangeLog
+++ b/libebl/ChangeLog
@@ -1,3 +1,7 @@
+2019-01-16 Mark Wielaard <mark@klomp.org>
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+
2018-12-02 Mark Wielaard <mark@klomp.org>
* eblobjnte.c (ebl_object_note): For GNU_PROPERTY_STACK_SIZE use
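Review bot: the added ChangeLog line names the file as eblobjnte.c, while the diff header for this commit names libebl/eblobjnote.c. The 2018-12-02 context entry carries the same spelling, so a search of the ChangeLog for the real file name misses both entries. Suggest writing eblobjnote.c in the new line.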
diff --git a/libebl/eblobjnote.c b/libebl/eblobjnote.c
index c19ea37..9094715 100644
--- a/libebl/eblobjnote.c
+++ b/libebl/eblobjnote.c
@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t namesz, const char
*name, uint32_t type,
desc += 8;
descsz -= 8;
+ if (prop.pr_datasz > descsz)
+ {
+ printf ("BAD property datasz: %" PRId32 "\n",
+ prop.pr_datasz);
+ return;
+ }
+
int elfclass = gelf_getclass (ebl->elf);
char *elfident = elf_getident (ebl->elf, NULL);
GElf_Ehdr ehdr;
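Review bot: the new test "prop.pr_datasz > descsz" bounds only the raw data length, so a property whose data fits but whose alignment padding runs past the end of the description still passes; comment #7 in this thread later confirms that the padded length has to be checked as well. Suggest comparing the padded size against descsz at this point. The hunk also does not show whether descsz was verified to be at least 8 before "descsz -= 8", which is worth confirming, since a wrap there would defeat the new comparison. Minor: the message prints pr_datasz with PRId32; if the field is unsigned, PRIu32 avoids showing an oversized value as a negative number.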
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-26 8:04 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
wcventure <wcventure at 126 dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |UNCONFIRMED
Resolution|FIXED |---
--- Comment #4 from wcventure <wcventure at 126 dot com> ---
Regression Testing:
I have done regression testing.
This problem can be broken again!
Here is the POC file.
The Commit ID I used:
> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard <mark@klomp.org>
> Date: Tue Jan 22 15:55:18 2019 +0100
>
> readelf: Don't go past end of line data reading unknown opcode parameters.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
>
> Signed-off-by: Mark Wielaard <mark@klomp.org>
ASAN trace:
> ==22829==ERROR: AddressSanitizer: unknown-crash on address 0x7f07d1c81000 at pc 0x0000004c0857 bp 0x7ffc6580df50 sp 0x7ffc6580df40
> READ of size 1 at 0x7f07d1c81000 thread T0
> #0 0x4c0856 in ebl_object_note /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495
> #1 0x452e0f in handle_notes_data /home/wencheng/Experiment/elfutils/src/readelf.c:12256
> #2 0x465ec3 in handle_notes /home/wencheng/Experiment/elfutils/src/readelf.c:12320
> #3 0x465ec3 in process_elf_file /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #4 0x465ec3 in process_dwflmod /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #5 0x7f07d0893961 in dwfl_getmodules /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40d035 in process_file /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #7 0x40579e in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #8 0x7f07cff1882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406428 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406428)
>
> Address 0x7f07d1c81000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495 in ebl_object_note
> ==22829==ABORTING
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-26 8:06 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
--- Comment #5 from wcventure <wcventure at 126 dot com> ---
Created attachment 11573
--> https://sourceware.org/bugzilla/attachment.cgi?id=11573&action=edit
Regressiong_POC
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-26 8:10 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
wcventure <wcventure at 126 dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P1
Severity|normal |critical
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: wcventure at 126 dot com @ 2019-01-29 11:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
--- Comment #6 from wcventure <wcventure at 126 dot com> ---
CVE-2019-7146
* [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
From: mark at klomp dot org @ 2019-01-29 23:09 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Mark Wielaard <mark at klomp dot org> ---
Nice find. The property data is padded and we also must make sure that the
extra padding fits the note description.
commit cd7ded3df43f655af945c869976401a602e46fcd (HEAD -> master)
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Jan 30 00:04:11 2019 +0100
libebl: Check GNU property note data padding fits inside note.
The GNU property note data is padded. Make sure the extra padding
still fits in the note description.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Signed-off-by: Mark Wielaard <mark@klomp.org>
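A bounds-checked walk over GNU property entries that applies both checks discussed in this thread, the pr_datasz test and the padding test. This is an added example, not elfutils code and not part of the original messages; the function names, the result codes and the 4/8-byte alignment parameter are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of the hypothetical walker below. */
enum { PROP_SHORT_HEADER = -1, PROP_BAD_DATASZ = -2, PROP_BAD_PADDING = -3 };

/* Walk the description of a GNU property note: each entry is pr_type (4 bytes),
   pr_datasz (4 bytes), pr_datasz bytes of data, then padding up to `align`
   (assumed 4 for ELFCLASS32, 8 for ELFCLASS64).  Returns the number of
   well-formed entries or a negative code; never reads past desc + descsz. */
int walk_gnu_properties(const unsigned char *desc, size_t descsz, size_t align)
{
    int count = 0;
    while (descsz > 0) {
        uint32_t pr_datasz;
        if (descsz < 8)                  /* guard the "descsz -= 8" step */
            return PROP_SHORT_HEADER;
        memcpy(&pr_datasz, desc + 4, 4); /* host byte order, for brevity */
        desc += 8;
        descsz -= 8;

        if (pr_datasz > descsz)          /* same test as the first commit */
            return PROP_BAD_DATASZ;

        /* Padding requirement from comment #7.  The pad is computed on its
           own so that rounding pr_datasz up cannot wrap around. */
        size_t pad = (align - pr_datasz % align) % align;
        if (pad > descsz - pr_datasz)
            return PROP_BAD_PADDING;

        desc += pr_datasz + pad;
        descsz -= pr_datasz + pad;
        count++;
    }
    return count;
}

/* Constructed sample: one entry with pr_datasz = 4, laid out for 8-byte
   alignment (8 header + 4 data + 4 padding); only the first `descsz`
   bytes are handed to the walker, as a truncated note would be. */
int check_sample(size_t descsz, size_t align)
{
    unsigned char buf[16] = {0};
    uint32_t datasz = 4;
    memcpy(buf + 4, &datasz, 4);
    return walk_gnu_properties(buf, descsz, align);
}
int main(void)
{
    printf("%d %d %d\n", check_sample(16, 8), check_sample(12, 8), check_sample(10, 8));
    return 0;
}
```

The 12-byte case is the one that separates the two commits: the data fits, so a check on pr_datasz alone accepts it, and only the padding check rejects it.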