* [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf
@ 2019-01-10 13:21 wcventure at 126 dot com
2019-01-10 13:26 ` [Bug libelf/24081] " wcventure at 126 dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: wcventure at 126 dot com @ 2019-01-10 13:21 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24081
Bug ID: 24081
Summary: Use-After-free Problem in elf32_xlatetom function in
libelf
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11527
--> https://sourceware.org/bugzilla/attachment.cgi?id=11527&action=edit
POC1
Hi there,
Our fuzzer caught Use-after-free problem in eu-readelf of the latest
elfutils-0.174 code base when calling memmove in elf32_xlatetom function in
libelf, this inputs will cause the segment faults and I have confirmed them
with address sanitizer too.
Please use the "./eu-readelf -a $POC"to reproduce the bug. If you have any
questions, please let me know.
git log
> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <jimw@sifive.com>
> Date: Thu Dec 27 15:25:49 2018 -0800
>
> RISC-V: Improve riscv64 core file support.
>
> This fixes two problems. The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count. Support for reading the
> PC value is added. This requires changing the testsuite to match the new
> readelf output for coredumps.
>
> Signed-off-by: Jim Wilson <jimw@sifive.com>
The ASAN dumps the stack trace as follows:
> ==7822==ERROR: AddressSanitizer: unknown-crash on address 0x7f773670a000 at pc 0x7f7735694e2b bp 0x7ffcba3c16a0 sp 0x7ffcba3c0e48
> READ of size 8 at 0x7f773670a000 thread T0
> #0 0x7f7735694e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f7734d5a9bb in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f7734d5a9bb in elf32_xlatetom /elfutils/libelf/elf32_xlatetom.c:100
> #3 0x56d6b8 in ebl_object_note /elfutils/libebl/eblobjnote.c:342
> #4 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
> #5 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
> #6 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
> #7 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
> #8 0x7f7735265e9c in dwfl_getmodules /elfutils/libdwfl/dwfl_getmodules.c:86
> #9 0x41399c in process_file /elfutils/src/readelf.c:868
> #10 0x405df6 in main /elfutils/src/readelf.c:350
> #11 0x7f773477b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #12 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
>
> Address 0x7f773670a000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
> 0x0fef66cd93b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fef66cd93c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fef66cd93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fef66cd93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fef66cd93f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fef66cd9400:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fef66cd9410: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fef66cd9420: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fef66cd9430: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fef66cd9440: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fef66cd9450: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==7822==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libelf/24081] Use-After-free Problem in elf32_xlatetom function in libelf
2019-01-10 13:21 [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf wcventure at 126 dot com
@ 2019-01-10 13:26 ` wcventure at 126 dot com
2019-01-15 13:17 ` mark at klomp dot org
2019-01-30 5:44 ` [Bug libelf/24081] buffer over-read " wcventure at 126 dot com
2 siblings, 0 replies; 4+ messages in thread
From: wcventure at 126 dot com @ 2019-01-10 13:26 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24081
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11528
--> https://sourceware.org/bugzilla/attachment.cgi?id=11528&action=edit
POC2
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libelf/24081] Use-After-free Problem in elf32_xlatetom function in libelf
2019-01-10 13:21 [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf wcventure at 126 dot com
2019-01-10 13:26 ` [Bug libelf/24081] " wcventure at 126 dot com
@ 2019-01-15 13:17 ` mark at klomp dot org
2019-01-30 5:44 ` [Bug libelf/24081] buffer over-read " wcventure at 126 dot com
2 siblings, 0 replies; 4+ messages in thread
From: mark at klomp dot org @ 2019-01-15 13:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24081
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |mark at klomp dot org
Resolution|--- |DUPLICATE
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
This is really just the same as
https://sourceware.org/bugzilla/show_bug.cgi?id=24075 we should check the
pr_datasz.
*** This bug has been marked as a duplicate of bug 24075 ***
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libelf/24081] buffer over-read Problem in elf32_xlatetom function in libelf
2019-01-10 13:21 [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf wcventure at 126 dot com
2019-01-10 13:26 ` [Bug libelf/24081] " wcventure at 126 dot com
2019-01-15 13:17 ` mark at klomp dot org
@ 2019-01-30 5:44 ` wcventure at 126 dot com
2 siblings, 0 replies; 4+ messages in thread
From: wcventure at 126 dot com @ 2019-01-30 5:44 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24081
wcventure <wcventure at 126 dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Use-After-free Problem in |buffer over-read Problem in
|elf32_xlatetom function in |elf32_xlatetom function in
|libelf |libelf
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-01-30 5:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-10 13:21 [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf wcventure at 126 dot com
2019-01-10 13:26 ` [Bug libelf/24081] " wcventure at 126 dot com
2019-01-15 13:17 ` mark at klomp dot org
2019-01-30 5:44 ` [Bug libelf/24081] buffer over-read " wcventure at 126 dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).