From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 78763 invoked by alias); 10 Jan 2019 13:21:54 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 78672 invoked by uid 48); 10 Jan 2019 13:21:49 -0000 From: "wcventure at 126 dot com" To: elfutils-devel@sourceware.org Subject: [Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf Date: Thu, 10 Jan 2019 13:21:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libelf X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: wcventure at 126 dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2019-q1/txt/msg00016.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D24081 Bug ID: 24081 Summary: Use-After-free Problem in elf32_xlatetom function in libelf Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: libelf Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 11527 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D11527&action=3Ded= it POC1 Hi there, Our fuzzer caught Use-after-free problem in eu-readelf of the latest elfutils-0.174 code base when calling memmove in elf32_xlatetom function in libelf, this inputs will cause the segment faults and I have confirmed them with address sanitizer too.=20 Please use the "./eu-readelf -a $POC"to reproduce the bug. If you have any questions, please let me know. git log > commit 1dabad36ee28aa76b8cf14b6426b379cabee6def > Author: Jim Wilson > Date: Thu Dec 27 15:25:49 2018 -0800 >=20 > RISC-V: Improve riscv64 core file support. >=20 > This fixes two problems. The offset for x1 is changed from 1 to 8 be= cause > this is a byte offset not a register skip count. Support for reading= the > PC value is added. This requires changing the testsuite to match the= new > readelf output for coredumps. >=20 > Signed-off-by: Jim Wilson The ASAN dumps the stack trace as follows: > =3D=3D7822=3D=3DERROR: AddressSanitizer: unknown-crash on address 0x7f773= 670a000 at pc 0x7f7735694e2b bp 0x7ffcba3c16a0 sp 0x7ffcba3c0e48 > READ of size 8 at 0x7f773670a000 thread T0 > #0 0x7f7735694e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+= 0x7ae2a) > #1 0x7f7734d5a9bb in memmove /usr/include/x86_64-linux-gnu/bits/strin= g3.h:59 > #2 0x7f7734d5a9bb in elf32_xlatetom /elfutils/libelf/elf32_xlatetom.c= :100 > #3 0x56d6b8 in ebl_object_note /elfutils/libebl/eblobjnote.c:342 > #4 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251 > #5 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315 > #6 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000 > #7 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760 > #8 0x7f7735265e9c in dwfl_getmodules /elfutils/libdwfl/dwfl_getmodule= s.c:86 > #9 0x41399c in process_file /elfutils/src/readelf.c:868 > #10 0x405df6 in main /elfutils/src/readelf.c:350 > #11 0x7f773477b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.s= o.6+0x2082f) > #12 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8) >=20 > Address 0x7f773670a000 is a wild pointer. > SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libas= an.so.4+0x7ae2a) in memmove > Shadow bytes around the buggy address: > 0x0fef66cd93b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fef66cd93c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fef66cd93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fef66cd93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0fef66cd93f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > =3D>0x0fef66cd9400:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0fef66cd9410: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0fef66cd9420: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0fef66cd9430: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0fef66cd9440: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0fef66cd9450: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > =3D=3D7822=3D=3DABORTING --=20 You are receiving this mail because: You are on the CC list for the bug.