From mboxrd@z Thu Jan 1 00:00:00 1970
From: "mark at klomp dot org"
To: elfutils-devel@sourceware.org
Subject: [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string
Date: Wed, 16 Jan 2019 14:46:00 -0000
X-SW-Source: 2019-q1/txt/msg00050.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Status  |UNCONFIRMED                 |ASSIGNED
 Last reconfirmed  |                            |2019-01-16
               CC  |                            |mark at klomp dot org
        Component  |libelf                      |tools
          Summary  |A Heap-buffer-overflow      |NT_PLATFORM core file note
                   |problem was discovered in   |should be a zero terminated
                   |the function elf32_xlatetom |string
                   |in elf32_xlatetom.c in      |
                   |libelf                      |
   Ever confirmed  |0                           |1

--- Comment #2 from Mark Wielaard ---
(In reply to wcventure from comment #0)
> A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom
> in elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted
> ELF input can cause segment faults and I have confirmed them with address
> sanitizer too.

Interesting. The same can be found running the reproducer under valgrind.

The issue is that when eu-readelf -n tries to print the values of a core file
ELF note and sees a NT_PLATFORM type, it doesn't check that the value is a
properly zero terminated string.

The simplest solution is to just not recognize such corrupt core file notes in
ebl_core_note:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
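The check the comment above says was missing, as an added example written for this page and not elfutils' own code: a minimal ELF note parser that refuses to treat an NT_PLATFORM descriptor as a C string unless a NUL byte lies within descsz, so that a descriptor lacking its terminator is rejected instead of read past its end. The note layout follows Elf32_Nhdr/Elf64_Nhdr; parse_note, platform_note_ok and build_note are hypothetical helpers, and host byte order is assumed for the constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* NT_PLATFORM note type value from <elf.h>: the core note eu-readelf -n prints as a string. */
#define NT_PLATFORM 5
/* Header layout shared by Elf32_Nhdr and Elf64_Nhdr: three 32-bit fields; name and desc are 4-byte padded. */
struct note_hdr { uint32_t namesz, descsz, type; };
#define ALIGN4(x) (((x) + (size_t)3) & ~(size_t)3)

/* Locate the descriptor of the note at buf[0..len). Returns 0 if the header or padded fields do not fit. */
static int parse_note(const unsigned char *buf, size_t len, uint32_t *type,
                      const unsigned char **desc, size_t *descsz)
{
    struct note_hdr h; size_t off = sizeof h;
    if (len < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);                  /* host byte order; a real reader would convert */
    if (h.namesz > len - off) return 0;         /* subtract rather than add, so sizes cannot wrap */
    off += ALIGN4((size_t)h.namesz);
    if (off > len || h.descsz > len - off) return 0;
    *type = h.type; *desc = buf + off; *descsz = h.descsz;
    return 1;
}

/* The check the bug is about: a NUL must lie inside descsz, not merely in the padding after it. */
int platform_desc_is_terminated(const unsigned char *desc, size_t descsz)
{
    return descsz > 0 && memchr(desc, '\0', descsz) != NULL;
}

/* 1 if buf holds an NT_PLATFORM note whose value can safely be printed with %s, else 0. */
int platform_note_ok(const unsigned char *buf, size_t len)
{
    uint32_t type; const unsigned char *desc; size_t descsz;
    if (!parse_note(buf, len, &type, &desc, &descsz) || type != NT_PLATFORM) return 0;
    return platform_desc_is_terminated(desc, descsz);
}

/* Constructed test input: serialise one note in host byte order. Returns bytes written, 0 if cap is too small. */
size_t build_note(unsigned char *out, size_t cap, const char *name, uint32_t type,
                  const void *desc, uint32_t descsz)
{
    struct note_hdr h = { (uint32_t)strlen(name) + 1, descsz, type };
    size_t total = sizeof h + ALIGN4((size_t)h.namesz) + ALIGN4((size_t)descsz);
    if (total > cap) return 0;
    memset(out, 0, total);                      /* padding bytes are zero, as in a real core file */
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, name, h.namesz);
    memcpy(out + sizeof h + ALIGN4((size_t)h.namesz), desc, descsz);
    return total;
}
```

A descriptor of "x86_64" with descsz 6 is rejected even though the zero padding that follows it would make a naive printf appear to work; with descsz 7 (terminator included) it is accepted.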