* [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf
@ 2019-01-12 9:28 wcventure at 126 dot com
2019-01-12 9:34 ` [Bug libelf/24089] " wcventure at 126 dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: wcventure at 126 dot com @ 2019-01-12 9:28 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
Bug ID: 24089
Summary: A Heap-buffer-overflow problem was discovered in the
function elf32_xlatetom in elf32_xlatetom.c in libelf
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11534
--> https://sourceware.org/bugzilla/attachment.cgi?id=11534&action=edit
POC1
Hi,
A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in
elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.
Here are the POC files. Please use "./eu-readelf -a $POC" to reproduce the
error.
$ git log
> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <jimw@sifive.com>
> Date: Thu Dec 27 15:25:49 2018 -0800
>
> RISC-V: Improve riscv64 core file support.
>
> This fixes two problems. The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count. Support for reading the
> PC value is added. This requires changing the testsuite to match the new
> readelf output for coredumps.
>
> Signed-off-by: Jim Wilson <jimw@sifive.com>
The ASAN dumps the stack trace as follows:
> =================================================================
> ==26819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000b4 at pc 0x7f07b3e4ee2b bp 0x7ffe3ddce530 sp 0x7ffe3ddcdcd8
> READ of size 1 at 0x6030000000b4 thread T0
> #0 0x7f07b3e4ee2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f07b351469c in elf32_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:116
> #2 0x410e3c in convert /home/wencheng/Experiment/elfutils/src/readelf.c:11305
> #3 0x436e64 in handle_core_item /home/wencheng/Experiment/elfutils/src/readelf.c:11359
> #4 0x4447d4 in handle_core_items /home/wencheng/Experiment/elfutils/src/readelf.c:11641
> #5 0x4447d4 in handle_core_note /home/wencheng/Experiment/elfutils/src/readelf.c:12164
> #6 0x4a006c in handle_notes_data /home/wencheng/Experiment/elfutils/src/readelf.c:12248
> #7 0x4c5b47 in handle_notes /home/wencheng/Experiment/elfutils/src/readelf.c:12315
> #8 0x4c5b47 in process_elf_file /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #9 0x4c5b47 in process_dwflmod /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #10 0x7f07b3a1fe9c in dwfl_getmodules /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #11 0x41399c in process_file /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #12 0x405df6 in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #13 0x7f07b2f3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #14 0x406ef8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406ef8)
>
> 0x6030000000b4 is located 0 bytes to the right of 20-byte region [0x6030000000a0,0x6030000000b4)
> allocated by thread T0 here:
> #0 0x7f07b3eb2b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f07b3597080 in elf_getdata_rawchunk /home/wencheng/Experiment/elfutils/libelf/elf_getdata_rawchunk.c:88
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
> 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
> =>0x0c067fff8010: 00 fa fa fa 00 00[04]fa fa fa fa fa fa fa fa fa
> 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==26819==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug libelf/24089] A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf
2019-01-12 9:28 [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
@ 2019-01-12 9:34 ` wcventure at 126 dot com
2019-01-16 14:46 ` [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string mark at klomp dot org
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: wcventure at 126 dot com @ 2019-01-12 9:34 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11535
--> https://sourceware.org/bugzilla/attachment.cgi?id=11535&action=edit
POC2
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string
2019-01-12 9:28 [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-12 9:34 ` [Bug libelf/24089] " wcventure at 126 dot com
@ 2019-01-16 14:46 ` mark at klomp dot org
2019-01-18 23:40 ` mark at klomp dot org
2019-02-10 12:12 ` mark at klomp dot org
3 siblings, 0 replies; 5+ messages in thread
From: mark at klomp dot org @ 2019-01-16 14:46 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2019-01-16
CC| |mark at klomp dot org
Component|libelf |tools
Summary|A Heap-buffer-overflow |NT_PLATFORM core file note
|problem was discovered in |should be a zero terminated
|the function elf32_xlatetom |string
|in elf32_xlatetom.c in |
|libelf |
Ever confirmed|0 |1
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #0)
> A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom
> in elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted
> ELF input can cause segment faults and I have confirmed them with address
> sanitizer too.
Interesting. The same can be found running the reproducer under valgrind.
The issue is that when eu-readelf -n tries to print the values of a core file
ELF note and sees a NT_PLATFORM type, it doesn't check that the value is a
properly zero terminated string.
The simplest solution is to just not recognize such corrupt core file notes in
ebl_core_note:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string
2019-01-12 9:28 [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-12 9:34 ` [Bug libelf/24089] " wcventure at 126 dot com
2019-01-16 14:46 ` [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string mark at klomp dot org
@ 2019-01-18 23:40 ` mark at klomp dot org
2019-02-10 12:12 ` mark at klomp dot org
3 siblings, 0 replies; 5+ messages in thread
From: mark at klomp dot org @ 2019-01-18 23:40 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
commit de01cc6f9446187d69b9748bb3636361c79e77a4
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Jan 16 15:41:31 2019 +0100
libebl: Check NT_PLATFORM core notes contain a zero terminated string.
Most strings in core notes are fixed size. But NT_PLATFORM contains just
a variable length string. Check that it is actually zero terminated
before passing to readelf to print.
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
Signed-off-by: Mark Wielaard <mark@klomp.org>
Pushed to master.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string
2019-01-12 9:28 [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
` (2 preceding siblings ...)
2019-01-18 23:40 ` mark at klomp dot org
@ 2019-02-10 12:12 ` mark at klomp dot org
3 siblings, 0 replies; 5+ messages in thread
From: mark at klomp dot org @ 2019-02-10 12:12 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24089
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
CVE-2019-7665
Note the CVE description is somewhat misleading, this is not a bug in libelf.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-10 12:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-12 9:28 [Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-12 9:34 ` [Bug libelf/24089] " wcventure at 126 dot com
2019-01-16 14:46 ` [Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string mark at klomp dot org
2019-01-18 23:40 ` mark at klomp dot org
2019-02-10 12:12 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).