* [Bug libelf/24103] Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
@ 2019-01-18 11:32 ` wcventure at 126 dot com
2019-01-20 22:09 ` [Bug libdw/24103] " mark at klomp dot org
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2019-01-18 11:32 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11546
--> https://sourceware.org/bugzilla/attachment.cgi?id=11546&action=edit
POC2
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf
@ 2019-01-18 11:32 wcventure at 126 dot com
2019-01-18 11:32 ` [Bug libelf/24103] " wcventure at 126 dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2019-01-18 11:32 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Bug ID: 24103
Summary: Invalid address Deference in elf64_xlatetom in
elf32_xlatetom.c in libelf
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11545
--> https://sourceware.org/bugzilla/attachment.cgi?id=11545&action=edit
POC1
Different from Bug 24081 and Bug 24089. This error occur in function
elf64_xlatetom.
Please use the "eu-stack --core=$POC"to reproduce the bug.
$git log
> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard <mark@klomp.org>
> Date: Wed Jan 16 12:25:57 2019 +0100
>
> libelf: Correct overflow check in note_xlate.
>
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
>
> Signed-off-by: Mark Wielaard <mark@klomp.org>
The ASAN dumps the stack trace as follows:
> =================================================================
> ==7964==ERROR: AddressSanitizer: unknown-crash on address 0x7f5eace16000 at pc 0x7f5eabd97e2b bp 0x7ffc6b0f0680 sp 0x7ffc6b0efe28
> READ of size 983520 at 0x7f5eace16000 thread T0
> #0 0x7f5eabd97e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f5eaba8e510 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f5eaba8e510 in elf64_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:100
> #3 0x7f5eab7d6e6b in dwfl_segment_report_module /home/wencheng/Experiment/elfutils/libdwfl/dwfl_segment_report_module.c:807
> #4 0x7f5eab7ef0dd in dwfl_core_file_report /home/wencheng/Experiment/elfutils/libdwfl/core-file.c:543
> #5 0x4033a3 in parse_opt /home/wencheng/Experiment/elfutils/src/stack.c:590
> #6 0x7f5eab013847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
> #7 0x402860 in main /home/wencheng/Experiment/elfutils/src/stack.c:690
> #8 0x7f5eaaf1f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x4030d8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-stack+0x4030d8)
>
> Address 0x7f5eace16000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
> 0x0fec559babb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fec559bac00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==7964==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24103] Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-18 11:32 ` [Bug libelf/24103] " wcventure at 126 dot com
@ 2019-01-20 22:09 ` mark at klomp dot org
2019-01-21 12:48 ` [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated mark at klomp dot org
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-20 22:09 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2019-01-20
CC| |mark at klomp dot org
Component|libelf |libdw
Ever confirmed|0 |1
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Thanks. Replicated under valgrind.
This is similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23752
We need to check if we got all the dynamic data we expected from the file.
Proposed patch:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-18 11:32 ` [Bug libelf/24103] " wcventure at 126 dot com
2019-01-20 22:09 ` [Bug libdw/24103] " mark at klomp dot org
@ 2019-01-21 12:48 ` mark at klomp dot org
2019-01-22 16:44 ` mark at klomp dot org
2019-01-31 14:45 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-21 12:48 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Invalid address Deference |dwfl_segment_report_module
|in elf64_xlatetom in |doesn't check whether the
|elf32_xlatetom.c in libelf |dyn data read from core
| |file is truncated
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
` (2 preceding siblings ...)
2019-01-21 12:48 ` [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated mark at klomp dot org
@ 2019-01-22 16:44 ` mark at klomp dot org
2019-01-31 14:45 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-22 16:44 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
commit da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
Author: Mark Wielaard <mark@klomp.org>
Date: Sun Jan 20 23:05:56 2019 +0100
libdwfl: Sanity check partial core file dyn data read.
When reading the dyn data from the core file check if we got everything,
or just part of the data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Signed-off-by: Mark Wielaard <mark@klomp.org>
Pushed to master.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
` (3 preceding siblings ...)
2019-01-22 16:44 ` mark at klomp dot org
@ 2019-01-31 14:45 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-31 14:45 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
Apparently this bug got assigned CVE-2019-7150
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-01-31 14:45 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-18 11:32 [Bug libelf/24103] New: Invalid address Deference in elf64_xlatetom in elf32_xlatetom.c in libelf wcventure at 126 dot com
2019-01-18 11:32 ` [Bug libelf/24103] " wcventure at 126 dot com
2019-01-20 22:09 ` [Bug libdw/24103] " mark at klomp dot org
2019-01-21 12:48 ` [Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated mark at klomp dot org
2019-01-22 16:44 ` mark at klomp dot org
2019-01-31 14:45 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).