From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 101667 invoked by alias); 26 Jan 2019 08:16:34 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 101607 invoked by uid 48); 26 Jan 2019 08:16:30 -0000 From: "wcventure at 126 dot com" To: elfutils-devel@sourceware.org Subject: [Bug libdw/24140] New: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw Date: Sat, 26 Jan 2019 08:16:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libdw X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: critical X-Bugzilla-Who: wcventure at 126 dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2019-q1/txt/msg00094.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D24140 Bug ID: 24140 Summary: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: critical Priority: P2 Component: libdw Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 11574 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D11574&action=3Ded= it POC Hi,=20 A Heap-buffer-overflow problem was discovered in the function __libdw_next_= unit in dwarf_nextcu.c in libdw, as distributed in Elfutils 0.175. A crafted ELF input can cause segment faults and I have confirmed them with address sanit= izer too. Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error. $git log > commit a17c2c0917901ffa542ac4d3e327d46742219e04 > Author: Mark Wielaard > Date: Tue Jan 22 15:55:18 2019 +0100 >=20 > readelf: Don't go past end of line data reading unknown opcode parame= ters. >=20 > https://sourceware.org/bugzilla/show_bug.cgi?id=3D24116 >=20 > Signed-off-by: Mark Wielaard The ASAN dumps the stack trace as follows: > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D12766=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address= 0x603000000032 at pc 0x7f1605a83c52 bp 0x7ffeba226910 sp 0x7ffeba226900 > READ of size 2 at 0x603000000032 thread T0 > #0 0x7f1605a83c51 in __libdw_next_unit /home/wencheng/Experiment/elfu= tils/libdw/dwarf_nextcu.c:249 > #1 0x7f1605a83f3c in dwarf_next_unit /home/wencheng/Experiment/elfuti= ls/libdw/dwarf_nextcu.c:46 > #2 0x7f1605a83f3c in dwarf_nextcu /home/wencheng/Experiment/elfutils/= libdw/dwarf_nextcu.c:294 > #3 0x408273 in get_local_names /home/wencheng/Experiment/elfutils/src= /nm.c:627 > #4 0x408273 in show_symbols /home/wencheng/Experiment/elfutils/src/nm= .c:1285 > #5 0x40e5bd in handle_elf /home/wencheng/Experiment/elfutils/src/nm.c= :1578 > #6 0x40387c in process_file /home/wencheng/Experiment/elfutils/src/nm= .c:374 > #7 0x40387c in main /home/wencheng/Experiment/elfutils/src/nm.c:249 > #8 0x7f1604e6782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so= .6+0x2082f) > #9 0x404568 in _start (/home/wencheng/Experiment/elfutils/build/bin/e= u-nm+0x404568) >=20 > 0x603000000032 is located 2 bytes to the right of 32-byte region [0x60300= 0000010,0x603000000030) > allocated by thread T0 here: > #0 0x7f1605f4ab90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/= libasan.so.4+0xdeb90) > #1 0x7f16057feec3 in convert_data /home/wencheng/Experiment/elfutils/= libelf/elf_getdata.c:157 > #2 0x7f16057feec3 in __libelf_set_data_list_rdlock /home/wencheng/Exp= eriment/elfutils/libelf/elf_getdata.c:447 >=20 > SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Experiment= /elfutils/libdw/dwarf_nextcu.c:249 in __libdw_next_unit > Shadow bytes around the buggy address: > 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > =3D>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa > 0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07=20 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > =3D=3D12766=3D=3DABORTING --=20 You are receiving this mail because: You are on the CC list for the bug.