* [Bug libelf/24387] New: Invalid address Deference in elf32_xlatetom function in libelf/elf32_xlatetom.c
@ 2019-03-26 8:19 wcventure at 126 dot com
2019-03-26 8:19 ` [Bug libelf/24387] " wcventure at 126 dot com
2019-03-27 21:40 ` [Bug libelf/24387] dwfl_segment_report_module doesn't check whether the phdrs data read from core file is truncated mark at klomp dot org
0 siblings, 2 replies; 3+ messages in thread
From: wcventure at 126 dot com @ 2019-03-26 8:19 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24387
Bug ID: 24387
Summary: Invalid address Deference in elf32_xlatetom function
in libelf/elf32_xlatetom.c
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11701
--> https://sourceware.org/bugzilla/attachment.cgi?id=11701&action=edit
POC1
Similar to Bug 24103. But this bug happened in elf32_xlatetom function, and can
still reproduce on elfutils 0.176.
So the Fixed is Incomplete.
Need to check the root cause.
Here are the POC file. Please use the "eu-stack --core=$POC"to reproduce the
bug.
ASAN backtrace:
> =================================================================
> ==6345==ERROR: AddressSanitizer: unknown-crash on address 0x7f79e8976000 at pc 0x7f79e7886df8 bp 0x7ffd4529cf30 sp 0x7ffd4529c6d8
> READ of size 3104 at 0x7f79e8976000 thread T0
> #0 0x7f79e7886df7 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cdf7)
> #1 0x7f79e756ac2b in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f79e756ac2b in elf32_xlatetom /Regression/elfutils-0.176/libelf/elf32_xlatetom.c:100
> #3 0x7f79e72c29c8 in dwfl_segment_report_module /Regression/elfutils-0.176/libdwfl/dwfl_segment_report_module.c:607
> #4 0x7f79e72d51b9 in dwfl_core_file_report /Regression/elfutils-0.176/libdwfl/core-file.c:543
> #5 0x40322d in parse_opt /Regression/elfutils-0.176/src/stack.c:590
> #6 0x7f79e6b2a847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
> #7 0x40271b in main /Regression/elfutils-0.176/src/stack.c:690
> #8 0x7f79e6a3682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x402ef8 in _start (/Regression/elfutils-0.176_ASAN/build/bin/eu-stack+0x402ef8)
>
> AddressSanitizer can not describe address in more detail (wild memory access suspected).
> SUMMARY: AddressSanitizer: unknown-crash ??:0 __asan_memmove
> Shadow bytes around the buggy address:
> 0x0fefbd126bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fefbd126bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fefbd126bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fefbd126be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fefbd126bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fefbd126c00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fefbd126c10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fefbd126c20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fefbd126c30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fefbd126c40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fefbd126c50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==6345==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug libelf/24387] Invalid address Deference in elf32_xlatetom function in libelf/elf32_xlatetom.c
2019-03-26 8:19 [Bug libelf/24387] New: Invalid address Deference in elf32_xlatetom function in libelf/elf32_xlatetom.c wcventure at 126 dot com
@ 2019-03-26 8:19 ` wcventure at 126 dot com
2019-03-27 21:40 ` [Bug libelf/24387] dwfl_segment_report_module doesn't check whether the phdrs data read from core file is truncated mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: wcventure at 126 dot com @ 2019-03-26 8:19 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24387
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11702
--> https://sourceware.org/bugzilla/attachment.cgi?id=11702&action=edit
POC2
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug libelf/24387] dwfl_segment_report_module doesn't check whether the phdrs data read from core file is truncated
2019-03-26 8:19 [Bug libelf/24387] New: Invalid address Deference in elf32_xlatetom function in libelf/elf32_xlatetom.c wcventure at 126 dot com
2019-03-26 8:19 ` [Bug libelf/24387] " wcventure at 126 dot com
@ 2019-03-27 21:40 ` mark at klomp dot org
1 sibling, 0 replies; 3+ messages in thread
From: mark at klomp dot org @ 2019-03-27 21:40 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24387
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |mark at klomp dot org
Resolution|--- |FIXED
Summary|Invalid address Deference |dwfl_segment_report_module
|in elf32_xlatetom function |doesn't check whether the
|in libelf/elf32_xlatetom.c |phdrs data read from core
| |file is truncated
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Can be replicated with valgrind.
It is indeed similar to bug #24103. Both of which aren't bugs in
elf(64|32)_xlatetom, but dwfl_segment_report_module should also check that the
core file isn't truncated so that not all of the phdrs can be read.
Fix is similar:
diff --git a/libdwfl/dwfl_segment_report_module.c
b/libdwfl/dwfl_segment_report_
index f6ad39b..76ba150 100644
--- a/libdwfl/dwfl_segment_report_module.c
+++ b/libdwfl/dwfl_segment_report_module.c
@@ -412,6 +412,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const
char
start + phoff, xlatefrom.d_size))
return finish ();
+ /* ph_buffer_size will be zero if we got everything from the initial
+ buffer, otherwise it will be the size of the new buffer that
+ could be read. */
+ if (ph_buffer_size != 0)
+ xlatefrom.d_size = ph_buffer_size;
+
xlatefrom.d_buf = ph_buffer;
bool class32 = ei_class == ELFCLASS32;
commit e1f353b785b5cdb20d8004b6c4070c3e2a783e8b
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Mar 27 22:32:21 2019 +0100
libdwfl: Sanity check partial core file phdrs data read.
When reading the phdrs data from the core file check if we got everything,
or just part of the data.
https://sourceware.org/bugzilla/show_bug.cgi?id=24387
Signed-off-by: Mark Wielaard <mark@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-27 21:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-26 8:19 [Bug libelf/24387] New: Invalid address Deference in elf32_xlatetom function in libelf/elf32_xlatetom.c wcventure at 126 dot com
2019-03-26 8:19 ` [Bug libelf/24387] " wcventure at 126 dot com
2019-03-27 21:40 ` [Bug libelf/24387] dwfl_segment_report_module doesn't check whether the phdrs data read from core file is truncated mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).