[Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[leftcopy.chx at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

            Bug ID: 25069
           Summary: AddressSanitizer: heap-buffer-overflow at
                    libdwelf/dwelf_strtab.c:284
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libelf
          Assignee: unassigned at sourceware dot org
          Reporter: leftcopy.chx at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 12024
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12024&action=edit
pocs

When running `eu-unstrip hbo_libelf/hbo__dwelf_strtab.c:284_1
hbo_libelf/stripped -o /dev/null` (compiled with ASAN), it may report the error
message, which results from a heap-buffer-overflow inside libelf (relevant file
attached):



=================================================================
==18249==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x620000001f75 at pc 0x7ffff6e6b66e bp 0x7fffffff48b0 sp 0x7fffffff4058
READ of size 20 at 0x620000001f75 thread T0
    #0 0x7ffff6e6b66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x7ffff68b080a in dwelf_strtab_add
/home/hongxu/FOT/Targets/elfutils/eu-asan/libdwelf/dwelf_strtab.c:284
    #2 0x555555569394 in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1845
    #3 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #4 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #5 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #6 0x7ffff63b2b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x555555559a89 in _start
(/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)

0x620000001f75 is located 0 bytes to the right of 3829-byte region
[0x620000001080,0x620000001f75)
allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ffff6be8287 in __libelf_set_rawdata_wrlock
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:332
    #2 0x7ffff6be8f06 in __elf_getdata_rdlock
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:535
    #3 0x7ffff6be8fb6 in elf_getdata
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:562
    #4 0x55555555f7d0 in collect_symbols
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:838
    #5 0x555555568b94 in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1783
    #6 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #7 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #8 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #9 0x7ffff63b2b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) 
Shadow bytes around the buggy address:
  0x0c407fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c407fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa
  0x0c407fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18249==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I am unable to replicate this. Are you able to replicate with current git trunk
(with the recent fixes for eu-unstrip)?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[leftcopy.chx at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

--- Comment #2 from leftcopy.chx at gmail dot com ---
(In reply to Mark Wielaard from comment #1)
> I am unable to replicate this. Are you able to replicate with current git
> trunk (with the recent fixes for eu-unstrip)?

I cannot replicate with git trunk either.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[leftcopy.chx at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

--- Comment #3 from leftcopy.chx at gmail dot com ---
Created attachment 12053
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12053&action=edit
poc that triggers the crash against git 99dc63b1

Found another poc that triggers this crash. See attachment.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2019-10-26
     Ever confirmed|0                           |1

--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
Thanks, replicated with that reproducer (and the stripped file from the first)
with valgrind:

mark@librem:~/build/elfutils-obj$ LD_LIBRARY_PATH=backends:libelf:libdw:libasm
valgrind -q src/unstrip poc2/hbo__dwelf_strtab.c\:284_2 poc2/stripped -o
/dev/null
==22429== Invalid read of size 1
==22429==    at 0x4838C74: strlen (vg_replace_strmem.c:460)
==22429==    by 0x49B3EE3: dwelf_strtab_add (dwelf_strtab.c:284)
==22429==    by 0x11A8BE: copy_elided_sections (unstrip.c:1882)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
==22429== Invalid read of size 1
==22429==    at 0x483D4E0: mempcpy (vg_replace_strmem.c:1536)
==22429==    by 0x49B3BD2: mempcpy (string_fortified.h:48)
==22429==    by 0x49B3BD2: copystrings (dwelf_strtab.c:301)
==22429==    by 0x49B400C: dwelf_strtab_finalize (dwelf_strtab.c:342)
==22429==    by 0x11AC4C: copy_elided_sections (unstrip.c:1929)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
src/unstrip: cannot write output file: section `sh_size' too small for data

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tools/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
          Component|libelf                      |tools
           Assignee|unassigned at sourceware dot org   |mark at klomp dot org

--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
The problem is that the symbol table string data (.strtab) is corrupt. The last
string doesn't have a zero terminator. This can be fixed by checking the symbol
name is a valid string:

diff --git a/src/unstrip.c b/src/unstrip.c
index f4314d5d..9b8c09a1 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -854,7 +854,9 @@ collect_symbols (Elf *outelf, bool rel, Elf_Scn *symscn,
Elf_Scn *strscn,
       if (sym->st_shndx != SHN_XINDEX)
        shndx = sym->st_shndx;

-      if (sym->st_name >= strdata->d_size)
+      if (sym->st_name >= strdata->d_size
+         || memrchr (strdata->d_buf + sym->st_name, '\0',
+                     strdata->d_size - sym->st_name) == NULL)
        error (EXIT_FAILURE, 0,
               _("invalid string offset in symbol [%zu]"), i);

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tools/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Mark Wielaard <mark at klomp dot org> ---
commit b2dddd3389a8005a7e93bc21b2932156899e1aac
Author: Mark Wielaard <mark@klomp.org>
Date:   Sat Oct 26 22:54:49 2019 +0200

    unstrip: Check symbol strings are terminated.

    A corrupt ELF file could contain a .strtab section that wasn't
    properly zero terminated. If so we could add a non-terminated string
    to the dwelf_strtab functions, which could then crash because they
    would read past the .strtab section data.

    https://sourceware.org/bugzilla/show_bug.cgi?id=25069

    Signed-off-by: Mark Wielaard <mark@klomp.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.