* [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
@ 2019-10-06 16:11 leftcopy.chx at gmail dot com
2019-10-26 0:57 ` [Bug libelf/25069] " mark at klomp dot org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: leftcopy.chx at gmail dot com @ 2019-10-06 16:11 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Bug ID: 25069
Summary: AddressSanitizer: heap-buffer-overflow at
libdwelf/dwelf_strtab.c:284
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: leftcopy.chx at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 12024
--> https://sourceware.org/bugzilla/attachment.cgi?id=12024&action=edit
pocs
When running `eu-unstrip hbo_libelf/hbo__dwelf_strtab.c:284_1
hbo_libelf/stripped -o /dev/null` (compiled with ASAN), it may report the error
message, which results from a heap-buffer-overflow inside libelf (relevant file
attached):
=================================================================
==18249==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x620000001f75 at pc 0x7ffff6e6b66e bp 0x7fffffff48b0 sp 0x7fffffff4058
READ of size 20 at 0x620000001f75 thread T0
#0 0x7ffff6e6b66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
#1 0x7ffff68b080a in dwelf_strtab_add
/home/hongxu/FOT/Targets/elfutils/eu-asan/libdwelf/dwelf_strtab.c:284
#2 0x555555569394 in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1845
#3 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
#4 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
#5 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
#6 0x7ffff63b2b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#7 0x555555559a89 in _start
(/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)
0x620000001f75 is located 0 bytes to the right of 3829-byte region
[0x620000001080,0x620000001f75)
allocated by thread T0 here:
#0 0x7ffff6ef8b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7ffff6be8287 in __libelf_set_rawdata_wrlock
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:332
#2 0x7ffff6be8f06 in __elf_getdata_rdlock
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:535
#3 0x7ffff6be8fb6 in elf_getdata
/home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:562
#4 0x55555555f7d0 in collect_symbols
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:838
#5 0x555555568b94 in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1783
#6 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
#7 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
#8 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
#9 0x7ffff63b2b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
0x0c407fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c407fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c407fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c407fff83c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c407fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c407fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa
0x0c407fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18249==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
@ 2019-10-26 0:57 ` mark at klomp dot org
2019-10-26 7:31 ` leftcopy.chx at gmail dot com
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: mark at klomp dot org @ 2019-10-26 0:57 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I am unable to replicate this. Are you able to replicate with current git trunk
(with the recent fixes for eu-unstrip)?
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
2019-10-26 0:57 ` [Bug libelf/25069] " mark at klomp dot org
@ 2019-10-26 7:31 ` leftcopy.chx at gmail dot com
2019-10-26 8:07 ` leftcopy.chx at gmail dot com
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: leftcopy.chx at gmail dot com @ 2019-10-26 7:31 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
--- Comment #2 from leftcopy.chx at gmail dot com ---
(In reply to Mark Wielaard from comment #1)
> I am unable to replicate this. Are you able to replicate with current git
> trunk (with the recent fixes for eu-unstrip)?
I cannot replicate with git trunk either.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
2019-10-26 0:57 ` [Bug libelf/25069] " mark at klomp dot org
2019-10-26 7:31 ` leftcopy.chx at gmail dot com
@ 2019-10-26 8:07 ` leftcopy.chx at gmail dot com
2019-10-26 20:07 ` mark at klomp dot org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: leftcopy.chx at gmail dot com @ 2019-10-26 8:07 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
--- Comment #3 from leftcopy.chx at gmail dot com ---
Created attachment 12053
--> https://sourceware.org/bugzilla/attachment.cgi?id=12053&action=edit
poc that triggers the crash against git 99dc63b1
Found another poc that triggers this crash. See attachment.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
` (2 preceding siblings ...)
2019-10-26 8:07 ` leftcopy.chx at gmail dot com
@ 2019-10-26 20:07 ` mark at klomp dot org
2019-10-26 20:52 ` [Bug tools/25069] " mark at klomp dot org
2019-10-29 14:49 ` mark at klomp dot org
5 siblings, 0 replies; 7+ messages in thread
From: mark at klomp dot org @ 2019-10-26 20:07 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2019-10-26
Ever confirmed|0 |1
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
Thanks, replicated with that reproducer (and the stripped file from the first)
with valgrind:
mark@librem:~/build/elfutils-obj$ LD_LIBRARY_PATH=backends:libelf:libdw:libasm
valgrind -q src/unstrip poc2/hbo__dwelf_strtab.c\:284_2 poc2/stripped -o
/dev/null
==22429== Invalid read of size 1
==22429== at 0x4838C74: strlen (vg_replace_strmem.c:460)
==22429== by 0x49B3EE3: dwelf_strtab_add (dwelf_strtab.c:284)
==22429== by 0x11A8BE: copy_elided_sections (unstrip.c:1882)
==22429== by 0x11CDA2: handle_file (unstrip.c:2203)
==22429== by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429== by 0x1121CF: main (unstrip.c:2603)
==22429== Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429== at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429== by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429== by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429== by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429== by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429== by 0x112B29: collect_symbols (unstrip.c:843)
==22429== by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429== by 0x11CDA2: handle_file (unstrip.c:2203)
==22429== by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429== by 0x1121CF: main (unstrip.c:2603)
==22429==
==22429== Invalid read of size 1
==22429== at 0x483D4E0: mempcpy (vg_replace_strmem.c:1536)
==22429== by 0x49B3BD2: mempcpy (string_fortified.h:48)
==22429== by 0x49B3BD2: copystrings (dwelf_strtab.c:301)
==22429== by 0x49B400C: dwelf_strtab_finalize (dwelf_strtab.c:342)
==22429== by 0x11AC4C: copy_elided_sections (unstrip.c:1929)
==22429== by 0x11CDA2: handle_file (unstrip.c:2203)
==22429== by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429== by 0x1121CF: main (unstrip.c:2603)
==22429== Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429== at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429== by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429== by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429== by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429== by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429== by 0x112B29: collect_symbols (unstrip.c:843)
==22429== by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429== by 0x11CDA2: handle_file (unstrip.c:2203)
==22429== by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429== by 0x1121CF: main (unstrip.c:2603)
==22429==
src/unstrip: cannot write output file: section `sh_size' too small for data
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug tools/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
` (3 preceding siblings ...)
2019-10-26 20:07 ` mark at klomp dot org
@ 2019-10-26 20:52 ` mark at klomp dot org
2019-10-29 14:49 ` mark at klomp dot org
5 siblings, 0 replies; 7+ messages in thread
From: mark at klomp dot org @ 2019-10-26 20:52 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Component|libelf |tools
Assignee|unassigned at sourceware dot org |mark at klomp dot org
--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
The problem is that the symbol table string data (.strtab) is corrupt. The last
string doesn't have a zero terminator. This can be fixed by checking the symbol
name is a valid string:
diff --git a/src/unstrip.c b/src/unstrip.c
index f4314d5d..9b8c09a1 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -854,7 +854,9 @@ collect_symbols (Elf *outelf, bool rel, Elf_Scn *symscn,
Elf_Scn *strscn,
if (sym->st_shndx != SHN_XINDEX)
shndx = sym->st_shndx;
- if (sym->st_name >= strdata->d_size)
+ if (sym->st_name >= strdata->d_size
+ || memrchr (strdata->d_buf + sym->st_name, '\0',
+ strdata->d_size - sym->st_name) == NULL)
error (EXIT_FAILURE, 0,
_("invalid string offset in symbol [%zu]"), i);
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug tools/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
` (4 preceding siblings ...)
2019-10-26 20:52 ` [Bug tools/25069] " mark at klomp dot org
@ 2019-10-29 14:49 ` mark at klomp dot org
5 siblings, 0 replies; 7+ messages in thread
From: mark at klomp dot org @ 2019-10-29 14:49 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Mark Wielaard <mark at klomp dot org> ---
commit b2dddd3389a8005a7e93bc21b2932156899e1aac
Author: Mark Wielaard <mark@klomp.org>
Date: Sat Oct 26 22:54:49 2019 +0200
unstrip: Check symbol strings are terminated.
A corrupt ELF file could contain a .strtab section that wasn't
properly zero terminated. If so we could add a non-terminated string
to the dwelf_strtab functions, which could then crash because they
would read past the .strtab section data.
https://sourceware.org/bugzilla/show_bug.cgi?id=25069
Signed-off-by: Mark Wielaard <mark@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-10-29 14:49 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-06 16:11 [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 leftcopy.chx at gmail dot com
2019-10-26 0:57 ` [Bug libelf/25069] " mark at klomp dot org
2019-10-26 7:31 ` leftcopy.chx at gmail dot com
2019-10-26 8:07 ` leftcopy.chx at gmail dot com
2019-10-26 20:07 ` mark at klomp dot org
2019-10-26 20:52 ` [Bug tools/25069] " mark at klomp dot org
2019-10-29 14:49 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).