From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm
From: "mark at klomp dot org"
To: elfutils-devel@sourceware.org
Subject: [Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
Date: Sat, 26 Oct 2019 20:07:00 -0000
X-Bugzilla-Product: elfutils
X-Bugzilla-Component: libelf
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: normal
X-Bugzilla-Who: mark at klomp dot org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: bug_status cf_reconfirmed_on everconfirmed
X-Bugzilla-URL: http://sourceware.org/bugzilla/
X-SW-Source: 2019-q4/txt/msg00051.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2019-10-26
     Ever confirmed|0                           |1

--- Comment #4 from Mark Wielaard ---
Thanks, replicated with that reproducer (and the stripped file from the first)
with valgrind:

mark@librem:~/build/elfutils-obj$ LD_LIBRARY_PATH=backends:libelf:libdw:libasm valgrind -q src/unstrip poc2/hbo__dwelf_strtab.c\:284_2 poc2/stripped -o /dev/null
==22429== Invalid read of size 1
==22429==    at 0x4838C74: strlen (vg_replace_strmem.c:460)
==22429==    by 0x49B3EE3: dwelf_strtab_add (dwelf_strtab.c:284)
==22429==    by 0x11A8BE: copy_elided_sections (unstrip.c:1882)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
==22429== Invalid read of size 1
==22429==    at 0x483D4E0: mempcpy (vg_replace_strmem.c:1536)
==22429==    by 0x49B3BD2: mempcpy (string_fortified.h:48)
==22429==    by 0x49B3BD2: copystrings (dwelf_strtab.c:301)
==22429==    by 0x49B400C: dwelf_strtab_finalize (dwelf_strtab.c:342)
==22429==    by 0x11AC4C: copy_elided_sections (unstrip.c:1929)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
src/unstrip: cannot write output file: section `sh_size' too small for data

-- 
You are receiving this mail because:
You are on the CC list for the bug.
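Added example, not elfutils code: the valgrind trace above shows strlen() inside dwelf_strtab_add reading the byte just past the 3,829-byte section buffer that elf_getdata allocated, which is what happens when a symbol's st_name points at a string-table entry with no terminating NUL inside the section. The C below is the bounds check a consumer of untrusted ELF input wants before handing such a name to strlen(); the functions strtab_get and count_valid_names and the sample table are constructed for this example and are not the project's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Resolve `off` inside a string-table section of `size` bytes without
   assuming the table is NUL-terminated.  Returns NULL when the offset is
   outside the section or the string runs off its end, which is exactly
   the case where a plain strlen() would read past the malloc'd buffer.  */
const char *strtab_get (const unsigned char *data, size_t size, size_t off)
{
  if (data == NULL || off >= size)
    return NULL;
  /* memchr is bounded by size - off, so it never touches bytes beyond data[size).  */
  const void *nul = memchr (data + off, '\0', size - off);
  return nul == NULL ? NULL : (const char *) data + off;
}

/* Count how many st_name offsets resolve to a safely terminated string.
   The rejected ones are the offsets an unchecked strlen() would overrun on.  */
size_t count_valid_names (const unsigned char *strtab, size_t size,
                          const uint32_t *st_name, size_t nsyms)
{
  size_t ok = 0;
  for (size_t i = 0; i < nsyms; i++)
    if (strtab_get (strtab, size, st_name[i]) != NULL)
      ok++;
  return ok;
}

/* Constructed sample: a .strtab whose last entry "foo" lost its NUL, as a
   truncated or crafted section would.  Offsets 6, 9 and 100 must be rejected.  */
static const unsigned char sample_strtab[] =
  { '\0', 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o' };
static const uint32_t sample_names[] = { 0, 1, 6, 9, 100 };

int main (void)
{
  size_t n = count_valid_names (sample_strtab, sizeof sample_strtab,
                                sample_names, 5);
  printf ("%zu of 5 symbol names are safely terminated\n", n);  /* prints 2 of 5 */
  return 0;
}
```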