From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 15134 invoked by alias); 6 Oct 2019 16:11:46 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 15075 invoked by uid 48); 6 Oct 2019 16:11:42 -0000 From: "leftcopy.chx at gmail dot com" To: elfutils-devel@sourceware.org Subject: [Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 Date: Sun, 06 Oct 2019 16:11:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libelf X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: leftcopy.chx at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2019-q4/txt/msg00005.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D25069 Bug ID: 25069 Summary: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284 Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: libelf Assignee: unassigned at sourceware dot org Reporter: leftcopy.chx at gmail dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 12024 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D12024&action=3Ded= it pocs When running `eu-unstrip hbo_libelf/hbo__dwelf_strtab.c:284_1 hbo_libelf/stripped -o /dev/null` (compiled with ASAN), it may report the e= rror message, which results from a heap-buffer-overflow inside libelf (relevant = file attached): =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D18249=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001f75 at pc 0x7ffff6e6b66e bp 0x7fffffff48b0 sp 0x7fffffff4058 READ of size 20 at 0x620000001f75 thread T0 #0 0x7ffff6e6b66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) #1 0x7ffff68b080a in dwelf_strtab_add /home/hongxu/FOT/Targets/elfutils/eu-asan/libdwelf/dwelf_strtab.c:284 #2 0x555555569394 in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1845 #3 0x55555556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162 #4 0x55555556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227 #5 0x55555556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562 #6 0x7ffff63b2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #7 0x555555559a89 in _start (/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89) 0x620000001f75 is located 0 bytes to the right of 3829-byte region [0x620000001080,0x620000001f75) allocated by thread T0 here: #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x7ffff6be8287 in __libelf_set_rawdata_wrlock /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:332 #2 0x7ffff6be8f06 in __elf_getdata_rdlock /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:535 #3 0x7ffff6be8fb6 in elf_getdata /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:562 #4 0x55555555f7d0 in collect_symbols /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:838 #5 0x555555568b94 in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1783 #6 0x55555556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162 #7 0x55555556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227 #8 0x55555556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562 #9 0x7ffff63b2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)=20 Shadow bytes around the buggy address: 0x0c407fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff83c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D>0x0c407fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa 0x0c407fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07=20 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb =3D=3D18249=3D=3DABORTING --=20 You are receiving this mail because: You are on the CC list for the bug.