From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 86716 invoked by alias); 19 Oct 2019 12:43:37 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 86618 invoked by uid 48); 19 Oct 2019 12:43:33 -0000 From: "mark at klomp dot org" To: elfutils-devel@sourceware.org Subject: [Bug libelf/25077] AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772 Date: Sat, 19 Oct 2019 12:43:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libelf X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: mark at klomp dot org X-Bugzilla-Status: ASSIGNED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_status cf_reconfirmed_on cc everconfirmed Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2019-q4/txt/msg00019.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D25077 Mark Wielaard changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |ASSIGNED Last reconfirmed| |2019-10-19 CC| |mark at klomp dot org Ever confirmed|0 |1 --- Comment #1 from Mark Wielaard --- Replicated under valgrind: $ valgrind -q eu-unstrip hbo_libelf/hbo__elf32_updatefile.c:772_1 hbo_libelf/stripped -o /tmp/foobar =3D=3D25850=3D=3D Syscall param pwrite64(buf) points to unaddressable byte(= s) =3D=3D25850=3D=3D at 0x57A80D3: __pwrite_nocancel (syscall-template.S:81) =3D=3D25850=3D=3D by 0x4E45E37: UnknownInlinedFun (system.h:95) =3D=3D25850=3D=3D by 0x4E45E37: __elf64_updatefile (elf32_updatefile.c:7= 95) =3D=3D25850=3D=3D by 0x4E42250: write_file (elf_update.c:132) =3D=3D25850=3D=3D by 0x4E42250: elf_update (elf_update.c:231) =3D=3D25850=3D=3D by 0x406840: copy_elided_sections (unstrip.c:2070) =3D=3D25850=3D=3D by 0x4078B3: handle_file (unstrip.c:2158) =3D=3D25850=3D=3D by 0x407B8B: handle_explicit_files (unstrip.c:2223) =3D=3D25850=3D=3D by 0x4029DD: main (unstrip.c:2558) =3D=3D25850=3D=3D Address 0x632b8c6 is 0 bytes after a block of size 470 a= lloc'd =3D=3D25850=3D=3D at 0x4C2BF79: calloc (vg_replace_malloc.c:762) =3D=3D25850=3D=3D by 0x408028: xcalloc (xmalloc.c:63) =3D=3D25850=3D=3D by 0x403FD6: adjust_relocs.isra.14 (unstrip.c:565) =3D=3D25850=3D=3D by 0x406CC6: copy_elided_sections (unstrip.c:1956) =3D=3D25850=3D=3D by 0x4078B3: handle_file (unstrip.c:2158) =3D=3D25850=3D=3D by 0x407B8B: handle_explicit_files (unstrip.c:2223) =3D=3D25850=3D=3D by 0x4029DD: main (unstrip.c:2558) =3D=3D25850=3D=3D=20 eu-unstrip: cannot write output file: cannot write data to file The issue is simply that if the sh_entsize of the symver section was bogus (bigger than necessary) then some bogus data would be written out (except t= hat then fails as can be seen by the error message). The solution is simply to use the actual symver data size: diff --git a/src/unstrip.c b/src/unstrip.c index fc878325..5531a02d 100644 --- a/src/unstrip.c +++ b/src/unstrip.c @@ -572,7 +572,7 @@ adjust_relocs (Elf_Scn *outscn, Elf_Scn *inscn, const GElf_Shdr *shdr, record_new_data (versym); data->d_buf =3D versym; - data->d_size =3D nent * shdr->sh_entsize; + data->d_size =3D nent * sizeof versym[0]; elf_flagdata (data, ELF_C_SET, ELF_F_DIRTY); update_sh_size (outscn, data); } --=20 You are receiving this mail because: You are on the CC list for the bug.