* [Bug libelf/25077] AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
2019-10-08 3:19 [Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772 leftcopy.chx at gmail dot com
From: mark at klomp dot org @ 2019-10-19 12:43 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2019-10-19
CC| |mark at klomp dot org
Ever confirmed|0 |1
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:
$ valgrind -q eu-unstrip hbo_libelf/hbo__elf32_updatefile.c:772_1 hbo_libelf/stripped -o /tmp/foobar
==25850== Syscall param pwrite64(buf) points to unaddressable byte(s)
==25850== at 0x57A80D3: __pwrite_nocancel (syscall-template.S:81)
==25850== by 0x4E45E37: UnknownInlinedFun (system.h:95)
==25850== by 0x4E45E37: __elf64_updatefile (elf32_updatefile.c:795)
==25850== by 0x4E42250: write_file (elf_update.c:132)
==25850== by 0x4E42250: elf_update (elf_update.c:231)
==25850== by 0x406840: copy_elided_sections (unstrip.c:2070)
==25850== by 0x4078B3: handle_file (unstrip.c:2158)
==25850== by 0x407B8B: handle_explicit_files (unstrip.c:2223)
==25850== by 0x4029DD: main (unstrip.c:2558)
==25850== Address 0x632b8c6 is 0 bytes after a block of size 470 alloc'd
==25850== at 0x4C2BF79: calloc (vg_replace_malloc.c:762)
==25850== by 0x408028: xcalloc (xmalloc.c:63)
==25850== by 0x403FD6: adjust_relocs.isra.14 (unstrip.c:565)
==25850== by 0x406CC6: copy_elided_sections (unstrip.c:1956)
==25850== by 0x4078B3: handle_file (unstrip.c:2158)
==25850== by 0x407B8B: handle_explicit_files (unstrip.c:2223)
==25850== by 0x4029DD: main (unstrip.c:2558)
==25850==
eu-unstrip: cannot write output file: cannot write data to file
The issue is simply that if the sh_entsize of the symver section was bogus
(bigger than necessary) then some bogus data would be written out (except that
then fails as can be seen by the error message).
The solution is simply to use the actual symver data size:
diff --git a/src/unstrip.c b/src/unstrip.c
index fc878325..5531a02d 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -572,7 +572,7 @@ adjust_relocs (Elf_Scn *outscn, Elf_Scn *inscn, const
GElf_Shdr *shdr,
record_new_data (versym);
data->d_buf = versym;
- data->d_size = nent * shdr->sh_entsize;
+ data->d_size = nent * sizeof versym[0];
elf_flagdata (data, ELF_C_SET, ELF_F_DIRTY);
update_sh_size (outscn, data);
}
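Review bot: the new `data->d_size = nent * sizeof versym[0];` makes the data size match the buffer that was actually allocated, but the hunk leaves `shdr->sh_entsize` as the input declared it, so the section header written for the output may still carry the oversized entry size next to correctly sized data. Consider also setting the output header's sh_entsize to `sizeof versym[0]` (if update_sh_size only adjusts sh_size), or reporting the mismatch as an error, so a malformed input is diagnosed rather than silently repaired.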
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
From: mark at klomp dot org @ 2019-10-21 20:56 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|libelf |tools
Assignee|unassigned at sourceware dot org |mark at klomp dot org
Summary|AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772 |unstrip bad handling of sh_entsize of the symver section
* [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
From: leftcopy.chx at gmail dot com @ 2019-10-22 6:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
--- Comment #2 from leftcopy.chx at gmail dot com ---
Since this crash occurs when calling `elf_update`, which resides in libelf, I
suppose this is a libelf library issue.
I'd suggest adding some documents to warn that it is the developers' duty to
ensure that the claimed symver size matches the actual one, or, better,
resolving the size purely inside the libelf code?
* [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
From: mark at klomp dot org @ 2019-10-22 12:01 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
(In reply to leftcopy.chx from comment #2)
> Since this crash occurs when calling `elf_update`, which resides in
> libelf, I suppose this is a libelf library issue.
>
> I'd suggest adding some documents to warn that it is the developers' duty to
> ensure that the claimed symver size matches the actual one, or, better,
> resolving the size purely inside the libelf code?
libelf would do the right thing if you don't use elf_flagelf (outelf,
ELF_C_SET, ELF_F_LAYOUT) as eu-unstrip does. If you set ELF_F_LAYOUT you
promise to set up all ELF data fields correctly yourself and libelf just trusts
you when writing out the file.
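Added example, not elfutils code and not from this thread: the consistency check a writer that sets ELF_F_LAYOUT has to do itself (comment #3), applied to the mismatch behind the 470-byte overrun in the valgrind trace of comment #1. The section-header struct, the SHT_GNU_versym constant and the sample values (235 entries, an sh_entsize of 8 for the bogus case) are constructed here so the code runs without libelf.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed subset of the ELF64 section header, laid out as in <elf.h>. */
typedef struct {
  uint32_t sh_name, sh_type;
  uint64_t sh_flags, sh_addr, sh_offset, sh_size;
  uint32_t sh_link, sh_info;
  uint64_t sh_addralign, sh_entsize;
} shdr64_t;

#define SHT_GNU_VERSYM_T 0x6fffffffu /* value of SHT_GNU_versym */
typedef uint16_t versym_t;           /* Elf64_Versym: one 16-bit entry per symbol */
enum versym_check { VERSYM_OK, VERSYM_NOT_VERSYM, VERSYM_BAD_ENTSIZE, VERSYM_BAD_SIZE };

/* Check that a .gnu.version header agrees with the buffer the writer will hand
   to libelf (nent entries of sizeof versym_t).  Under ELF_F_LAYOUT libelf does
   no such check: it writes d_size bytes from d_buf and trusts the caller. */
enum versym_check check_versym_shdr (const shdr64_t *shdr, size_t nent,
                                     uint64_t *out_size)
{
  *out_size = 0;
  if (shdr->sh_type != SHT_GNU_VERSYM_T)
    return VERSYM_NOT_VERSYM;
  if (shdr->sh_entsize != sizeof (versym_t))   /* the bogus case in this bug */
    return VERSYM_BAD_ENTSIZE;
  if (shdr->sh_size != (uint64_t) nent * sizeof (versym_t))
    return VERSYM_BAD_SIZE;
  *out_size = (uint64_t) nent * sizeof (versym_t);
  return VERSYM_OK;
}

/* Bytes the pre-fix computation (nent * sh_entsize) would read past a buffer
   of nent * sizeof versym_t bytes; 0 when sh_entsize is not too large. */
uint64_t versym_overrun_bytes (size_t nent, uint64_t sh_entsize)
{
  uint64_t claimed = (uint64_t) nent * sh_entsize;
  uint64_t actual = (uint64_t) nent * sizeof (versym_t);
  return claimed > actual ? claimed - actual : 0;
}

/* Constructed sample: 235 entries (the 470-byte calloc in the valgrind trace
   above) with a caller-chosen sh_entsize. */
enum versym_check check_sample (uint64_t sh_entsize, uint64_t *out_size)
{
  shdr64_t shdr = { .sh_type = SHT_GNU_VERSYM_T, .sh_size = 235 * sh_entsize,
                    .sh_entsize = sh_entsize };
  return check_versym_shdr (&shdr, 235, out_size);
}
```

With sh_entsize 8 the old computation would claim 1880 bytes for a 470-byte buffer, which is the unaddressable pwrite that valgrind reports.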
* [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
From: leftcopy.chx at gmail dot com @ 2019-10-22 12:12 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
--- Comment #4 from leftcopy.chx at gmail dot com ---
OK, that makes sense!
* [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
From: mark at klomp dot org @ 2019-10-26 0:28 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
commit da5a32a400da6a03a96f0aff10aff2d86bd9baad (HEAD -> master)
Author: Mark Wielaard <mark@klomp.org>
Date: Sat Oct 19 14:37:46 2019 +0200
unstrip: Don't try to write extra bogus versym data.
If the sh_entsize of the symver section was bogus (bigger than necessary)
then some bogus data would be written out (except that then fails because
pwrite would probably fail). Fix that by ignoring the bogus sh_entsize
and using the actual symver data size.
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Signed-off-by: Mark Wielaard <mark@klomp.org>