From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 114460 invoked by alias); 8 Oct 2019 03:19:16 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 114432 invoked by uid 48); 8 Oct 2019 03:19:12 -0000 From: "leftcopy.chx at gmail dot com" To: elfutils-devel@sourceware.org Subject: [Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772 Date: Tue, 08 Oct 2019 03:19:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libelf X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: leftcopy.chx at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2019-q4/txt/msg00012.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D25077 Bug ID: 25077 Summary: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772 Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: libelf Assignee: unassigned at sourceware dot org Reporter: leftcopy.chx at gmail dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 12030 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D12030&action=3Ded= it pocs and error message As of 47780c9e, libelf may suffer from a heap-buffer-overflow vulnerability when executing `./eu-unstrip $FILE ./stripped -o /dev/null`, where elfutils= is built with ASAN. The attachment contains the required files for reproductio= n. The error message is like: =3D=3D32515=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150000009d6 at pc 0x7ffff6e670ae bp 0x7fffffff1290 sp 0x7fffffff0a38 READ of size 60432 at 0x6150000009d6 thread T0 #0 0x7ffff6e670ad (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad) #1 0x7ffff6c10de4 in pwrite_retry ../lib/system.h:95 #2 0x7ffff6c10de4 in __elf64_updatefile /home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf32_updatefile.c:772 #3 0x7ffff6c0ce98 in write_file /home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:132 #4 0x7ffff6c0ce98 in elf_update /home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:231 #5 0x55555556b4ec in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2074 #6 0x55555556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162 #7 0x55555556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227 #8 0x55555556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562 #9 0x7ffff6596b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #10 0x555555559a89 in _start (/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89) 0x6150000009d6 is located 0 bytes to the right of 470-byte region [0x615000000800,0x6150000009d6) allocated by thread T0 here: #0 0x7ffff6ef8d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38) #1 0x55555556f4aa in xcalloc /home/hongxu/FOT/Targets/elfutils/eu-asan/lib/xmalloc.c:63 #2 0x55555555db16 in adjust_relocs /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:565 #3 0x55555556a62a in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1960 #4 0x55555556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162 #5 0x55555556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227 #6 0x55555556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562 #7 0x7ffff6596b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad)=20 Shadow bytes around the buggy address: 0x0c2a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c2a7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D>0x0c2a7fff8130: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa 0x0c2a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07=20 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb =3D=3D32515=3D=3DABORTING --=20 You are receiving this mail because: You are on the CC list for the bug.