From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 254D7386F47E; Wed, 16 Dec 2020 10:09:12 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 254D7386F47E
From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug libelf/27076] heap-buffer-overflow when calling file_read_elf
 function in elf_begin.c in libelf
Date: Wed, 16 Dec 2020 10:09:11 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: elfutils
X-Bugzilla-Component: libelf
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: mark at klomp dot org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_status cc resolution
Message-ID: <bug-27076-10460-E6KtyhKcoe@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-27076-10460@http.sourceware.org/bugzilla/>
References: <bug-27076-10460@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: elfutils-devel@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Elfutils-devel mailing list <elfutils-devel.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/elfutils-devel/>
List-Help: <mailto:elfutils-devel-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 10:09:12 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D27076

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |FIXED

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I couldn't reproduce a crash, but there is a small (1 byte) over-read detec=
ted
by valgrind:

=3D=3D12591=3D=3D Memcheck, a memory error detector
=3D=3D12591=3D=3D Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward =
et al.
=3D=3D12591=3D=3D Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyr=
ight info
=3D=3D12591=3D=3D Command: src/stack --core ./POC -abdilmsv
=3D=3D12591=3D=3D=20
=3D=3D12591=3D=3D Invalid read of size 2
=3D=3D12591=3D=3D    at 0x4E3A768: get_shnum (elf_begin.c:139)
=3D=3D12591=3D=3D    by 0x4E3A768: file_read_elf (elf_begin.c:289)
=3D=3D12591=3D=3D    by 0x4E3AE48: __libelf_read_mmaped_file (elf_begin.c:5=
52)
=3D=3D12591=3D=3D    by 0x50A969A: dwfl_segment_report_module
(dwfl_segment_report_module.c:955)
=3D=3D12591=3D=3D    by 0x50AC773: dwfl_core_file_report@@ELFUTILS_0.158
(core-file.c:558)
=3D=3D12591=3D=3D    by 0x4025B6: parse_opt (stack.c:595)
=3D=3D12591=3D=3D    by 0x56FACE3: argp_parse (in /usr/lib64/libc-2.17.so)
=3D=3D12591=3D=3D    by 0x401C12: main (stack.c:695)
=3D=3D12591=3D=3D  Address 0x6c182a0 is 48 bytes inside a block of size 49 =
alloc'd
=3D=3D12591=3D=3D    at 0x4C2C089: calloc (vg_replace_malloc.c:762)
=3D=3D12591=3D=3D    by 0x50A961E: dwfl_segment_report_module
(dwfl_segment_report_module.c:907)
=3D=3D12591=3D=3D    by 0x50AC773: dwfl_core_file_report@@ELFUTILS_0.158
(core-file.c:558)
=3D=3D12591=3D=3D    by 0x4025B6: parse_opt (stack.c:595)
=3D=3D12591=3D=3D    by 0x56FACE3: argp_parse (in /usr/lib64/libc-2.17.so)
=3D=3D12591=3D=3D    by 0x401C12: main (stack.c:695)
=3D=3D12591=3D=3D=20
src/stack: dwfl_core_file_attach: (null)
=3D=3D12591=3D=3D=20
=3D=3D12591=3D=3D HEAP SUMMARY:
=3D=3D12591=3D=3D     in use at exit: 2,536 bytes in 11 blocks
=3D=3D12591=3D=3D   total heap usage: 43 allocs, 32 frees, 14,913 bytes all=
ocated
=3D=3D12591=3D=3D=20
=3D=3D12591=3D=3D LEAK SUMMARY:
=3D=3D12591=3D=3D    definitely lost: 0 bytes in 0 blocks
=3D=3D12591=3D=3D    indirectly lost: 0 bytes in 0 blocks
=3D=3D12591=3D=3D      possibly lost: 0 bytes in 0 blocks
=3D=3D12591=3D=3D    still reachable: 2,536 bytes in 11 blocks
=3D=3D12591=3D=3D         suppressed: 0 bytes in 0 blocks
=3D=3D12591=3D=3D Rerun with --leak-check=3Dfull to see details of leaked m=
emory
=3D=3D12591=3D=3D=20
=3D=3D12591=3D=3D For lists of detected and suppressed errors, rerun with: =
-s
=3D=3D12591=3D=3D ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 fr=
om 0)

Fixed by making sure we have at least a full Ehdr available (which is 52 or=
 64
bytes in size):
https://sourceware.org/pipermail/elfutils-devel/2020q4/003322.html

--=20
You are receiving this mail because:
You are on the CC list for the bug.=