From: "2060271023 at email dot szu.edu.cn"
To: elfutils-devel@sourceware.org
Subject: [Bug libelf/27076] New: heap-buffer-overflow when calling file_read_elf function in elf_begin.c in libelf
Date: Wed, 16 Dec 2020 06:38:44 +0000
List-Id: Elfutils-devel mailing list

https://sourceware.org/bugzilla/show_bug.cgi?id=27076

            Bug ID: 27076
           Summary: heap-buffer-overflow when calling file_read_elf
                    function in elf_begin.c in libelf
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libelf
          Assignee: unassigned at sourceware dot org
          Reporter: 2060271023 at email dot szu.edu.cn
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 13055
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13055&action=edit
the crafted input causing heap-buffer-overflow

Hi,

A heap-buffer-overflow problem was discovered in the function file_read_elf in elf_begin.c in libelf, as distributed in elfutils-0.182. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "./eu-stack --core=$POS -abdilmsv" to reproduce the error.

$ git log
> commit 609290a61d4f900c65b7e0e273981022a826e4c0 (HEAD -> master, origin/master, origin/HEAD)
> Author: Mark Wielaard
> Date:   Sun Nov 29 01:57:53 2020 +0100
>
>     libdwfl: Use 64bit GElf_Addr instead of size_t to calculate address.
>
>     size_t is too small on 32 bit systems to analyze a 64 bit core file.
>
>     Signed-off-by: Mark Wielaard

ASAN dumps the stack trace as follows:

> =================================================================
> ==5661==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000b0 at pc 0x7f3dda845483 bp 0x7ffcfffb4ad0 sp 0x7ffcfffb4ac0
> READ of size 2 at 0x6060000000b0 thread T0
>     #0 0x7f3dda845482 in file_read_elf /elfutils/libelf/elf_begin.c:453
>     #1 0x7f3dda845482 in __libelf_read_mmaped_file /elfutils/libelf/elf_begin.c:552
>     #2 0x7f3dda54f44f in dwfl_segment_report_module /elfutils/libdwfl/dwfl_segment_report_module.c:955
>     #3 0x7f3dda567165 in dwfl_core_file_report /elfutils/libdwfl/core-file.c:558
>     #4 0x5584957f0f15 in parse_opt /elfutils/src/stack.c:595
>     #5 0x7f3dd9fe0d4a in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x12fd4a)
>     #6 0x5584957f01f4 in main /elfutils/src/stack.c:695
>     #7 0x7f3dd9ed2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
>     #8 0x5584957f0bc9 in _start (/elfutils/build/bin/eu-stack+0x5bc9)
>
> 0x6060000000b1 is located 0 bytes to the right of 49-byte region [0x606000000080,0x6060000000b1)
> allocated by thread T0 here:
>     #0 0x7f3ddabc9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
>     #1 0x7f3dda54f1a6 in dwfl_segment_report_module /elfutils/libdwfl/dwfl_segment_report_module.c:907
>     #2 0x7f3dda567165 in dwfl_core_file_report /elfutils/libdwfl/core-file.c:558
>     #3 0x5584957f0f15 in parse_opt /elfutils/src/stack.c:595
>     #4 0x7f3dd9fe0d4a in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x12fd4a)
>     #5 0x5584957f01f4 in main /elfutils/src/stack.c:695
>     #6 0x7f3dd9ed2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /elfutils/libelf/elf_begin.c:453 in file_read_elf
> Shadow bytes around the buggy address:
>   0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> =>0x0c0c7fff8010: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==5661==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
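Added illustration, not elfutils code and not the reporter's: the ASan report above shows a 2-byte read whose second byte lands one past the end of a 49-byte calloc'd region while file_read_elf is looking at ELF header bytes. Without claiming which field libelf reads at elf_begin.c:453, the generic defence against that class of read is to check that the whole class-specific ELF header (52 bytes for ELFCLASS32, 64 for ELFCLASS64) fits inside the buffer before touching any field beyond e_ident. The parser below does exactly that for the 16-bit fields at the tail of the header; the field offsets are the standard Elf32_Ehdr/Elf64_Ehdr layouts, and the 49-byte and 52-byte inputs are constructed test data for this example, not the attachment from the bug.

```c
/*
 * Added example (not elfutils code): bounds-checked extraction of the
 * 16-bit fields at the tail of an ELF header.  Offsets follow the standard
 * Elf32_Ehdr / Elf64_Ehdr layouts.  The 49-byte sample is constructed to be
 * shorter than a complete ELF32 header, so an unchecked read of e_shnum at
 * offset 48 would reach one byte past the buffer, as in the ASan report.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Standard e_ident indices and values. */
#define EI_NIDENT   16
#define EI_CLASS    4
#define EI_DATA     5
#define ELFCLASS32  1
#define ELFCLASS64  2
#define ELFDATA2LSB 1
#define ELFDATA2MSB 2

enum elf_probe_status {
    ELF_OK = 0,
    ELF_ERR_SHORT_IDENT,    /* fewer than EI_NIDENT bytes available */
    ELF_ERR_BAD_MAGIC,
    ELF_ERR_BAD_CLASS,
    ELF_ERR_BAD_DATA,
    ELF_ERR_TRUNCATED_EHDR  /* e_ident is fine but the header does not fit */
};

struct elf_probe {
    int      cls;        /* ELFCLASS32 or ELFCLASS64 */
    size_t   ehdr_size;  /* 52 or 64 */
    uint16_t e_type, e_machine, e_shnum, e_shstrndx;
};

/* Read a 16-bit field in the byte order named by e_ident[EI_DATA]. */
static uint16_t rd16(const unsigned char *p, int data)
{
    return data == ELFDATA2LSB ? (uint16_t)(p[0] | (p[1] << 8))
                               : (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse only from buf[0 .. len): every field read is preceded by a check
 * that the whole class-specific header lies inside the buffer. */
enum elf_probe_status elf_probe(const unsigned char *buf, size_t len,
                                struct elf_probe *out)
{
    if (len < EI_NIDENT)
        return ELF_ERR_SHORT_IDENT;
    if (memcmp(buf, "\x7f" "ELF", 4) != 0)   /* split so 'E' is not a hex digit */
        return ELF_ERR_BAD_MAGIC;

    int cls = buf[EI_CLASS], data = buf[EI_DATA];
    size_t ehdr_size, off_shnum;             /* e_shstrndx follows e_shnum */
    if (cls == ELFCLASS32)      { ehdr_size = 52; off_shnum = 48; }
    else if (cls == ELFCLASS64) { ehdr_size = 64; off_shnum = 60; }
    else return ELF_ERR_BAD_CLASS;
    if (data != ELFDATA2LSB && data != ELFDATA2MSB)
        return ELF_ERR_BAD_DATA;

    /* The guard: a 49-byte ELF32 buffer stops here instead of having
     * e_shnum read from bytes 48..49 and e_shstrndx from 50..51. */
    if (len < ehdr_size)
        return ELF_ERR_TRUNCATED_EHDR;

    out->cls        = cls;
    out->ehdr_size  = ehdr_size;
    out->e_type     = rd16(buf + 16, data);  /* same offset in both classes */
    out->e_machine  = rd16(buf + 18, data);
    out->e_shnum    = rd16(buf + off_shnum, data);
    out->e_shstrndx = rd16(buf + off_shnum + 2, data);
    return ELF_OK;
}

/* Constructed sample: well-formed ELF32 little-endian e_ident, then a
 * header body cut off at 49 bytes in total (3 bytes short of 52). */
static const unsigned char truncated_elf32[49] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1 /* EV_CURRENT */
};

/* Constructed sample: a complete 52-byte ELF32 header with e_type = ET_CORE
 * (4), e_machine = EM_386 (3), e_shnum = 3, e_shstrndx = 2, rest zero. */
static const unsigned char full_elf32[52] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1,
    [16] = 4, 0,     /* e_type     */
    [18] = 3, 0,     /* e_machine  */
    [48] = 3, 0,     /* e_shnum    */
    [50] = 2, 0,     /* e_shstrndx */
};

enum elf_probe_status probe_truncated(struct elf_probe *out)
{
    struct elf_probe tmp;
    return elf_probe(truncated_elf32, sizeof truncated_elf32, out ? out : &tmp);
}

enum elf_probe_status probe_full(struct elf_probe *out)
{
    struct elf_probe tmp;
    return elf_probe(full_elf32, sizeof full_elf32, out ? out : &tmp);
}

int main(void)
{
    struct elf_probe p;
    printf("truncated sample: status %d\n", (int)probe_truncated(NULL));
    if (probe_full(&p) == ELF_OK)
        printf("full sample: type %u machine %u shnum %u shstrndx %u\n",
               p.e_type, p.e_machine, p.e_shnum, p.e_shstrndx);
    return 0;
}
```

The point of the guard is that the length used for the check is the buffer length actually handed to the parser, not e_ehsize or any other value taken from the (untrusted) header itself; a core file can claim any header size it likes, but it cannot make the calloc'd region larger.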