* [Bug tools/31058] New: global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
@ 2023-11-13 3:08 jyxu at seu dot edu.cn
From: jyxu at seu dot edu.cn @ 2023-11-13 3:08 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
Bug ID: 31058
Summary: global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: jyxu at seu dot edu.cn
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 15216
--> https://sourceware.org/bugzilla/attachment.cgi?id=15216&action=edit
poc
System info
Ubuntu x86_64, clang 12.0
version: readelf (elfutils) 0.190
Command line
./readelf -a poc
Poc
poc: https://github.com/SEU-SSL/Poc/blob/main/elfutils/id_000121%2Csig_08%2Csrc_002748%2B003088%2Cop_splice%2Crep_128
(Alternatively, download it in the attachment.)
AddressSanitizer output
==3674715==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000005fe002 at pc 0x000000430d96 bp 0x7ffc65cae250 sp 0x7ffc65cada10
READ of size 1 at 0x0000005fe002 thread T0
#0 0x430d95 in strlen (/src/elfutils-0.190/src/readelf+0x430d95)
#1 0x53f152 in ebl_machine_flag_name
/src/elfutils-0.190/libebl/eblmachineflagname.c:73:17
#2 0x4cf3ad in print_ehdr /src/elfutils-0.190/src/readelf.c:1181:4
#3 0x4cf3ad in process_elf_file /src/elfutils-0.190/src/readelf.c:1050:5
#4 0x4cddf4 in process_dwflmod /src/elfutils-0.190/src/readelf.c:840:3
#5 0x7fba8f0d800d in dwfl_getmodules
/src/elfutils-0.190/libdwfl/dwfl_getmodules.c:86:16
#6 0x4cb8e1 in process_file /src/elfutils-0.190/src/readelf.c:948:7
#7 0x4cad48 in main /src/elfutils-0.190/src/readelf.c:417:7
#8 0x7fba8ebac082 in __libc_start_main
/build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x41ec2d in _start (/src/elfutils-0.190/src/readelf+0x41ec2d)
0x0000005fe002 is located 30 bytes to the left of global variable '<string
literal>' defined in 'arm_machineflagname.c:59:11' (0x5fe020) of size 34
'<string literal>' is ascii string 'dynamic symbols use segment index'
0x0000005fe002 is located 28 bytes to the right of global variable 'vername'
defined in 'arm_machineflagname.c:42:25' (0x5fdfa0) of size 70
SUMMARY: AddressSanitizer: global-buffer-overflow
(/src/elfutils-0.190/src/readelf+0x430d95) in strlen
Shadow bytes around the buggy address:
0x0000800b7bb0: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0000800b7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800b7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
0x0000800b7be0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800b7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 06 f9 f9 f9
=>0x0000800b7c00:[f9]f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
0x0000800b7c10: 00 00 00 07 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
0x0000800b7c20: 00 07 f9 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
0x0000800b7c30: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000800b7c40: 00 00 05 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
0x0000800b7c50: 00 00 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3674715==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug tools/31058] global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
From: mark at klomp dot org @ 2023-11-13 21:59 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
Mark Wielaard <mark at klomp dot org> changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |UNCONFIRMED |RESOLVED
Resolution  |---         |FIXED
CC          |            |mark at klomp dot org
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Thanks, fixed with this commit so no random global strings are returned.
commit 373f5212677235fc3ca6068b887111554790f944
Author: Mark Wielaard <mark@klomp.org>
Date: Mon Nov 13 22:38:10 2023 +0100
backends: Fix arm_machine_flag_name version string.
arm_machine_flag_name checks the version byte and if not zero returns
a version string. There are only 5 versions defined. So check the
version byte is not larger.
* backends/arm_machineflagname.c (arm_machine_flag_name):
Check version <= 0, otherwise return NULL.
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
Signed-off-by: Mark Wielaard <mark@klomp.org>
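The pattern that commit fixes, shown as an added example rather than elfutils' own code: a version byte taken from an untrusted ELF e_flags word is used to index a fixed table of version strings. The unchecked lookup is the shape of the bug (any non-zero byte becomes an index, so values above the five defined versions read past the table into neighbouring globals, which is exactly what AddressSanitizer reported in strlen and what Comment #3 describes as "a random global string" in an uninstrumented build); the checked lookup rejects out-of-range versions and returns NULL, and the caller handles NULL. The mask, shift, table contents and function names here are constructed for the example; only the "top byte of e_flags holds the EABI version" layout mirrors EM_ARM.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not elfutils code): the EABI version lives in the
   top byte of the e_flags word, as it does for EM_ARM objects. */
#define EABI_MASK   0xFF000000u
#define EABI_SHIFT  24
#define NVERSIONS   5          /* only versions 1..5 are defined */

/* Constructed string table, one entry per defined version. */
static const char vername[NVERSIONS][14] = {
  "Version1 EABI", "Version2 EABI", "Version3 EABI",
  "Version4 EABI", "Version5 EABI",
};

/* Version byte of the flag word; 0 means no EABI version is set. */
static unsigned eabi_version (uint32_t flags)
{
  return (flags & EABI_MASK) >> EABI_SHIFT;
}

/* Unchecked lookup, the shape of the reported bug: every non-zero
   version byte is used as an index, so a crafted header with version
   6..255 reads past 'vername'.  Under AddressSanitizer that is a
   global-buffer-overflow; without it the caller prints whatever global
   happens to follow the table.  Deliberately never called below. */
const char *version_name_unchecked (uint32_t flags)
{
  unsigned v = eabi_version (flags);
  if (v == 0)
    return NULL;
  return vername[v - 1];       /* out of bounds for v > NVERSIONS */
}

/* Checked lookup: refuse anything outside the defined range first. */
const char *version_name_checked (uint32_t flags)
{
  unsigned v = eabi_version (flags);
  if (v == 0 || v > NVERSIONS)
    return NULL;
  return vername[v - 1];
}

/* A header printer that copes with the NULL result instead of passing
   it (or a stray pointer) on to strlen/printf.  Returns snprintf's
   length, or -1 on a formatting error. */
int describe_flags (uint32_t flags, char *out, size_t outlen)
{
  unsigned v = eabi_version (flags);
  const char *name = version_name_checked (flags);

  if (v == 0)
    return snprintf (out, outlen, "flags 0x%08x: no EABI version",
                     (unsigned) flags);
  if (name == NULL)
    return snprintf (out, outlen, "flags 0x%08x: unknown EABI version %u",
                     (unsigned) flags, v);
  return snprintf (out, outlen, "flags 0x%08x: %s", (unsigned) flags, name);
}

int main (void)
{
  char buf[64];
  /* Constructed inputs: a valid version-5 word, and the kind of
     out-of-range byte a fuzzer-generated header carries. */
  describe_flags (0x05000000u, buf, sizeof buf);
  puts (buf);
  describe_flags (0x7F000000u, buf, sizeof buf);
  puts (buf);
  return 0;
}
```

The check belongs in the lookup itself, not only in the caller: once the function's contract is "NULL for anything it cannot name", every caller that already handles NULL for version 0 is automatically safe for version 6..255 as well.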
* [Bug tools/31058] global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
From: mark at klomp dot org @ 2024-02-20 21:36 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Note that this issue was discussed when rediscovered again on January 9 by
someone else running a fuzzer.
The conclusion then was that this was a normal bug and not a security issue.
Crashes in the standalone utilities on untrustworthy
inputs are not normally seen as security issues, because they don't
cause privilege escalation. See our SECURITY policy at:
https://sourceware.org/cgit/elfutils/tree/SECURITY
* [Bug tools/31058] global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
From: mark at klomp dot org @ 2024-02-21 1:32 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
Also note that no actual crash occurs unless eu-readelf is instrumented
with AddressSanitizer. Otherwise eu-readelf will just print a random global
string.
* [Bug tools/31058] global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
From: mark at klomp dot org @ 2024-02-28 14:48 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
This bug is referenced from CVE-2024-25260. But the CVE description "NULL
pointer dereference via the handle_verdef() function at readelf.c" doesn't
match this bug. And the supposed reproducer referenced from the CVE doesn't
show a NULL pointer dereference, and doesn't match this bug report either.