public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6)
@ 2022-10-26 14:33 bjchan9an at foxmail dot com
2022-10-26 14:35 ` [Bug debug/107416] " pinskia at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: bjchan9an at foxmail dot com @ 2022-10-26 14:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107416
Bug ID: 107416
Summary: A heap buffer overflow was fould in
find_section_in_set() of binutils-2.39 (commit
49c843e6)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: debug
Assignee: unassigned at gcc dot gnu.org
Reporter: bjchan9an at foxmail dot com
Target Milestone: ---
Created attachment 53777
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53777&action=edit
readelf poc file
Hi
There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6).
The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when
parsing the debug sections of a malformed ELF file.
The bug is caused by improper checks of the array boundary when iterating
through the array "section_subset" of ELF debug section.
To reproduce this bug, use:
1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```
2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./PoC
```
The address sanitizer reports are as follows.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
Contents of the .debug_names section:
readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length
0x4c457f
Contents of the .debug_names section:
=================================================================
==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000bd8 at pc 0x0000005143de bp 0x7fffffffd6c0 sp 0x7fffffffd6b8
READ of size 4 at 0x61a000000bd8 thread T0
#0 0x5143dd in find_section_in_set
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19
#1 0x5130b6 in load_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9
#2 0x612472 in load_debug_section_with_follow
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7
#3 0x606ce0 in display_debug_names
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3
#4 0x558c9b in display_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18
#5 0x558c9b in process_section_contents
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354
#6 0x52ae91 in process_object
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9
#7 0x517f9e in process_file
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13
#8 0x517f9e in main
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866
#9 0x7ffff6e22c86 in __libc_start_main
/build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)
0x61a000000bd8 is located 0 bytes to the right of 1368-byte region
[0x61a000000680,0x61a000000bd8)
allocated by thread T0 here:
#0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)
#1 0x74eeed in xrealloc
/binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14
SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in
find_section_in_set
Shadow bytes around the buggy address:
0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Found by SyntaxAFL.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug debug/107416] A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6)
2022-10-26 14:33 [Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6) bjchan9an at foxmail dot com
@ 2022-10-26 14:35 ` pinskia at gcc dot gnu.org
2022-10-26 14:40 ` bjchan9an at foxmail dot com
2022-10-26 15:03 ` [Bug debug/107416] removed redi at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2022-10-26 14:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107416
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Binutils bugzilla is located at https://sourceware.org/bugzilla/ .
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug debug/107416] A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6)
2022-10-26 14:33 [Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6) bjchan9an at foxmail dot com
2022-10-26 14:35 ` [Bug debug/107416] " pinskia at gcc dot gnu.org
@ 2022-10-26 14:40 ` bjchan9an at foxmail dot com
2022-10-26 15:03 ` [Bug debug/107416] removed redi at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: bjchan9an at foxmail dot com @ 2022-10-26 14:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107416
--- Comment #2 from bjchan9an at foxmail dot com ---
(In reply to Andrew Pinski from comment #1)
> Binutils bugzilla is located at https://sourceware.org/bugzilla/ .
Sorry, can you delete this report? We will report it to binutils bugzilla.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug debug/107416] removed
2022-10-26 14:33 [Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6) bjchan9an at foxmail dot com
2022-10-26 14:35 ` [Bug debug/107416] " pinskia at gcc dot gnu.org
2022-10-26 14:40 ` bjchan9an at foxmail dot com
@ 2022-10-26 15:03 ` redi at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: redi at gcc dot gnu.org @ 2022-10-26 15:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107416
Jonathan Wakely <redi at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |MOVED
Status|UNCONFIRMED |RESOLVED
--- Comment #3 from Jonathan Wakely <redi at gcc dot gnu.org> ---
.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-10-26 15:03 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-26 14:33 [Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6) bjchan9an at foxmail dot com
2022-10-26 14:35 ` [Bug debug/107416] " pinskia at gcc dot gnu.org
2022-10-26 14:40 ` bjchan9an at foxmail dot com
2022-10-26 15:03 ` [Bug debug/107416] removed redi at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).