24049 – heap-use-after-free in readelf

Bug 24049 - heap-use-after-free in readelf

Summary: heap-use-after-free in readelf

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.31

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-12-31 05:34 UTC by zerokeeper
Modified:	2019-01-14 13:59 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
binutils-readelf-heap-use-after-free (175.50 KB, application/x-archive) 2018-12-31 05:34 UTC, zerokeeper	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zerokeeper 2018-12-31 05:34:25 UTC

Created attachment 11503 [details]
binutils-readelf-heap-use-after-free

hi,binutils team. when i use readelf read a elf file,i get a heap-use-after-free bug reported by AddressSanitizer.


# ./binutils/readelf -a binutils-readelf-heap-use-after-free


File: fuzzout/crashes/id:000000,sig:06,src:000022,op:flip1,pos:2021(aaaaaaaaaaaaaaaa)
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start

File: fuzzout/crashes/id:000000,sig:06,src:000022,op:flip1,pos:2021(gethnamaddr.o)
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          551872 (bytes into file)
..................


  694: 0000000000000016     0 SECTION <processor specific>: 15 INTERNAL [<other>: 28]   UND
   695: 0000000000000010     0 COMMON  <processor specific>: 14 HIDDEN  [<other>: 28]   UND
   696: 0000000000000010     0 <processor specific>: 13 <processor specific>: 14 HIDDEN  [<other>: 28]   UND
   697: 0000137000d40012 0x6e00000000 SRELC   <processor specific>: 15 HIDDEN  [<other>: 28]   UND
   698: 000013e000d40012 0x46300000000 <OS specific>: 11 LOCAL  PROTECTED [<other>: 28]   UND
readelf: Warning: local symbol 698 found at index >= .symtab's sh_info value of 662
   699: 0000000000000010     0 <processor specific>: 13 GLOBAL PROTECTED [<other>: 28]   UND
   700: 0000000000000010     0 COMMON  WEAK   PROTECTED [<other>: 28]   UND

No version information found in this file.
readelf: Error: =================================================================
==12436==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000d8b0 at pc 0x000000460e16 bp 0x7fff617cbf30 sp 0x7fff617cb6e0
READ of size 2 at 0x60700000d8b0 thread T0
    #0 0x460e15  (/root/binutils-2.31/binutils/readelf+0x460e15)
    #1 0x460712  (/root/binutils-2.31/binutils/readelf+0x460712)
    #2 0x46160a  (/root/binutils-2.31/binutils/readelf+0x46160a)
    #3 0x5c4f4e  (/root/binutils-2.31/binutils/readelf+0x5c4f4e)
    #4 0x4fc965  (/root/binutils-2.31/binutils/readelf+0x4fc965)
    #5 0x4ee2f6  (/root/binutils-2.31/binutils/readelf+0x4ee2f6)
    #6 0x7fd145e2c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x419078  (/root/binutils-2.31/binutils/readelf+0x419078)

0x60700000d8b0 is located 0 bytes inside of 77-byte region [0x60700000d8b0,0x60700000d8fd)
freed by thread T0 here:
    #0 0x4b9020  (/root/binutils-2.31/binutils/readelf+0x4b9020)
    #1 0x4fc709  (/root/binutils-2.31/binutils/readelf+0x4fc709)
    #2 0x4ee2f6  (/root/binutils-2.31/binutils/readelf+0x4ee2f6)
    #3 0x7fd145e2c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x4b91a8  (/root/binutils-2.31/binutils/readelf+0x4b91a8)
    #1 0x5ca176  (/root/binutils-2.31/binutils/readelf+0x5ca176)

SUMMARY: AddressSanitizer: heap-use-after-free (/root/binutils-2.31/binutils/readelf+0x460e15)
Shadow bytes around the buggy address:
  0x0c0e7fff9ac0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff9ad0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff9ae0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff9af0: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff9b00: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0e7fff9b10: fd fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
  0x0c0e7fff9b20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff9b30: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff9b40: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fff9b50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff9b60: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12436==ABORTING

Comment 1 zerokeeper 2018-12-31 15:11:00 UTC

update,the first AddressSanitizer don't show code symbolize.i rebuild.
this is symbolize on the stack traces.

readelf: Error: =================================================================
==24023==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ef50 at pc 0x7f196b4121e9 bp 0x7ffc894f6a00 sp 0x7ffc894f6178
READ of size 2 at 0x60300000ef50 thread T0
    #0 0x7f196b4121e8  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x601e8)
    #1 0x7f196b412bcc in vfprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60bcc)
    #2 0x5420b6 in error /root/fuzz/binutils-2.31/binutils/elfcomm.c:43
    #3 0x4a6311 in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19092
    #4 0x404397 in process_file /root/fuzz/binutils-2.31/binutils/readelf.c:19247
    #5 0x404397 in main /root/fuzz/binutils-2.31/binutils/readelf.c:19318
    #6 0x7f196b00882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x404f78 in _start (/root/fuzz/binutils-2.31/binutils/readelf+0x404f78)

0x60300000ef50 is located 0 bytes inside of 19-byte region [0x60300000ef50,0x60300000ef63)
freed by thread T0 here:
    #0 0x7f196b44a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4a55ee in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19178

previously allocated by thread T0 here:
    #0 0x7f196b44a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x54b194 in make_qualified_name /root/fuzz/binutils-2.31/binutils/elfcomm.c:906

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x0c067fff9de0: fd fa fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa
  0x0c067fff9df0: fd fd fd fa fa fa 00 00 01 fa fa fa 00 00 00 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==24023==ABORTING

Comment 2 Nick Clifton 2019-01-09 12:32:52 UTC

Hi zerokeeper,

  Thanks for reporting this bug.  I have checked in a patch to fix this
  particular problem and several other places where the same illegal
  memory access could be triggered.

Cheers
  Nick

Comment 3 rschiron 2019-01-14 13:59:04 UTC

CVE-2018-20623 has been assigned to this flaw.

Nick, I guess the fix for it is in commit 28e817cc440bce73691c03e01860089a0954a837, is that right? Thanks.